To process personal data, you must have a lawful basis. The GDPR provides six lawful bases, one of which is consent. But what about cookies?
If consent is required under the Cookie Law, you cannot rely on the full range of lawful bases provided by the GDPR, because the Cookie Law's requirements are separate from, and different from, those of the GDPR.
If you’re setting cookies, you need to look to Cookie Law first and comply with its specific rules, before considering any of the general rules of the GDPR.
That said, according to the ICO (the UK's Data Protection Authority), certain “strictly necessary” cookies (those essential to provide an online service at someone's request) are unlikely to require consent. However, it is still good practice to provide users with information about these cookies, even if you do not need consent.
If your cookies do not meet one of the exemptions, then you can only use consent – and this must be of the GDPR standard. If you have obtained consent in compliance with the Cookie Law, then consent is also the most appropriate lawful basis under the GDPR. Trying to apply another lawful basis (such as legitimate interests) when you already have GDPR-compliant consent would be completely unnecessary.
If your cookies meet one of the exemptions, then the requirement to obtain consent before setting them does not apply.
In some countries (e.g. Germany), analytics cookies could be based on a legitimate interest, but in general they are not exempt and, according to the ICO, always require consent.
Guidelines for cookie consent storage range from just a few months to 12 months. It’s important to check the guideline specific to the EU country that applies to you.
In any case, according to the ICO, it depends on the purpose of the cookie. You need to ensure that your use of the cookie is: