Disclaimer: I’m a Software Engineer who has spent a bunch of time working on issues relating to the GDPR from a systems design/security/process point of view. I’m definitely not a lawyer so this is my perspective and not legal advice. If you want legal advice, get a lawyer.
Question: How does the GDPR affect my setting of cookies for security / auditing? (revisiting this question)
A few years back I wrote about How does the GDPR affect my setting of cookies? and at the time commented that:
"There are other lawful reasons for processing personal data covered under Article 6 'Lawfulness of processing', but none of these really apply to a general website and its setting of cookies."
I’d like to revisit this – particularly from the point of view of the legitimate interest of fraud detection and network/system security.
For more information on this see: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/legitimate-interests/what-is-the-legitimate-interests-basis/
Services such as CAPTCHA providers use cookies to check that a legitimate user is accessing a website (and to let the website protect itself from bots and other attackers). This is an example of a formal "legitimate interest" for using cookies: Recital 49 of the GDPR specifically describes processing that is strictly necessary and proportionate for ensuring network and information security (for example detecting and stopping attacks) as a legitimate interest. Note that legitimate interest is the lawful basis for the personal data the cookie carries; the setting of the cookie itself is also subject to the ePrivacy/PECR rules, where security cookies are generally treated as "strictly necessary" for the service the user asked for.
To keep this defensible, these cookies should be used only for site security (never shared between that and analytics or advertising purposes), should carry no more data than the security function needs, and should expire within a reasonable time (a short Max-Age, or a session cookie that is discarded when the browser closes) to minimise any tracking of the user.
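As an added example (not code from the original post or from any CAPTCHA provider), the following Node.js snippet builds a Set-Cookie header for a cookie that is used only for site security, and audits an arbitrary Set-Cookie header against the same policy: Secure, HttpOnly, a non-None SameSite, and a lifetime of at most 24 hours (the 24-hour ceiling and the cookie name `__Host-anti_abuse` are assumptions for illustration).

```javascript
// Added example, not from the original post: build a security-only cookie and
// audit Set-Cookie headers so that security cookies stay scoped and short-lived.
// MAX_SECURITY_COOKIE_AGE (24h) and the cookie names used are illustrative assumptions.

const MAX_SECURITY_COOKIE_AGE = 60 * 60 * 24; // assumption: 24h counts as "reasonable"

// Build a Set-Cookie header for a cookie used only for site security.
// maxAgeSeconds undefined => session cookie (discarded when the browser closes).
function securityCookieHeader(name, value, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_\-]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;,\s]/.test(value)) throw new Error('cookie value must not contain ; , or whitespace');
  // Path=/ plus Secure is required for the __Host- prefix; HttpOnly keeps scripts
  // (including third-party ones) from reading the token; SameSite=Strict stops it
  // being sent on cross-site requests, which also limits its use for tracking.
  const parts = [`${name}=${value}`, 'Path=/', 'Secure', 'HttpOnly', 'SameSite=Strict'];
  if (maxAgeSeconds !== undefined) {
    if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0 || maxAgeSeconds > MAX_SECURITY_COOKIE_AGE) {
      throw new Error(`Max-Age must be 1..${MAX_SECURITY_COOKIE_AGE} seconds`);
    }
    parts.push(`Max-Age=${maxAgeSeconds}`);
  }
  return parts.join('; ');
}

// Parse one Set-Cookie header into { name, value, attrs }; attribute names lower-cased,
// flag attributes (Secure, HttpOnly) stored as true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Audit a Set-Cookie header against the security-cookie policy.
// now = reference time in ms for Expires checks. Returns a list of findings;
// an empty list means the cookie meets the policy.
function auditSecurityCookie(header, now = Date.now()) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) findings.push('missing Secure');
  if (!attrs.httponly) findings.push('missing HttpOnly');
  if (!attrs.samesite || String(attrs.samesite).toLowerCase() === 'none') {
    findings.push('SameSite missing or None');
  }
  let lifetime; // seconds; undefined => session cookie, which is fine
  if (attrs['max-age'] !== undefined) {
    lifetime = Number(attrs['max-age']);
    if (Number.isNaN(lifetime)) findings.push('unparseable Max-Age');
  } else if (attrs.expires !== undefined) {
    const t = Date.parse(attrs.expires); // RFC 1123 dates parse in V8
    if (Number.isNaN(t)) findings.push('unparseable Expires');
    else lifetime = Math.round((t - now) / 1000);
  }
  if (lifetime !== undefined && lifetime > MAX_SECURITY_COOKIE_AGE) {
    findings.push(`lifetime ${lifetime}s exceeds ${MAX_SECURITY_COOKIE_AGE}s`);
  }
  return findings;
}

// Constructed sample: a compliant security cookie and a long-lived tracking-style cookie.
console.log(auditSecurityCookie(securityCookieHeader('__Host-anti_abuse', 'abc123', 3600))); // []
console.log(auditSecurityCookie('_tracker=abc; Path=/; Max-Age=63072000'));
```

Running the audit function over the Set-Cookie headers your site actually emits (for example from a proxy log) is a cheap way to spot a "security" cookie that has quietly grown a two-year expiry or lost its HttpOnly flag, which is exactly the drift that turns a defensible security cookie into a tracking one.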