- FDPIC publishes updated cookie guidelines, version 1.1, with a delta view against the original version, on October 6, 2025.
- Amendment: Proportionality of non-essential cookies is relativized; the standard is the processing purpose set by the controller.
- Guidelines address location data: high identification risk, possible profiling, DPIA obligation for sensitive inferences.
- New: Note on paywalls; FDPIC plans awareness-raising campaign and further supervisory steps.
Today, on October 6, 2025, the FDPIC published an updated version of his cookie guidelines dated January 22, 2025 (see also our contribution at that time). The current version is version 1.1. The initial version can be downloaded here (PDF).
This is an unusual approach by the FDPIC, but a welcome one. If guidelines are adapted, this allows the public to make constructive comments. Interested parties can thus put forward their positions without having to go to court, even if – as was previously the case – they do not have the opportunity to comment on a draft.
The main change concerns proportionality. The old version of the guidelines made the blanket statement that unnecessary cookies are generally disproportionate. The current version moves away from this particularly criticized position:
- It still says that unnecessary cookies violate the principle of proportionality.
- However, reference is now made to the previous definition of the necessary cookies.
- There, the guidelines now rightly state that it is the controller who sets the processing purpose and that proportionality is measured against this purpose:
Which cookies and similar technologies are technically necessary to ensure the functional feasibility of the desired processing depends on the purpose that the controller is pursuing with a specific data processing and cannot be answered in general terms.
In other words, the guidelines no longer imply that non-essential cookies violate personal privacy.
The guidelines now also explicitly address location data (but without defining it; the indication of a country or a city cannot be understood as location data):
- When collecting location data that leads to movement profiles, a “high probability of identification of persons” must be assumed “in practice”.
- Depending on the duration and radius, the collection of geolocation data could lead to high-risk profiling if this data alone or in combination with other data leads to precise movement profiles that allow conclusions to be drawn about key aspects of the user’s personality. This is also possible by combining imprecise location data.
- Movement profiles can lead to “sensitive conclusions about privacy” through the evaluation of repeatedly visited locations (e.g. doctor’s and lawyer’s offices). This may require a DPIA.
- In the case of apps for billing passenger transportation, the collection of location data is disproportionate and requires consent.
At the end there is also a new note on paywalls.
In the communication on the update, the FDPIC announced his intention to carry out an “awareness-raising campaign aimed at a wider audience” and then to initiate the “necessary supervisory steps in accordance with the guidelines”.