What does GDPR mean for your cookie consent policy?
Cookies are a tricky topic for web professionals. Essential to the sites that use them, annoying to the consumers who agree to them, and misunderstood by plenty of people on both sides, they’re at the core of many ongoing debates about online privacy. Cookies are only addressed once in the European Union’s recently enacted General Data Protection Regulation (GDPR), but what little the GDPR has to say can have an important impact on organizations that do business online.
By getting your site in compliance with existing regulations, you can not only keep yourself that much further ahead of oncoming legal changes, but also give your users some peace of mind. An IBM-sponsored survey recently collected answers from 10,000 consumers around the world—75% of whom said they won't purchase a product if they don't feel like they can trust the company with their data.
A poorly communicated cookie policy can contribute directly to those feelings of mistrust. In this situation, it’s far better—and in many cases, legally required—to ask permission first than to ask forgiveness later.
What Does the GDPR Say About Cookies?
Recital 30 of the GDPR is the only section of this lengthy document that directly addresses cookies, stating that:
"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
What this means for website owners and other data controllers and processors is that many, if not most, cookies are regarded as a means of collecting personally identifiable data. That makes them subject to the GDPR’s sweeping guidelines governing the handling and storage of personal data, which could impact organizations on several fronts.
What Are the New Cookie Standards, If Any?
For one, any site using cookies that processes personal data must make sure it processes this data on a lawful basis such as consent or legitimate interest. If consent is the relevant lawful basis for your processing, users have to actively opt in and consent to cookies under the GDPR guidelines or adjust settings within their own browser. (Those pop-up boxes informing users that the site uses cookies no longer qualify.) The GDPR also gives consumers the right to be forgotten, which means that data controllers in some cases have to erase all personally identifiable data if they are no longer needed, if they were processed illegally or improperly, or if the person whose data has been collected requests their deletion. Opting out of cookie tracking must be as easy as opting in, and users must be able to change their decision at a later date.
Users who reject cookies must also receive full access to the site—it’s not acceptable to offer limited features or functionality to visitors who don’t want their information tracked. It’s important to remember that one of the biggest aims of the GDPR is transparency. Site owners should take care to have a clearly communicated, easy-to-understand cookie policy that’s readily available to anyone visiting their site.
Is Consent Required for All Cookies?
This is an important distinction, as it’s a reminder that these policies haven’t been put in place as a blanket condemnation of cookies. In fact, many types of cookies are essential to creating a useful internet experience. The idea behind the right to refuse cookies is to prevent site owners and third parties from creating personal profiles of users’ behavior or tracking consumers beyond what is necessary to the site’s operations.
The European Commission’s official Internet Handbook lists the cookie types that are “clearly exempt from consent”, including:
- User‑input cookies (session-id) such as first‑party cookies that keep track of the user's input when filling in online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
- Authentication cookies, which identify the user once they have logged in, for the duration of a session
- User‑centric security cookies, used to detect authentication abuses such as multiple failed login attempts, for a limited persistent duration
- Multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
- Load‑balancing cookies, which help distribute server requests evenly to keep service running smoothly, for the duration of a session
- User‑interface customization cookies such as language or font preferences, for the duration of a session (or slightly longer)
- Third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network
Of course, the GDPR isn’t the only piece of legislation that EU data controllers and processors need to keep in mind. 2011’s ePrivacy Directive (which introduced those omnipresent cookie banners) and the GDPR will likely soon have company on the regulatory front. The EU’s ePrivacy Regulation is a proposed replacement for the 2011 Directive and is rumored to be the most stringent regulation so far regarding cookies. It’s too early to say what impact it could have on how organizations handle cookies, but it seems quite likely that more restrictions are on the horizon.
Data controllers need to increase their awareness of how personal and sensitive info is being collected, stored, and applied. It probably pays to get a cookie policy sorted out sooner rather than later.