California and European Privacy FAQs: Does the GDPR require that a company obtain consent from a website user before placing cookies on its browser?

BCLP

The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Does the GDPR require that a company obtain consent from a website user before placing cookies on its browser?

No. 

The GDPR does not discuss when a company may deploy cookies on the web browser of a visitor to the company’s website. There are, however, other European Union privacy laws that apply to the online tracking of individuals and the deployment of cookies, including Directive 2002/58/EC (ePrivacy Directive).1

The European Data Protection Board has discussed the interaction of the GDPR and the ePrivacy Directive in the context of cookies, and the obligation to obtain user consent.  The EDPB found that where the ePrivacy Directive imparts a specific rule – such as an obligation to collect consent of an online user before placing, or accessing, cookies – that provision takes precedence over the general rules of the GDPR.  So, for example, if the ePrivacy Directive mandates that a website solicit opt-in consent from a user before accessing a behavior tracking cookie, that requirement “trumps” any general analysis that one might conduct as to whether the accessing of a behavioral tracking cookie is permitted based upon the GDPR.2  The EDPB also implied that any enforcement, or penalties, for the failure of a company to abide by the specific rule should come from the Member State’s legislation implementing the ePrivacy Directive and not from the GDPR itself.  It is worth noting that the penalties in many Member States for a violation of their statutes implementing the ePrivacy Directive are significantly less than the penalties under the GDPR.

The EDPB went out of its way, however, to note that the preemptive effect of the ePrivacy Directive is limited to the narrow scope of the specific rule set forth in the ePrivacy Directive. In the specific context of cookies, this means that while the ePrivacy Directive may govern a company’s ability to place or access cookies, because the ePrivacy Directive “does not contain a special rule for any prior or subsequent processing activities (e.g., the storage and analysis of data regarding web browsing activity for purposes of online behavioral advertising or security purposes)” the GDPR applies to the “lawfulness of all other processing operations that follow the storing of or access to information in the terminal device of the end-user.”3 As a practical matter this means that while a company may not be subject to the penalty structure of the GDPR if it fails to obtain proper consent before accessing a behavioral advertising cookie, it may be subject to the penalty structure of the GDPR if it does not have a lawful basis under the GDPR for storing the data that it obtains from the cookie, or for using that data to enhance a consumer’s profile or to serve targeted advertising.


1. The European Commission presented a proposal for a new ePrivacy Regulation, which, as of the date of this publication, was going through the legislative process. The ePrivacy Regulation is expected to ultimately replace the current ePrivacy Directive and to align the requirements within the Directive with the GDPR.

2. EDPB, Opinion 5/2009 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities, at ¶ 75 (12 Mar. 2019).

3. Id.
