A Recipe for GDPR Cookies Consent on Your Website
When the European Union enacted the General Data Protection Regulation (GDPR), tech companies were not immediately concerned about GDPR cookie consents. After all, in the entire 88-page document, cookies were only mentioned once. Nonetheless, GDPR does cover the use of cookies along with other laws.
More specifically, the EU has an ePrivacy Directive that works together with GDPR to govern the use of cookies, and it goes into greater detail about them. The EU may, in the foreseeable future, enact a new ePrivacy Regulation that explicitly states that a business cannot require the placement of a cookie on an individual’s system where the cookie is not necessary for the operation of the service and the individual has not consented to its use.
How Cookies and Consent Relate to the GDPR
Article 5(3) of the ePrivacy Directive governs the use of cookies, as do the more general GDPR requirements. There is only one specific mention of cookies in the GDPR, stating that cookies can be information tied to an individual. By making it clear that cookie data can be personal data, GDPR underscored the need for websites and the businesses behind them to review their use of cookies.
Most though not all cookies can be used to identify a specific individual. Cookies may store a considerable amount of data specific to an individual, or at the very least, to the users of a specific device. The use of cookies to collect data that can be tied to an individual makes cookie data personal data.
Then consider that information gathered by cookies about a person’s Internet use can be accessed by any number of websites the individual visits. Companies may then use the data to profile the individual and other users. According to GDPR requirements, specifically Article 21, users should have the right to reject automated data processing and its results, particularly when those results are legally binding.
Once you consider all these factors, you may begin to see why GDPR affects the use and management of cookies. You may also understand why so many people view cookies and their use as an invasion of privacy.
The Relationship Between ePrivacy Directive and Cookies
The main thrust of the ePrivacy Directive’s cookie discussion is that companies must receive consent from users to use cookies and similar technologies, such as web beacons. Like the GDPR, the ePrivacy Directive has its own definition of what counts as valid consent: it must be specific, freely given and informed, and it must accurately reflect the individual’s wishes.
The ePrivacy Directive acknowledges that cookies are sometimes an indispensable part of doing business, and so recognizes their use in some scenarios:
When cookies are only for analyzing the effectiveness of website design and advertising
When cookies are used for verifying the identity of users engaged in online transactions
When cookies are necessary for providing “information society services” (online services)
Here are some examples of types of cookies that may fall within one or more of the above uses:
Cookies used for load-balancing
Cookies used to identify authentication abuses
Cookies used to identify font or language preferences
Cookies stored to assist with playing back multimedia content
Cookies used to keep track of user-input when filling out forms
Cookies used to identify or verify a user for the duration of a log-in session
Third-party cookies used for content-sharing for members logged into social networks
How and When Cookies Are Presented to Users
Cookie consent banners have become the commonplace way to alert users to the collection and use of cookies. In the past, users were only asked to click an “OK” box to acknowledge cookie usage. This does not qualify as consent. Users must now be allowed to accept or refuse the use of cookies.
The European Commission provides a JavaScript-based cookie consent kit that, with site-specific configuration, generates the necessary consent box. The kit offers the following features:
Adjustable template for the cookie notice page
Automatically displays the cookie consent banner in 24 languages
A corporate-consent cookie so the website remembers the user’s cookie preference
Prevents cookies from being stored before the user gives explicit consent
A wizard that declares cookies and adds a link to the cookies notice page on your website
Companies are free to create their own alternatives. However, at the bare minimum, any alternative should meet these requirements.
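The minimum the text describes, as an added example and not the Commission kit’s code: a gate that reads a first-party consent cookie, records an explicit accept or refuse, and only runs the code that sets non-essential cookies after acceptance. The cookie name, the `CookieJar` stand-in and the loader callbacks are assumptions; in a real page you would pass `document` in place of the jar.

```javascript
// Constructed stand-in for document.cookie so the gate runs outside a browser;
// in a page, pass the real `document` instead. Assigning "name=value; attrs"
// stores one cookie, reading joins them as "a=1; b=2".
class CookieJar {
  constructor() { this.jar = new Map(); }
  get cookie() { return [...this.jar].map(([k, v]) => `${k}=${v}`).join("; "); }
  set cookie(s) {
    const pair = s.split(";")[0];
    const idx = pair.indexOf("=");
    this.jar.set(pair.slice(0, idx).trim(), pair.slice(idx + 1).trim());
  }
}

const CONSENT_COOKIE = "cookie_consent"; // assumed name, not the EC kit's
const ONE_YEAR = 365 * 24 * 60 * 60;     // Max-Age in seconds

// Parse a document.cookie string ("a=1; b=x%20y") into a name->value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// "accepted", "rejected", or null when the user has made no choice yet.
function readConsent(store) {
  const v = parseCookies(store.cookie)[CONSENT_COOKIE];
  return v === "accepted" || v === "rejected" ? v : null;
}

// Store the user's explicit choice in a first-party cookie. Rejection is
// remembered too, so refusing does not mean seeing the banner on every page.
function recordConsent(store, choice) {
  if (choice !== "accepted" && choice !== "rejected") throw new Error("invalid choice");
  store.cookie = `${CONSENT_COOKIE}=${choice}; Max-Age=${ONE_YEAR}; Path=/; Secure; SameSite=Lax`;
}

// Gate: loaders that would set non-essential cookies (analytics, ads, embeds)
// run only after "accepted". With no choice recorded, nothing is loaded and the
// caller is told to show the accept/refuse banner.
function applyConsent(store, loaders) {
  const consent = readConsent(store);
  const loaded = consent === "accepted" ? loaders.map((load) => load()).length : 0;
  return { consent, showBanner: consent === null, loaded };
}
```

Anything essential for the service (session, load balancing, language preference) stays outside the gated loaders, since the Directive does not require consent for it.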
The Problem With Third-Party Cookies
Businesses that allow third-party cookies to be placed on users’ machines through their websites may face legal risk. The first step toward reducing this risk is to identify whether your website uses third-party cookies. If your website is hosted by a third party, displays ads, embeds external content or uses analytics, it does. Put simply, virtually every website uses third-party cookies.
The main problem with third-party cookies is that you may have no real idea where they come from, where they are set on the website, what they collect and what is done with that information. It is therefore difficult to know whether the third parties behind them are keeping you GDPR compliant.
Businesses should audit their sites to address this risk. They can then make the adjustments necessary to ensure they do not run afoul of cookie legal requirements because of the cookie behavior of third-party companies.