Cookies & Consent

Broadly speaking, the user's consent is required whenever personal data is collected, processed or shared with third parties. The more specific general rule is as follows:

The use of services that are not strictly necessary for delivering the service explicitly requested by the user requires the user's explicit and freely given consent. The consent must be given before such services can be used. No user may be excluded from using a service for having declined the use of services that are not strictly necessary.

That in turn means that no consent is required for any type of data storage, collection and processing that is strictly necessary for the services explicitly requested by the user. In that particular case, even a banner informing the user about the use of cookies is not necessary. A visible link to a cookie or privacy policy describing the use of cookies, data, etc. is sufficient in this case.

Strictly necessary cookies are:

  • Consent cookies (storing whether consent is given)
  • Security-related cookies
      • to detect authentication abuses
      • to mitigate cross-site request forgery
  • Session cookies
  • Load-balancing session cookies
  • Content Delivery Network session cookies
  • Multimedia player session cookies
  • Cookies saving a shopping cart's contents / session if anything's explicitly added to the basket
  • ...

These types of cookies require consent:

  • Statistical analytics (e.g. Google Analytics)
  • Targeted advertising
  • Third-party applications if not strictly necessary (e.g. Disqus comments field under a blog post, if the comments field is not strictly necessary for the requested service)
  • ...

Further reading: