Don’t Get Caught with Your Hand in the GDPR Cookie Jar
Everyone’s talking about GDPR and opt-in for communications, but don’t forget about the implications for cookies!
If you’ve already read the first two posts in this series, it’s likely that your forms and consents are regulation-ready and you have a clear understanding of who is covered by GDPR in your database. GDPR prep doesn’t stop there. In the final part of this
Quick reminder: My background is in digital marketing, not law. The tips and advice you read in this post should be taken as just that. If you’re looking for directives on ensuring that your company is GDPR compliant, consult legal counsel.
What is a cookie anyway?
A web cookie is not a physical object but a small packet of information that a website sends to your computer and that your browser stores. A cookie is stored as a key-value pair, such as one that tracks and records a visitor logging into a website, along with five (5) attributes: domain, expiration, max-age, path, and secure.
A website sets this packet of information, and your browser sends it back on each later request so the site can track your visits and activity. Cookies are used for all sorts of tasks, from basic engagement tracking to enhancing your website’s functionality, such as web personalization or shopping carts. Your website may even have several cookies that are essential to keeping your site and its processes running seamlessly.
There are several different types of cookies and they each support different functionality. You need to understand these differences to stay compliant with GDPR:
Session Based Cookies
Cookies that are maintained only during a specific visit to a website or domain. Once you exit the browser or leave that site, the session cookie is deleted. These are typically used by online retail sites to maintain your shopping cart.
Persistent Cookies
Cookies stored by the browser so that the information is preserved even after you close it or navigate to other sites. These cookies are mainly used to remember login credentials. They must have a mandatory expiration of 6 months by law.
In standard cookie functionality, there are a few different parties involved. The first party is you, the visitor; the second party involved
Third Party Cookies
Cookies that are not directly related to the website domain you are currently visiting. As the name implies, they are set by other platforms that gather information on your overall browser activity. Platforms such as DoubleClick, Twitter, and other advertising networks look for behavioral and demographic data that lets their customers target audiences more precisely.
These types of cookies are set at the top-level domain or public suffix, such as .com. They are not tied to the website you are visiting, nor directly seen or controlled
Why do cookies matter to GDPR?
GDPR is centered on the protection of personal data and on consent to collect, use, and communicate that data. Cookies are a web browser’s way of collecting and communicating visitor information.
There has been an EU cookie law in place since 2002 that ensures transparency about data collection by websites. GDPR uses more specific language and consent obligations, and it expands the scope to cover how visitors select cookies. The previous law required a website to provide clear and comprehensive information on the cookies it uses, and consent had to be given before those cookies were actively used. The updated law adds the visitor’s ability to select which types of cookies may collect their information, and implied consent is no longer allowed under GDPR.
In the past, websites used implied consent by displaying a simple banner that appeared on
What is needed for cookie consent?
Ensure you are providing clear direction and definition on how the visitor’s data is being used and shared via cookies.
An affirmative action is needed from the visitor to permit tracking and any cookie use that collects personal data. The visitor must actively “okay” the usage and enablement of specific cookies. There are a few different ways to gain this consent: a checkbox, a settings page similar to a preference center, or a simple button. Whenever consent is given, you should have a documented audit trail proving when the action occurred, in case the visitor later deletes the cookie. This consent should be kept within your database for historical reference and updated if the visitor changes their preferences. This means cookies that track personal information should be turned off by default and, if no action is taken on the opt-in, should remain off.
Ability to Opt-Out
There must be a way for visitors to say “no,” or to update their preferences at a later date and opt out of cookies. When a visitor opts out, a company must disable all of the cookies they opted out of and ensure it is no longer tracking or storing data with those cookies.
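The consent rules in the two sections above (cookies off by default, an affirmative action before any personal-data cookie is set, a timestamped audit trail, and an opt-out that actually disables the cookies) map onto a small amount of front-end logic. The following is an added example, not code from the original post or from any of the vendors it mentions: a minimal consent manager that also shows the five cookie attributes named earlier (domain, expiration, max-age, path, secure) being serialized. The cookie names, categories, the `example.test` domain and the consent sources are constructed for the example. Cookie strings are returned as plain text so the code runs outside a browser; in a page you would assign each returned string to `document.cookie`.

```javascript
// Added example (not part of the original post). Cookie names, categories and
// the domain below are constructed; adapt them to your own site's cookie inventory.

// Build a cookie string from a name, a value and the attributes named in the post:
// Domain, Expires (expiration), Max-Age, Path and Secure.
function buildCookie(name, value, attrs = {}) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.expires instanceof Date) parts.push(`Expires=${attrs.expires.toUTCString()}`);
  if (Number.isInteger(attrs.maxAge)) parts.push(`Max-Age=${attrs.maxAge}`);
  parts.push(`Path=${attrs.path || "/"}`);
  if (attrs.secure) parts.push("Secure");
  return parts.join("; ");
}

// Expire a cookie: same name, domain and path, with Max-Age=0 and a past Expires.
// The browser only removes a cookie when these three match the original.
function expireCookie(name, attrs = {}) {
  return buildCookie(name, "", { ...attrs, maxAge: 0, expires: new Date(0) });
}

// Constructed cookie inventory: every cookie has a category, and only "essential"
// cookies (e.g. the session cookie holding a shopping cart) may be set without consent.
const COOKIE_REGISTRY = {
  // Session cookie: no Expires/Max-Age, so it is dropped when the browser closes.
  session_id: { category: "essential", attrs: { path: "/", secure: true } },
  remember_me: { category: "functional", attrs: { path: "/", secure: true, maxAge: 60 * 60 * 24 * 30 } },
  analytics_id: { category: "analytics", attrs: { domain: "example.test", path: "/", secure: true, maxAge: 60 * 60 * 24 * 365 } },
};

class ConsentManager {
  // `now` is injectable so the audit trail can be tested deterministically.
  constructor(now = () => new Date()) {
    this.now = now;
    // Default state: until the visitor acts, only essential cookies are allowed.
    this.allowed = new Set(["essential"]);
    this.auditLog = []; // the documented audit trail, to be persisted server-side
  }

  // Record an affirmative choice. `categories` is what the visitor ticked;
  // anything not listed is treated as refused. Returns the audit entry.
  recordChoice(categories, source) {
    const chosen = new Set(["essential", ...categories]);
    const entry = { at: this.now().toISOString(), source, allowed: [...chosen].sort() };
    this.auditLog.push(entry);
    this.allowed = chosen;
    return entry;
  }

  // Opt-out: a later choice that refuses every non-essential category.
  optOutAll(source) {
    return this.recordChoice([], source);
  }

  canSet(name) {
    const def = COOKIE_REGISTRY[name];
    return Boolean(def) && this.allowed.has(def.category);
  }

  // Return the cookie string to write, or null when consent is missing.
  // Callers must treat null as "do not set anything", not as an error to retry.
  setCookie(name, value) {
    if (!this.canSet(name)) return null;
    return buildCookie(name, value, COOKIE_REGISTRY[name].attrs);
  }

  // Cookie strings that expire every registered cookie whose category is no
  // longer allowed; apply these right after an opt-out or a narrowed choice.
  revokedCookies() {
    return Object.entries(COOKIE_REGISTRY)
      .filter(([, def]) => !this.allowed.has(def.category))
      .map(([name, def]) => expireCookie(name, { domain: def.attrs.domain, path: def.attrs.path }));
  }
}

// Walk-through of a constructed visit.
const consent = new ConsentManager();
console.log(consent.setCookie("analytics_id", "abc"));  // null: no consent yet
consent.recordChoice(["analytics"], "banner");
console.log(consent.setCookie("analytics_id", "abc"));  // full cookie string
consent.optOutAll("preference-center");
console.log(consent.revokedCookies());                  // expiry strings to write
```

The design point is that `setCookie` is the only path for writing a non-essential cookie and it fails closed: a missing or revoked consent yields no cookie at all rather than a cookie with tracking switched "off". The audit entries carry the timestamp and the source of the action (banner, preference center), which is what you need to show when consent was given or withdrawn after the visitor's own cookies are long gone.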
A great example of this kind of cookie preference center and consent request is MailChimp’s. The first time you visit the site you will see:
How to implement a Cookie Preference Center?
Even if your company mainly does business in the US, GDPR still requires you to have some sort of opt-in process for cookies for anyone visiting the site from the EU. However, depending on your business, you could implement a snippet of code that only shows the banner to visitors from the protected countries. This would prevent the majority of your visitors from being interrupted, yet keep your company and website compliant with GDPR.
If you have a web development team or partner to build a sophisticated cookie preference center, by all means, go for it! If you do not have the resources to build a feature like this, there are several technology companies that can help implement a seamless experience for your visitors. DemandLab has been researching OneTrust, Cookiebot, TrustArc, Civic UK, and Cloudflare as vendors to help with privacy management, and all of these companies have products and services that help organize and maintain cookie compliance.
There are a lot of moving parts to a cookie preference center, so you want to make sure you have the right team around you so that all the boxes are checked, the functionality is correct, and your site is fully compliant with GDPR.
Reach out for more information today!