Cookie consent still needed even if only non personal data are sent?

Hi all,

Is it correct hat cookie consent is still required even if only anonymized and non-personal data are sent to Google, Facebook, Pinterest etc.?

I have spoken to several lawyers and data protection officers regarding this topic already. Most of them said that cookie consent might not be required if you make sure that only non-personal data are sent to third parties with the aid of server side tracking. But some still think that it might be safer to use CMP?

I am really confused. In my opinion, using stape.io’s Power-up “Anonymizer” is very powerful because it will help you sending only non-personal data to third party vendors.

I know that you guys can’t assume liability for your answers. I just want to discuss this topic with you guys.

Tnx for your answers.

Kind regards,
Melvin at Kapwa Marketing

Hi Melvin,

We always let the customer define the approach, like you said - we’re not the ultimate authority on the matter.

You should also consider, that cookie banners regulate not only sending of signal, but setting of cookies themselves. If you don’t apply consent to your tags (even when using anonymizer) most of the tags will set the cookies, which would be a violation.

Hi Dan,

Thank you for your comment.

The cookies that are set are first-party cookies. And in my understanding, these cookies only send data to sGTM!? With the aid of “anonymizer”, we are able to remove / hash / anonymize all personal data.

If only non-personal data are sent to Google, Facebook etc: Why is it still a GDPR topic? This is what I do not really get here.

Setting of cookies is surely not GDPR-compliant if personal data are sent without any consent. But sending non-personal data to third party vendors shouldn’t be a violation. Or what do I miss here?

Kind regards,
Melvin at Kapwa Marketing

Hey Melvin,

First party-cookies don’t necessarily mean httpOnly cookies, most of them are still accessible with JS, although only the first-party domain.

Now the problem if you’ve set a cookie - you already violated the regulation, that’s my impression. At the very least you’ve ignored users decision to forbid it from happening, even if you don’t actually send it further.

Complicated topic, as you’ve already figured. Bottom line here is, whatever your DPO/lawyers tell you - can then be implemented, GTM+sGTM is a robust tool, so you can achieve whatever behaviour you want.

Hi Dan,

I have recently talked to another privacy policy expert and he said that there is no need for cookie consent for the use of GA4 (server-side and anonymized) if the _ga cookie is not set.

I guess, you are already aware of the possibilities of using GA4 (server side) without setting any cookies?

The problem is: If you use cookieless GA4, I assume that we use a lot of data (with regards to returning visitors,…)?

Kind regards,
Melvin

Hey Melvin,

GA4 nis not really designed to be used cookie-less, but I suggest you check this out: Cookieless via Stapes Advanced GA4 tag - #3 by jonas

Dan