Don’t Get Caught with Your Hand in the GDPR Cookie Jar

by | 19.Apr.18

Everyone’s talking about GDPR and opt-in for communications, but don’t forget about the implications for cookies!

If you’ve already read the first two posts in this series, it’s likely that your forms and consents are regulation-ready and you have a clear understanding of who is covered by GDPR in your database. GDPR prep doesn’t stop there. In the final part of this series we’ll examine cookies and their role in this regulation.

Quick reminder: My background is in digital marketing, not law. The tips and advice you read in this post should be taken as just that. If you’re looking for directives on ensuring that your company is GDPR compliant, consult legal counsel.

What is a cookie anyway?

A web cookie is not a physical object but a small packet of information that a website sends to your computer and that your browser stores. A cookie is stored as a key-value pair (for example, one recording that a visitor has logged into a website) together with five (5) attributes: domain, expiration, max-age, path and secure.

The website sets this packet of information, and your browser sends it back with each later request so the site can track your visits and activity. Cookies are used for all sorts of tasks, from basic engagement tracking to enhancing your website’s functionality, such as web personalization or shopping carts. Your website may even have several cookies that are essential to keeping your site and processes running seamlessly.

There are several different types of cookies and they each support different functionality. You need to understand these differences to stay compliant with GDPR:

Session Based Cookies

Cookies that are maintained only during a specific visit to a website or domain. Once you exit the browser or leave that site, the session cookie is deleted. These are typically used by online retail sites to maintain your shopping cart.

Permanent Cookies

Cookies that the browser stores so that the information is preserved even after you close it or navigate to other sites. These cookies are mainly used to remember login credentials. By law they must expire within 6 months.

In standard cookie functionality there are a few different parties involved. The first party is you, the visitor; the second party is the website you are visiting; and third-party cookies are those set under a domain different from the one shown in the address bar.

Third Party Cookies

Cookies that are not directly related to the website domain you are currently visiting. As the name implies, they are set by other platforms that gather information on your overall browsing activity. These tools, such as DoubleClick, Twitter and other advertising platforms, look for behavioral and demographic data that allow their customers to better target audiences.

Super Cookies

These types of cookies are set at the top-level domain or public suffix, such as .com. They are not tied to the website you are visiting, nor are they directly seen or controlled through the browser. A key example of this is the Adobe Flash plug-in that almost all browsers use, which has the ability to collect and store information.
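To turn the cookie types above into the inventory a cookie policy needs, here is an added example (not code from the original post) that parses Set-Cookie headers and classifies each cookie as session or permanent, first- or third-party, and whether it outlives the 6-month limit the post mentions. The sample headers are constructed; `pageHost` is the site in the address bar and `responseHost` is the host whose HTTP response carried the header.

```javascript
// Added example: classify cookies from Set-Cookie headers for a cookie inventory.
// Inputs are constructed; nothing here is taken from a real site.
const SIX_MONTHS_S = 182 * 24 * 3600; // the maximum lifetime the post states

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const p of rest) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim(); // bare flag => true
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1), attrs };
}

// Lifetime in seconds; Max-Age beats Expires (RFC 6265). null = session cookie.
function lifetimeSeconds(attrs, nowMs) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]);
  if (attrs.expires !== undefined) return Math.round((Date.parse(attrs.expires) - nowMs) / 1000);
  return null;
}

function classifyCookie(header, responseHost, pageHost, nowMs = Date.now()) {
  const c = parseSetCookie(header);
  // Without a Domain attribute the cookie belongs to the host that set it.
  const domain = String(c.attrs.domain || responseHost).replace(/^\./, "").toLowerCase();
  const host = pageHost.toLowerCase();
  const firstParty = host === domain || host.endsWith("." + domain);
  const life = lifetimeSeconds(c.attrs, nowMs);
  return {
    name: c.name,
    party: firstParty ? "first" : "third",
    lifetime: life === null ? "session" : "permanent",
    exceedsSixMonths: life !== null && life > SIX_MONTHS_S,
    secure: c.attrs.secure === true,
  };
}

// Constructed sample: three headers a page on shop.example.com might receive.
const PAGE_HOST = "shop.example.com";
const SAMPLE = [
  ["cart=abc123; Path=/; Secure; HttpOnly", "shop.example.com"],
  ["login=tok; Domain=.example.com; Max-Age=15552000; Secure", "shop.example.com"],
  ["ad_id=xyz; Domain=.ads.example.net; Max-Age=63072000", "ads.example.net"],
];
function inventory(samples = SAMPLE, pageHost = PAGE_HOST, nowMs = Date.now()) {
  return samples.map(([header, from]) => classifyCookie(header, from, pageHost, nowMs));
}
```

Running `inventory()` gives one record per cookie; the third-party advertising cookie with a two-year Max-Age is the kind of entry that must be documented in the policy and gated behind consent.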

Why do cookies matter to GDPR?

GDPR is centered around the protection of personal data and consent to collect, use and communicate that data. Cookies are a web browser’s way of collecting and communicating visitor information.

There has been an EU cookie law in place since 2002 that ensures the transparency of data collection by websites. GDPR has more specific language and consent obligations, as well as an expanded scope covering how visitors select cookies. The previous law required the website to provide clear and comprehensive information on the cookies it uses, and consent had to be given before those cookies were actively used. The updated law adds the visitor’s ability to select which types of cookies are allowed to collect their information, and implied consent is no longer allowed under GDPR.

In the past, websites relied on implied consent: a simple banner that appeared on the first visit to the site, plus a cookie policy or information about cookies within the privacy policy. Under GDPR a company needs an explicit opt-in, an action such as clicking a button or filling out a form. Visitors need to be able to choose whether to be tracked or not; if there is no choice, there is no consent. This creates the need for a Cookie Preference Center and changes both how a company gets consent and what it needs consent for.

What is needed for cookie consent?

Clear Definition

Ensure you provide clear direction and definition on how visitors’ data is used and shared via cookies.

Action Required

An affirmative action is needed by the visitor to permit tracking and cookie use that collects personal data. The action must be taken to “okay” the usage and enablement of specific cookies. There are a few different ways to gain this consent, whether it is a checkbox, choosing your settings in something like a preference center, or a simple button. As always with consent, you should have a documented audit trail to prove when the action occurred, in case the visitor later deletes the cookie. This consent should be kept within your database for historical reference and updated if the visitor chooses to change their preferences. This means cookies that track personal info should be turned off by default, and if no action is taken on the opt-in, they should remain off.

Ability to Opt-Out

There must be a way for visitors to say “no”, or to update their preferences at a later date and opt out of cookies. When that happens, a company must disable all cookies that were opted out of and ensure it is no longer tracking or storing data with them.
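The "Action Required" and "Ability to Opt-Out" requirements above come down to a small piece of state logic. This added example (not code from the original post or any vendor) shows it for a preference center with assumed categories `necessary` (always on), `analytics` and `marketing`: optional categories stay off until the visitor acts, every choice produces a timestamped audit record for your database, and an opt-out reports which categories' cookies must now be deleted. The `cookie_consent` cookie name and the `document.cookie`-style input are assumptions.

```javascript
// Added example: consent-state logic behind a cookie preference center.
// Categories, cookie name and storage format are assumptions for illustration.
// Optional categories default to OFF; a deleted or corrupted consent cookie
// reads as "no consent", so tracking never turns itself back on.
const OPTIONAL = ["analytics", "marketing"];
const RETENTION_S = 182 * 24 * 3600; // ~6 months, the lifetime the post gives

function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, consentedAt: null };
}

// Read the state from a document.cookie-style string. A missing or corrupted
// consent cookie means "no consent", never "consent".
function loadConsent(cookieString) {
  const m = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieString || "");
  if (!m) return defaultConsent();
  try {
    return { ...defaultConsent(), ...JSON.parse(decodeURIComponent(m[1])), necessary: true };
  } catch (e) {
    return defaultConsent();
  }
}

// Apply an explicit choice: only categories ticked `true` are enabled; anything
// left unticked is off. Returns the new state, revoked categories and an audit entry.
function applyChoice(previous, choices, visitorId, now = new Date()) {
  const next = defaultConsent();
  for (const c of OPTIONAL) next[c] = choices[c] === true;
  next.consentedAt = now.toISOString();
  const revoked = OPTIONAL.filter((c) => previous[c] === true && !next[c]);
  const audit = { visitorId, at: next.consentedAt, choices: { ...next }, revoked };
  return { next, revoked, audit };
}

// Gate for a tag or script: it may run only if its category is consented.
function mayRun(state, category) {
  return category === "necessary" || state[category] === true;
}

// First-party cookie carrying the state (Set-Cookie header value).
function consentCookie(state) {
  const v = encodeURIComponent(JSON.stringify(state));
  return `cookie_consent=${v}; Path=/; Max-Age=${RETENTION_S}; Secure; SameSite=Lax`;
}
```

In a real deployment the `audit` object is what you persist server-side, and the `revoked` list is what drives deleting the corresponding cookies and stopping the tags that set them.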

Cookie Policy

Similar to a privacy policy, you are now required to create a cookie policy that documents the different cookies on your website and how they share visitors’ data. This should be written clearly for any visitor to understand.

A great example of this cookie preference center and consent request is MailChimp. The first time you visit the site you will see:

How to implement a Cookie Preference Center?

Even if your company mainly does business in the US, GDPR still requires you to have some sort of opt-in process for cookies for anyone visiting the site from the EU. Depending on your business, however, you could implement a snippet of code that shows the banner only to those visiting from the protected countries. This would prevent the majority of your visitors from being interrupted, yet keep your company and website compliant with GDPR.

If you have a web development team or partner to build a sophisticated cookie preference center, by all means, go for it! If you do not have the resources to build a feature like this, there are several technology companies that can help implement a seamless experience for your visitors. DemandLab has been researching OneTrust, Cookiebot, TrustArc, Civic UK, and Cloudflare as vendors to help with privacy management, and all of these companies have products and services that help organize and maintain cookie compliance.

There are a lot of moving parts to a cookie preference center, so you want to make sure you have the right team around you so that all the boxes are checked, the functionality is correct and your site is fully compliant with GDPR.

Reach out for more information today!
