Cookies are mentioned only once in the EU General Data Protection Regulation (GDPR), but the repercussions are significant for any organisation that uses them to track users’ browsing activity.
Recital 30 of the GDPR states:
Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
In short: when cookies can identify an individual via their device, it is considered personal data.
This supports Recital 26, which states that any data that can be used to identify an individual either directly or indirectly (whether on its own or in conjunction with other information) is personal data.
What it means
Not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.
To become compliant, organisations will need to either stop collecting the offending cookies or find a lawful ground to collect and process that data. Most organisations rely on consent (either implied or opt-out), but the GDPR’s strengthened requirements mean it will be much harder to obtain legal consent. The consequences of this were discussed during the 2016 Data Protection Compliance Conference and its findings described by Cookie Law:
- Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.
- ‘By using this site, you accept cookies’ messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept or reject cookies. This means:
- It must be as easy to withdraw consent as it is to give it. If organisations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first.
- Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
Achieving compliance
Soft opt-in consent is probably the best consent model, according to Cookie Law: “This means giving an opportunity to act before cookies are set on a first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.”
If you’re figuring out how your organisation can achieve compliance with the GDPR, you might want to consider enrolling on our Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course.
This course helps you gain a practical understanding of the tools and methods for implementing and managing an effective compliance framework. It focuses on how the data protection principles work in practice and the policies and procedures you need to put in place. It also offers practical guidance on how to implement an effective privacy and information security compliance programme.
Luke thanks for the concise/valuable information, as meeting GDPR compliance before 25 May 2018 is crucial.
Hi,
Nice article. Now we have different cookies:
1 – To track user authentication when user login to a web application
2 – Cookies for analytics e.g. Google Analytics, Facebook etc.
3 – Cookies set when you fill forms e.g. contact us etc.
In case of 1 I believe mentioning in the privacy policy would be sufficient as without registration such cookies can’t be stored.
For 2 such cookies are set automatically as user lands on any website, do we need a consent? I doubt because cookies from different analytical service anonymously track users and hence this can’t be used to identify a user – nevertheless should be explained in the privacy policy
In case of 3, this is similar like 1 and if user unsubscribe this cookie ‘must’ be removed.
In case of all of above I believe a separate popup for implicit consent that this site uses cookies is not required or is it still a must?
Hi Wahaj,
Users can be identified in all three of these scenarios, so you need to establish a lawful basis for collecting data. But remember, this doesn’t have to mean consent. There are five other bases.
Hi Luke
Can you explain the difference between soft opt-in consent and ‘By using this site, you accept cookies’ messages please? If you do not give consent then it will result in not being able to use the website so it amounts to the same thing doesn’t it?
Hi Clare,
Good question! There is a very subtle difference between the two. Messages that say ‘By using this site, you accept cookies’ imply that cookies will start being collected as soon as you visit the site. In other words, the user has their information collected before they’ve had a chance to consent.
A soft opt-in message will say “Our site uses cookies.”, but it won’t start collecting cookies until the user clicks ‘okay’ or navigates to another page on the site. This way, the user can choose to leave the page without any cookies having been collected or click on the message to customise their cookie preferences.