GDPR questions and answers

Category:
Cookie Files

What is the legal basis for processing cookies? Many websites use checkboxes that allow users to select the legal basis for processing. Can the legal basis be either the controller's legitimate interest (Article 6(1)(f) GDPR) or the user's consent?

ANSWER

Yes, I can confirm that this practice is quite common. However, I consider it incorrect.

This is because, with regard to storing cookies or accessing information already stored on a subscriber's or end user's terminal device, Articles 173 and 174 of the Polish Telecommunications Law (UPT) apply directly as lex specialis (special regulations taking precedence over general GDPR provisions).

Under Article 173(1) of the UPT, the installation of cookies and the use of information already stored on a user's terminal device are permitted only after obtaining the consent of the subscriber or end user.

Before consent is given, the user must be clearly, easily, and comprehensibly informed about:

1) The purpose of storing and accessing the information (i.e., the purpose of the cookies).

2) The possibility of determining the conditions for storing or accessing the information through the settings of software installed on the user's telecommunications terminal device or through service configuration settings.

Article 173(2) of the UPT states that the subscriber or end user may provide consent through the settings of software installed on the telecommunications terminal device or through service configuration settings.

At the same time, Article 174 of the UPT provides that the rules governing consent under personal data protection legislation apply when obtaining such consent. Therefore, consent must constitute a freely given, specific, informed, and unambiguous indication of the user's wishes, by which the data subject agrees to the processing of their personal data.

It follows clearly from the above that the placement of statistical/analytics cookies (as a category of cookies that are not strictly necessary for the operation of a website) should be based on the user's consent.

Therefore, relying on the controller's legitimate interest as the legal basis for storing or accessing non-essential cookies is generally not appropriate. Such cookies should only be activated after valid consent has been obtained from the user.

What is the legal basis for processing cookies? | ODO 24 | ODO 24