The ongoing debate surrounding the use of legitimate interests as a legal basis for cookies highlights the complexities of privacy compliance in the digital world.
Under the ePrivacy Directive, consent is mandatory for most cookie use, with exceptions for strictly necessary cookies. Regulators such as the CNIL, ICO, and EDPB consistently reinforce that consent is the appropriate legal basis for cookies, particularly in ad tech ecosystems.
Despite industry efforts to explore legitimate interests as a valid alternative, such as through the IAB’s Transparency and Consent Framework (TCF), it is clear that legitimate interests face significant challenges in practice.
The Role of Legitimate Interest and Consent
One of the core challenges with relying on legitimate interests is the inherent conflict between an individual’s right to privacy and a company’s desire to process data for commercial purposes, such as personalised advertising. Legitimate interest requires a careful balancing act in which the rights of the individual are weighed against the economic motivations of the data controller. As highlighted by regulators like the ICO and CNIL, it becomes problematic to justify legitimate interest for cookie-based data collection when this processing entails extensive tracking and profiling of individuals. This is especially true in Real-Time Bidding (RTB) systems, where processing happens at such a scale that legitimate interest cannot reasonably apply due to the significant intrusion into user privacy.
Regional Differences in Cookie Regulations
While the GDPR applies across the EU, regional differences in the interpretation and enforcement of cookie rules have emerged. For instance, the French CNIL has been clear that prior consent is required before placing cookies, while the UK’s ICO also underlines that PECR governs cookie use, and legitimate interest cannot substitute for consent where it is mandated by law. Companies operating in multiple jurisdictions must navigate these differences carefully, ensuring that their cookie consent mechanisms are compliant across regions.
The Advertising Industry’s Stance
Within the digital advertising ecosystem, some stakeholders, such as IAB Europe, have pushed for a more flexible approach to the use of legitimate interests for cookies. However, this approach is fraught with challenges, especially in light of the EDPB’s stance, which firmly places consent as the most appropriate legal basis for data processing in digital advertising. The Berlin Group also supports this view, questioning whether legitimate interests in the digital advertising sector can ever outweigh an individual’s right to privacy. This tension is evident in the way digital advertising platforms manage cookies and user tracking, with many still relying heavily on consent to mitigate the legal risks associated with using legitimate interests.
What’s Next for Cookie Compliance?
The debate surrounding legitimate interests and cookies is far from over. As more companies explore legitimate interest assessments (LIAs) as a legal basis for cookie usage, the ongoing regulatory scrutiny suggests that consent will remain the primary legal basis for the foreseeable future. Companies need to stay vigilant, ensuring their cookie consent mechanisms are robust, transparent, and compliant with both GDPR and ePrivacy rules. Furthermore, as regulatory guidance continues to evolve, businesses must remain adaptable, possibly integrating tools like the IAB TCF to manage consent and legitimate interests in a way that balances user rights and commercial needs.
Conclusion
While legitimate interests offer a theoretical alternative to consent for certain types of data processing, it is clear that when it comes to cookies and tracking technologies, legitimate interests face significant regulatory and ethical hurdles. Consent remains the most viable and compliant legal basis, particularly in the realms of digital advertising and tracking. Organisations must prioritise transparent consent mechanisms, respect user privacy, and stay aligned with the evolving regulatory landscape to avoid compliance risks.
By staying ahead of these developments and integrating privacy by design, businesses can position themselves not only as compliant entities but as leaders in responsible data practices.
For further reading, check out related guidance from regulators like the ICO and CNIL, or explore the IAB Transparency and Consent Framework.