Fact-Check of the 5 Biggest Myths Around Cookies and GDPR

There is still a lot of uncertainty about the setting of cookies. The specifications of GDPR are not very precise, and implementation for digital channels is not always easy to derive. This has led to many myths about the use of cookies. In this blog post, we will demystify the most common ones.

Myth 1: “We only operate in Switzerland and do not need a cookie banner.”

Answer: Yes, but only under certain conditions.

Explanation:

If the website is really only addressed to users in Switzerland and this is also evident on the website, then this is correct. On closer inspection, however, the need for a GDPR-compliant cookie solution usually emerges. If you answer with a ‘yes’ to at least one of the following questions, you should consider using a cookie banner:

  • Can people from the EU apply on your website?
  • Do you give the impression on the website that users outside Switzerland are also being addressed, e.g. by providing telephone numbers in international formats, free entry or preselection of the country in forms, selection of languages and currencies that are not necessary for Switzerland and the purpose of the website?
  • Does your target audience also include the Principality of Liechtenstein? 
  • Do you use tracking pixels from advertising and social networks operating outside Switzerland?

A "yes" to either of the first two questions shows that your website is not addressed only to Switzerland.

The Principality of Liechtenstein is a member of the European Economic Area (EEA) and is therefore territorially subject to the GDPR. The GDPR also regulates the processing of personal data of EU citizens outside the EU. By using tracking pixels, you support Facebook & Co. in creating user profiles that are used for advertising purposes.

Myth 2: “No cookie may be set without consent.”

Answer: Wrong

Explanation:

This opinion became established through recent rulings by the European Court of Justice, and as a general rule it applies. However, no consent is required for cookies that are absolutely necessary for the operation of the website (e.g. saving the language selection, saving the shopping basket, etc.); the user only needs to be informed about their purpose. In addition, a legitimate interest can be asserted for certain cookies, for example to anonymously measure how the website is used in order to optimize it.

For cookies that are used directly or indirectly for marketing and targeting purposes, the explicit consent of the user is mandatory. Such cookies may only be set after consent has been given. Third-party solutions integrated on the website often set marketing cookies as well (e.g. YouTube, SlideShare, etc.).

Myth 3: “We do not use cookies and, therefore, do not need a cookie banner.”

Answer: Correct

Explanation:

If your website really does not set permanent cookies, then a cookie banner is not required. In this case, however, a meticulous check of each individual page is recommended. A website that is subject to GDPR and does not show any indication of cookies immediately looks suspicious and invites authorities to check it.

Myth 4: “We always set cookies, but inform the visitor that he/she must accept cookies in order to use our website. So there is a choice.”

Answer: Wrong

Explanation:

GDPR regulates how consent must be given, namely, before the relevant cookies are set:

  • Informed (purpose)
  • Voluntary
  • Actively approved
  • Granular (per purpose, no general agreements)
  • Permission can be revoked at any time and as easily as it was given

Except for the point “informed”, the practice described in this myth directly violates all other requirements for consent under the GDPR.

Myth 5: “Consent must only be given for marketing cookies.”

Answer: Wrong

Explanation:

Consent is required for all cookies that are not absolutely necessary or for which no valid legitimate interest can be claimed. Previous rulings have dealt with marketing/targeting cookies. In particular, the definition of legitimate interest is very vague and there have not been any court rulings yet that could help further clarify this. 

Conclusion

As you can see, not everything can be answered with a clear yes or no. There are still no meaningful court rulings or further specifications of how the GDPR applies to the digital world, such as the e-privacy regulation would provide. However, that regulation is still not in force due to several disagreements. We, therefore, recommend that you follow recent developments and court rulings.

Amazee Metrics offers support and advice in all matters relating to data protection in online marketing. We are happy to advise you on your individual cookie solution.