Cookies are mentioned only once in the GDPR (General Data Protection Regulation), but the repercussions are significant for any organisation that uses them to track users’ browsing activity. Recital 30 of the GDPR states:
Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […].
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
In short: when cookies can identify an individual via their device, it is considered personal data.
This supports Recital 26, which states that any data that can be used to identify an individual either directly or indirectly (whether on its own or in conjunction with other information) is personal data.
What it means
Not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.
To become compliant, organisations must identify a lawful basis to process that data.
Prior to the GDPR, many organisations relied on consent, but the strict rules for obtaining and maintaining consent mean that it should only be used where no other lawful basis applies.
A significant repercussion of that is that organisations can no longer simply tell website visitors that ‘by using this site, you accept cookies’.
If there is no genuine and free choice, then there is no valid consent. Simply visiting a site doesn’t count as consent, and you must make it possible to both accept or reject cookies.
Likewise, it must be as easy to withdraw consent as it is to give it. If organisations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first.
Websites must also provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
Achieving compliance
In most cases, organisations can obtain consent for cookies by using soft opt-in consent. This means giving individuals an opportunity to act before cookies are turned on.
For many websites, that has meant a splash page that contains information about the cookies they collect. Individuals must interact with the notice before they view any content on the site.
However, organisations need to be careful when using soft opt-in consent. Last year, Max Schrems’ privacy group, NOYB, began a campaign targeting organisations that make it difficult for people to opt out of tracking cookies.
The group launched 422 formal complaints, claiming that the organisations in question were violating the GDPR.
The problem, says Schrems, is that organisations are creating elaborate cookie banners to increase the chances of users giving their consent. This risks a GDPR breach and could result in a significant fine.
NOYB said that in its first batch of complaints, 81% of organisations gave users no option to reject the use of cookies. If users didn’t want cookies to be tracked, they had to navigate to a page that isn’t linked in the cookie warning.
Meanwhile, 73% of sites used “deceptive colours and contrasts” that encourage users to click “accept”, and 90% provided no easy way for users to withdraw consent.
Schrems said: “Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles.”
He added: “They often deliberately make the designs of privacy settings a nightmare, but at the same time blame the GDPR for it.”
The so-called ‘cookie wall’ blocks users’ access until they consent to the site’s tracking activities. Although users still have a choice – of sorts – in either agreeing to the site’s terms or going elsewhere, it’s not true consent under the GDPR’s rules.
The EDPB (European Data Protection Board) has since acknowledged the flaws in the enforcement of cookie banner laws.
It has set up a taskforce to coordinate the response to complaints concerning cookie banners, and has updated its guidelines on how to create a compliant banner.
That means that many organisations might be under the mistaken belief that their practices are GDPR compliant because they have yet to be fined. However, the increase in enforcement means that fewer organisations will now get away with non-compliant practices.
Are you sure your policies are GDPR-compliant?
The cookie wall issue is an example of how hard it can be to interpret the GDPR’s requirements. Their complexity will inevitably have organisations looking for compliance shortcuts, but if you’re not careful, you could get caught out.
You can find more advice on creating effective GDPR processes with our GDPR Toolkit.

Designed and developed by GDPR experts, the toolkit contains a complete set of template documents to demonstrate your compliance practices.
It’s ideal for anyone who wants help completing their documentation requirements quickly and easily – but it’s more than simply a set of templates. It also includes:
- Gap analysis and DPIA tools that help you identify compliance weaknesses and how to address them;
- Two licences for the GDPR Staff Awareness E-learning Course; and
- Guidance documents covering data subject consent forms, data retention records, and pseudonymisation, minimisation and encryption.
A version of this blog was originally published on 15 September 2017.
Luke, thanks for the concise/valuable information, as meeting GDPR compliance before 25 May 2018 is crucial.
Hi,
Nice article. Now we have different cookies:
1 – To track user authentication when user login to a web application
2 – Cookies for analytics e.g. Google Analytics, Facebook etc.
3 – Cookies set when you fill forms e.g. contact us etc.
In case of 1 I believe mentioning in the privacy policy would be sufficient as without registration such cookies can’t be stored.
For 2, such cookies are set automatically as the user lands on any website, so do we need consent? I doubt it, because cookies from different analytical services anonymously track users and hence this can’t be used to identify a user – nevertheless it should be explained in the privacy policy.
In case of 3, this is similar to 1, and if a user unsubscribes this cookie ‘must’ be removed.
In case of all of above I believe a separate popup for implicit consent that this site uses cookies is not required or is it still a must?
Hi Wahaj,
Users can be identified in all three of these scenarios, so you need to establish a lawful basis for collecting data. But remember, this doesn’t have to mean consent. There are five other bases.
The moment you interact with a website, even to see the privacy policy itself or to be shown a consent dialogue, indeed even if you request a non-existent page, the server itself will log your IP address – this is built into all servers. It is used for simple traffic analysis, to ban certain rogue IPs and to identify issues with the server and attempts to break in to the server – without it we are saying to any hacker “please go ahead and attack my machine, I am not watching” …
Hi Luke
Can you explain the difference between soft opt-in consent and ‘By using this site, you accept cookies’ messages please? If you do not give consent then it will result in not being able to use the website so it amounts to the same thing doesn’t it?
Hi Clare,
Good question! There is a very subtle difference between the two. Messages that say ‘By using this site, you accept cookies’ imply that cookies will start being collected as soon as you visit the site. In other words, the user has their information collected before they’ve had a chance to consent.
A soft opt-in message will say “Our site uses cookies.”, but it won’t start collecting cookies until the user clicks ‘okay’ or navigates to another page on the site. This way, the user can choose to leave the page without any cookies having been collected or click on the message to customise their cookie preferences.
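The soft opt-in Luke describes here, together with the article’s points that rejecting and withdrawing must be as easy as accepting, as an added JavaScript example (not code from the original post or from IT Governance): the tracker is loaded only after an explicit accept, never on mere navigation, and `storage`, `loadAnalytics` and `clearAnalyticsCookies` are hypothetical injected hooks so the gate runs offline.

```javascript
const CONSENT_KEY = "cookie_consent"; // hypothetical name for the stored decision
function createConsentGate({ storage, loadAnalytics, clearAnalyticsCookies }) {
  let loadedThisPage = false;
  const read = () => {
    const raw = storage.getItem(CONSENT_KEY);
    return raw ? JSON.parse(raw) : null; // null = visitor has not decided yet
  };
  const write = (analytics) =>
    storage.setItem(CONSENT_KEY, JSON.stringify({ analytics, at: Date.now() }));
  // The tracker is loaded only when an explicit "accept" is on record, and once.
  const applyDecision = () => {
    const c = read();
    if (c && c.analytics && !loadedThisPage) {
      loadAnalytics();
      loadedThisPage = true;
    }
  };
  return {
    // Run on every page load. Essential session/preference cookies are never gated.
    init() { applyDecision(); return read() === null ? "show-banner" : "hide-banner"; },
    accept() { write(true); applyDecision(); },
    reject() { write(false); },              // as easy as accept: one action
    // Withdrawal records the refusal and removes analytics cookies already set.
    withdraw() { write(false); clearAnalyticsCookies(); },
    status() {
      const c = read();
      return c === null ? "undecided" : c.analytics ? "accepted" : "rejected";
    },
  };
}
// In-memory stand-ins (constructed for the demo) for localStorage and the tracker.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
}
function demo() {
  const calls = { loads: 0, clears: 0 };
  const gate = createConsentGate({
    storage: memoryStorage(),
    loadAnalytics: () => calls.loads++,
    clearAnalyticsCookies: () => calls.clears++,
  });
  const first = gate.init();   // "show-banner"; nothing has been loaded
  gate.reject();
  gate.accept();
  const second = gate.init();  // "hide-banner"; tracker loaded exactly once
  gate.withdraw();
  return { first, second, status: gate.status(), ...calls };
}
```

In a browser, pass `window.localStorage` as `storage` and a function that injects the analytics script tag as `loadAnalytics`.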
Question regarding storing a cookie to allow a user to bypass their login:
Clearly, personal info is being stored in a cookie; however, if this information is only used for login authentication and not used for any other tracking, then will this action still violate GDPR compliance?
The GDPR is just as concerned about organisations storing personal data as it is with how that information is used. So, yes, this information would need to be stored in accordance with the GDPR’s requirements.
This site uses cookies but I don’t see any cookie notice nor link to a Privacy Policy. I may have made an affirmative acceptance in the past but if so I can’t see any method to revoke should I wish.
Hi Nick,
When you click on our site, you will see a notice that says we collect cookies, with a link to our cookie policy. This process isn’t GDPR compliant, but we can assure you that it will be by 25 May 2018.
Hi
Thanks for the article. Serious question: with the internet being an inherently global technology, is the GDPR not too localised a solution? How can non-EU companies be compelled to follow this regulation for which they have no obligation?
I’d really appreciate your comments
Hi Pete,
That’s certainly a legitimate criticism, but the GDPR is a product of the European Union, so its powers are limited to EU-based concerns. No one is suggesting that organisations that “have no obligation” to comply with the GDPR will be forced to do so.
However, there are plenty of non-EU organisations that process EU residents’ personal data – and that does fall within the GDPR’s scope. Such organisations must register with an EU member state of their choosing, which will be responsible for enforcing the Regulation. If they don’t, they run the risk of breaching EU residents’ personal data or having an EU resident exercise one of their rights under the GDPR, and then being “found out”.
I know a lot of non-tech-savvy people who get confused by cookie policies, believing all cookies are bad due to the methods some websites use to present their cookie notice (or hide it!), which is far from the truth. Cookies which are not involved with personal data (or that could be used to get it) are allowed without consent, so it seems to me that one option would be to use a mix of implied and explicit consent to cover all cookies used by a given website. So for example, the cookie notification request advises the visitor that by using the site, they accept the essential basic cookies (such as session cookies or simple preference cookies or cache information cookies that don’t contain or pass on personally identifiable data), which is the implied consent, but separately requests explicit consent for tracking or analytics cookies, which do not load unless the customer has selected “accept”. If the customer ignores the message or clicks on “decline” then the analytics/tracking cookies do not load. The website visitor is then aware of the required cookies. What are your thoughts on this method of handling the cookie requirements?
Who requires you to show this cookie notice? Why is there no cookie notice on your site?
Hi Ray,
We do have a cookie notice: https://www.itgovernance.eu/cookie-policy.
Hi, I have a question regarding the duration cookies can be stored on a user’s browser? Apparently the GDPR will allow a maximum of 13 months. Is it something that Facebook or other advertising platforms are updating? Or is it something we will need to update manually?
Thank you in advance!
Best regards
Hi Olivier,
It’s the organisation’s duty to comply with the GDPR. However, cookies — being personal data — are subject to the same data subject rights. That means you could request that they be erased.
Great article. Our business primarily runs on digital marketing which includes remarketing and retargeting and it’s in multiple markets (EU included). Because of this law, now, we are unable to get any data to analyse or optimise. It’s quite ridiculous.
That was a really great guide! You’ve done a great job at expressing each point clearly. I’m a website owner and most of my customers are from Europe. So, this really helps me a lot! Thanks again