The cookie conundrum: Balancing privacy, compliance and user experience and the quest for strategic GDPR-compliant user privacy
Abstract
The digital landscape has witnessed a significant transformation since the introduction of cookies in the mid-1990s, evolving from simple user tracking mechanisms to complex tools integral to online user experiences and targeted advertising. This evolution, however, has not come without consequences; the proliferation of cookies has raised substantial concerns regarding user privacy and data security, prompting the development of regulatory frameworks such as the General Data Protection Regulation (GDPR)1 and the ePrivacy Directive.2 This paper undertakes a critical analysis of the intricate intersection between cookies, the ePrivacy Directive and the GDPR, with a particular focus on the IAB Belgium ruling.3 This landmark case has catalysed significant changes in consent practices, reshaping the digital advertising ecosystem and compelling businesses to reassess their data protection strategies. Notably, the ruling reinforces the primacy of consent under GDPR for cookie deployment, particularly in the context of personalised advertising. The decision also brings into stark relief the unresolved tension between consent-based models and the use of legitimate interest as an alternative legal basis for data processing. While the IAB Belgium ruling firmly aligns with the GDPR’s stringent consent requirements, the European Court of Justice’s (ECJ) subsequent rulings on legitimate interest introduce a potential divergence. For example, in the Koninklijke Nederlandse Lawn Tennisbond (KNLTB) case,4 the court recognised commercial legitimate interest as a lawful basis for processing data, yet this recognition did not extend to cookies, which are central to behavioural advertising and commercial profiling. The recent European Data Protection Board (EDPB) guidelines5 further complicate this regulatory landscape, as they emphasise the need for legitimate interest assessments but offer limited insight into how this legal basis should apply to cookies. 
This confluence of judicial and regulatory decisions underscores the ongoing challenges in harmonising legitimate interest with cookie-related data processing, calling for a more cohesive regulatory framework. As organisations navigate this complex regulatory environment, the insights provided in this paper aim to serve as a valuable resource for understanding the evolving dynamics of cookie compliance and the broader implications for data protection in the digital age. The paper ultimately seeks to inform stakeholders of the pressing need for accountability and user-centric approaches in the realm of digital privacy.
The full article is available to subscribers to the journal.
Author's Biography
Noémie Weinbaum, French attorney at law, is currently a consultant specialising in data protection and artificial intelligence at PS Expertise. With nearly 25 years’ experience in risk management, regulatory compliance and data security, she holds several advanced certifications, including Data Protection Officer (DPO) and Fellow of Information Privacy (FIP) at the International Association of Privacy Professionals (IAPP), Certificate in Investment Performance Measurement (CIPM), Certified Information Privacy Professionals Europe/United States (CIPP/E/US) and Artificial Intelligence Governance Professional (AI GP). Throughout her career, Noémie has directed multidisciplinary teams at organisations such as McAfee, Natixis and UKG, where she spearheaded the development of privacy governance frameworks and programmes that comply with international regulatory standards. A regular contributor to academic and professional discourses, Noémie frequently presents at conferences and publishes on critical topics such as GDPR compliance, AI governance and cyber security crisis management.
Roy Kamp is a distinguished legal expert specialising in emerging technologies, with extensive experience in the oversight and implementation of data protection frameworks for multinational corporations. Currently serving as Legal Director for Central and Northern Europe at UKG, he manages complex contractual negotiations and oversees the strategic direction of personal data governance. Prior to this role, Roy held the position of Data Protection Officer (DPO) at both Wayfair and McAfee, where he was responsible for ensuring compliance with data protection laws and managing privacy-related risk. He is a certified Fellow of Information Privacy (FIP) and holds multiple certifications from the International Association of Privacy Professionals (IAPP), including Certified Information Privacy Professionals Europe (CIPP/E), Certified Information Privacy Professionals United States (CIPP/US) and Certificate in Investment Performance Measurement (CIPM). Roy’s expertise encompasses the operationalisation of the General Data Protection Regulation (GDPR), litigation management and regulatory compliance within global corporate environments.