GDPR Requirements for Cookie Policies
Published January 15, 2019 by Karen Walsh • 5 min read
In comparison to the chocolate chip variety, website cookies are relatively boring. A cookie is a small piece of data that your site stores in a visitor’s browser so it can “remember” that browser or device on later requests. For example, if a site keeps a person logged in as they move from page to page, it is using a cookie to do that.
How cookies work
Cookies are an exchange between your server and a visitor’s browser. When someone visits your website, your server includes a Set-Cookie header in its response and the browser stores that cookie. On every later request to your site, the browser sends the cookie back in a Cookie request header. That is how your server recognises the same browser as the visitor moves between pages, preserving information about the visit and any information the person shared with you.
What the types of cookies are
Session cookies have a short life span. Once the browser closes, they are erased.
Persistent cookies have a longer life span. They stay in the user’s browser until the expiry you set through the cookie’s Expires or Max-Age attribute, even if the user closes the browser.
Cookies are also distinguished by the domain that sets them and receives them back, which determines where the information goes.
First-party cookies are set by the domain the user is actually visiting and are sent back only to that domain. In other words, when a user visits your website, a first-party cookie only shares information with your site and with no one else.
Third-party cookies are set by, and sent back to, a different domain, typically embedded content such as advertisements. If your website has advertisements on it, then the advertiser is collecting data. For example, if you run ads on your site and the same advertiser runs ads on another website that your user visits, the advertiser receives the visitor data from both of them.
The problem with third-party cookies lies in the way they aggregate user information. A visitor to your site may not realize that they have left a trail of data across a variety of websites, which is then used to target content at them.
Facebook ads and Amazon shopping are a familiar example. When someone shops on Amazon, it collects information about what they viewed; this is how the site makes suggestions. If the same third-party tracker is present on both sites and the person uses the same browser to access their Facebook account, then Facebook can target ads based on the information gathered through their Amazon shopping.
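To make the mechanics above concrete, here is an added example, written for this page and not taken from the original article, that inventories cookies the way a cookie audit would: it parses Set-Cookie response headers, classes each cookie as session or persistent (from its Expires or Max-Age attribute) and first- or third-party (by comparing the cookie’s domain with the site the visitor is on), and flags cookies missing the Secure, HttpOnly and SameSite attributes. The headers, hostnames and the site name example.com are constructed; the same-site check takes the site’s registrable domain as an explicit input because a real tool would consult the Public Suffix List to derive it.

```javascript
// Added example (not from the original article): build a cookie inventory
// from Set-Cookie response headers. Sample headers below are constructed.

// Parse one Set-Cookie header value into name, value and attributes.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Same-site check against the site's registrable domain ("example.com").
// Assumption: the caller supplies that domain; real tools use the Public Suffix List.
function isSameSite(cookieDomain, site) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  return d === site || d.endsWith('.' + site);
}

// Classify a parsed cookie relative to the visited site, the host that sent
// the response (default cookie domain) and the time the response arrived.
function classifyCookie(cookie, site, responseHost, now) {
  const a = cookie.attrs;
  let lifetime = 'session';                       // no Expires/Max-Age: dies with the browser
  if ('max-age' in a) {
    lifetime = Number(a['max-age']) > 0 ? 'persistent' : 'expired'; // Max-Age=0 deletes
  } else if ('expires' in a) {
    lifetime = Date.parse(a.expires) > now.getTime() ? 'persistent' : 'expired';
  }
  const domain = a.domain || responseHost;
  const party = isSameSite(domain, site) ? 'first-party' : 'third-party';
  const missing = [];
  if (!a.secure) missing.push('Secure');
  if (!a.httponly) missing.push('HttpOnly');
  if (!a.samesite) missing.push('SameSite');
  return { name: cookie.name, domain, lifetime, party, missing };
}

// responses: [{ host, setCookie: [header, ...] }, ...] captured while loading a page.
function inventory(site, responses, now) {
  const out = [];
  for (const { host, setCookie } of responses) {
    for (const header of setCookie) {
      out.push(classifyCookie(parseSetCookie(header), site, host, now));
    }
  }
  return out;
}

// Constructed sample: headers seen while loading a page on example.com that
// embeds an advertisement served from an unrelated tracker domain.
const SAMPLE_RESPONSES = [
  { host: 'www.example.com', setCookie: [
    'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
    'lang=en; Path=/; Max-Age=31536000; Domain=.example.com',
  ] },
  { host: 'ads.tracker-example.net', setCookie: [
    'uid=9f8e7d; Expires=Wed, 15 Jan 2020 00:00:00 GMT; Domain=.tracker-example.net; Path=/',
  ] },
];

const NOW = new Date('2019-01-15T00:00:00Z');
const REPORT = inventory('example.com', SAMPLE_RESPONSES, NOW);
console.log(JSON.stringify(REPORT, null, 2));
```

Run against real captures (a HAR file or proxy log), the resulting table gives you the “domain type” and lifetime columns a cookie policy needs, and the `missing` column doubles as a quick hardening check: a session cookie without Secure and HttpOnly, or a persistent third-party identifier with no SameSite attribute, is something a reviewer should question before it is documented as acceptable.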
What the GDPR says
While the GDPR’s Articles do not mention cookies by name, the recitals specifically identify cookie identifiers as a type of personal data companies collect from data subjects, in this case, visitors to your site. In Recital 30, the GDPR states,
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
In short, the GDPR treats cookie identifiers as personal data because, combined with the other information your servers collect about devices, applications, and IP addresses, they allow you to connect that data back to the visitor.
Since the GDPR treats cookie identifiers as personal data, Recital 39 clarifies what that means for how you communicate about them:
It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
What the ePrivacy Directive “Cookie Law” proposed update means
The ePrivacy Directive, adopted in 2002 and amended in 2009, requires prior user consent before information is stored on, or read from, a user’s device, which is why it is known as the “Cookie Law”. However, as a Directive it had to be transposed into each member state’s own law, so the rules differ from country to country and the burden of understanding them falls on users. In an attempt to fix this, the European Commission and European Parliament drafted a new ePrivacy Regulation that would replace the ePrivacy Directive. Like the GDPR, a Regulation applies directly and would require all member states to follow a consistent approach to cookie consent and collection.
The draft ePrivacy Regulation, although still under negotiation, reinforces the importance of clear and comprehensive language. To comply with this requirement, you need to use plain language that users can understand.
How to obtain cookie consent
Cookie consent on your website should distinguish two different types of cookies.
Cookies needed to run the site, for example:
- administering your website
- ensuring the website works properly
- keeping items in the user’s shopping cart
- processing payments
- allowing users to log in to services or accounts
- remembering information a user puts in a form
Cookies that go beyond that, for example:
- remembering visitors when they come back to your site again
- improving user experience
- remembering the browser so your website can display the most appropriate format
- remembering the visitor’s preferred language
- remembering visitor preferences over website appearance
- collecting marketing information
To obtain informed opt-in consent, your website’s cookie pop-up should clearly explain the types of information you collect through each of these types of cookies, as well as any others you use.
For example, website owners who use Google Analytics to track visitors to their site need to make sure that they obtain the appropriate opt-in to ensure GDPR compliance.
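As an added example (not code from the original article, from Google Analytics or from any consent vendor), the following shows how a site can gate a third-party tag on consent: the visitor’s choices are written to a first-party cookie together with the policy version and a timestamp, and a vendor’s script loader only runs for the categories the visitor accepted. The cookie name cookie_consent, the policy version number, the six-month lifetime and the stand-in loaders are assumptions made for the example.

```javascript
// Added example (not from the original article): record cookie consent in a
// first-party cookie and load non-essential tags only for accepted categories.
// Names and lifetimes below are assumptions chosen for illustration.

const CONSENT_COOKIE = 'cookie_consent';     // assumed cookie name
const POLICY_VERSION = 3;                    // bump whenever the cookie policy changes
const CATEGORIES = ['analytics', 'marketing'];
const MAX_AGE_SECONDS = 180 * 24 * 3600;     // assumed: re-ask after six months

// Build the consent record and the cookie string that stores it.
// The record keeps what was accepted, when, and under which policy version,
// which is the evidence you need to show consent was actually given.
function buildConsentCookie(choices, now) {
  const record = { v: POLICY_VERSION, t: now.toISOString(), c: {} };
  for (const cat of CATEGORIES) record.c[cat] = choices[cat] === true;
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${MAX_AGE_SECONDS}; Secure; SameSite=Lax`;
}

// Read the consent record back from a Cookie header or document.cookie string.
// Anything unparseable is treated as "no consent", never as acceptance.
function readConsent(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(rest.join('=')));
      if (record && typeof record.c === 'object') return record;
    } catch (e) {
      // corrupted or tampered cookie: fall through and report no consent
    }
  }
  return null;
}

// The banner must be shown when nothing is recorded or the policy changed.
function needsPrompt(record) {
  return record === null || record.v !== POLICY_VERSION;
}

// Run only the loaders whose category the visitor allowed.
// `loaders` maps category -> function that injects the vendor script tag.
function applyConsent(record, loaders) {
  const loaded = [];
  if (needsPrompt(record)) return loaded;   // no consent yet: nothing non-essential loads
  for (const [cat, load] of Object.entries(loaders)) {
    if (record.c[cat] === true) {
      load();
      loaded.push(cat);
    }
  }
  return loaded;
}

// Constructed walk-through: visitor accepts analytics and rejects marketing.
function demo() {
  const now = new Date('2019-01-15T12:00:00Z');
  const setCookie = buildConsentCookie({ analytics: true, marketing: false }, now);
  // What the browser sends back on the next request (name=value only).
  const cookieHeader = 'sid=abc; ' + setCookie.split(';')[0];
  const record = readConsent(cookieHeader);
  const calls = [];
  const loaders = {
    analytics: () => calls.push('analytics.js'),   // stand-in for inserting the GA <script>
    marketing: () => calls.push('pixel.js'),       // stand-in for an ad pixel
  };
  return { setCookie, record, loaded: applyConsent(record, loaders), calls };
}

console.log(JSON.stringify(demo(), null, 2));
```

The usual mistake is to include the analytics snippet in the page and only display a banner on top of it; by then the vendor has already set its cookie. Here the loader is a function that is not called until `applyConsent` finds an accepted category, and bumping `POLICY_VERSION` forces a fresh prompt after the cookie policy changes rather than silently reusing old consent.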
The cookie notice and opt-in on your website can only carry limited information: they tell visitors enough to understand some of what you collect. Your cookie policy has to cover the rest.
At minimum, it should set out:
- Domain type (whether each cookie is first-party or third-party)
- Purpose (for example, running the site, streamlining the experience, marketing)
- Where data is sent
- With whom data is shared
- How to reject cookies
- How to change status after initial acceptance or rejection
To be compliant with EU rules about cookie collection, notification, and policy setting, you need to manage your documentation.
ZenGRC offers an easy-to-navigate dashboard that enables workflow management and acts as a single source of truth for document management, with the ability to assign tasks in the platform and track their completion.
With our compliance dashboards, you can get at-a-glance insight into your current risk posture and prioritize tasks.
For more information about how ZenGRC can enable GDPR compliance, contact us for a demo.