A few weeks ago, I saw this tweet/post on X (formerly Twitter) from Paul Graham, the founder of Y-Combinator:
The tweet represents a misunderstanding of the EU privacy and data protection rules on the use of web cookies. Cookie banners are how online service providers have decided to comply with these rules, rather than the rules explicitly requiring such banners.
How is this the case? Let's start with Article 5(3) of the ePrivacy Directive (as amended), the principal piece of legislation in this context, which states the following:
...the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the GDPR], inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.1
According to this provision, cookies cannot be stored on a person's web browser unless the online service provider has their consent to do so and has provided information about the cookies, including what they are needed for. However, this is not required if the storing of cookies is either:
"Strictly necessary" to provide an online service to the user (for example cookies that keep track of items in a user's online shopping basket).
Needed to transmit communications over a network.
It should be noted that this provision makes reference to the GDPR regarding consent and the provision of information. Online service providers therefore need to follow the relevant rules under the GDPR too.
On consent, Articles 4.11 and 7 GDPR impose several requirements for processing personal data based on consent. Consent must be:
Freely given, meaning that users should not feel compelled to provide consent and must be given a genuine choice.
Specific, meaning that the consent must be in relation to a particular data processing operation, which in this case is the placing of cookies on a user's browser.2
Informed, meaning that data subjects need to be provided with advance knowledge of the placing of cookies,3 including the purposes of this data processing operation.4
Unambiguous, meaning that the consent must come in the form of a positive action taken by the user showing that they agree to the placing of cookies on their device.5
Demonstrable, meaning that the provider must be able to show that consent has been provided by the user to the placing of cookies on their device.
As easy to withdraw as it is to give.
Further guidance on requirements on consent for cookies is provided in the Planet49 judgment of the Court of Justice of the European Union. In that case, it was held that pre-ticked boxes do not constitute valid consent for the placing of cookies on a user's device.6
In an attempt to comply with these requirements, website operators typically display cookie banners when people first visit their websites or apps. These banners are used to provide information about the cookies they use and to gain people's consent to the placement of those cookies on their devices.
So the answer to Paul Graham's tweet is that EU law does not require cookie banners per se. Rather, this is how online service providers, which typically use cookies for advertising purposes, have chosen to comply with the requirements of EU law.
1. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Article 5(3), as amended by Directive 2009/136/EC amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, Article 2.
2. Christopher Kuner et al (eds), The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020), p. 183.
3. Christopher Kuner et al (eds), The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020), p. 184.
4. Recital (42), GDPR.
5. Recital (32), GDPR.
6. Case C-673/17, Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH (1 October 2019).