The GDPR and Cookies

With the General Data Protection Requirements (GDPR) coming into force on 25th May 2018 the way organisations use and consent to cookies may need to change. Currently most websites use a soft opt in approach to notify the user that the site is using cookies. Few websites currently offer any method to opt out.

Hold on... What are Cookies?

Cookies are small text files that are stored on your device to hold information about you in relation to a particular website. For example you may set your location on a website that provides a weather forecast, when you next visit the website the cookie will be used to identify your chosen location from your last visit to the website. Cookies can also be used to track from one site to another, such as personalising display advertising with a product you’ve recently viewed on a retail website.

So what's changing in May?

Under the GDPR any cookie that is used to uniquely attribute a piece of information to a device even without identifying them is considered personal data. Therefore the GDPR rules on consent apply.

Current Examples (Less than 5 months before GDPR is enforced)

BBC

The BBC gives clear cookie information at the top of the page, with the option to acknowledge the notice, change your settings, or find out more. If you proceed to another page on the site without acknowledging the message, the cookies message doesn't show again nor does it show during your next session on the website. It would appear that this method of consent (or lack of) is not GDPR compliant.

The BBC puts it’s cookies into three groups, strictly necessary, functional and performance cookies.

Strictly necessary – these cannot be turned off and are required in order for the website to function. e.g. signing in, remember security settings etc.

Functional – these can be turned off although they help personalise the website, e.g. remember your location, font size, new visitor message etc.

Performance – these can be turned off although they help the BBC understand how visitors use the site to help improve it e.g. Google Analytics, Google DoubleClick, Optimizely etc.

European Commission (Only the data protection section)

 

Although the EC starts using cookies automatically the user is forced to accept or refuse. The cookies message does not disappear after a certain number of page views or after a session.

If you refuse cookies, some cookies do remain, presumably these are necessary in order to carry out the functions of the website.

When trying to view certain parts of the website which require additional cookies e.g. a YouTube video the following message is displayed. If you click “accept”, the video is displayed and cookies are turned on throughout the website.

After you accept cookies it is difficult to opt out. The EC cookies page suggests you visit aboutcookies.org to manually control cookies yourself. This goes against Article 7(3) on consent:

“The data subject shall have the right to withdraw his or her consent at any time. …. It shall be as easy to withdraw as to give consent.”

Information Commissioner’s Office (ICO)

 

The ICO begins using cookies as soon as you enter the site. You are met with the above pop-up which allows you to turn cookies on and off. The message remains until you, click “I’m fine with this” or close the window.

 

To disable cookies you must click on the “Information and Settings” link, where you can then turn cookies off. Once you have disabled cookies it is not possible to opt out (although under the GDPR this will need to change, see below).

What do I need to do to make my website compliant?

It’s likely that most websites will be able to apply legitimate interests for the majority of cookies on their website, even when it comes to first party web analytics such as Google Analytics. In which case an opt-out method may need to be added to the cookie message and other suitable place, such as the footer, in order for the user to opt out of non-necessary cookies.

The main issue will be for websites that share third party cookies, particularly for targeted online marketing, as its unlikely legitimate interests could be applied, therefore clear consent (such as ticking a box) may be required before these cookies are activated.