Cookie consent and GDPR compliance

GDPR legislation mentions cookies in only a single instance throughout the 88 pages of its documentation, but that doesn’t mean they’re not incredibly important.

In fact, cookies are the cornerstone of how our data is collected and managed. It’s essential that businesses understand what they are, how they function, and the consequences of not delivering an appropriate cookie consent opt-in for their users.

What are cookies?

Cookies are tiny text files placed in your web browser as you look at websites. They have a variety of uses and in themselves aren’t at all harmful. So, what’s the problem? And why does every website you visit have a cookie banner pride of place as the first thing you see?

Well, cookies store all kinds of data, which can be used to identify users without their consent, giving away private information that they’d prefer stayed private.

GDPR, the ePrivacy Directive (known as ‘cookie law’), and the European Data Protection Board (EDPB) dictate the practices every website must implement if they, at any time, will place cookies in a browser that gather the data of a European citizen.

Types of cookies

Based on duration

Based on provenance

Based on purpose

What is personal data?

For example: Names and surnames, home addresses, personal email addresses, identification numbers, location data, IP addresses, cookie IDs, mobile phone identifiers, and medical IDs.

For example: Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic data, biometric data, health and sex-life information, and sexual orientation.

Why do we need to provide cookie consent?

GDPR states:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

In simpler terms, it means that any data gathered that could be used to determine who we are should only be collected if we say that it’s okay to do so. Given that cookies collect precisely those types of data, and that it’s considered our right to keep that information private, the websites must ask our permission before any such gathering or utilization can happen.

What is the cookie policy?

Your cookie policy needs to tell your users which cookies are active on your website and how they’re used. It details the information you track, why you track it, and where in the world it’s sent.

It will also contain the instructions your users need to opt in, opt out, change their minds at any point, and update their cookie settings accordingly. Legally, you must have a cookie policy if you’re to comply with GDPR and CCPA legislation.

What does your cookie policy need to include?

  1. The types of cookie you use.
  2. How long they stay in your browser.
  3. The data they track and the categories of personal information they store.
  4. The purpose of the cookie.
  5. Where the data is sent, and who it’s shared with.
  6. Instructions for changing those settings and rejecting cookies.

These are the determining factors behind the cookie notice examples you see each day. Your policy may be linked from a banner or integrated into the cookie pop-up you need to respond to before accessing your desired pages.

Do I need a cookie policy on my website?

It would be incredibly unlikely that a website wouldn’t need a cookie policy. Very few websites function without any essential cookies being placed, and for those cookies to be able to do their job, they need the user’s consent almost all of the time. And as we said earlier, it’s a legal requirement under GDPR and CCPA, so if you think you can get away without one, think again.

There are still a few incredibly simple websites that don’t use cookies, and even then, it’s rarely worth the risk of skipping a cookie consent banner or an alternative opt-in option, given how simple they are to add to most systems. You can’t be sure when you’ll implement a function that requires user consent, or add a third-party application that drops cookies you didn’t know about.

The best way to understand what level of cookie control you need, and how to protect yourself while gathering such data, is to use a tool that determines which cookies are in use on your website. With all the relevant information at your fingertips, and a system that manages it for you and integrates the results directly into your policy, you’ll never miss an instance that may leave you vulnerable.

How to deliver a website cookie notice

GDPR states that each website must adhere to the following requirements.

  1. Consent must be provided before any cookies are installed and activated, apart from whitelisted, necessary cookies.
  2. Users must be able to decide which cookies they activate and which they don’t. It must be more than a simple ‘all or none’ option.
  3. Consent must be freely obtained and given.
  4. A user should be able to withdraw their choices just as easily as they opted into them.
  5. All consent must be stored as legal documentation.
  6. Consent shouldn’t be open-ended; renewal should be obtained each year or at shorter intervals where appropriate.
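The six requirements above map directly onto a small piece of client-side logic. The following is an added example, not PrivacyRun’s code or any vendor’s SDK: a minimal consent gate that refuses to set non-necessary cookies until the user opts in per category, keeps the timestamped record as evidence, expires it after a year, and makes withdrawal a single call. The `Map`-backed storage and the injectable clock are assumptions so the code runs outside a browser.

```javascript
// Added example, not PrivacyRun's code: a minimal consent gate that follows the
// six requirements listed above. Storage is a plain Map so it runs outside a
// browser; a real site would back it with a first-party cookie or localStorage.
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // requirement 6: renew yearly
const OPTIONAL_CATEGORIES = ['preferences', 'statistics', 'marketing'];

function createConsentManager(storage = new Map(), now = () => Date.now()) {
  // Returns the stored consent record, or null if none exists or it has expired.
  function currentRecord() {
    const raw = storage.get('consent');
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return now() - rec.grantedAt > CONSENT_MAX_AGE_MS ? null : rec;
  }
  // Requirement 1: only necessary cookies are allowed before an explicit opt-in.
  function isAllowed(category) {
    if (category === 'necessary') return true;
    const rec = currentRecord();
    return rec !== null && rec.choices[category] === true;
  }
  // Requirements 2 and 3: the user chooses per category, and anything not set
  // to exactly true stays off (no pre-ticked boxes, no "all or none").
  // Requirement 5: the record is stored with a timestamp and policy version.
  function grant(choices, policyVersion = 'unversioned') {
    const accepted = {};
    for (const c of OPTIONAL_CATEGORIES) accepted[c] = choices[c] === true;
    const rec = { choices: accepted, grantedAt: now(), policyVersion };
    storage.set('consent', JSON.stringify(rec));
    return rec;
  }
  // Requirement 4: withdrawing consent is one call, as easy as granting it.
  function withdraw() {
    storage.delete('consent');
  }
  // Single choke point for anything that would write a cookie: returns false
  // instead of writing when the cookie's category has not been consented to.
  function setCookie(jar, name, value, category) {
    if (!isAllowed(category)) return false;
    jar.set(name, value);
    return true;
  }
  return { isAllowed, grant, withdraw, setCookie, currentRecord };
}
```

Route every script or tag that drops a cookie through `setCookie` (or check `isAllowed` before loading it) so the gate, not the individual script, decides whether the cookie is placed.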

You will have seen myriad ways of acquiring consent during the numerous times each day you click ‘accept’ to dismiss the occasionally annoying cookie banners at the top or bottom of each page.

How you choose to present yours is down to the system you use to track and activate each of the cookies on your website and integrate them into your banner, pop-up, or policy.

What happens if you don’t comply with GDPR?

The first consequence of GDPR non-compliance is that your users’ data and privacy are left open to violation and harvesting by data collectors. The second, and of far more concern to website operators, is the hefty fines and penalties delivered under GDPR.

GDPR has the power to deliver fines of up to 4% of an organization’s global turnover, or a flat fine of €20 million—whichever is higher.

If you think that such fines don’t happen in the real world and are merely empty threats to keep the powers that be in line, don’t be so quick to judge.

Whether or not you operate at a scale that would merit such monumental figures, the fines associated with an operation of your size are often enough to damage your budget and the health of your business significantly. Nobody should be running that type of risk.

Wrapping things up…

Complying with legislation is a must if you want to protect yourself from potentially crippling fines and penalties.

PrivacyRun delivers an efficient and cost-effective solution that your business needs to keep your website data and cookie control in order.

Our package complies with all GDPR and CCPA legislation. Talk to one of our team about cookie consent examples if you’d like to dig a little deeper. It’s the complete package every data controller needs to continue trading with confidence, providing peace of mind for all partners—earning them a trouble-free night’s sleep, every night.