Cookies are mentioned only once in the GDPR (General Data Protection Regulation), but the repercussions are significant for any organisation that uses them to track users’ browsing activity. Recital 30 of the GDPR states:
Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […].
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
In short: when cookies can identify an individual via their device, they are considered personal data.
This supports Recital 26, which states that any data that can be used to identify an individual either directly or indirectly (whether on its own or in conjunction with other information) is personal data.
What it means
Not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.
To become compliant, organisations must identify a lawful basis to process that data.
Prior to the GDPR, many organisations relied on consent, but the strict rules for obtaining and maintaining consent mean that it should only be used where no other lawful basis applies.
A significant repercussion of that is that organisations can no longer simply tell website visitors that ‘by using this site, you accept cookies’.
If there is no genuine and free choice, then there is no valid consent. Simply visiting a site doesn’t count as consent, and you must make it possible to both accept or reject cookies.
Likewise, it must be as easy to withdraw consent as it is to give it. If organisations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first.
Websites must also provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
In most cases, organisations can obtain consent for cookies through soft opt-in consent. This means giving individuals an opportunity to act before cookies are turned on.
For many websites, that has meant a splash page that contains information about the cookies they collect. Individuals must interact with the notice before they view any content on the site.
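As an added example (not code from the original post), the following JavaScript models the rules above in a small consent gate: no non-essential cookie is set until the visitor acts, accepting and rejecting are the same single step, and withdrawing is one call that clears everything. The cookie jar, the tag list and the cookie names are constructed stand-ins so the example runs outside a browser.

```javascript
// Hypothetical first-party cookie that records the visitor's choice.
const CONSENT_COOKIE = "consent_state";

// Constructed stand-in for document.cookie so the example runs in Node.
function makeJar() {
  const jar = new Map();
  return {
    set: (name, value) => jar.set(name, value),
    remove: (name) => jar.delete(name),
    names: () => [...jar.keys()].sort(),
  };
}

// Constructed non-essential tags; each records the cookie it would set.
const NON_ESSENTIAL_TAGS = [
  { category: "analytics", cookie: "_ga_example" },
  { category: "advertising", cookie: "ad_id_example" },
];

function createConsentGate(jar) {
  let state = null; // null = visitor has not acted yet, so nothing is set

  // Apply the current choice: set cookies only for consented categories,
  // remove the rest, and persist the choice (or clear it on withdrawal).
  function applyState() {
    for (const tag of NON_ESSENTIAL_TAGS) {
      if (state && state.categories.includes(tag.category)) jar.set(tag.cookie, "1");
      else jar.remove(tag.cookie);
    }
    if (state) jar.set(CONSENT_COOKIE, JSON.stringify(state));
    else jar.remove(CONSENT_COOKIE);
  }

  return {
    // Accept and reject are symmetric: one call each, no hidden settings menu.
    acceptAll: () => { state = { categories: NON_ESSENTIAL_TAGS.map((t) => t.category) }; applyState(); },
    rejectAll: () => { state = { categories: [] }; applyState(); },
    // Granular choice from a settings menu the visitor can return to at any time.
    setCategories: (cats) => { state = { categories: cats }; applyState(); },
    // Withdrawal is as easy as giving consent: one call clears state and cookies.
    withdraw: () => { state = null; applyState(); },
    hasActed: () => state !== null,
    cookies: () => jar.names(),
  };
}
```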
However, organisations need to be careful when using soft opt-in consent. Last year, Max Schrems’ privacy group, NOYB, began a campaign targeting organisations that make it difficult for people to opt out of tracking cookies.
The group launched 422 formal complaints, claiming that the organisations in question were violating the GDPR.
The problem, says Schrems, is that organisations are creating elaborate cookie banners to increase the chances of users giving their consent. This risks a GDPR breach and could result in a significant fine.
Meanwhile, 73% of sites used “deceptive colours and contrasts” that encourage users to click “accept”, and 90% provided no easy way for users to withdraw consent.
Schrems said: “Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles.”
He added: “They often deliberately make the designs of privacy settings a nightmare, but at the same time blame the GDPR for it.”
The so-called ‘cookie wall’ blocks users’ access until they consent to the site’s tracking activities. Although users still have a choice – of sorts – in either agreeing to the site’s terms or going elsewhere, it’s not true consent under the GDPR’s rules.
The EDPB (European Data Protection Board) has since acknowledged the flaws in the enforcement of cookie banner laws.
It has set up a taskforce to coordinate the response to complaints concerning cookie banners, and has updated its guidelines on how to create a compliant banner.
That means that many organisations might be under the mistaken belief that their practices are GDPR compliant because they have yet to be fined. However, the increase in enforcement means that fewer organisations will now get away with non-compliant practices.
Are you sure your policies are GDPR-compliant?
The cookie wall issue is an example of how hard it can be to interpret the GDPR’s requirements. Their complexity will inevitably have organisations looking for compliance shortcuts, but if you’re not careful, you could get caught out.
You can find more advice on creating effective GDPR processes with our GDPR Toolkit.
Designed and developed by GDPR experts, the toolkit contains a complete set of template documents to demonstrate your compliance practices.
It’s ideal for anyone who wants help completing their documentation requirements quickly and easily – but it’s more than simply a set of templates. It also includes:
- Gap analysis and DPIA tools that help you identify compliance weaknesses and how to address them;
- Two licences for the GDPR Staff Awareness E-learning Course; and
- Guidance documents covering data subject consent forms, data retention records, and pseudonymisation, minimisation and encryption.
A version of this blog was originally published on 15 September 2017.