A cookie is a small piece of data created by a web server and placed on a user’s device.
Depending on the purpose of the cookie, it might contain personal data and therefore be subject to the requirements of the GDPR (General Data Protection Regulation).
In this blog, we explain your regulatory requirements and show you how you can achieve GDPR cookie compliance.
What does the GDPR say about cookies?
To understand how cookies overlap with the GDPR, it’s important to explain how they can be considered personal data.
Cookies typically don’t consist of details that you would ordinarily think of as personal data. Most of them don’t contain names or phone numbers, for example. However, it’s worth looking at the GDPR’s definition of personal data, which is explained in Article 4(1). It defines personal information as:
‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’
Some cookies are considered ‘online identifiers’, because they contain information about an individual or the interactions they have with a website. This includes information that’s used to save user preferences, login details or track their behaviour for analytics purposes.
These types of cookies are subject to the GDPR, and organisations must implement appropriate controls to protect that information.
Cookie consent and the GDPR’s lawful bases
There is a longstanding misconception that under the GDPR, organisations need individuals’ consent to process personal data. In fact, organisations can use one of six lawful bases, and ironically, consent is usually the least preferable.
That’s because the GDPR’s rules for obtaining and maintaining consent are stricter than those of its predecessors. For example, organisations can no longer tell website visitors that ‘by using this website, you accept cookies’.
If there is no genuine and free choice, then there is no valid consent. Simply visiting a site doesn’t count as consent, and you must make it possible for visitors to either accept or reject cookies.
Organisations would generally be better off using legitimate interests as their lawful basis. This is the broadest of the GDPR’s grounds for processing, and it applies whenever an organisation uses sensitive information in a way that the data subject would reasonably expect.
‘Interests’ can refer to almost anything here, including an organisation or third party’s commercial interests or wider societal benefits.
What about the PECR?
For UK-based organisations, there is a major caveat when it comes to legitimate interest in the form of the PECR (Privacy and Electronic Communications Regulations).
The PECR cover several areas, including electronic marketing, cookies and the security of public electronic communication services. Their rules sit alongside the UK GDPR (the domestic version of the Regulation that was adopted following Brexit) and take precedence over it.
This is essential, because the PECR require the use of consent much more frequently than the GDPR does.
Like the GDPR, they state that consent must be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement”.
In the next section, we explain how to navigate these regulations simultaneously.
How to stay compliant when processing personal data gained via cookies
The key to GDPR and PECR compliance is to minimise the amount of information that you process and so reduce your risk exposure. As such, you should start by conducting an audit to make sure that you know what each cookie does, whether it’s required and when it’s deployed.
For GDPR compliance, you only need to address cookies that are considered personal data. In other words, only cookies containing information that can be used to identify an individual.
However, the PECR cover all cookies, including information that has been anonymised.
You are also required to inform users of the kinds of cookies you use – or want to use – and the types of data they collect. For example, you may be using the information for marketing, to improve security, to analyse website performance or to tailor the site to the user’s preferences.
You can inform users about the cookies you use with a banner or splash page shown when they visit your website.
Your banner must also highlight non-essential cookies, which will typically be those related to user experience rather than website performance. For example, advertising cookies and cookies that automatically fill in login details are non-essential, as are cookies used for analytics.
The banner must give users the option to tailor their preferences regarding the use of non-essential cookies.
Another important question is whether you’re using session or persistent cookies. Persistent cookies are saved on the user’s computer and remain there even after the browser is closed or the computer is turned off.
By contrast, session cookies are stored temporarily in the browser’s memory and are deleted when the browser is closed. They are often associated with essential site functions, and are therefore exempt from an organisation’s PECR consent requirements.
Organisations must also turn off optional cookie collection by default until the user provides their consent. Likewise, they must give users the option to manage their cookie preferences using a checkbox or slider.
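As an added example (not code from the original post), the following JavaScript shows the default-off gating and the session/persistent distinction described in this section: a constructed cookie inventory of the kind an audit would produce, a consent check that treats anything other than an explicit opt-in as refusal, and Set-Cookie headers where only persistent cookies carry a Max-Age. The cookie names, categories and lifetimes are assumed for illustration.

```javascript
// Added example, not from the original post: a minimal consent gate that
// classifies each cookie from an audit, withholds non-essential cookies until
// the visitor has opted in to that category, and builds the Set-Cookie header
// so that session and persistent cookies differ only in Max-Age.

// Constructed cookie inventory (assumed names and lifetimes). "essential"
// cookies keep the site working and are exempt from consent; all others are
// optional and off by default.
const COOKIE_CATALOG = [
  { name: "sid",         category: "essential",   persistent: false },
  { name: "csrf_token",  category: "essential",   persistent: false },
  { name: "remember_me", category: "functional",  persistent: true, maxAgeDays: 30 },
  { name: "site_stats",  category: "analytics",   persistent: true, maxAgeDays: 365 },
  { name: "ad_id",       category: "advertising", persistent: true, maxAgeDays: 90 },
];

// consent is the record saved after the banner interaction, e.g.
// { analytics: true, advertising: false }. A missing record, a missing
// category or any value other than boolean true means "not consented".
function isAllowed(cookie, consent) {
  if (cookie.category === "essential") return true;
  return Boolean(consent && consent[cookie.category] === true);
}

// Cookies that may be set for this visitor given their consent record.
function permittedCookies(catalog, consent) {
  return catalog.filter((c) => isAllowed(c, consent));
}

// Build one Set-Cookie header value. A session cookie carries no Max-Age or
// Expires, so the browser discards it when closed; a persistent cookie gets
// Max-Age in seconds. Secure and SameSite=Lax are applied to every cookie.
function setCookieHeader(cookie, value) {
  const parts = [`${cookie.name}=${encodeURIComponent(value)}`,
                 "Path=/", "Secure", "SameSite=Lax"];
  if (cookie.persistent) parts.push(`Max-Age=${cookie.maxAgeDays * 86400}`);
  return parts.join("; ");
}

// All Set-Cookie header values to send for a visitor after the gate is applied.
function headersFor(catalog, consent, values) {
  return permittedCookies(catalog, consent)
    .map((c) => setCookieHeader(c, values[c.name] || ""));
}
```

With no consent record the gate yields only the two essential cookies; opting in to analytics adds the persistent analytics cookie and nothing else.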
Implementing an effective cookie compliance process
Organisations can expect a more complex route to cookie compliance than for other aspects of data protection, given that they must deal with both the GDPR and the PECR.
The key to effective compliance begins with a comprehensive assessment of your organisation’s cookie collection practices.
You must identify how and when you set cookies, review the ways you keep website visitors informed of your practices and evaluate the mechanisms given to individuals to adjust their preferences.
This information must then be assessed against your regulatory compliance requirements to identify any practices that fall short.
Given the complexity of this process, plus the stakes for non-compliance, it’s understandable that many organisations would seek expert advice.