From time to time, we get questions from customers about the usage of cookies and cookie-compliance tools. This article contains a summary of the laws covering cookies in the European Union and some of the tools you should use to make sure you are GDPR-compliant.
What are cookies
According to Wikipedia, a cookie is "a small piece of data stored on the user's computer by the web browser while browsing a website". They are harmless and serve vital functions for a website. Often they are used to collect and hold user information but cannot follow you across different devices.
Due to the quantity of data a cookie may contain, including your personal information, a website's cookies usage is often subject to the rules and regulations within the GDPR.
The ePrivacy Directive and the GDPR
Cookies are subject to the GDPR and the ePrivacy Directive (EPD), amended in 2009. The EPD was supposed to be replaced by the ePrivacy Regulation (EPR) in 2018, but that never happened.
The General Data Protection Regulation (GDPR) is the most widespread data protection legislation passed by any governing body. However, throughout its' 88 pages, it only mentions cookies directly once, in Recital 30.
Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers, or other identifiers such as radio frequency identification tags. This may leave traces that, particularly when combined with unique identifiers and additional information received by the servers, may be used to create profiles of the natural persons and identify them.
When using cookies to identify visitors, it qualifies as collecting personal data and is, therefore, a matter of GDPR. What does it mean to you? You have the right to process and store visitors' data, as long as they give their consent or if you claim to have a legitimate interest.
Consider the following to comply with the regulations governing cookies under the GDPR and the ePrivacy Directive:
You must receive users' consent before you use any cookies except strictly necessary cookies.
You must provide accurate and specific information about each cookie's data and its purpose in plain language before permission to track is received.
You must document and store consent received from users.
Allow users to access your service even if they refuse to allow the use of certain cookies.
And it would help if you made it as easy for users to withdraw their consent as it was for them to give it in the first place.
A cookie summary
GDPR compliant tools
Cookiebot is a GDPR and ePrivacy compliant cookie and online tracking solution. Cookiebot is leading in Travel & Tourism, Heavy Industry & Engineering, and Home & Garden. It is easy to use and a simple UI for administrating your cookie consent settings. It is a bit limited regarding styling your cookie banner or pop-up. Cookiebot offers both free and paid options.
Fully automatic core functions: cookie consent, cookie monitoring and cookie control. Cookiebot enables true compliance with privacy legislations through respectful and transparent data exchange, based on consent between end-users and the websites they visit.
OneTrust is a more robust GDPR, Privacy Management Software, and Cookie consent service with many features, yet easy to use. It has better usage coverage in more websites categories – including Computers Electronics & Technology, Business & Consumer Services, Finance, Science & Education, and 17 other categories. OneTrust offers both free and paid options too.
Scan your website for cookies, create customised cookie banners, enable preference centers and auto-generate consent records to demonstrate compliance over time.
Quantcast is a cloud-based GDPR compliance management platform that helps publishers, marketers, agencies, and consultancies manage content publishing and advertising of relevant data. It is part of a more extensive audience intelligence and measurement tool and a bit tricky to administrate. Quantcast Choice is provided for free.
Build privacy into every product, feature, and decision that we make around data. Individuals can easily access information about Quantcast's data practices, including what data we collect, what we use it for and with whom we share it."
I hope this article gave you some guidance of the laws covering cookies in the European Union and inspired you in some of the tools you should use to make sure you are GDPR-compliant.
Get in touch with me or one of my colleagues if you have any questions.