GDPR Requirements for Cookie Policies

Written by
GDPR Cookie Policy Compliance

As a business owner, you know the European Union (EU) General Data Protection Regulation (GDPR) went into effect in May 2018. However, one of the most confusing aspects for a lot of businesses, large and small, has been the infamous “cookie policy.”  No matter where your business resides, your website reaches customers protected by the GDPR which means you need to understand how to implement a GDPR compliant cookie policy.

GDPR Compliant Cookie Policy

Defining cookies

In comparison to the chocolate chip variety, website cookies are relatively boring. A cookie is data that your site uses to “remember” a mobile device or browser. For example, if a web browser saves a person’s login information, it’s using a cookie to do that.

Websites use cookies to identify users, remember their preferences, and keep them from having to re-enter information when moving from one page to another or when coming back later.

How cookies work

Cookies are a communication between your server and a visitor’s browser. When someone visits your website, your site sends a messaged called “cookie.txt” which their browser saves. Then, as the visitor moves between pages on your website, the visitor’s computer and your server send these messages back and forth, preserving information about the visit and any information the person shared with you.

What the types of cookies are

Lifespan Cookies

Because websites use cookies to streamline visitor experiences, the time they remain on the user’s computer, called the lifespan, is one way to define them.

Session cookies have a short life span. Once the browser closes, they are erased.

Persistent cookies have a longer life span. They remain on the user’s browser based on the amount of time you define.  The browser saves the information collected, even if the user closes the browser.

Domain Cookies

Domain cookies address the location to and from which the information is sent.

First-party cookies limit the information to just one domain or server. In other words, when a user visits your website, a first-party cookie only shares information within your site and with no one else.

Third-party cookies share the information with another domain. If your website has advertisements on it, then the advertiser is collecting data. For example, if you run ads on your site and the same advertiser runs ads on another website that your user visits, the advertiser receives the visitor data from both of them.

The problem with third-party cookies lies in the way they aggregate user information. A visitor to your site may not realize that they left a trail of data across a variety of websites that then targets information at them.

An excellent example of this would be Facebook ads and Amazon shopping. When someone shops on Amazon, it collects information about what they viewed. This is how the site makes suggestions. If they use the same browser to access their Facebook account, then Facebook can target ads based on the information gathered through their Amazon shopping.

What the GDPR says

While the GDPR’s Articles remain silent on cookies, the recitals specifically identify them as a type of personalized data companies collect from data subjects, in this case, visitors to your site. In Recital 30, the GDPR states,

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

In short, the GDPR argues that cookies constitute personal data because servers collect information about devices, applications, and IP addresses that then allow you to connect them back to the visitor.

Since the GDPR defines cookies as personal data, looking at Recital 39 clarifies things a little bit:

It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.

Putting these two recitals together creates the primary underpinning of the GDPR’s take on a website’s use of cookies. Regarding third-party cookies, visitors to your site need to clearly understand the information your website collects and how you share it.

What the ePrivacy Directive “Cookie Law” proposed update means

The ePrivacy Directive, initially enforced in 2002 and updated in 2009, requires prior user consent for electronic communications. However, the EU legislation protecting privacy places a burden on users. In an attempt to fix this, the European Commission and European Parliament drafted new legislation that will override the ePrivacy Directive, a new ePrivacy Regulation. This will, like the GDPR, require all member states to apply a consistent approach to cookie consent and collection.

The ePrivacy Regulation drafts, although still in negotiation, both reinforce the importance of clear and comprehensive language. To comply with this requirement, you need to use plain language that users can understand.

How to obtain cookie consent

Cookie consent on your website should address two different types of cookies.

Business Enablement

Your website uses cookies to enable business operations, such as:

  • administering your website
  • ensuring the website works properly
  • keeping items in the user’s shopping cart
  • processing payments
  • allowing users to log in to services or accounts
  • remembering information a user puts in a form

Streamlined Experience

In other cases, your website uses cookies to streamline the user experience, but they aren’t necessary to your business operations, such as:

  • remembering visitors when they come back to your site again
  • improving user experience
  • recognizing that a user has accepted the use of cookies
  • remembering the browser so your website can display the most appropriate format
  • remembering the visitor’s preferred language
  • remembering visitor preferences over website appearance
  • collecting marketing information

To obtain informed opt-in and consent, your website cookie pop-up should clearly explain the types of information you’re collecting based on these types of cookies as well as any others you use.

For example, website owners who use Google Analytics to track visitors to their site need to make sure that they obtain the appropriate opt-in to ensure GDPR compliance.

Why a cookie policy still matters

The cookie notice and opt-in on your website provides limited information. It tells website visitors enough information to understand some of what you collect.

However, the last part of the notification should be a link to your Cookie Policy. Your Cookie Policy provides website users with more detailed information about the types of cookies you collect.

At minimum, it should set out:

  • Domain type
  • Lifespan
  • Purpose (business operations, streamlined experience)
  • Where data is sent
  • With whom data is shared
  • How to reject cookies
  • How to change status after initial acceptance or rejection

How ZenGRC Helps Maintain Your Cookie Policy

To be compliant with EU rules about cookie collection, notification, and policy setting, you need to manage your documentation.

ZenGRC offers an easy-to-navigate dashboard that enables workflow management and acts as a single-source-of-truth for document management. With the ability to assign tasks in the platform and track task completion.

With our compliance dashboards, you can get at-a-glance insight into your current risk posture and prioritize tasks.

For more information about how ZenGRC can enable GDPR compliance, contact us for a demo.

Categorized in: