Is CNAME cloaking for setting cookies legal? Does it eliminate the need to obtain consent?
ANSWER
As a general rule, CNAME cloaking is not, in itself, contrary to personal data protection laws. However, organizations using this technique must still comply with all applicable information and transparency requirements, particularly those concerning the identity of the data controller and the processing of personal data. Where required by law, valid user consent must also be obtained.
It should be emphasized that CNAME cloaking does not exempt an organization from obtaining consent for cookies when such consent is legally required. The use of this technical solution does not change the legal obligations related to cookie storage and access to information on a user's device.
It is also important to note that an improper implementation of CNAME cloaking may result in personal data protection violations.
In particular, there is a risk that third parties could gain access to authentication tokens stored in cookies. Such a situation may lead to significant security issues, especially in the context of online services involving sensitive information, such as:
- insurance services,
- banking services,
- other platforms processing confidential user data.
Therefore, while CNAME cloaking can be used as a technical solution, it does not remove the requirement to comply with data protection regulations, transparency obligations, or cookie consent requirements where those requirements apply. Additionally, organizations should carefully assess the security implications of its implementation to prevent unauthorized access to user information.
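One way the token exposure described above arises is a session cookie scoped with a `Domain` attribute to the parent domain, which browsers then also send to the cloaked subdomain. The following audit check is an added example, not part of the original answer; the hostnames, cookie values and function names are constructed for illustration, and cookie `Path` matching is ignored.

```python
# Added example: list first-party cookies a browser would also send to
# CNAME-cloaked subdomains. Hostnames and cookie values are constructed.

def parse_set_cookie(header):
    """Return (cookie name, lower-cased attribute dict) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def domain_match(host, cookie_domain):
    """RFC 6265 domain matching: exact host or any subdomain of cookie_domain."""
    host, cookie_domain = host.lower().rstrip("."), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)

def exposed_cookies(origin_host, set_cookie_headers, cloaked_hosts):
    """Map each cloaked subdomain to the cookie names it would receive."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", "").lstrip(".")
        for host in cloaked_hosts:
            if domain:
                sent = domain_match(host, domain)
            else:
                # No Domain attribute: host-only cookie, never sent to siblings.
                sent = host.lower() == origin_host.lower()
            if sent:
                findings.setdefault(host, []).append(name)
    return findings

# Constructed sample: responses from the origin and its DNS CNAME records.
ORIGIN = "www.bank.example"
HEADERS = [
    "session=abc123; Domain=bank.example; Path=/; Secure; HttpOnly",
    "csrf=xyz789; Path=/; Secure; SameSite=Strict",
    "prefs=dark; Domain=www.bank.example; Path=/",
]
CLOAKED = {"metrics.bank.example": "collector.tracker.example"}

if __name__ == "__main__":
    for host, names in exposed_cookies(ORIGIN, HEADERS, CLOAKED).items():
        print(f"{host} -> {CLOAKED[host]} receives: {', '.join(names)}")
```

`HttpOnly` and `SameSite` do not prevent this, since the cloaked host is same-site and receives the cookie in the request headers; leaving out `Domain` or using the `__Host-` prefix keeps the cookie host-only.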


