Purpose compatibility & cookies

On 17th January 2023, the Board's Cookie Banner Taskforce published a report on its work since around 700 noyb.eu complaints flooded data protection authorities across the EU. Some unification at Board level was probably necessary, as it seems the supervisory authorities still cannot agree on the basic interpretation of Article 5(3) of the ePrivacy Directive and its interplay with the GDPR.

Let’s start from where European regulators have reached consensus as regards cookie banners:

  1. A “Reject All” button must be displayed on the same layer as the consent button; forcing the user to click through “settings”, “learn more” or “manage cookies” subsections in order to refuse consent should be avoided;
  2. The “Reject All” option must not be embedded invisibly in the cookie banner text, or placed outside the cookie banner without sufficient visual support;
  3. There must be clear contrast between the colour of the “Reject All” button and its background, so that it is not visually lost in the cookie banner compared to the consent button;
  4. A small hovering icon or similar solution for privacy settings, including consent withdrawal, should be permanently visible on all pages of the website;
  5. Pre-ticked boxes are prohibited (no big news here…).

However, the above can hardly be regarded as universal and harmonised EU cookie guidelines from the Board.

Although these would be desperately needed, there are many reasons why we still do not have them after almost 7 years of the GDPR and the ePrivacy Directive co-existing. We need a clear standpoint from the Board as regards:

  • whether consent is needed for any cookie-, pixel- or SDK-based advertising, marketing or analytical tool (such as Google Analytics and Facebook pixels, but also ad serving and tracking on social media and in mobile applications); and
  • whether some limited analytics can in fact be considered necessary for the provision of a website or mobile app service, as developed in France and Germany (see “web audience” in the ePrivacy Regulation proposals).

We have clear answers from certain data protection authorities on the above, but not from the Board. Why? This report confirms one of the key obstacles that prevents the Board from saying the above out loud.

I don't mean the multi-billion ad-serving business behind no-consent ad campaigns that European companies seem to be enjoying while US companies are being fined for it.

No, this is clearly not it. It is the purpose compatibility of Article 6(4) of the GDPR that seems to be creeping into the picture and confusing the debate.

The first page of the report states rather bluntly that Art. 5(3) ePrivacy only applies as regards the placement and reading of cookies. For any processing that takes place after that, the GDPR applies.

Well, this is simply not true.

Art. 5(3) ePrivacy applies rather generally to gaining access to, or storing, information on the device. It protects the person's privacy on that device. Once you store a cookie on that device, from a human rights perspective, you are in that person's house. The cookie then spies and transmits private information to a third party's server (is this the "reading of the cookie"?). As long as the cookie does this, the ePrivacy rules continue to apply, because the right to privacy continues to be compromised (legally or illegally).

It is also absolutely wrong to say that the GDPR applies after the cookie is placed and read, because it starts to apply way before that.

Consent and information obligations in line with the GDPR are just two examples of that. But don't forget the LIA, DPIA, TIA and vendor/security verification that logically must be done (way) before placement of the cookie, where required.

The right to privacy and the right to protection of personal data are distinct rights that may apply jointly. In the same way, ePrivacy and the GDPR may need to be applied jointly, depending on which of these rights are triggered.

There is currently no purpose compatibility under the ePrivacy cookie rules. This is why there is a massive lobbying effort to introduce this concept as a new consent exemption into the ePrivacy Regulation. In my opinion, this push has no legal substance and serves only to confuse the interpretation for years to come.

Purpose compatibility is a specific legal basis regime under Article 6(4) GDPR that only applies to non-consent processing. ePrivacy, as lex specialis, dictates which legal basis can be used. If consent, then GDPR consent. If no consent, then anything that works under the GDPR.

A direct marketing purpose would never be compatible with the original purpose if consent under ePrivacy is required. It would be unlawful. This is already established for unsolicited communications.

Direct marketing cookies require consent and therefore would not pass the purpose compatibility test. For consent cookies, there is no compatibility option under either ePrivacy or the GDPR.

If the consent cookie is removed, that means the consent is withdrawn, and that means the processing must stop unless the law dictates otherwise (and it does not).

So why do we even entertain this idea of "compatible purposes" if it will not work for subsequent direct marketing processing of personal data?

More articles by Jakub Berthoty

  • The first Slovak cookies guidelines updated

    In our June's blog we published 10 reasons why, in our opinion, it was necessary to amend the historically first Slovak…
