by Tine Coremans and SpotIT (our external Data Protection Officer)
The purpose of this blog post is to explain briefly how cookies should be handled on a website in a GDPR and ePrivacy compliant way, in order to avoid penalties from the Data Protection Authority.
What is a cookie?
A cookie is a small text file that is downloaded onto ‘terminal equipment’ (eg a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions (source: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/).
Cookies are an important tool that can give businesses a great deal of insight into their users’ online activity. As a rule, cookies will make your browsing experience better.
Cookies & privacy
The cookie law, passed in 2002 and amended in 2009, supplements the GDPR, addressing crucial aspects about the confidentiality of electronic communications and the tracking of Internet users more broadly. The GDPR only mentions cookies once, however, this does not mean that its regulations do not apply to cookies (source: https://gdpr.eu/cookies/).
How should we understand the ePrivacy Directive and GDPR legislation in relation to cookies?
General cookie & consent rules
All cookies, except the ones that are strictly required to keep a website running whenever a user visits it, require consent.
How should you request this consent, in order to be valid?
- consent should be free, no pressure is to be executed upon the user
- consent should be informed: the users involved should receive clear and relevant information
- consent should be specific: only concerning the relevant process
- consent should be an active event: pre-checked boxes or tacit consent are not allowed
Best practices concerning cookies are cookie banners. Consent is required in a clear and informed manner, and visitors who refuse to accept cookies are not disadvantaged in a way that is disproportionate and prohibits the “freely” character of the given consent, for example by refusing access to the website.
Yet the rules on consent are not a “GDPR”-thing only, meaning that rules on cookies go broader than just personal data. In practice, this means that asking consent for cookies has nothing to do with whether or not personal data is involved.
Types of cookies
1/ Functional cookies – strictly necessary cookies
The only type of cookies that doesn’t require consent.
These cookies are required to have a functional website. The interpretation of this is very strict because consent is not required for this type of cookies. The only purpose of strictly functional cookies is to keep a website up and running to enable communication between the visitor and the website.
For example ‘user-input cookies’, ‘authentication cookies’, ‘multimedia content player session cookies’, ‘user interface customisation cookies’,…
2/ Preferences cookies
These are not strictly required to enable a website to be functional, however, they are desired to improve the user experience.
Functional cookies linked to user preferences do require consent. For example, cookies regarding language or regional preferences, or cookies that store a user’s username and password.
3/ Marketing cookies / tracking cookies
Cookies used within a domain or within several domains to capture user’s surfing behaviour also require consent. These cookies enable targeted advertising, to name one: Google Ads (previously Google Adwords).
4/ Analytical cookies
Analytical cookies like Google Analytics (see our earlier blog post: https://appsaloon.be/blog/how-to-make-google-analytics-gdpr-compliant/) are used to track visitors on the website and can be used to measure a website’s performance and to optimise it. Although they are useful, they require consent.
All different types of cookies have additional characteristics, specifying the type of cookie further.
1/ Session cookies
These cookies are only used / necessary during the use of the website.
2/ Persistent cookies
Cookies with a wider scope, meaning they’re not only used during the session.
3/ First-party cookies
Only placed by the website, ensure that the website functions properly and preferences are remembered.
4/ Third-party cookies
These cookies are set by a third party (with a different domain name) on a website and serve to make the user experience better and more personal.
Cookie notice & cookie compliance
All different types of cookies need to be listed in a website’s cookie notice.
Minimally, a cookie notice needs to provide information regarding:
1/ the data controller’s identity
2/ definition of cookies
4/ legal grounds:
- consent provided through cookie banner or cookie wall
- legitimate interest of strictly required cookies
5/ cookie overview:
- different types of cookies: strictly required / preferences / marketing / analytic
- cookie characteristics: session / persistent and first-party / third-party
- which data are collected
- what is the purpose of the data collection
- retention period of the collected data
- third parties that obtain data
6/ allow and explain the user to launch data subject requests regarding their personal data
7/ the right to withdraw cookie consent and how to withdraw consent
8/ the possibility to complain
This is very similar to what we wrote earlier on our blog about GDPR, more specifically, in the section ‘what a website owner needs to know’.
Any cookie or other identifier uniquely attributed to a device and therefore capable of identifying an individual or treating them as unique, is seen as personal data, and falls under the GDPR, even if it’s a third-party based plugin planting this identifier. This means that lots of web analytics cookies, advertising and target cookies and quite a few functional services like survey and chat tools store personal data.
- Get rid of cookie boxes containing text like ‘by using this site, you accept cookies’. This won’t qualify as consent for storing visitor’s data.
- Your visitors should be able to accept/decline the trace: accepting/declining cookies needs to be a manual action and visitors need to be able to opt-out at any time.