GDPR and Cookies Consent

A cookie (also called web cookie, Internet cookie, browser cookie) is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser when the user is visiting the website.

GDPR did put the spotlight on cookies as they were typically saving bits of personal data upon visiting a website without your knowledge. You can compare public internet websites with public areas in the real world really. How would you feel if in the real world someone would start harvesting personal details about you without any notice or you being aware?

Cookies: GDPR and Personal Data

Cookies were designed for websites to remember information the user previously entered on the website e.g. names, addresses, credit-card numbers etc. They also remember if you are logging in, or recording settings and preferences you have on the site. Cookies that contain personal data should be encrypted to prevent hackers to read the information within or even gain access (with the user’s credentials) to the website to which the cookie belongs. So do confirm with your software vendor and IT support teams what type of cookies your website or internet software sets and if content is encrypted.

A special category of cookies are the tracking cookies which are commonly used as ways to compile long-term records of individuals’ browsing history. Given this practice very clearly consists of the collection of personal data it is in scope of GDPR. GDPR insists all personal data collection to be minimal and substantiated i.e have legal basis. Given its often questionable motives with no real link to the service the customer is after, one is left with asking the user nicely if he or she wants to be subjected to it in other words asking consent.

GDPR and Cookies Consent Tips:

There are many different little popup / banner tools that one can add to one’s website with an aim to comply with GDPR consent requires.
Many of these banners are not compliant with the consent rules outlined below, so be careful when selecting a banner.

  • No data collection can occur prior to the consent being given
  • Consent must be granular. Users must be able to activate some cookies rather than others and not be forced to consent to either all or none.
  • Consent must be freely given, users can not be forced to accept. On the cookie banner, make sure checkboxes for anything else than the essential cookies are left unchecked. Denying access to users that do not accept tracking cookies has already been penalised by the privacy authorities.
  • Consent must be as easily withdrawn as they are given. On the cookie banner make sure it is as easy to accept as to reject. If your cookie banner has an easy accept-all button, then make sure the reject-all button is also present. Users should be able to change their minds, so make sure users can come back to your cookie settings banner.
  • Consent must be well informed by provide clear, concise and understandable information to the user. Make sure your cookie banner does not use any ‘dark patterns’ to try and trick users e.g. making the accept-all button green and the reject-all button red.

Feel free to check our GDPR Questions and Answers section for further GDPR related information.