GDPR: What’s Relevant for the Use of Cookies & Identifiers in Online Marketing

After several years of ongoing negotiations, the EU Commission, the EU Parliament, and the EU Council reached a compromise on the EU General Data Protection Regulation (GDPR), which is expected to come into force mid-2018. The new GDPR contains numerous provisions that might have practical ramifications for online marketing companies across Europe, as well as for companies outside of the EU, which operate within EU markets. Professor Dr Christoph Bauer and Dr Frank Eickmeier (both pictured), ePrivacy GmbH, provide ExchangeWire a detailed look at the clauses in the GDPR, what they mean in plain English, and their possible impacts.

1. Principles of personal data processing

The fundamental "principles relating to personal data processing" of the GDPR contain changes for some European countries. The new principles are those of “data avoidance and data minimisation”, “earmarking of data for a particular purpose”, the “prohibition subject to the reservation of the right to grant permission”, and “transparency” (cf. Art. 5).

2. Personal Data

The scope of the data protection legislation will broaden significantly, particularly with regard to personal data. The term 'personal data' previously referred to data that revealed, or was capable of revealing, the identity of an individual such as his or her surname, first name, telephone number, etc. Data like cookie IDs, user IDs, IP addresses, Mac addresses, etc instead were, in a lot of cases, classified as anonymous and, thus, did not fall within the scope of the data protection legislation. This was the reason why modern online and tracking technologies, such as OBA, cookie synching, cross-device targeting and many other targeting technologies were deemed permissible pursuant to data protection law.

The new GDPR has now pulled the rug out from under this approach with Art. 4(1) of the GDPR, now explicitly stating as follows:

Prof Dr Christoph Bauer, ePrivacy

Prof Dr Christoph Bauer, ePrivacy

“…‘personal data’ means any information relating to an identified or identifiable natural person ('data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person."

Number 30 of the so-called 'Recitals' contains more detailed stipulations of relevance for the online industry, additionally specifying further examples for personal data:

“…online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers or other identifiers such as Radio Frequency Identification tags…”.

Plainly speaking, online identifiers, such as cookie IDs, IP addresses, etc, might, pursuant to the new GDPR, be deemed personal data – that would be a fundamental change! However, there are also some opinions, stating that these online identifiers are only personal data when they can be used to identify a person. Which of these two main opinions will be the major opinion cannot be said yet.

If we assume that online identifiers are personal data, this would mean that the processing of these online identifiers will, in future, generally require the consent of the concerned data subject – the user – for precisely defined purposes. But don’t worry: it is likely that, in many cases, such giving of consent will not be necessary at all, thanks to the newly inserted 'online marketing clause' embedded in Art. 6(1)(f) of the GDPR.

That 'online marketing clause' specifies circumstances in which personal data may be processed without the consent of the data subject:

Dr Frank Eickmeier, ePrivacy

Dr Frank Eickmeier, ePrivacy

“Processing of personal data shall be lawful only if and to the extent that at least one of the following applies: [….] 1. f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child …”.

This clause grants legal permission, not only for classical direct marketing methods, but may also be applicable for online behavioural marketing measures, given that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” (Recital 47 of the final Regulation). As a consequence, it will be possible to use personal data with the interest of direct marketing, as long as the interests of the data subject concerned are not overriding the marketing interests.

3. Legitimate interests

The current interpretation of the term 'legitimate interest' reflects a notable shift towards the US approach to data protection, given that the 'reasonable expectations of users' are evidently set to become the central point of departure for any consideration of this issue in the future: data, which users can reasonably expect to be processed, can be processed without the user's consent – even by a third party:

“The legitimate interests of a controller, including of a controller to which the data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on the relationship with the controller.” (Recital 47 in the final Regulation)

In short: in the future, most business models in the online industry will not require data subjects to give their consent to the use of their data, provided they stay within the bounds of their users’ 'reasonable expectations'. The true scope of the 'reasonable expectations' criterion remains to be seen. It may well make sense for companies to refer to such 'reasonable expectations' in their individual data protection declarations or privacy statements and, thereby, to include them into the scope of this criterion.

4. The opportunity to opt out

Art. 21 of the GDPR stipulates that data subjects must be given the opportunity to opt out of the processing of their data. That it also explicitly requires a right of objection in the context of profiling, is a positive development from the perspective of the online industry, as it makes clear that the EU legislator has acknowledged and wishes to regulate the profiling activities of the online industry.

Users must be informed of their right of objection (opt-out) upon first contact with the data controller (for example, the publisher of the data), at the latest, for example, by means of the privacy statement or a centrally managed preference management such as www.youronlinechoices.org.

Finally, this initial, preliminary analysis of the most significant provisions from the perspective of the online industry leads to the following conclusion: the fundamental business models in the online industry are unlikely to come under serious threat in the future, although the concept of personal data has been extended to cookie IDs, IP addresses, and other online identifiers. Due to Art. 6(1)(f), the new GDPR is unlikely to have major ramifications in practical terms.