Cookies and the GDPR

What is a Cookie?

A cookie is a piece of data stored in a small text file saved to your browser when visiting a website.

Most websites use cookies. Cookies are used to remember information about the visitor (the reason your shopping cart is still full). But there is more to it than making your life a little bit simpler.

Online marketers use cookies stored on your web browser to show you relevant ads based on how you browse the web. This is known as Retargeting. For example, when viewing different cat food brands on Chewy.com, you may see ads for cat toys or other cat products when you next login to Facebook. To some, this can be interpreted as a breach of privacy because your online activities and personal preferences are being shared.

New Regulations: GDPR

Beginning on May 25th 2018, a new set of regulations known as the General Data Protection Regulation (GDPR), took effect. The regulations are related to data protection and privacy for those living in the European Union (EU). The goal is to give EU citizens control over their personal information on the web. There are numerous implications of GDPR for website owners, as well as visitors, regardless of their country of citizenship. We’ll explore some of the main ones here, especially as they relate to cookies.

Cookies = Personal Identifiers

Recital 30 of the GDPR states “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers. This may leave traces which […] may be used to create profiles of the natural persons and identify them”.

This means that cookies may be used to identify a person visiting the site and, in turn, store information about that person. Per current practices, a cookie is automatically stored in the browser the moment the site is visited. New regulations dictate that this is no longer acceptable. Under GDPR, website owners now need to ask visitors for consent regarding cookies to allow website visitors to choose if and how cookies are used when they visit a website.  So, when a user visits a website, a banner like this one may appear:

Cookies Consent Banners on Websites

The above is a good example of a GDPR-compliant cookies consent banner. Important considerations when adding a cookies consent banner are:

  • Make sure that the request is a clear affirmative action

In the example above, the banner explains why the website is using cookies, provides the option to view more about the types of cookies used on the site and how to control them. It also makes the user clearly and affirmatively consent to use of cookies by continuing to use the site.

  • Do not pre-check boxes or selection items

If you are providing options regarding the kinds of cookies used, make sure that no boxes are pre-checked, as users need to actively confirm their consent for consent to be valid under GDPR. Note: this also applies to forms elsewhere on your site.

  • Implied consent is no longer acceptable

You may see banners that say things like, “By using this site, you accept cookies.” However this is not a clear affirmative action giving active consent.

  • Inform visitors about how cookies are used

As we will explain later in this post, there are different types of cookies that serve different purposes. Straightforward information about where, when, how and why personal data is being used needs to appear front and center. Sometimes, this is described briefly in the cookies consent banner and in further detail in your Privacy Policy or Cookie Policy.

  • Use simple and clear language

Though this seems obvious, part of GDPR compliance includes describing things like cookies, personal data and other possibly technical topics in language that is easy to understand.

How to Opt-Out

If a website visitor chooses to opt-out of using cookies, or wants to remove any previously-collected cookies, this can be done by adjusting browser settings. To remove cookies currently stored in the browser, select the “Clear Browsing Data” (or equivalent) option in the browser settings.

Here are samples of where to manage cookie settings on various browsers:

Google Chrome

Firefox

Safari

 

Different Types of Cookies

Not all cookies perform the same function. There are session cookies, persistent cookies, and third party cookies. Session cookies only last while the browser is open and deletes itself when it is closed. Online merchants may use these to keep track of items added to a shopping cart.

Persistent cookies will remain even when the browser is closed but expires after a set amount of time instead. Websites can use these to preserve login information so the user would not have to re-enter it with every visit.

Third party cookies are cookies that are created from a different domain from the one that is being visited. For example, a cookie from XYZ.com may be created even if the user is visiting ABC.org. These cookies are usually used by advertisers to track browsing history so they can serve relevant ads to the user. Because of their different uses, some users may only want to opt-in one kind, but not the others. So some sites may even have a banner like this that offers options for each type of cookie:

(Just be sure not to pre-check those boxes.)

What does this mean to me?

Website owners who need to comply with GDPR should address these two areas:

1) Allow users to actively and affirmatively consent to use of cookies.

For a user, cookie storage must be actively consented to or rejected, plain and simple. A good consent model capable of achieving compliance is a soft opt-in which means the website must give the user an opportunity to decide on allowing or disallowing the website to store a cookie during the first visit to the site. Additionally, if the user accepts a cookie, and no longer wants to grant the website that storage, the owner must provide the user an easy option to opt-out.

2) Include documentation of the company’s Cookie Policy.

This policy, generally incorporated into the Privacy Policy,  should contain information on how a user can opt out of cookies or change the settings regarding how cookies collect their information. A cookie policy should include what types of cookies are set, how long they last on the browser, what data they track, their purpose, where the data is being sent, and how to reject a cookie or update cookie’s settings.

As a website owner, you are responsible for the creative, technical and business aspects of your site and we know it can feel overwhelming. If you’re looking for support with implementing a cookies consent banner, creating a Privacy Policy or Cookies Policy, or have general questions about GDPR and what it means for you, contact us.

Hear Valerie Blau’s Presentation at the Morris County Chamber of Commerce Tech Talk Forum:
“Cookie Monster – GDPR and Data Privacy on the Web”

Tuesday, November 13, 2018
7:45 AM to 9:00 AM
Morris County Chamber of Commerce
325 Columbia Turnpike – Suite 101
Florham Park, NJ 07932

RSVP to Val directly