GDPR Privacy FAQs: Do European privacy laws require that a company obtain opt-in consent from a website user before placing third party behavioral advertising cookies on their browser?

July 29, 2019

Yes.

European data privacy law distinguishes between session cookies that, for example, allow a website to function properly, and behavioural advertising cookies that are unnecessary for the functioning of the website.  With respect to behavioural cookies, recent guidance from the United Kingdom’s Information Commissioner’s Office indicates that consent is required prior to the deployment of behavioural advertising cookies on a website.  Specifically, the guidance states “[i]f your service includes cookies used for the purposes of online advertising, you cannot rely on the strictly necessary exemption. Online advertising cookies are not exempt from PECR’s consent requirements and never have been. This includes all third-party cookies used in online advertising, including for purposes such as frequency capping, ad affiliation, click fraud detection, market research, product improvement, debugging and any other purpose.”1

This means that the data subject must perform a “clear affirmative act” to evidence their consent.2 For example, checking an unchecked box would constitute a clear affirmative act.3 By contrast, it is not permissible to use pre-checked boxes or simply inform users that the deployment of the cookies is a condition of utilizing the website.4


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. See https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf (published 3 July 2019).

2. GDPR, Recital 32; see https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf (published 3 July 2019) (“If the cookies you set aren’t exempt . . . then you can only use consent – and this must be of the GDPR standard. This is also the case whether or not personal data is involved.”).

3. GDPR, Recital 32; see https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf (published 3 July 2019) (“If the cookies you set aren’t exempt . . . then you can only use consent – and this must be of the GDPR standard. This is also the case whether or not personal data is involved.”).

4. See https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf (published 3 July 2019) (“If the cookies you set aren’t exempt . . . then you can only use consent – and this must be of the GDPR standard. This is also the case whether or not personal data is involved.”).