If you’re a rookie when it comes to cookies, look no further. This two-part blog aims to explain what they are, and why we’re hearing so much about them these days. We’ll give a rundown of cookie requirements, consent, and what organisations must do to make sure their cookies comply with the EU GDPR (and why that matters).
What are cookies?
Cookies are small pieces of text that a website or app asks your browser to store on your device; the browser keeps them and sends them back with every later request to the same site. Many cookies serve essential functions, such as keeping you logged in or remembering what is in your basket. Others give businesses insight into how users behave on their site, and some are set by advertisers to track a person’s activity across many sites so they can be shown highly targeted ads.
What laws should I be aware of?
Cookies store a variety of data, some of which constitutes personal data. This brings them within the scope of the EU General Data Protection Regulation (GDPR). Recital 30 of the GDPR explains that a person may be associated with the online identifiers their devices, applications and protocols provide, such as IP addresses, cookie identifiers and RFID tags.
The consent requirement for cookies themselves comes from the ePrivacy Directive (Article 5(3)), as transposed into each member state’s national law: storing or reading anything on a user’s device requires the user’s consent unless an exemption applies. The GDPR then defines what counts as valid consent. Although the GDPR allows personal data to be processed on other legal bases, such as legitimate interest, that does not remove the ePrivacy consent requirement. Because non-essential cookies enable tracking of users on an organisation’s website or app, they require freely given, specific, informed and unambiguous consent from the user.
How can my organisation be cookie compliant?
Consent is a key requirement of cookie compliance. The EDPB Guidelines 05/2020 on consent set out what valid consent is and the requirements organisations must meet to obtain it. For consent to be valid under Article 4(11) of the GDPR, it must be:
- Freely given
- Specific
- Informed
- Unambiguous (a clear, affirmative action by the user)
If you’ve ever wondered why websites present you with cookie banners, it’s because they need to obtain your consent. For an organisation’s cookie banner to be compliant it must be interactive, clear and free of pre-ticked opt-in boxes. Under the EDPB guidance, a website may not set any cookie that processes personal data until the user has given clear and affirmative consent to it.
It is also worth noting that consent must be given per purpose. There are two exemptions from the consent requirement. The first covers strictly necessary cookies: those the website genuinely needs in order to provide a service the user has explicitly requested, such as a session cookie that keeps you logged in or a cookie that remembers your consent choices. The second is the communication exemption, which applies only to cookies whose sole purpose is carrying out the transmission of a communication over a network, for example to identify the endpoints of the communication or to detect transmission errors and data loss.
What does a compliant cookie banner look like?
Data controller requirements you need to know
Data controllers must give users accurate and specific information about what data each cookie collects and explain its purpose in plain language before consent is obtained. They must also:
- Document and store the consent received from users, including when it was given and which version of the notice the user saw
- Allow users to access the service even if they refuse some or all non-essential cookies (scrolling and continued browsing do not constitute consent)
- Make it as easy for users to withdraw consent as it was to give it
- Obtain consent for each purpose for which cookies are set (this does not mean consent for each individual cookie, only for each purpose the cookies serve)
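The requirements above translate fairly directly into code. The following is an added example, not code from the original post or from any consent management product: a small in-memory model of per-purpose consent gating. It refuses to set a cookie for a purpose the user has not opted into, starts with nothing pre-ticked, records when and under which notice version consent was given, and removes a purpose’s cookies on withdrawal. The purpose names, the `POLICY_VERSION` identifier and the `cookie_consent` cookie name are assumptions for illustration; the `jar` Map stands in for the browser cookie store so the code also runs in Node.

```javascript
// Added example (not from the original post): per-purpose cookie consent gating.
// `jar` is a Map standing in for the browser's cookie store so the logic runs in
// Node as well as in a page; in a real site setCookie/deleteCookiesForPurpose
// would wrap document.cookie. Purpose names and POLICY_VERSION are assumed.

const PURPOSES = ["necessary", "analytics", "advertising"];
const POLICY_VERSION = "2022-10";        // assumed: identifies the notice text shown
const CONSENT_COOKIE = "cookie_consent"; // assumed name; the record itself is necessary

function createJar() {
  return new Map(); // cookie name -> { value, purpose }
}

// A fresh record grants nothing but the strictly necessary category. Other
// purposes are simply absent: there are no pre-ticked defaults, and only an
// explicit grantConsent() call (a user's affirmative action) turns one on.
function createConsentRecord(now = Date.now()) {
  return { version: POLICY_VERSION, updatedAt: now, decisions: { necessary: true } };
}

function hasConsent(record, purpose) {
  if (purpose === "necessary") return true;    // strictly necessary exemption
  return record.decisions[purpose] === true;   // anything else counts as "no"
}

// Gate: refuse to set a cookie for a purpose the user has not opted into.
function setCookie(jar, record, name, value, purpose) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  if (!hasConsent(record, purpose)) return false;
  jar.set(name, { value, purpose });
  return true;
}

function deleteCookiesForPurpose(jar, purpose) {
  let removed = 0;
  for (const [name, cookie] of jar) {
    if (cookie.purpose === purpose) {
      jar.delete(name);
      removed++;
    }
  }
  return removed;
}

// Persist the record so the choice survives reloads. It is stored under the
// "necessary" purpose because the site cannot honour the choice without it.
function persistConsent(jar, record) {
  return setCookie(jar, record, CONSENT_COOKIE, JSON.stringify(record), "necessary");
}

function grantConsent(jar, record, purpose, now = Date.now()) {
  if (purpose === "necessary" || !PURPOSES.includes(purpose)) {
    throw new Error(`cannot grant consent for purpose: ${purpose}`);
  }
  record.decisions[purpose] = true;
  record.updatedAt = now; // part of the audit trail: when consent was given
  persistConsent(jar, record);
  return record;
}

// Withdrawal must be as easy as granting: flip the decision, drop the cookies
// that were set under that purpose, and re-persist the record.
function withdrawConsent(jar, record, purpose, now = Date.now()) {
  if (purpose === "necessary" || !PURPOSES.includes(purpose)) {
    throw new Error(`cannot withdraw consent for purpose: ${purpose}`);
  }
  record.decisions[purpose] = false;
  record.updatedAt = now;
  const removed = deleteCookiesForPurpose(jar, purpose);
  persistConsent(jar, record);
  return removed;
}

// On a later visit, reload the record. A missing record, or one given under an
// older notice version, means the banner has to be shown again.
function loadConsent(jar, now = Date.now()) {
  const stored = jar.get(CONSENT_COOKIE);
  if (!stored) return { record: createConsentRecord(now), needsBanner: true };
  const record = JSON.parse(stored.value);
  return { record, needsBanner: record.version !== POLICY_VERSION };
}
```

Two caveats when moving this into a real page: a first-party script can only expire cookies it controls, so withdrawing consent for advertising also means not loading the third-party scripts that set those cookies, and deleting a cookie via `document.cookie` requires the same path and domain it was set with. Bumping `POLICY_VERSION` whenever the notice text changes is what forces a fresh consent rather than relying on a stale one.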
Crumbs of evidence: cookie compliance cases reach verdicts
Cookie compliance has come under increasing scrutiny in recent months. The French data protection authority (CNIL) fined Google €150 million and Facebook €60 million, €210 million in total, for cookie violations under the French law that transposes the ePrivacy Directive, finding that refusing cookies was made considerably harder than accepting them.
The recent cases involving Google Analytics also turned on analytics cookies and IP addresses. They matter because they reinforced that cookies can contain personal data capable of identifying a data subject, and therefore need additional protection.
The privacy advocacy group None of Your Business (NOYB) filed 101 near-identical complaints with data protection authorities across the 30 EU/EEA states about various companies’ use of Google Analytics. The complaints asked whether transferring EU personal data to Google in the U.S. through these cookies is permitted under the GDPR following the Schrems II judgment of the Court of Justice of the European Union. In response, the Austrian and French DPAs ruled that transferring EU personal data to the U.S. through the Google Analytics cookie was unlawful. Italy’s supervisory authority followed France and Austria by banning the use of Google Analytics in a recent case, and in September Denmark’s data protection authority, Datatilsynet, found that Google Analytics is not compliant with the GDPR.
Cookie consistency on the way?
EU countries are arriving at different rules on cookies, so the EDPB has set up a working group in response to calls for a consistent interpretation of cookie consent. It will publish further guidance, but that could take months.
With the rise in fines and the emphasis on large organisations complying with consent requirements and EU legislation, an updated cookie law may follow. In the meantime, you can take the following steps to improve your organisation’s cookie compliance:
- Perform regular cookie scans so that the cookies actually set match the ones your notice describes
- Keep cookie banners and notices compliant with the latest advice from regulators
- Use a consent management platform (CMP) to collect, store and honour consent
- Review new vendors and the cookies they set through the CMP before they go live
- Monitor future changes in legislation and guidance
In part two of this blog, we’ll look at what a court case in Belgium might mean for cookie banners, changes to the cookie consent framework, the question of third-party cookies, and the privacy implications of what could be coming next.