Cookies and similar technologies
A cookie is a small text file placed on a device that 'remembers' it. Other tracking tech includes device fingerprinting, tags, pixels, web beacons, embedded scripts and social plugins, and they work in apps and emails too. Two laws apply: Article 5(3) of the ePrivacy Directive (consent to store/read information on a device) and the GDPR (when the data is personal). The GDPR is clear that data relating to someone who can be identified via an online identifier - and pseudonymous data - is personal data.
Article 5(3) of the ePrivacy Directive allows storing or accessing information on a user's device only with consent, after clear information about the purposes. This catches cookies and most tracking technologies. There are two exemptions: (1) the sole purpose is carrying out a communication over a network; or (2) the cookie is strictly necessary for a service the user explicitly requested.
| Exemption | Meaning |
|---|---|
| Communication-only | Sole purpose is to carry out transmission of a communication over a network |
| Strictly necessary | Strictly necessary for a service the subscriber/user explicitly requested |
Yes, generally. The GDPR makes clear that data relating to a person who can be identified via an online identifier is personal data, and that pseudonymous data is still personal data. In Vidal-Hall v Google the English Court of Appeal held that browsing-habit profiles were personal data, partly because other users of a device could deduce information from targeted ads.
Under Article 3(2)(b), monitoring the behaviour of individuals in the EEA brings processing within the GDPR; Recital 24 confirms this includes internet-based tracking. So non-EEA sites setting cookies on EEA users' devices may be caught.