Cookies are mentioned only once in the EU General Data Protection Regulation (GDPR), but the repercussions are significant for any organisation that uses them to track users’ browsing activity.
GDPR mainly applies where the data being processed is personal data. So the first question to ask is this:
Do I use the cookies on my website to process personal data?
The answer to this question will vary depending on the nature and purpose of the cookie. For example, Google Analytics’ terms of service forbid you from tracking personal data. If someone came to you and asked you to provide them with the personal data you have gathered on them from Google Analytics, this should not be possible because (unless you’ve done something unusual that breaches Google’s terms of service) the data stored in Google Analytics is anonymous.
That said, GDPR arguably does apply to the collecting of IP addresses even if these are only accessible by Google employees and not you. So for a thorough approach, you should check you have followed Google’s guidance on IP address anonymisation.
However, there may be some situations other than Google Analytics where you are tracking personal data with cookies, such as checking someone’s identity to see whether they are logged in or not. In these circumstances, GDPR will almost certainly apply.
PECR and cookie consent?
‘So what gave rise to all the cookie popups?’ you may be asking. The answer to that is PECR – the Privacy and Electronic Communications Regulations. This is the piece of legislation that covers cookies, whether or not they are involved in processing personal data.
When PECR applies to cookies you are using on your website, the basic rules, as summarised by the ICO, are that you must:
tell people the cookies are there;
explain what the cookies are doing and why; and
get the person’s consent to store a cookie on their device.
Items one and two are fairly straightforward, but item three (consent) is trickier.
What does consent look like?
Not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR and PECR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.
To become compliant, organisations will need to either stop collecting the offending cookies or find a lawful ground to collect and process that data. Most organisations rely on consent (either implied or opt-out), but the GDPR’s strengthened requirements mean it will be much harder to obtain valid consent. The consequences of this were discussed during the 2016 Data Protection Compliance Conference, and the findings were described by Cookie Law:
- Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.
- ‘By using this site, you accept cookies’ messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept or reject cookies. This means:
- It must be as easy to withdraw consent as it is to give it. If organisations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first.
- Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
Soft opt-in consent is probably the best consent model, according to Cookie Law: “This means giving an opportunity to a visitor to act before cookies are set on a first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.”
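The rules above translate into a small amount of front-end logic: nothing non-essential is set until an explicit action, a missing record is treated as no consent, and rejecting or withdrawing uses the same one-step path as accepting and removes cookies already set. The following is an added example, not code from the original post or from any consent vendor; the storage adapter, cookie names and `ConsentGate` API are constructed for illustration (a browser build would wrap `document.cookie` or `localStorage` behind the same four methods).

```javascript
const CONSENT_KEY = "cookie_consent"; // the consent record itself (essential)

// Constructed storage adapter so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get(k) { return this.map.has(k) ? this.map.get(k) : null; }
  set(k, v) { this.map.set(k, v); }
  remove(k) { this.map.delete(k); }
}

class ConsentGate {
  // `setters` maps each non-essential cookie name to the function that sets it
  // (e.g. the analytics loader). None of them runs until grant() is called.
  constructor(storage, setters) {
    this.storage = storage;
    this.setters = setters;
  }
  // No record means no consent: merely visiting the site is not an affirmative action.
  status() {
    const v = this.storage.get(CONSENT_KEY);
    return v === "granted" || v === "rejected" ? v : "undecided";
  }
  // Wire this to the explicit "Accept" click or a preferences toggle, nothing else.
  grant() {
    this.storage.set(CONSENT_KEY, "granted");
    for (const [name, set] of Object.entries(this.setters)) {
      if (this.storage.get(name) === null) set(this.storage);
    }
  }
  // Reject and withdraw share one path, so withdrawing is as easy as consenting;
  // cookies set under an earlier consent are removed, not merely stopped.
  reject() {
    this.storage.set(CONSENT_KEY, "rejected");
    for (const name of Object.keys(this.setters)) this.storage.remove(name);
  }
  // Names of gate-controlled cookies currently present on the device.
  trackedCookies() {
    return Object.keys(this.setters).filter((n) => this.storage.get(n) !== null);
  }
}

// Constructed walk-through: first visit, opt-in, then a change of mind.
function demo() {
  const gate = new ConsentGate(new MemoryStorage(), {
    _ga: (s) => s.set("_ga", "GA1.2.example"), // constructed analytics cookie
  });
  const before = { status: gate.status(), cookies: gate.trackedCookies() };
  gate.grant();
  const after = { status: gate.status(), cookies: gate.trackedCookies() };
  gate.reject();
  const withdrawn = { status: gate.status(), cookies: gate.trackedCookies() };
  return { before, after, withdrawn };
}
```

The opt-out requirement is met by exposing `grant()` and `reject()` from a preferences menu the user can return to at any time, not only from the first-visit banner.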