The European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25. When it does, business on the internet will change profoundly. That’s because the GDPR will have a reach that extends well beyond Europe. The internet has made commerce truly global, and any business with European clientele must be compliant with the GDPR. We’ve been spending a lot of time on GDPR compliance here at Hashed Out. After all, data security is kind of our thing. Today let’s talk about how the GDPR will affect the common practice of using cookies.
What is a Cookie?
What does the GDPR say about cookies?
The General Data Protection Regulation only mentions cookies one time. It’s in Recital 30:
(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Despite the lack of total mentions in the document, we can gather quite a bit of information about how we need to handle cookies from this recital and other guidance with relation to the handling of personal information.
Any cookies that contain personal identifying information need to be regarded as personal data. Some may be tempted to argue that cookies don’t contain enough personal data to successfully identify an individual (despite the fact that many contain names, IP addresses and other information), but Recital 26 of the GDPR offers a bit more insight, stating that data that can reasonably be used, alone or in conjunction with other data, to identify an individual should be considered personal data.
Even the use of pseudonymization, which is commonplace, doesn’t change the designation.
Granted, almost any compliance expert will tell you that a lot of the GDPR is written vaguely and will need to be litigated. And that’s 100% accurate. But err on the side of caution until the courts can provide more clarity. Considering the penalties associated with the GDPR, playing loose with the new regulation could be expensive. Or worse.
So, for all intents and purposes, consider cookies to be personal data.
Tracking Cookies require consent under the GDPR
Before we go any further, it’s worth pointing out that cookies that aren’t “strictly necessary” already require consent under many legal frameworks across the world. This isn’t starting with the GDPR. And there are some additional legal bases for some kinds of cookies. Article 6 provides six bases, some of which don’t apply:
- It’s necessary to perform a contract
- It’s necessary to comply with a legal obligation
- It’s necessary to protect someone’s vital interests (protect their life)
- You’re performing a task carried out in the public interest
- It’s necessary for the purpose of legitimate interests of the controller
Your best bets are 1 and 6, though it depends on the kind of cookie you’re using and what you’re processing data for. Any cookie that tracks a user requires express consent from the data subject.
That being said, the GDPR has its own unique definition for consent. This is provided in Recital 32.
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Consent should cover all processing activities carried out for the same purpose or purposes.
When the processing has multiple purposes, consent should be given for all of them.
If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Interpreting that, you need to have tracking cookies disabled when someone lands on your website for the first time. Consent is the only legal basis for using these kinds of cookies under the GDPR right now. People must clearly opt in to the practice, as opposed to in the past where you could just take a person not opting out to be a signal of consent.
Frankly, if your website is using cookies for different purposes, you’re supposed to collect consent for each separate purpose. Article 7(3) also states that individuals should have the right to withdraw consent and that doing so should be as simple and straightforward as giving it was.
How to handle consent with Cookies
Once again, you need to have tracking cookies disabled when visitors arrive at your site for the first time. Asking for consent doesn’t have to be difficult though. It can be done with a well-designed privacy notice. We have an entire article devoted to writing GDPR privacy notices, but here’s the most relevant advice.
Your Cookie-related privacy notice needs to contain the following:
- Information on what data you’ll be collecting with the cookie
- Information on what that data will be used for
- An opt-in button that allows the user to consent
- A link to a dedicated privacy page with more information
Remember, you’re not trying to scare your customers to death, you’re just providing a friendly heads up that you would like to improve their experience by using cookies.
But remember, the consent has to be explicit. Without it you cannot proceed.
A few final words on cookies and the GDPR
But again, this is down the road. Until the courts can begin to clarify some of the GDPR, we suggest (over and over) that you err on the side of caution.