Court Ruling: Cookie Data May Qualify as Sensitive Personal Data Under GDPR
TL;DR — Quick Answer
A court ruled that cookie browsing data can be sensitive personal data under GDPR if it reveals health, political, or religious information, requiring explicit consent and DPIAs that most analytics setups lack.
A court ruling has established that data collected through cookies can constitute sensitive personal data under the GDPR when it can be used to infer information about health, political beliefs, sexual orientation, or other protected categories. This significantly raises the compliance bar for cookie-based analytics and advertising.
The Legal Reasoning
The GDPR defines special categories of sensitive data including health information, political opinions, religious beliefs, and sexual orientation. Traditionally, these categories were interpreted narrowly. The ruling expanded this interpretation: if data can be used to infer sensitive information -- even if that was not the original collection purpose -- it must be treated as sensitive data.
Why Cookie Data Is Affected
Browsing history collected through cookies inevitably reveals sensitive information. A user visiting health-related websites, political party pages, or religious organizations generates data from which sensitive inferences can be drawn. Since cookie-based analytics collect browsing patterns at scale, the probability that any dataset contains sensitive inferences is extremely high.
Compliance Implications
Sensitive data processing under the GDPR requires explicit consent -- a higher standard than ordinary consent. It may also trigger mandatory data protection impact assessments. Most cookie consent mechanisms do not meet the threshold for explicit consent, and most organizations have not conducted DPIAs for their analytics implementations.
The Takeaway
This ruling makes the compliance position of cookie-based analytics significantly more precarious. Organizations that avoid collecting browsing data altogether -- through cookieless, privacy-first analytics -- are unaffected because they never create datasets from which sensitive inferences could be drawn.