Cookies and Tracking Technologies
Cookies and tracking technologies are central to European data protection law, particularly under the General Data Protection Regulation (GDPR) and the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC). These technologies collect data from users' devices, often including personal data, making compliance a critical concern for organizations operating in Europe.
Cookies are small text files stored on a user's device when they visit a website. They serve various purposes, including session management, personalization, and analytics. Tracking technologies extend beyond cookies to include pixel tags, device fingerprinting, local storage objects, and similar mechanisms used to monitor user behavior across websites and applications.
Under the ePrivacy Directive, storing or accessing information on a user's terminal equipment requires prior informed consent, except for cookies strictly necessary for providing a service explicitly requested by the user. The GDPR reinforces this by requiring that consent be freely given, specific, informed, and unambiguous, typically through a clear affirmative action. Organizations must implement transparent cookie banners or consent management platforms (CMPs) that allow users to accept or reject non-essential cookies before they are deployed. Pre-ticked boxes or implied consent mechanisms are not considered valid under GDPR, as confirmed by the Court of Justice of the European Union in the Planet49 case (C-673/17).
Data protection authorities across Europe, such as the CNIL in France and the ICO in the UK, have issued guidance and enforcement actions requiring organizations to categorize cookies (e.g., strictly necessary, functional, analytics, advertising), provide granular consent options, and maintain detailed records of consent. The upcoming ePrivacy Regulation, intended to replace the ePrivacy Directive, aims to further harmonize rules across the EU. For CIPP/E professionals, understanding the interplay between the GDPR, ePrivacy Directive, and national implementations is essential to ensuring lawful use of cookies and tracking technologies while respecting individuals' privacy rights.
Cookies and Tracking Technologies: A Comprehensive Guide for CIPP/E Exam Preparation
Introduction
Cookies and tracking technologies are among the most heavily tested topics in the CIPP/E exam, sitting at the intersection of the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC), the General Data Protection Regulation (GDPR), and national implementing laws. Understanding how these rules interact is essential for both exam success and real-world compliance.
Why Are Cookies and Tracking Technologies Important?
Cookies and similar tracking technologies are the backbone of the modern internet. They enable website functionality, user authentication, analytics, behavioral advertising, and personalization. However, they also pose significant risks to individual privacy because they can:
• Track users across websites and devices without their knowledge
• Build detailed profiles of browsing behavior, preferences, and interests
• Enable invasive targeted advertising
• Store or access information on a user's terminal equipment without authorization
Because of these privacy implications, European data protection law imposes strict requirements on when and how organizations may use cookies and tracking technologies. Non-compliance can result in significant fines, reputational damage, and enforcement actions from supervisory authorities.
What Are Cookies and Tracking Technologies?
A cookie is a small text file placed on a user's device (computer, smartphone, tablet) by a website. Cookies store information that can be read by the website on subsequent visits.
Types of Cookies:
• First-party cookies: Set by the website the user is visiting directly. Used for session management, remembering preferences, and analytics.
• Third-party cookies: Set by a domain other than the one the user is visiting. Commonly used for cross-site tracking and behavioral advertising.
• Session cookies: Temporary cookies that expire when the browser is closed.
• Persistent cookies: Remain on the device for a set period or until manually deleted.
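The four cookie types above can be read straight off the Set-Cookie headers a page load produces, which is how a privacy audit usually starts. The script below is an added example, not code from the original page: it parses Set-Cookie headers, decides first-party versus third-party by comparing the cookie's effective domain with the visited host, and decides session versus persistent from the Max-Age and Expires attributes. The visited host (shop.example) and the sample headers are constructed data; the purpose of each cookie, and therefore whether it needs consent, still has to be mapped by hand, because purpose is not visible in the header.

```javascript
// Added example (not from the original page): classify the cookies a page load sets
// into first-/third-party and session/persistent. Host names and headers are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? parts[0] : parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Effective domain: the Domain attribute (leading dot stripped) or, when absent,
// the host that sent the header (host-only cookie).
function effectiveDomain(cookie, settingHost) {
  const d = typeof cookie.attrs.domain === 'string' ? cookie.attrs.domain : settingHost;
  return d.replace(/^\./, '').toLowerCase();
}

// First-party: the effective domain is the visited host or one of its parent domains.
function isFirstParty(domain, visitedHost) {
  const host = visitedHost.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Session cookies carry neither Max-Age nor Expires. Max-Age wins over Expires
// (RFC 6265); a non-positive Max-Age instructs the browser to delete the cookie.
function lifetime(cookie) {
  const maxAge = cookie.attrs['max-age'];
  if (typeof maxAge === 'string') {
    const seconds = Number(maxAge);
    return seconds > 0 ? { kind: 'persistent', maxAgeSeconds: seconds } : { kind: 'expired' };
  }
  if (typeof cookie.attrs.expires === 'string') {
    return { kind: 'persistent', expires: cookie.attrs.expires };
  }
  return { kind: 'session' };
}

// Classify every Set-Cookie header observed while loading a page on `visitedHost`.
// `responses` is a list of { host, setCookie } pairs, one per header seen.
function classifyCookies(visitedHost, responses) {
  return responses.map(({ host, setCookie }) => {
    const cookie = parseSetCookie(setCookie);
    const domain = effectiveDomain(cookie, host);
    return {
      name: cookie.name,
      domain,
      party: isFirstParty(domain, visitedHost) ? 'first-party' : 'third-party',
      lifetime: lifetime(cookie).kind,
    };
  });
}

// Constructed sample: headers observed while loading https://shop.example/
const SAMPLE_RESPONSES = [
  { host: 'shop.example', setCookie: 'sessionid=abc123; Path=/; Secure; HttpOnly' },
  { host: 'shop.example', setCookie: 'lang=en; Max-Age=31536000; Path=/' },
  { host: 'cdn.shop.example', setCookie: 'cart=42; Domain=.shop.example; Path=/' },
  { host: 'ads.tracker.example', setCookie: '_uid=xyz; Domain=.tracker.example; Expires=Fri, 31 Dec 2027 23:59:59 GMT; Path=/; SameSite=None; Secure' },
];

function sampleReport() {
  return classifyCookies('shop.example', SAMPLE_RESPONSES);
}

console.table(sampleReport());
```

The report lists one row per cookie: the two shop.example cookies and the CDN cookie scoped to .shop.example come out as first-party (one persistent, two session), while the tracker cookie comes out as third-party and persistent. The persistent and third-party rows are exactly the ones whose duration and third-party access Planet49 requires a site to disclose.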
Other Tracking Technologies:
• Web beacons (pixel tags/tracking pixels): Invisible images embedded in web pages or emails that track user behavior.
• Browser fingerprinting: Collecting device and browser configuration data to uniquely identify users without storing anything on their device.
• Local storage (HTML5): Similar to cookies but with greater storage capacity.
• ETags and cache-based tracking: Using HTTP cache mechanisms to track users.
• SDKs and mobile identifiers: Tracking technologies used in mobile applications.
The Legal Framework: How It Works
1. The ePrivacy Directive (Article 5(3))
The primary legal instrument governing cookies and tracking technologies in Europe is Article 5(3) of the ePrivacy Directive (often called the "Cookie Directive" after its 2009 amendment). This provision states that:
"The storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information..."
Key points:
• The rule applies to any information stored on or accessed from a user's terminal equipment — not just personal data.
• Consent is required before placing cookies or accessing stored information (prior consent).
• The user must receive clear and comprehensive information about the purposes of the cookies.
2. Exemptions from Consent
Article 5(3) provides two narrow exemptions where consent is not required:
• Strictly necessary cookies: Cookies whose sole purpose is to carry out the transmission of a communication over an electronic communications network.
• Cookies strictly necessary to provide a service explicitly requested by the user: For example, a shopping cart cookie, a session authentication cookie, or a cookie that remembers the user's language preference for the current session.
Important for the exam: Analytics cookies, advertising cookies, social media plug-in cookies, and most third-party cookies do not fall within these exemptions and therefore require consent.
3. The Consent Standard Under the GDPR
Since the ePrivacy Directive references consent, and the GDPR defines consent in Article 4(11) and sets out conditions in Article 7, the GDPR consent standard applies to cookies. This means consent must be:
• Freely given: The user must have a genuine choice. Access to a service must not be conditional on accepting non-essential cookies (no "cookie walls" unless there is a genuine alternative).
• Specific: Consent must be given for each distinct purpose (e.g., analytics vs. advertising).
• Informed: Users must be told who is setting the cookies, what data is collected, and for what purposes.
• Unambiguous indication by a clear affirmative action: Pre-ticked boxes, silence, scrolling, or continued browsing do not constitute valid consent.
4. Key CJEU Case Law
• Planet49 (Case C-673/17, 2019): The Court of Justice of the European Union (CJEU) ruled that:
- Pre-ticked checkboxes do not constitute valid consent for cookies.
- Consent must be an active, affirmative act.
- Users must be informed about the duration of cookies and whether third parties have access to the cookies.
- These rules apply regardless of whether the cookie data constitutes personal data.
• Fashion ID (Case C-40/17, 2019): A website that embeds a third-party social media plug-in (e.g., a Facebook "Like" button) is a joint controller with the social media company for the collection and transmission of personal data triggered by the plug-in. The website operator must obtain consent before the plug-in collects data.
5. Relationship Between the ePrivacy Directive and the GDPR
This is a critical concept for the exam:
• The ePrivacy Directive is lex specialis (a specific law) in relation to the GDPR (lex generalis / general law).
• Article 5(3) of the ePrivacy Directive governs the act of storing or accessing information on a device.
• The GDPR governs the subsequent processing of personal data collected via cookies.
• Both frameworks apply simultaneously: you need a lawful basis under Article 5(3) ePrivacy Directive to place the cookie, and a lawful basis under the GDPR to process any personal data collected through the cookie.
• For non-exempt cookies, consent serves as the legal basis under both instruments.
6. National Implementation
Because the ePrivacy Directive is a directive (not a regulation), it must be transposed into national law by each EU Member State. This has led to some variation:
• France (CNIL): Has issued detailed guidance on cookies, requiring granular consent mechanisms and specific information. Has issued significant fines (e.g., against Google and Amazon for cookie violations).
• Germany: The TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz) codifies Article 5(3) requirements. Consent is required for non-essential cookies.
• UK: The Privacy and Electronic Communications Regulations (PECR) implement Article 5(3). The ICO enforces cookie compliance.
• Spain (AEPD): Has published cookie guidelines requiring layered consent mechanisms.
• Italy (Garante): Has issued detailed cookie guidelines requiring a two-tier notice and consent approach.
7. The Proposed ePrivacy Regulation
The European Commission proposed an ePrivacy Regulation in 2017 to replace the ePrivacy Directive. Key proposed changes include:
• Direct applicability across all EU Member States (no transposition needed)
• Broader scope covering new technologies (e.g., IoT, machine-to-machine communications)
• Cookie consent management through browser settings
• Harmonized enforcement with GDPR-level fines
Note for the exam: The ePrivacy Regulation has been subject to lengthy negotiations and, as of current knowledge, has not yet been adopted. Be aware of its existence and proposed changes but focus primarily on the current ePrivacy Directive and GDPR framework.
Practical Compliance: Cookie Consent Mechanisms
Organizations typically implement compliance through:
• Cookie banners: Pop-up or overlay notices that appear when a user first visits a website, providing information and requesting consent.
• Consent management platforms (CMPs): Tools that manage cookie preferences, record consent, and block non-essential cookies until consent is obtained.
• Cookie policies: Detailed documents listing all cookies used, their purposes, duration, and third-party recipients.
• Granular consent options: Allowing users to accept or reject cookies by category (e.g., necessary, analytics, marketing, preferences).
Best practices include:
• No cookies (other than strictly necessary ones) should be placed before consent is obtained.
• Consent must be as easy to withdraw as it is to give.
• Records of consent should be maintained.
• Cookie preferences should be regularly refreshed (many supervisory authorities suggest every 6-12 months).
• "Accept all" and "Reject all" buttons should be equally prominent (per guidance from CNIL and other DPAs).
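The best practices above describe behaviour a consent management platform has to enforce in code: nothing non-essential loads before an affirmative choice, "reject all" is a valid choice that stops the banner reappearing, withdrawal is a single call, and a stale record is treated as no consent. The following is an added example, not the page's own code or any vendor's CMP, written as pure functions so it runs outside a browser. The category names, the tag registry and the 6-month refresh window (the lower end of the 6-12 months quoted above) are assumptions for the example.

```javascript
// Added example (not from the original page): gating logic of a minimal consent manager.
// Categories, tag registry and the refresh window are assumptions for illustration.

const STRICTLY_NECESSARY = 'necessary';
const CONSENT_CATEGORIES = ['analytics', 'marketing', 'preferences'];
const REFRESH_AFTER_MS = 183 * 24 * 60 * 60 * 1000; // ~6 months, then the choice must be refreshed

// Default state: no record at all. Silence, scrolling or browsing never creates one.
function createConsentState() {
  return { record: null };
}

// Store exactly the categories the user affirmatively chose, with the time of the choice.
// An empty list is "reject all": a valid, recorded choice that loads nothing non-essential.
function grantConsent(state, chosen, now) {
  for (const c of chosen) {
    if (!CONSENT_CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
  }
  return { ...state, record: { categories: [...new Set(chosen)], at: now } };
}

// Withdrawal is one call, the same effort as granting (Article 7(3) GDPR).
function withdrawConsent(state, now) {
  return grantConsent(state, [], now);
}

// A record counts only while it is younger than the refresh window.
function isRecordCurrent(state, now) {
  const r = state.record;
  return r !== null && now - r.at >= 0 && now - r.at <= REFRESH_AFTER_MS;
}

// The banner is shown whenever there is no current record.
function needsBanner(state, now) {
  return !isRecordCurrent(state, now);
}

// Strictly necessary tags always run; anything else needs a current record naming its category.
function isAllowed(state, category, now) {
  if (category === STRICTLY_NECESSARY) return true;
  return isRecordCurrent(state, now) && state.record.categories.includes(category);
}

// Constructed registry of tags the site would otherwise load unconditionally.
const TAG_REGISTRY = [
  { id: 'session-keepalive', category: 'necessary', src: 'https://shop.example/js/session.js' },
  { id: 'web-analytics', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { id: 'ad-pixel', category: 'marketing', src: 'https://ads.example/pixel.js' },
  { id: 'theme-memory', category: 'preferences', src: 'https://shop.example/js/theme.js' },
];

// Partition the registry into tags that may load now and tags that are held back.
function gateTags(state, now, registry = TAG_REGISTRY) {
  const load = [];
  const hold = [];
  for (const tag of registry) (isAllowed(state, tag.category, now) ? load : hold).push(tag);
  return { load: load.map((t) => t.id), hold: hold.map((t) => t.id) };
}

// Walk through a user's lifecycle with constructed timestamps.
function demo() {
  const t0 = Date.UTC(2024, 0, 1);
  let state = createConsentState();
  const beforeChoice = gateTags(state, t0);                 // necessary only
  state = grantConsent(state, ['analytics'], t0);
  const afterGrant = gateTags(state, t0 + 1000);            // necessary + analytics
  const afterWindow = gateTags(state, t0 + REFRESH_AFTER_MS + 1); // record stale: necessary only
  state = withdrawConsent(state, t0 + 2000);
  const afterWithdraw = gateTags(state, t0 + 3000);         // necessary only, no banner
  return { beforeChoice, afterGrant, afterWindow, afterWithdraw, bannerAfterWithdraw: needsBanner(state, t0 + 3000) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that the absence of a record and an expired record both gate exactly like a rejection: the held-back list is what a supervisory authority's test (visiting the site and watching which requests fire before any click) would check against.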
Common Exam Scenarios and How to Approach Them
Scenario 1: A website uses a pre-ticked checkbox for analytics cookies.
Answer: This is not valid consent per Planet49. Consent must involve a clear affirmative action.
Scenario 2: A website states that continued browsing constitutes consent to cookies.
Answer: This is not valid consent. Scrolling or continuing to browse does not meet the GDPR's requirement for unambiguous indication by a clear affirmative action.
Scenario 3: A website embeds a third-party analytics tool that places cookies.
Answer: The website operator must ensure consent is obtained before the third-party cookie is placed. The website operator may be considered a joint controller with the third party (per Fashion ID).
Scenario 4: A cookie wall blocks access to content unless the user accepts all cookies, with no alternative offered.
Answer: This likely invalidates consent because it is not freely given. However, note that some DPAs (e.g., the Dutch DPA and the French Conseil d'État) have taken nuanced positions — the EDPB's guidance suggests cookie walls generally do not result in valid consent unless there is a genuine equivalent alternative (e.g., a paid option).
Scenario 5: A session cookie is used to maintain a user's shopping cart.
Answer: This falls within the exemption — it is strictly necessary to provide a service explicitly requested by the user. No consent required.
Scenario 6: A website uses browser fingerprinting instead of cookies to track users.
Answer: Article 5(3) of the ePrivacy Directive applies to accessing information stored in terminal equipment, which includes reading device/browser configuration data. Browser fingerprinting therefore falls within scope and typically requires consent.
Exam Tips: Answering Questions on Cookies and Tracking Technologies
1. Always start with Article 5(3) of the ePrivacy Directive. When a question involves cookies or tracking technologies, your first reference point should be the ePrivacy Directive, not the GDPR. The ePrivacy Directive is lex specialis and specifically addresses the act of placing or reading information on a user's device.
2. Know the two exemptions by heart. The exam frequently tests whether a particular cookie requires consent. Remember: only cookies strictly necessary for (a) transmission of a communication or (b) providing a service explicitly requested by the user are exempt. If in doubt, the cookie probably requires consent.
3. Apply the GDPR consent standard. When consent is required, apply the full GDPR definition: freely given, specific, informed, and unambiguous indication by a clear affirmative action. Pre-ticked boxes, implied consent, and continued browsing are never valid.
4. Remember Planet49. This is the single most important case for cookie questions. Know the key holdings: no pre-ticked boxes, active consent required, information about duration and third-party access must be provided, and the rules apply regardless of whether personal data is involved.
5. Understand the lex specialis relationship. If a question asks about the relationship between the ePrivacy Directive and the GDPR, emphasize that the ePrivacy Directive takes precedence for matters within its scope (storing/accessing information on terminal equipment), while the GDPR applies to the subsequent processing of personal data.
6. Don't forget Fashion ID for third-party plug-ins. If a scenario involves social media buttons, embedded videos, or third-party widgets, consider joint controllership and the requirement for prior consent.
7. Distinguish between types of cookies. The exam may describe a cookie's function without naming it. Be prepared to classify it (session/persistent, first-party/third-party, necessary/analytics/marketing) and determine whether consent is required.
8. Be aware of national variations but focus on the Directive. The exam is European in scope, so focus on the ePrivacy Directive and GDPR framework. However, be aware that national implementations may vary, and questions may reference specific national rules (e.g., PECR in the UK, TTDSG in Germany).
9. Watch for trick answers involving legitimate interest. A common distractor in exam questions suggests using "legitimate interest" under Article 6(1)(f) GDPR as a basis for placing non-essential cookies. This is incorrect — Article 5(3) of the ePrivacy Directive requires consent for non-exempt cookies, and legitimate interest is not an alternative legal basis for the act of placing or reading cookies.
10. Consider the proposed ePrivacy Regulation. If a question asks about future developments or proposed changes, mention the ePrivacy Regulation proposal, browser-based consent settings, and harmonized enforcement. But do not confuse proposed rules with current law.
11. Read the question carefully for scope. Article 5(3) applies to any information stored or accessed on terminal equipment, not just personal data. This is a key distinction from the GDPR, which only applies to personal data. If a question emphasizes that no personal data is collected, the ePrivacy Directive still applies to the act of placing or reading the cookie.
12. Withdrawal of consent must be easy. If an exam question describes a scenario where a user can accept cookies with one click but must navigate through multiple menus to withdraw consent, this violates Article 7(3) GDPR — withdrawal must be as easy as giving consent.
Summary Table for Quick Review:
Cookie Type → Consent Required?
• Strictly necessary (e.g., session, authentication, load balancing) → No
• User-input cookies (e.g., shopping cart, language) → No (if session-based and user-requested)
• Analytics cookies (e.g., Google Analytics) → Yes
• Advertising/marketing cookies → Yes
• Third-party tracking cookies → Yes
• Social media plug-in cookies → Yes
• Preference cookies (persistent) → Generally Yes (unless strictly necessary for a requested service)
By mastering the interplay between the ePrivacy Directive, the GDPR, key case law, and practical compliance mechanisms, you will be well-prepared to answer any CIPP/E exam question on cookies and tracking technologies with confidence.