The cookie conundrum: Balancing privacy, compliance and user experience and the quest for strategic GDPR-compliant user privacy

Noémie Weinbaum and Roy Kamp
Additional contact information
Noémie Weinbaum: PS Expertise, Czech Republic
Roy Kamp: UKG, The Capitol Building, UK

Journal of Data Protection & Privacy, 2025, vol. 7, issue 2, 179-195

Abstract: The digital landscape has witnessed a significant transformation since the introduction of cookies in the mid-1990s, evolving from simple user tracking mechanisms to complex tools integral to online user experiences and targeted advertising. This evolution, however, has not come without consequences; the proliferation of cookies has raised substantial concerns regarding user privacy and data security, prompting the development of regulatory frameworks such as the General Data Protection Regulation (GDPR)1 and the ePrivacy Directive.2 This paper undertakes a critical analysis of the intricate intersection between cookies, the ePrivacy Directive and the GDPR, with a particular focus on the IAB Belgium ruling.3 This landmark case has catalysed significant changes in consent practices, reshaping the digital advertising ecosystem and compelling businesses to reassess their data protection strategies. Notably, the ruling reinforces the primacy of consent under GDPR for cookie deployment, particularly in the context of personalised advertising. The decision also brings into stark relief the unresolved tension between consent-based models and the use of legitimate interest as an alternative legal basis for data processing. While the IAB Belgium ruling firmly aligns with the GDPR’s stringent consent requirements, the European Court of Justice’s (ECJ) subsequent rulings on legitimate interest introduce a potential divergence. For example, in the Koninklijke Nederlandse Lawn Tennisbond (KNLTB) case,4 the court recognised commercial legitimate interest as a lawful basis for processing data, yet this recognition did not extend to cookies, which are central to behavioural advertising and commercial profiling. The recent European Data Protection Board (EDPB) guidelines5 further complicate this regulatory landscape, as they emphasise the need for legitimate interest assessments but offer limited insight into how this legal basis should apply to cookies. This confluence of judicial and regulatory decisions underscores the ongoing challenges in harmonising legitimate interest with cookie-related data processing, calling for a more cohesive regulatory framework. As organisations navigate this complex regulatory environment, the insights provided in this paper aim to serve as a valuable resource for understanding the evolving dynamics of cookie compliance and the broader implications for data protection in the digital age. The paper ultimately seeks to inform stakeholders of the pressing need for accountability and user-centric approaches in the realm of digital privacy.

Keywords: cookies; ePrivacy; GDPR; LGPD; PIPEDA; DPDPA; CCPA; IAB; Planet49; data protection; privacy enhancing technologies; legitimate interest; consent (search for similar items in EconPapers)
JEL-codes: K2 (search for similar items in EconPapers)
Date: 2025
References: Add references at CitEc
Citations:

Downloads: (external link)
https://hstalks.com/article/9061/download/ (application/pdf)
https://hstalks.com/article/9061/ (text/html)
Requires a paid subscription for full access.

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:aza:jdpp00:y:2025:v:7:i:2:p:179-195

Access Statistics for this article

More articles in Journal of Data Protection & Privacy from Henry Stewart Publications
Bibliographic data for series maintained by Henry Stewart Talks ().