Cookie – User’s “Consent” to Data Controller “legitimate interest”?

In recent months, when accessing websites, we have increasingly seen a new way of presenting cookies.

Next to the well-known banner with the “accept cookies” button, there is often a link such as “find out more” or “more options”. Clicking one of these links opens a cookie wall, which has already been declared non-compliant by the European Data Protection Committee (EDPB), together with a series of choices relating to profiling cookies, including third-party ones, for which consent is unchecked while legitimate interest is already checked.

Legitimate interest is one of the six legal bases that the European Regulation 2016/679 (GDPR) considers lawful when it comes to data processing. Consent of the interested party and legitimate interest of the data controller (or third parties) are two different legal bases.

The GDPR deals with the legal bases in art. 6; art. 6, lett. f) refers to Recitals 50 and 47. Quoting the latter: “It may be considered legitimate interest to process personal data for direct marketing purposes”. In the case of profiling cookies, including third-party ones, it does not appear correct to consider legitimate interest as a legal basis, in the light of this recital and even more so according to art. 22 of the GDPR.

On 5th May 2020 the EDPB published Guidelines on consent, which among other things deal with cookie management. The EDPB believes that the option to “continue browsing” is not a valid way of giving consent, to the extent that this action may be difficult to distinguish from other user activities or interactions. The same applies to scrolling within the website: in no case can it be interpreted as acceptance of the use of cookies. Cookie walls that do not offer an alternative to consent cannot be used, as they limit access to certain services or content only to users who accept the use of cookies.

Consent, which is free, specific, informed, unambiguous and revocable at any time, is given by the interested party in response to a request from the Data Controller for a specific processing operation.

Legitimate interest is a legal basis that is identified and used by the Data Controller only after balancing the rights of the Data Controller and those of the interested parties.

Before starting any data processing on the basis of legitimate interest, the Data Controller must assess whether it has correctly considered all the risks involved, and therefore all the possible consequences for the interested parties (possibly carrying out a DPIA), and must also collect and document enough elements to be able to show that the respective interests were well balanced against each other.

Giving the interested party the chance to consent to or deny the legitimate interest seems nonsensical. First of all, this practice is unlawful according to the EDPB, as a user with average IT knowledge will not spend time selecting which companies may profile him or for what purposes; this practice is therefore in clear contrast with the principles of the GDPR and the indications of the EDPB regarding consent. Last but not least, if the legal basis is legitimate interest, for which the Data Controller has reasonably balanced the interests, how can the interested party give or deny his consent with respect to the legitimate interest declared by the Data Controller? Following this reasoning, it is as if the legal bases for the same processing and the same purpose overlap (!), confirming the legitimate interest of the Data Controller.

We are witnessing the spread of something new from an operational point of view, and we hope that national DPAs will act to declare this practice illegitimate.

Written by:

Maria Grazia Romano and Floriana Tagliaferro

Translated by:

Francesco Russo
