Hacker News

Actually, Art. 6 GDPR does leave doors open besides consent, e.g. if "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

In that case, it's simply not consent, so instead of collecting void consent, which will get you into trouble, you should display a simple privacy notice that links to your privacy policy, where you explain your legitimate interests. That is what you have to do for first-party tracking, for session cookies that can be associated with a specific person, and even for log files that contain IP addresses.

If you offer a free digital newspaper, you may argue in court that your ad-funded offering could not exist without third-party advertising and analysis tools, and that your legitimate interest (secure funding via ads) aligns well with the interests of the data subject (read free news). National Data Protection Authorities have suggested that they consider valid consent necessary for third-party tracking, so it's a somewhat bold strategy, but in the end, the ECJ will have to decide.

Until the ePrivacy regulation arrives with some clarifications, we're effectively living in a limbo. Cases of blatant abuse aside, I doubt that we will see waves of draconian fines regarding third-party tracking until then.

Recommended reading: https://ico.org.uk/for-organisations/guide-to-data-protectio...


