Cookies and the GDPR
What is a Cookie?
A cookie is a small piece of data that a website sends to your browser, which stores it and sends it back with later requests to that site.
New Regulations: GDPR
Beginning on May 25th 2018, a new set of regulations known as the General Data Protection Regulation (GDPR) took effect. The regulation governs data protection and privacy for people in the European Union (EU). Its goal is to give individuals in the EU control over their personal information on the web. GDPR has numerous implications for website owners, as well as for visitors, regardless of their country of citizenship. We’ll explore some of the main ones here, especially as they relate to cookies.
Cookies = Personal Identifiers
Recital 30 of the GDPR states “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers. This may leave traces which […] may be used to create profiles of the natural persons and identify them”.
This means that cookies may be used to identify a person visiting the site and, in turn, to store information about that person. Under common practice, a cookie is stored in the browser automatically the moment the site is visited. Under GDPR this is no longer acceptable for cookies that are not strictly necessary: website owners now need to ask visitors for consent so that visitors can choose if and how such cookies are used. (Cookies that are strictly necessary to provide a service the visitor asked for, such as a session cookie holding a shopping cart, do not need consent.) So, when a user visits a website, a banner like the one shown below may appear:
Cookies Consent Banners on Websites
The above is a good example of a GDPR-compliant cookie consent banner. Important considerations when adding a cookie consent banner are:
- Make sure that the request is a clear affirmative action
- Do not pre-check boxes or selection items
If you are providing options regarding the kinds of cookies used, make sure that no boxes are pre-checked, as users need to actively confirm their consent for consent to be valid under GDPR. Note: this also applies to forms elsewhere on your site.
- Implied consent is no longer acceptable
You may see banners that say things like, “By using this site, you accept cookies.” However, this is not a clear affirmative action and does not constitute active consent.
- Inform visitors about how cookies are used
- Use simple and clear language
Though this seems obvious, part of GDPR compliance includes describing things like cookies, personal data and other possibly technical topics in language that is easy to understand.
How to Opt-Out
If a website visitor chooses to opt out of cookies, or wants to remove cookies already stored, this can be done by adjusting browser settings. To remove cookies currently stored in the browser, select the “Clear Browsing Data” (or equivalent) option in the browser settings. Note that clearing cookies also removes the cookie in which a site recorded your consent choice, so the consent banner will appear again on the next visit. Most browsers also offer a separate setting to block third-party cookies only.
Here are samples of where to manage cookie settings on various browsers:
Different Types of Cookies
Not all cookies perform the same function. There are session cookies, persistent cookies, and third-party cookies. Session cookies last only while the browser is open and are deleted when it is closed. Online merchants may use these to keep track of items added to a shopping cart.
Persistent cookies remain even when the browser is closed, but expire after a set amount of time instead. Websites can use these to preserve login information so the user does not have to re-enter it on every visit.
Third-party cookies are cookies set by a domain other than the one being visited. For example, a cookie from XYZ.com may be set even though the user is visiting ABC.org. These cookies are usually used by advertisers to track a user's browsing across sites so they can serve relevant ads to that user. Because of their different uses, some users may want to opt in to one kind of cookie but not the others. So some sites may have a banner like the one below that offers options for each type of cookie:
(Just be sure not to pre-check those boxes.)
What does this mean to me?
Website owners who need to comply with GDPR should address these two areas:
- Consent before storage. A user must actively consent to, or reject, the storage of non-essential cookies, plain and simple. A consent model that achieves this is an explicit opt-in: on the first visit, before any non-essential cookie is set, the website gives the user the opportunity to allow or refuse that storage.
- An easy way to withdraw. If the user accepts cookies and later no longer wants to grant the website that storage, the owner must provide an easy option to opt out, and withdrawing consent must be as simple as giving it.
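The following is an added example, not code from the original article, that puts the two preceding sections together in working code: it classifies `Set-Cookie` headers the way the "Different Types of Cookies" section describes (no `Expires`/`Max-Age` means a session cookie, either attribute means persistent, and a cookie set by a response from a different site than the page is third-party), then applies an explicit-consent filter in which every cookie category starts undecided, which is the code equivalent of "no pre-checked boxes". The hostnames, cookie names, category labels and the `SAMPLE_RESPONSES` list are constructed for the demo, and `site()` approximates the registrable domain with the last two DNS labels rather than the Public Suffix List that real browsers use.

```javascript
// Added example (not from the original article): classify Set-Cookie headers
// as session/persistent and first-/third-party, then apply explicit consent.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: (eq === -1 ? parts[0] : parts[0].slice(0, eq)).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Lifetime per RFC 6265: a well-formed Max-Age wins over Expires; a non-positive
// Max-Age or a past Expires tells the browser to delete the cookie; neither
// attribute means a session cookie that is dropped when the browser closes.
function lifetime(cookie, now = new Date()) {
  const { 'max-age': maxAge, expires } = cookie.attributes;
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) {
    return Number(maxAge) <= 0 ? 'expired' : 'persistent';
  }
  if (typeof expires === 'string') {
    const when = new Date(expires);
    if (!Number.isNaN(when.getTime())) return when <= now ? 'expired' : 'persistent';
  }
  return 'session';
}

// Approximate a host's "site" as its last two labels (assumption for the demo;
// browsers consult the Public Suffix List so that e.g. co.uk is one suffix).
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Classify one Set-Cookie header received from responseHost while the visitor
// is on a page served by pageHost (XYZ.com setting a cookie on ABC.org).
function classify(header, responseHost, pageHost, now = new Date()) {
  const cookie = parseSetCookie(header);
  return {
    name: cookie.name,
    lifetime: lifetime(cookie, now),
    thirdParty: site(responseHost) !== site(pageHost),
  };
}

// Consent state: a category is allowed only when the visitor explicitly set it
// to true. An undecided (missing) or false entry blocks it, so nothing is
// "pre-checked". Strictly necessary cookies are exempt from consent.
function allowedByConsent(category, consent) {
  return category === 'necessary' || consent[category] === true;
}

// Constructed sample: responses seen while the visitor browses shop.example.com.
const SAMPLE_RESPONSES = [
  { from: 'shop.example.com', category: 'necessary',
    header: 'cart=7f3a; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { from: 'shop.example.com', category: 'functional',
    header: 'remember_me=t0k3n; Max-Age=2592000; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { from: 'ads.tracker.example', category: 'advertising',
    header: '_uid=42; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.tracker.example; Secure; SameSite=None' },
];

// One record per header: its classification plus whether the given consent
// state permits storing it.
function applyConsent(pageHost, consent, responses = SAMPLE_RESPONSES, now = new Date()) {
  return responses.map((r) => ({
    ...classify(r.header, r.from, pageHost, now),
    category: r.category,
    allowed: allowedByConsent(r.category, consent),
  }));
}

// Names of the cookies that may be set under a given consent state.
function permittedCookieNames(pageHost, consent, responses = SAMPLE_RESPONSES) {
  return applyConsent(pageHost, consent, responses).filter((c) => c.allowed).map((c) => c.name);
}

console.log(applyConsent('shop.example.com', {}));                      // only cart allowed
console.log(permittedCookieNames('shop.example.com', { advertising: true }));
```

Note that on a first visit the consent object is empty, so only the strictly necessary cart cookie gets through; the advertising cookie is both persistent and third-party, and it is stored only after the visitor explicitly ticks that category. The consent choice itself is normally recorded in a first-party cookie written only after the click, which is why clearing browser data brings the banner back.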