4

I want to use cookie consent for saving user language, currency and affiliate marketing purpose.

Can I store data without consent of the registered users? They are registered so do I need to take consent from them.

Dale M
  • 237,717
  • 18
  • 273
  • 546
Cyber
  • 43
  • 3

1 Answers1

6

Yes, you still need consent (opt-in).

There are two relevant laws at play here: GDPR makes general rules about the processing of personal data, and ePrivacy has specific rules about cookies and similar technologies, regardless of whether the cookies involve personal data.

The ePrivacy directive was implemented in your EU member state (or the UK) in national law. The national laws contain the authoritative rules on this matter. But in general:

  • Accessing or storing any information (such as cookies) on the end user's device requires consent.
  • Consent is defined by the GDPR.
  • You do not need consent if the access/storage is strictly necessary for a service explicitly requested by the user (“functional cookies”).

Using cookies to store site preferences such as user language is strictly necessary for a service explicitly requested by the user, so you do not need consent for this. You must still make your use of cookies transparent to the user.

Setting cookies for marketing purposes is not strictly necessary to provide the service, so you always require consent for them.

You now raise the interesting question if this is also the case if the user is already registered. Yes, you still need consent (opt-in).

This is due to the way how the GDPR defines “consent”. Consent is not general or vague agreement. Agreement with your terms of service or privacy policy is not consent in the sense of the GDPR. Instead, consent is defined in Art 4(11) GDPR to be (emphasis mine):

any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

Art 7 GDPR adds further conditions for consent. (1) You are responsible for demonstrating that the user has given valid consent. (2) The request for consent should be clearly distinguishable from other matters (i.e. not buried in a larger document) and should be presented “in an intelligible and easily accessible form, using clear and plain language.” (3) Withdrawing consent must be as easy as giving it. (4) In general, you cannot make access to a service conditional on unrelated consent. I.e. you can't force your users to consent to marketing cookies in order to use the app. The users must have an actual choice, or the consent isn't freely given.

Supervisory authorities have produced extensive guidance on the matter of consent. If you're in the UK, consider the ICO Guide to Consent and Guidance on the use of cookies and similar technologies. If you're in the EU/EEA, consider the EDPB Guidelines 05/2020 on Consent (PDF).

To summarize why agreement with your terms of service is not consent to marketing cookies:

  • Agreement to such large documents is not sufficiently specific.
  • The consent would not be sufficiently informed. You cannot expect users to actually read all your legal documentation. You must present information in an intelligible manner, possibly with multiple layers (compare WP29 Guidelines on Transparency, endorsed by EDPB).
  • Agreement to your terms of service is not an unambiguous indication that the user wants these cookies.
  • If consent to marketing cookies is a condition of using your service, the consent is likely invalid.

The consequence is that cookie consent is usually obtained via separate consent management tools that provide detailed explanations about different categories of cookies, and let the user select which specifically categories of cookies they want to consent to, if any.

In this context, you might ask “if getting consent is so difficult, but GDPR requires that I have consent, how does that work?” It is a common misconception that the GDPR requires consent for everything – the ePrivacy requirement that most cookies need consent is one of the exceptions. In general, GDPR offers a choice of six categories of legal bases for processing in Art 6 GDPR, and consent is just one of them. In many cases, an online service will process personal data because it is necessary to fulfil a contract with the user, or because there is a legitimate interest for the processing (and the legitimate interest outweighs the user's interests). For example, reasonable security measures such as keeping logfiles can be based on a legitimate interest and do not require consent.

amon
  • 24,244
  • 3
  • 46
  • 77