Security, privacy, and related topics have been all over the news in recent months. Much of this is due to the roll-out of the General Data Protection Regulation (GDPR) – a new set of legal rules regarding the way personal data must be handled.
Of course, the GDPR isn’t the only topic of discussion. Cookies are also a popular topic once again. Unfortunately, there’s a lot of misinformation about how cookies relate to the GDPR, and what your responsibilities are as a website owner when it comes to consent and security.
In this article, we’ll aim to clear up the confusion surrounding cookies in the wake of the GDPR. Plus, we’ll explore what’s required in order to obtain valid consent for cookie use. Let’s talk!
Do Cookies Fall Under the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a set of rules and requirements regarding user privacy on the web. It gives individuals a lot more control over how their personal data is collected, stored, and used.
However, there’s a good deal of confusion as to how the GDPR is related to cookies. A cookie is a small file that’s sent from a website and stored on a user’s computer. It sends information back to the website about the visitor’s activity. In turn, this enables the site to deliver a more personalized user experience.
In fact, cookies do not actually fall under the purview of the GDPR. Instead, cookies are handled by the ePrivacy Directive (or the ‘Cookie Law’).
It’s important to be informed about the changes brought about by the GDPR, and to ensure that your website is compliant. However, when it comes to cookies, there are other requirements you’ll want to keep in mind
What Is the Cookie Law?
The ePrivacy Directive – commonly known as the Cookie Law – came into effect in the EU in 2002. It’s been amended a few times since then, but has remained relatively the same, and covers electronic privacy as it relates to website cookies.
In a nutshell, the Cookie Law requires that each user provides informed consent before any files are stored on their computer or other device. This means:
- You must let visitors know from the get-go that your site uses cookies, in a clear and visible way.
- You also need to provide details on how you use cookies and why.
- Most importantly, you have to give visitors the opportunity to provide, withdraw or refuse consent.
- Before consent is obtained, no cookie-related scripts can be run on your site.
Generally, the way you’ll do this is by displaying a banner on your site upon each user’s first visit. Chances are you’ve seen banners like this all across the web:
This banner should be prominent enough so people can’t miss it. It should also contain all the necessary information (with a link to a full cookie policy), and make it clear what actions constitute informed consent.
Actually creating a cookie banner and policy is pretty simple. There are a lot of online tools to help you get the job done quickly. However, you’ll first need to understand exactly how consent functions under the Cookie Law.
What Does the Cookie Law Require When It Comes to Consent?
Consent may seem like a simple concept, and in truth it isn’t hard to grasp. However, it’s important not to make assumptions here. Before implementing (or updating) your own cookie solution, you’ll need to understand what’s required under the Cookie Law, and what does and does not count as valid consent.
In order to be considered valid, user consent to cookies must be ‘active’. This means they first need to be informed of your intent to collect cookies and for what purpose. Then, they must perform some action to indicate their compliance.
This doesn’t need to be checking a box or clicking on a button. Active consent can simply mean the user continues to browse your site, travels to another section or page, or clicks on a link. What matters is that you let them know what actions constitute consent.
At the same time, users must also be given the option to refuse consent. This doesn’t mean you have to provide them with a way to turn cookies off directly through your site. In fact, in most cases, the built-in cookie-blocking settings in major browsers are considered a valid method of withdrawing consent.
You just have to let the user know that they can use their browser settings to block cookie use. While not legally required, it’s also a nice touch to provide links helping users find the right settings to manage cookies on their device or a direct way for users to manage their consent to cookies:
Most importantly, you have to make sure that no installation or data collection is performed before the user has a chance to provide consent (or refuse it). In addition, the use of your service or website can’t be conditional on whether or not a user accepts the use of cookies. This is considered to be a way of coercing people into providing consent, which is not acceptable under the Cookie Law.
What Is Not Required Under the Cookie Law?
Understanding what you don’t need to do is just as important as knowing what’s required of you. There’s a lot of misinformation floating around, after all. Being clear on your responsibilities can save you a lot of time and effort.
For instance, we mentioned earlier that you need to declare whether your site uses cookies and for what reason. However, what you don’t have to do is list out each active cookie or provide specific details on what it does. This information would likely only overwhelm visitors.
Instead, you simply need to explain what categories of cookies are in use, and what their purpose is:
In addition, you don’t need to keep active records of each user’s consent. This is a common area of confusion since consent records are often required under the GDPR. When it comes to the Cookie Law, however, you must simply be able to provide proof of consent if the need arises.
The best way to do this is typically to use a cookie management solution that blocks scripts until active consent is obtained. Therefore, if you ever need to prove consent, showing that the cookies were installed in the first place is sufficient a consenting action took place.
How Will the Cookie Law Change in the Near Future?
Earlier, we mentioned the legal name for the Cookie Law – the ePrivacy Directive. However, this Directive is set to be replaced by the ePrivacy Regulation sometime soon. Although not yet enforceable, this regulation will continue to affect how you use cookies on your site in the near future.
The primary change here can be seen in the names of the two policies. A ‘directive’ sets specific guidelines in place but leaves it up to individual EU countries as to how they’ll turn those guidelines into actual laws. A regulation, on the other hand, is legally binding throughout the entire EU, and is enforced through a standardized set of rules. In fact, a similar shift has happened with the GDPR (General Data Protection Regulation), which has replaced the earlier Data Protection Directive.
The ePrivacy Regulation will, therefore, be an updated and improved version of the Cookie Law. It will likely maintain most of the rules enforced under the Cookie law but in a more unified and better-defined way. The ePrivacy Regulation will also work alongside the GDPR, much like the ePrivacy Directive (Cookie Law) does at the moment.
At this point, it’s hard to say what this new regulation will change when it comes to cookies and consent. However, it’s something all website owners should remain aware of. Keeping up-to-date with the law is the best way to ensure that your site remains compliant and secure for all users.
One excellent place to find this information is on the European parliament’s legislative train website. Plus, for more simplified and user-friendly legal updates, the Iubenda blog is an accurate and easy-to-understand resource. Finally, the ICO’s website is another useful source of information, although it is more specific to the UK.
Conclusion
It can be easy to get lost trying to keep track of the many privacy-related rules currently in force. In particular, you may find yourself confused about which laws affect you and your website’s users.
While the new GDPR is certainly important, it isn’t the only regulation you need to know about. Legislations such as the Cookie Law (and the upcoming ePrivacy Regulation) remain active and enforceable. Understanding this law’s requirements is vital for protecting your interests (by ensuring you don’t violate the law) and providing a secure and trustworthy service to all of your users.
Do you have any questions about the Cookie Law, and how you can make sure you’re in compliance? Ask away in the comments section below!
Image credit: Pxhere.
Tom Rankin
Tom Rankin is a key member of WordCandy, a musician, photographer, vegan, beard owner, and (very) amateur coder. When he’s not doing any of these things, he’s likely sleeping.
The post The Real Story on Cookies: Dispelling Common Myths About the GDPR and Consent appeared first on Torque.
