Cookies & GDPR

By:

Tine Coremans

on:

30/01/2020

In cooperation with SpotIT (our external Data Protection Officer)

Newsflash! For the first time in Belgium, a website has been convicted for its careless and sloppy cookie policy (source: VRT). The interpretation of the European GDPR legislation is so strict that nearly all websites risk conviction for their incorrect cookie policy.

The purpose of this blog post is to explain briefly how cookies should be handled on a website in a GDPR and ePrivacy compliant way, in order to avoid penalties from the Data Protection Authority.

What is a cookie?

A cookie is a small text file that is downloaded onto ‘terminal equipment’ (eg a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions (source: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/).

Cookies are an important tool that can give businesses a great deal of insight into their users’ online activity. As a rule, cookies will make your browsing experience better.

Cookies & privacy

The cookie law, passed in 2002 and amended in 2009, supplements the GDPR, addressing crucial aspects about the confidentiality of electronic communications and the tracking of Internet users more broadly. The GDPR only mentions cookies once, however, this does not mean that its regulations do not apply to cookies (source: https://gdpr.eu/cookies/).

How should we understand the ePrivacy Directive and GDPR legislation in relation to cookies?

General cookie & consent rules

All cookies, except the ones that are strictly required to keep a website running whenever a user visits it, require consent.

How should you request this consent, in order to be valid?

consent should be free, no pressure is to be executed upon the user
consent should be informed: the users involved should receive clear and relevant information
consent should be specific: only concerning the relevant process
consent should be an active event: pre-checked boxes or tacit consent are not allowed

Best practices concerning cookies are cookie banners. Consent is required in a clear and informed manner, and visitors who refuse to accept cookies are not disadvantaged in a way that is disproportionate and prohibits the “freely” character of the given consent, for example by refusing access to the website.

Yet the rules on consent are not a “GDPR”-thing only, meaning that rules on cookies go broader than just personal data. In practice, this means that asking consent for cookies has nothing to do with whether or not personal data is involved.

Types of cookies

1/ Functional cookies - strictly necessary cookies

The only type of cookies that doesn’t require consent.
These cookies are required to have a functional website. The interpretation of this is very strict because consent is not required for this type of cookies. The only purpose of strictly functional cookies is to keep a website up and running to enable communication between the visitor and the website.
For example ‘user-input cookies’, ‘authentication cookies’, ‘multimedia content player session cookies’, ‘user interface customisation cookies’,…

2/ Preferences cookies

These are not strictly required to enable a website to be functional, however, they are desired to improve the user experience.
Functional cookies linked to user preferences do require consent. For example, cookies regarding language or regional preferences, or cookies that store a user’s username and password.

3/ Marketing cookies / tracking cookies

Cookies used within a domain or within several domains to capture user’s surfing behaviour also require consent. These cookies enable targeted advertising, to name one: Google Ads (previously Google Adwords).

4/ Analytical cookies

Analytical cookies like Google Analytics (see our earlier blog post: https://appsaloon.be/blog/how-to-make-google-analytics-gdpr-compliant/) are used to track visitors on the website and can be used to measure a website’s performance and to optimise it. Although they are useful, they require consent.

Cookie characteristics

All different types of cookies have additional characteristics, specifying the type of cookie further.

1/ Session cookies

These cookies are only used / necessary during the use of the website.

2/ Persistent cookies

Cookies with a wider scope, meaning they’re not only used during the session.

3/ First-party cookies

Only placed by the website, ensure that the website functions properly and preferences are remembered.

4/ Third-party cookies

These cookies are set by a third party (with a different domain name) on a website and serve to make the user experience better and more personal.

Cookie notice & cookie compliance

All different types of cookies need to be listed in a website’s cookie notice.

Minimally, a cookie notice needs to provide information regarding:

1/ the data controller’s identity

2/ definition of cookies

3/ purpose of the use of cookies

4/ legal grounds:

consent provided through cookie banner or cookie wall
legitimate interest of strictly required cookies

5/ cookie overview:

different types of cookies: strictly required / preferences / marketing / analytic
cookie characteristics: session / persistent and first-party / third-party
which data are collected
what is the purpose of the data collection
retention period of the collected data
third parties that obtain data

6/ allow and explain the user to launch data subject requests regarding their personal data

7/ the right to withdraw cookie consent and how to withdraw consent

8/ the possibility to complain

Conclusion

This is very similar to what we wrote earlier on our blog about GDPR, more specifically, in the section ‘what a website owner needs to know’.

Any cookie or other identifier uniquely attributed to a device and therefore capable of identifying an individual or treating them as unique, is seen as personal data, and falls under the GDPR, even if it’s a third-party based plugin planting this identifier. This means that lots of web analytics cookies, advertising and target cookies and quite a few functional services like survey and chat tools store personal data.

So, in order to fully comply with the GDPR requirements, you should adjust your cookie policy:

Get rid of cookie boxes containing text like ‘by using this site, you accept cookies’. This won’t qualify as consent for storing visitor’s data.
Don’t hide your privacy and cookie policy: the principle of transparency requires that any information addressed to your visitor be concise, easily accessible and easy to understand.
Your visitors should be able to accept/decline the trace: accepting/declining cookies needs to be a manual action and visitors need to be able to opt-out at any time.

Check our cookie policy, which is part of our privacy policy, to see how we handle this.