GDPR and Cookies Consent
A cookie (also called web cookie, Internet cookie, browser cookie) is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser when the user is visiting the website.
GDPR put the spotlight on cookies because they typically stored bits of personal data the moment you visited a website, without your knowledge. Public internet websites can be compared with public areas in the real world: how would you feel if someone started harvesting personal details about you in the street without any notice and without you being aware of it?
Cookies: GDPR and Personal Data
Cookies were designed so that websites can remember information the user previously entered on the site, e.g. names, addresses or credit-card numbers. They also remember whether you are already logged in, and record the settings and preferences you have chosen for the site. Cookies that contain personal data or session identifiers should be encrypted (or better, hold only an opaque reference to data kept server-side) to prevent attackers from reading the information, or from using the stolen cookie to gain access to the website under the user’s credentials. So do confirm with your software vendor and IT support teams which cookies your website or internet software sets, what they contain and whether that content is encrypted.
A special category of cookies is the tracking cookie, commonly used to compile long-term records of an individual’s browsing history. Since this practice very clearly consists of the collection of personal data, it is in scope of GDPR. GDPR requires all personal data collection to be minimal and substantiated, i.e. to have a legal basis. Given the questionable motives for tracking, with no real link to the service the customer is after, the only remaining option is to ask the user nicely whether he or she wants to be subjected to it. In other words, asking for consent is the last resort, not the default.
For most website builders the go-to analytics tool is Google Analytics. This choice is made most likely without considering its privacy implications. Google has been fined multiple times for its analytics tool not meeting the GDPR requirements. Add to that Google’s focus as an internet search and advertising juggernaut to understand people’s every move, desire and motive and you will understand why we would like you to consider more privacy focused alternatives.
Check our knowledge base item on privacy focused alternatives to Google Analytics that can run without cookies and cookie banners.
GDPR and Cookies Consent Tips
There are many different little popup / banner tools that one can add to one’s website with the aim of complying with the GDPR consent requirements. We like the guys at cookiefirst.com as they are European based and fairly priced, but as said there are many others.
Many of these banners are not compliant with the consent rules outlined below, so be careful when selecting a banner.
- No data collection can occur prior to the consent being given
- Consent must be granular. Users must be able to activate some cookies rather than others and not be forced to consent to either all or none.
- Consent must be freely given; users cannot be forced to accept. On the cookie banner, make sure the checkboxes for anything other than the essential cookies are left unchecked. Denying access to users who do not accept tracking cookies has already been penalised by the privacy authorities.
- Consent must be as easy to withdraw as it is to give. On the cookie banner, make sure it is as easy to reject as to accept: if your banner has an accept-all button, make sure a reject-all button is present as well. Users should be able to change their minds, so make sure they can come back to your cookie settings banner at any time.
- Consent must be well informed: provide clear, concise and understandable information to the user. Make sure your cookie banner does not use any ‘dark patterns’ to try to trick users, e.g. making the accept-all button green and the reject-all button red.
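To make the rules above concrete, here is an added example (not code from this site or from any banner product) of a small consent-state model a website could put in front of its tag loading: nothing optional loads before an explicit decision, each category is chosen separately and is off by default, accept-all and reject-all are one call each, and consent can be withdrawn. The category names and the sample script list are assumptions made for the demonstration.

```javascript
// Assumed categories; "essential" is the only one that needs no consent.
const CATEGORIES = ["essential", "analytics", "marketing"];

// Initial state: no decision recorded yet and no optional category enabled
// (nothing is pre-ticked, nothing non-essential may run).
function defaultConsent() {
  return { decided: false, analytics: false, marketing: false };
}

// The two bulk actions are symmetric: rejecting is exactly as easy as accepting.
function acceptAll(state) {
  return { ...state, decided: true, analytics: true, marketing: true };
}
function rejectAll(state) {
  return { ...state, decided: true, analytics: false, marketing: false };
}

// Granular choice: the user enables or disables one optional category.
function setCategory(state, category, allowed) {
  if (category === "essential" || !CATEGORIES.includes(category)) {
    throw new Error("unknown or non-optional category: " + category);
  }
  return { ...state, decided: true, [category]: Boolean(allowed) };
}

// Withdrawal returns to the initial state, so gated scripts stop loading.
function withdrawConsent() {
  return defaultConsent();
}

// Gate for any script or cookie-setting code: essential always runs; anything
// else runs only after an explicit, affirmative decision for its category.
function mayLoad(state, category) {
  if (category === "essential") return true;
  return state.decided === true && state[category] === true;
}

// Constructed sample tag list for the demonstration (placeholder URLs).
const SAMPLE_SCRIPTS = [
  { src: "/js/session.js", category: "essential" },
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Return only the script sources the current decision permits.
function scriptsToLoad(state, scripts) {
  return scripts.filter((s) => mayLoad(state, s.category)).map((s) => s.src);
}

// Persist the decision (e.g. in a first-party cookie or localStorage) with a
// timestamp, so the site can tell when the choice was made and re-ask later.
function serialize(state, now = Date.now()) {
  return JSON.stringify({ ...state, recordedAt: now });
}
```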
Feel free to check our GDPR Questions and Answers section for further GDPR related information.