TL;DR – cookies cannot be set based on ‘legitimate interests’. Opt-out is NOT a lawful approach to cookie consent.
What? But I saw a cookie consent tool that had ‘legitimate interests’ as a pre-ticked setting. Are you saying that’s not allowed?
That’s exactly what I’m saying, yes. In fact, it’s against the law (in Europe and the UK).
Which law? Data protection or ePrivacy?
The data protection bit:
Data protection law governs the processing of personal data, and requires a lawful basis for processing – ‘legitimate interests’ is one of the options. Legitimate interests is only a valid lawful basis for processing if all aspects of the processing comply with the data protection principles, the processing doesn’t undermine individuals’ rights and freedoms, and doesn’t cause unwarranted harms to the data subject’s interests.
While cookies themselves don’t necessarily contain personal data*, any personal data that is processed as a result of a cookie being set must be done so fairly, lawfully and transparently. If there is deception, coercion or other chicanery in the mechanisms for obtaining the data (eg, setting cookies without proper consent), or if the data was collected under an incorrect lawful basis (such as claiming legitimate interests where consent is the only lawful option) then the first data protection principle cannot be met, and any subsequent processing will be unlawful.
(*NB: if a cookie includes a unique identifier, it’s likely to fall within the definition of ‘personal data’, even if that identifier is meaningless to everyone but the parties who use it to do digital stuff – that’s because ‘identifiable’ is based on ‘ability to single out’ rather than prior knowledge of other attributes associated with an individual, like a name or physical description).
The ePrivacy bit:
ePrivacy law governs electronic communications, and requires that any ‘non-essential’ reading or writing of data to the endpoint device is described so that the user can decide whether or not to indicate that they’ll allow it (consent). Cookies require reading and writing of data to the end device (setting the cookie, checking to see if a cookie is set), which means that when a cookie is not ‘essential’, it can only be set if consent is given.
So in order to set a cookie, it must either be classified as essential, or the site visitor’s consent must be obtained first?
Yup. That’s what ePrivacy law says.
Can we just classify all cookies as essential and not bother with that consent business?
Nice try (you’re not the first to suggest it), but no. According to ePrivacy law, ‘essential’ means ‘necessary for these particular electronic communications to function, or to provide functionality that the end-user has requested’.
Some examples of genuinely ‘essential’ or user-requested functions include:
- Efficient load-balancing between servers
- Privacy-friendly analytics* (those which don’t profile or infer the visitor’s attributes but focus on their interactions with the site content)
- Maintaining the security of login sessions
- Remembering language and accessibility preferences
(*not according to current ePrivacy law, which makes no provision for analytics, but allowable according to the new ePrivacy Regulations which are still being drafted)
These sorts of things are not ‘essential’, and therefore any cookies associated with them can only be set AFTER consent has been obtained:
- Targeted advertising
- Analytics of site visitor behaviours or attributes
- Chat functions which are not engaged with by the site visitor.
- 3rd-party tracking of embedded content
But what if I need to process personal data that I acquired as a result of setting a non-essential cookie without consent?
You have two choices –
1. Delete the data, go back and get proper, GDPR-standard, valid consent, and take it from there
2. Take the risk that you won’t get caught out; by regulatory action, by data subjects exercising their rights, by your supply chain, by putting site visitors off so they don’t come back, by audit findings, by your competitors doing better or by any other potential outcome of unlawfully processing personal data; and remove ‘we take your privacy very seriously’ from your privacy notices because apparently you don’t.
What if the cookie is essential, can I use legitimate interests then?
For what? You don’t need a lawful basis to set a cookie, only either a designation of ‘essential’ or valid consent. So you can just go ahead and set the cookie.
You may be able to process personal data acquired as a result of setting an essential cookie, under legitimate interests, but that will depend on a) your purpose for processing, b) a Legitimate Interests Assessment (LIA), c) adherence to data protection principles and rights at every stage of the processing, and d) the ability to demonstrate all of the above, with evidence.
OK, but if it’s so wrong, how come some CMPs provide the option of ‘legitimate interests’ for cookies?
I can’t know for sure because I haven’t personally interrogated the CEOs of these companies, but if you want my opinion, it’s down to one or more of the following reasons:
1. Those CMP vendors know but don’t care that their product is unfit-for-purpose and exposes their customers to significant risk – it doesn’t matter as long as they’re still getting paid.
2. Those CMP vendors are new to the privacy marketplace but were too busy jumping on the shiny bandwagon to make an effort to learn the rules of the road.
3. Customers of Those CMP vendors don’t even understand what they’re buying or why, and are therefore unable to distinguish between sales bullshit and competent advice.
4. These CMP tools are designed with dark patterns to trick the site visitor into ‘accepting’ cookies via deception rather than genuine consent, and this provides organisations with the illusion of compliance – which is preferable because it’s less work than actual compliance.
5. Data protection/privacy education is fastest and cheapest when it’s poorly-presented, badly-researched, unhelpfully vague and can be rolled out to thousands of people at once. That’s what most companies opt for because they resent spending money on ‘compliance’, and that’s why very few people notice when data protection law is breached.
What should I do if I mistakenly bought one of these dodgy CMPs?
Preferably, replace it.
If the option to disable this ‘legitimate interests’ nonsense exists, avail yourself of it ASAP
Cut off the data flows which rely on illegitimate-interest cookies
Question the vendor hard as to why they sold you a product which was designed to break the law.
Invest in better data protection/ePrivacy knowledge and process integration so that you don’t make this sort of mistake again
But without this data, our business will struggle!
If you want data about people’s browsing habits, do the lawful, civilised thing and ask nicely for it.