The European Union General Data Protection Regulation (GDPR) went into effect in May 2018. Its rules are not all straightforward, however, especially with regard to cookies.
If your website reaches visitors in the EU, you are required to implement a GDPR-compliant cookie policy.
Implementing a GDPR-Compliant Cookie Policy
To create a GDPR-compliant cookie policy, it’s important to understand some basics.
What are Cookies?
A cookie is a small piece of data that a website stores in the user’s browser and that the browser sends back with later requests to that site. It is data, not code. For example, when Facebook signs you in automatically, a cookie holding a session identifier (not your password) lets the server recognise the browser as already logged in.
Cookies are important for providing a good user experience online. They help websites and web apps recognise returning users, remember their preferences and keep them logged in.
When you visit a website, the server can include a Set-Cookie header in its response. The browser stores the cookie and returns it in a Cookie header on subsequent requests to the domain that set it. Each site receives only its own cookies, so a cookie is not a running record of every site you have visited. The stored value is usually an opaque identifier, such as a session ID; login state, preferences and browsing history on that site are kept on the server and looked up by that identifier. The name “cookies.txt” refers to the file some browsers use to store cookies, not to a message the server sends.
Types of Cookies
Cookies are usually classified along two axes: lifespan and domain.
i) Lifespan Cookies
The time a cookie remains in your browser is its lifespan. Session cookies have no Expires or Max-Age attribute and are discarded when the browser is closed.
Persistent cookies, on the other hand, carry an Expires or Max-Age attribute and stay in the browser until that time passes or the user deletes them. The information in these cookies is preserved even after the browser is closed.
ii) Domain Cookies
The domain axis concerns which site a cookie belongs to, and therefore where the browser sends it. Under this axis, cookies are either first-party or third-party.
A first-party cookie is set by the site shown in the address bar and is sent back only to that site. A third-party cookie is set by a different domain whose content the page loads, such as an advert, a tracking pixel or an embedded widget. If you run advertisements on your website, the advertiser’s domain sets its own cookies in your visitors’ browsers and collects their data.
The problem with third-party cookies is that visitors often don’t realise that the same advertising domain is embedded on many sites, so their activity across those sites can be linked into one profile and used to target advertisements based on their past behaviour.
If you have ever visited a website and then started seeing that website’s ads after logging into Facebook, third-party cookies (or an equivalent tracking mechanism) made this possible.
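The two axes above can be read straight from a Set-Cookie header: the Expires and Max-Age attributes give the lifespan, and the Domain attribute (or, if absent, the responding host) compared with the page’s own domain gives the party. The following JavaScript is an added example, not code from the original article; it embeds a tiny Set-Cookie parser and a two-label registrable-domain heuristic, both assumptions for illustration, and audits a constructed set of headers for a page on www.example.com that embeds an ad script from ads.tracker-example.net.

```javascript
// Added example: classify Set-Cookie headers by lifespan and party.
// Assumptions (not from the article): the parser below handles the common
// attribute syntax only, and registrableDomain() keeps the last two labels,
// which is wrong for multi-part public suffixes such as co.uk. Use a
// public-suffix list in production.

function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {}, // attribute names lower-cased; flag attributes map to true
  };
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const k = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[k] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return cookie;
}

function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, '').split('.');
  return labels.slice(-2).join('.');
}

function lifespan(cookie, now = new Date()) {
  // Max-Age takes precedence over Expires (RFC 6265, section 5.3).
  if ('max-age' in cookie.attrs) {
    const secs = Number(cookie.attrs['max-age']);
    return secs <= 0 ? { kind: 'expired' } : { kind: 'persistent', seconds: secs };
  }
  if ('expires' in cookie.attrs) {
    const secs = Math.round((new Date(cookie.attrs.expires) - now) / 1000);
    return secs <= 0 ? { kind: 'expired' } : { kind: 'persistent', seconds: secs };
  }
  return { kind: 'session' }; // no expiry attribute: discarded on browser close
}

function party(cookie, responseHost, pageHost) {
  // Without a Domain attribute the cookie is scoped to the responding host.
  const scope = cookie.attrs.domain ? String(cookie.attrs.domain) : responseHost;
  return registrableDomain(scope) === registrableDomain(pageHost)
    ? 'first-party'
    : 'third-party';
}

function classify(header, responseHost, pageHost, now) {
  const c = parseSetCookie(header);
  return {
    name: c.name,
    lifespan: lifespan(c, now),
    party: party(c, responseHost, pageHost),
    secure: c.attrs.secure === true,
    httpOnly: c.attrs.httponly === true,
  };
}

// Constructed sample (made up for this example): [responding host, header].
const PAGE_HOST = 'www.example.com';
const SAMPLE = [
  ['www.example.com', 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['www.example.com', 'prefs=dark; Max-Age=31536000; Path=/'],
  ['ads.tracker-example.net',
   'uid=9f2c; Domain=.tracker-example.net; Expires=Fri, 01 Jan 2027 00:00:00 GMT'],
];

// Fixed "now" so the persistent lifespans are reproducible.
function auditSample(now = new Date('2025-01-01T00:00:00Z')) {
  return SAMPLE.map(([host, hdr]) => classify(hdr, host, PAGE_HOST, now));
}

console.log(JSON.stringify(auditSample(), null, 2));
```

In the sample, the login cookie is a first-party session cookie, the preference cookie is first-party but persistent for a year, and the advertiser’s cookie is a persistent third-party cookie; the last two are the ones a cookie policy must disclose and, as the consent section below explains, gate on consent.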
GDPR Cookie Guidelines
GDPR does not regulate cookies by name in its articles. However, Recital 30 lists cookie identifiers among the online identifiers that, combined with other information, can be used to identify a natural person, which brings such cookies within the definition of personal data in Article 4(1).
Because cookie identifiers count as personal data, website, application and device owners must be transparent with visitors about what data they collect, how much of it, and how it is used. Recital 39 sets out this transparency principle: data subjects should be told that processing is taking place and for what purposes, in clear and plain language.
ePrivacy Directive “Cookie Law” Update
The EU ePrivacy Directive (2002/58/EC), also known as the EU cookie directive, is a 2002 legal framework for privacy in electronic communications. Its 2009 amendment added the rule that storing information on a user’s device, including cookies, requires the user’s informed consent unless the cookie is strictly necessary for a service the user has requested. This is what produced the cookie banners seen across EU websites.
The GDPR did not replace the ePrivacy Directive. The Directive remains in force alongside it, and the GDPR’s stricter definition of consent (Article 4(11): freely given, specific, informed and unambiguous) now applies to cookie consent under the Directive.
A proposed ePrivacy Regulation that would replace the Directive is still being negotiated. One of its main highlights is the requirement for publishers to use plain language to inform users about the information they collect and how it can be used.
How to Obtain Cookie Consent on Your Website
Your website cookie consent should distinguish two groups of cookies:
i) Business Enablement
These are cookies that enable the service the visitor has asked for, such as:
- Keeping a user logged in, or retaining information the user has entered in a form
- Processing payments
- Saving a user’s shopping cart items
- Ensuring the website works properly (for example, load balancing or security tokens)
- General website administration
ii) Streamlined Experience
Other cookies are not needed to deliver the service but make the visit smoother or serve the publisher’s own purposes. Under the ePrivacy Directive these are not exempt from consent, so they may only be set after the visitor has agreed. They are used to:
- Collect marketing information
- Remember a visitor’s preferences over website appearance
- Remember the browser so that the website can display in the most appropriate format
- Remember that a user has consented to be served with cookies
- Remember visitors when they come back to your website
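The practical consequence of the two groups above is that a consent banner is not enough on its own: the code that sets cookies has to check the recorded choice before setting anything outside the necessary group, and has to clean up when consent is withdrawn. The following JavaScript is an added example, not code from the original article. The category table and the in-memory Map standing in for the browser’s cookie store are assumptions for illustration; in a real page the store would be document.cookie or the Cookie Store API, and the category table would be your cookie inventory.

```javascript
// Added example: consent-gated cookie writes.
// Assumptions (not from the article): COOKIE_CATEGORY is a hypothetical
// inventory mapping each cookie name to its purpose, and createCookieStore()
// returns a Map standing in for the browser's cookie jar.

const COOKIE_CATEGORY = {
  sessionid: 'necessary',   // keeps the user logged in
  cart: 'necessary',        // shopping-cart contents
  csrftoken: 'necessary',   // request-forgery protection
  consent: 'necessary',     // the record of the consent choice itself
  theme: 'preferences',     // site appearance
  _ga: 'analytics',         // usage statistics
  ad_id: 'marketing',       // advertising identifier
};

function createCookieStore() {
  return new Map();
}

// Returns the consented categories; 'necessary' is always allowed.
function readConsent(store) {
  const raw = store.get('consent');
  if (!raw) return { necessary: true };
  try {
    return { necessary: true, ...JSON.parse(raw) };
  } catch {
    return { necessary: true }; // corrupt record: treat as no consent given
  }
}

// Persists only the optional categories; there is nothing to consent to for
// necessary cookies, so that flag is never stored.
function recordConsent(store, choices) {
  const { necessary, ...optional } = choices;
  store.set('consent', JSON.stringify(optional));
}

function setCookie(store, name, value) {
  const category = COOKIE_CATEGORY[name];
  // An unclassified cookie is a policy gap: refuse rather than guess.
  if (!category) throw new Error(`unclassified cookie "${name}": add it to the inventory`);
  if (category !== 'necessary' && !readConsent(store)[category]) {
    return { set: false, reason: `no consent for ${category}` };
  }
  store.set(name, value);
  return { set: true };
}

// Withdrawing consent must be as easy as giving it: update the record and
// delete cookies already set under that category.
function withdrawConsent(store, category) {
  const current = readConsent(store);
  delete current[category];
  recordConsent(store, current);
  for (const name of [...store.keys()]) {
    if (COOKIE_CATEGORY[name] === category) store.delete(name);
  }
}

// Constructed walk-through of one visit.
function demo() {
  const store = createCookieStore();
  const log = [];
  log.push(setCookie(store, 'sessionid', 'abc123')); // allowed: necessary
  log.push(setCookie(store, '_ga', 'GA1.2.1'));       // refused: no consent yet
  recordConsent(store, { analytics: true });          // visitor accepts analytics only
  log.push(setCookie(store, '_ga', 'GA1.2.1'));       // now allowed
  log.push(setCookie(store, 'ad_id', '42'));          // still refused: marketing
  withdrawConsent(store, 'analytics');                // _ga is removed again
  return { log, remaining: [...store.keys()] };
}

console.log(JSON.stringify(demo(), null, 2));
```

Because setCookie throws on a name missing from the inventory, adding a new cookie to the site forces someone to decide which group it belongs to, which is exactly the decision the cookie policy has to document.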
To reduce the complexity of EU GDPR compliance, you can use regulatory compliance software to manage your documentation, including the cookie inventory and consent records. Such software acts as a single source of truth for document management, letting you see your current risk exposure and prioritise compliance tasks.