ePrivacy consent and cookie controllership
Cookie consent must meet GDPR standards. Planet49 confirmed that a pre-ticked box does not give valid consent, and users must be told the cookie's duration and whether third parties can access it. The EDPB adds that consent must be obtained before placement and that scrolling or swiping is not consent. For first-party cookies, the website operator is the controller; for third-party cookies, the third party is a controller if it sets the purposes and means. The website operator must obtain consent even for third-party cookies. Consent is usually the most adequate basis, but legitimate interest may cover subsequent processing.
- A pre-ticked checkbox does not give valid consent (Planet49)
- Users must be told the duration of the cookies and whether they can be accessed by third parties
- Consent must be informed: users must be told the purposes and the controller's identity
- Scrolling or swiping cannot indicate consent
- Consent must be obtained before the cookie is placed or read
| Type | Who is the controller? | Who obtains consent in practice? |
|---|---|---|
| First-party | Website operator | Website operator |
| Third-party | The third party (if it sets purposes/means) | Still the website operator - the only entity with a user relationship |
The ePrivacy consent rule applies to storing or accessing information on the device, not necessarily to the subsequent processing. Per Fashion ID, even where cookies were placed with consent, controllers can in principle rely on legitimate interest for the subsequent processing. But the EDPB and ICO warn that mixing legal bases can be confusing and unfair to users.