Cookies and GDPR

As we count down to May 25th website owners across the UK are looking at their websites, privacy policies and consent mechanisms.  One area at risk of being overlooked is the humble cookie - so it's time to take a look at cookies and how they are affected by GDPR.  In this article, we are…
11 May 2018 | Digital Business

INTRODUCTION TO COOKIES AND GDPR

As you may know, a cookie is a small file that is created on a website and sent to your device.  These are designed to perform a wide range of roles, from saving your session on a shopping site to authentication, remembering your preferences, recording site visitors or providing targeted advertising.  Most business websites use them.

COOKIE TYPES

Broadly speaking, cookies fall into 2 categories.  Essential cookies are required for correct operation of a website and provide information required by a user.  Any other cookies are classed as non-essential and are used for analytics, advertising, 3rd parties and identifying returning visitors.

THE CURRENT POSITION

In place right now is the EU Cookie Law, covering all EU member states and other sites targeting EU citizens.  It requires users be informed of the fact non-essential cookies are being used.  Compliance is achieved by use of a banner or popup notification confirming use.  You will have seen a phrase such as “By continuing to use this website, you accept the use of cookies”.  This does provide notice but not any choice.  The GDPR wants to change this by giving users an informed choice.

COOKIES AND GDPR

In the GDPR, cookies are referred to in Recital 30, which says:

NATURAL PERSONS MAY BE ASSOCIATED WITH ONLINE IDENTIFIERS…SUCH AS INTERNET PROTOCOL ADDRESSES, COOKIE IDENTIFIERS OR OTHER IDENTIFIERS…. THIS MAY LEAVE TRACES WHICH, IN PARTICULAR WHEN COMBINED WITH UNIQUE IDENTIFIERS AND OTHER INFORMATION RECEIVED BY THE SERVERS, MAY BE USED TO CREATE PROFILES OF THE NATURAL PERSONS AND IDENTIFY THEM.

Basically – cookies are now deemed as Personally Identifiable Information (PII).  Like any other PII, consent from the subject must be given before use.  This must be an informed choice so a simple opt-in or implied consent will no longer apply.

Cookies in use should be listed (a link to a policy page is a practical solution) as well as an opt-in / out choice for non-essentials cookies.  If consent is not given non-essential cookies cannot be used.  A technical solution will also be required to control cookie behaviour.

COMPLIANCE TIPS

  • Let your users know what types of cookies you use and for what reasons
  • Display a clear policy that explains cookie use and options available to the user
  • Categorise all of the cookies in use on your site and give the user a choice for each
  • Review cookie use regularly

WANT HELP?

We are considering putting together a compliance support pack to help small business website owners with GDPR compliance, comprising of document templates, checklists, technical audits and GDPR compliant solutions for common website technologies such as forms, cookie management, email opt-ins and consent forms.  Get in touch if this is something you might be interested in – anticipated cost will be £499.

Disclaimer:  Obviously we are a technology company, not a law firm and offer advice only to be helpful.  We recommend you seek legal advice and cannot be held liable for issues resulting from any information provided.