This article is a snapshot of key areas to be aware of when assessing a website’s GDPR and ePrivacy compliance.

Cookies can be a powerful tool in personalising users’ interactions with a website. But did you know that your website’s use of cookies has to comply with Regulation 5 of the ePrivacy Directive?

In the EU, the ePrivacy Directive (2002/58/EC as amended by 2009/136/EC) is separate from, but complements, the GDPR (the General Data Protection Regulation). Organisations must comply with both laws, but the rules under the ePrivacy legislation are your first point of reference when it comes to cookies and other tracking technologies used to support your organisation’s online presence.

The applicability of Article 5(3) of the ePrivacy Directive is wider than just cookies. In fact, it provides that information may only be stored on, or accessed from, a user's device with the consent of the subscriber or user. This does not prevent storage or access that is technically required or strictly necessary to provide the service.

Lessons to be learned from the Planet 49 case

Planet 49 is a case decided by the European Court of Justice on 1 October 2019 (case C-673/17), in which the Court made an impactful ruling on the ePrivacy Directive. There are important lessons to be learned from this ruling.

Consent from end users must be obtained before placing cookies on their devices.

  • Such consent must meet the requirements of the GDPR.
  • Pre-checked boxes do not satisfy the consent requirements of the 1995 Data Protection Directive, the ePrivacy Directive or the GDPR.
  • Consent requirements do not change if the data held/accessed by the cookie is not personal data.
  • Users must be informed of the duration of the cookie and whether third parties will have access to the data.
  • Consent is not required for cookies that are defined as ‘strictly necessary’.
  • Any non-essential cookies, including third party cookies used for the purposes of online advertising or web analytics, require prior consent to the GDPR standard.

Furthermore, you may not obtain consent to set cookies ‘by implication’. Informing users that their continued use of your website (clicking, using or scrolling) will be taken as consent to set cookies is not permissible. Similarly, cookie banners that pop up when a user lands on a website and then disappear when the user scrolls, without any further engagement by the user with the banner or with information about cookies, are not compliant with the law.

Cookies aside, what other types of tracking technologies are in use?

Cookies are the most widely known tracking technology, and most internet users are aware of browser (HTTP) cookies. However, there are other types of cookies and tracking technologies, such as local storage objects (LSOs) or ‘flash’ cookies, software development kits (SDKs), pixel trackers (or pixel gifs), social sharing tools such as ‘like’ buttons, and device fingerprinting technologies. The law on cookies generally applies to all of these tools.

Cookie exemptions

There are only two circumstances in which cookies are exempt from the requirement to obtain consent. The two exemptions are known as:

  • The communications exemption: transmission of the communication would be impossible without the use of the cookie
  • The strictly necessary exemption: the cookie is essential to providing the service requested by the user. Cookies that are simply helpful or convenient—or only essential for your own purposes—will still require consent.

Work with your data protection team

To assess your website’s GDPR and ePrivacy compliance, start by working with your data protection team to identify the types of cookies used on your website.

We at HewardMills are actively working with clients to ensure GDPR and ePrivacy compliance.

If you need help with compliance, please contact us at dpo@hewardmills.com.