If you are a website owner or just a user who is curious about what a GDPR compliant cookie policy looks like, then this article is for you.

The General Data Protection Regulation, or GDPR (read the guide to GDPR), together with the ePrivacy Directive (the EU Cookie Law), has changed the way websites must approach cookies and cookie policies. A cookie policy now has to be written with users and their data in mind. It is no longer enough to declare that the website uses cookies: the policy must inform users of the specifics of what data the cookies collect and how it is processed.

Let’s first look at what a cookie policy is and why a website needs one, and then go through the requirements a cookie policy has to meet.

What is a Cookie Policy?

Almost all websites use cookies, and a cookie policy is the document through which a website tells its users that it does. It describes which cookies the site uses, how it uses them, and why.

Cookies are small pieces of text that a website asks the browser to store and send back with later requests. On their own they are harmless: they cannot read, modify or corrupt other data on the computer. What they can carry is an identifier that lets the site, or a third-party service such as an advertising network, recognise the same browser across pages and visits and build a record of its activity. That is the privacy concern: the tracking happens without the user knowing which parties receive the data. Read more about cookies here.

A cookie policy basically has three main parts:

  • A “What are Cookies” part, which explains to users what cookies are and states that the website uses them.
  • A “How Cookies are Used” part, which details the cookies the site sets and how and why they are used.
  • A “How to Opt Out of Cookies” part, which tells users how they can opt out of the cookies the website uses, either through a mechanism on the website itself or through their browser settings.

A cookie policy is sometimes included as a section of the website’s privacy policy. While the privacy policy lists the purpose of all the data the site collects, the cookie policy covers specifically the data collected through cookies and the purpose of each.

Why is a Cookie Policy Necessary?

GDPR (Recital 30) recognises that online identifiers such as cookie identifiers may, when combined with other information, be used to profile and identify an individual. That alone makes cookies worth close review.

While most cookies are harmless and help provide a better user experience, they can also be a concern for users’ online privacy. Many websites use the values stored in cookies to build profiles of users from their activity, and those profiles may include personally identifiable data. Such data helps create a more personalised browsing experience, but it is also, in many cases, shared with third-party service providers.

So websites must be clear and transparent about the cookies they use, and users have the right to know about them.

One can argue that cookies only collect data that users have voluntarily given while browsing. Most of the time, however, users are not aware that cookies record their activity, such as online searches, clicks on an ad or interactions with social media, in any form, and many do not even know what a cookie is. So it is the website’s responsibility to inform its users about the information it collects.

GDPR requires that if you collect, store or share users’ personal information, such as their name or email address, they must be told what you intend to do with it. A comprehensive privacy policy is therefore mandatory, and it is also the best protection against complaints and the regulation’s substantial fines. That privacy policy must include the details of your cookies, or point to a separate cookie policy that does.

What are the Requirements of a Cookie Policy to be GDPR compliant?

GDPR and the ePrivacy Directive also shape a website’s cookie policy. First, it is important to have a separate cookie policy on the site with detailed information about its cookies. Clearly informing users about everything the cookies do is an important part of the law, and it delivers the transparency users are owed about their data, personal or otherwise.

The following are the requirements for a compliant cookie policy. When composing the cookie policy for your website, make sure it meets every one of the criteria below.

  • The document should be concise, transparent, accessible, and written in plain and clear language.

  • The cookie policy should list all the cookies that are used on the website.

  • The purpose of each cookie used on the website should be clearly stated.

  • The duration for which each cookie persists in the user’s browser (its expiry, or whether it is a session cookie) should be stated.

  • Clearly explain where the data is stored and with whom the data is shared.

  • It should explain how users can reject or opt out of the cookies.

Strictly necessary cookies, those required to deliver a service the user has explicitly requested (for example a session cookie that keeps a login or shopping basket alive, or a CSRF token), do not require user consent. Analytics and advertising cookies do not fall into this category. The cookie policy must still list the strictly necessary cookies and state their purpose.

The cookie policy must be updated regularly, because the cookies a website sets change over time. Adding a new feature or third-party service is the usual cause: embedding a social media plugin, for instance, sets that platform’s cookies on your pages. Such cookies have to be covered in your cookie policy, so it is worth auditing what your site actually sets whenever you change it.
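The list, purpose and duration requirements above amount to a cookie inventory, and the cheapest way to keep it honest is to derive it from the Set-Cookie headers the site actually emits rather than from memory. The script below is an added example, not code from the original article: it parses a handful of constructed Set-Cookie headers, works out each cookie’s lifetime (per RFC 6265, Max-Age takes precedence over Expires, and neither means a session cookie), flags third-party domains, and compares the result against a hypothetical purpose register the site owner maintains so that any cookie the policy does not yet cover is reported. The header strings, the hostnames and the KNOWN_PURPOSES map are assumptions made for the example.

```javascript
// Added example (not from the original article): build the cookie inventory a
// GDPR cookie policy needs from the Set-Cookie headers a site actually emits.
// The headers, hostnames and the purpose map below are constructed for illustration.

// Constructed sample: what a crawl of the site's responses might return.
const SAMPLE_SET_COOKIE_HEADERS = [
  "session_id=a1b2c3; Path=/; HttpOnly; Secure; SameSite=Lax",
  "csrf_token=t0k3n; Path=/; Secure; SameSite=Strict; Max-Age=3600",
  "_ga=GA1.2.1111.2222; Domain=.example.com; Path=/; Expires=Wed, 01 Jan 2027 00:00:00 GMT; Max-Age=63072000",
  "ad_pref=1; Domain=.ads.example.net; Path=/; Expires=Sat, 01 Jan 2028 00:00:00 GMT; SameSite=None; Secure",
];

// Hypothetical register the site owner maintains. Anything the crawl finds
// that is missing here is flagged so the policy can be updated.
const KNOWN_PURPOSES = {
  session_id: { category: "strictly necessary", purpose: "keeps you signed in during a visit" },
  csrf_token: { category: "strictly necessary", purpose: "protects forms against cross-site request forgery" },
  _ga:        { category: "analytics",          purpose: "visitor measurement (shared with the analytics provider)" },
};

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds. RFC 6265: Max-Age takes precedence over Expires; with
// neither attribute the cookie lasts for the session (0). Unparseable Expires -> null.
function lifetimeSeconds(cookie, now = Date.now()) {
  const a = cookie.attributes;
  if (a["max-age"] !== undefined) return Number(a["max-age"]);
  if (a.expires !== undefined) {
    const t = Date.parse(a.expires);
    return Number.isNaN(t) ? null : Math.max(0, Math.round((t - now) / 1000));
  }
  return 0;
}

// Human-readable duration for the policy text.
function describeLifetime(seconds) {
  if (seconds === null) return "unknown";
  if (seconds === 0) return "session (deleted when the browser closes)";
  if (seconds < 86400) return `${Math.ceil(seconds / 3600)} hour(s)`;
  return `${Math.round(seconds / 86400)} day(s)`;
}

// A cookie is third-party when its Domain attribute is neither the site host
// nor a parent of it (so ".example.com" on www.example.com is still first-party).
function isThirdParty(cookie, siteHost) {
  const d = (cookie.attributes.domain || siteHost).replace(/^\./, "").toLowerCase();
  return !(siteHost === d || siteHost.endsWith("." + d));
}

// One row per cookie with the fields the policy must state.
function buildInventory(headers, purposes, siteHost, now = Date.now()) {
  return headers.map(parseSetCookie).map((c) => {
    const known = purposes[c.name];
    const secs = lifetimeSeconds(c, now);
    return {
      name: c.name,
      domain: c.attributes.domain || siteHost,
      thirdParty: isThirdParty(c, siteHost),
      lifetime: describeLifetime(secs),
      category: known ? known.category : "UNDOCUMENTED",
      purpose: known ? known.purpose : "",
      // Only strictly necessary cookies may be set without prior consent.
      requiresConsent: !(known && known.category === "strictly necessary"),
    };
  });
}

// Names the policy does not yet cover; a non-empty list means it needs updating.
function undocumentedCookies(inventory) {
  return inventory.filter((e) => e.category === "UNDOCUMENTED").map((e) => e.name);
}

const inventory = buildInventory(SAMPLE_SET_COOKIE_HEADERS, KNOWN_PURPOSES, "www.example.com");
console.table(inventory);
console.log("Undocumented cookies:", undocumentedCookies(inventory));
```

Run with Node; in practice you would feed it the Set-Cookie headers captured from a crawl of your own pages, including those set after consent is given, and treat a non-empty undocumented list as a blocker for releasing the new feature. The register approach also makes the consent split explicit: a cookie only escapes the consent requirement when someone has classified it as strictly necessary, so an analytics or advertising cookie that nobody documented defaults to requiring consent rather than silently slipping through.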

Some of the examples of cookie policies that check the above criteria are listed below:

For more examples, read GDPR Compliant Cookie Policy Templates.

Wrapping Up

There is no escaping the fact that websites, wherever they are hosted, need to update their cookie policies if they serve users in the EU. They have to comply with the GDPR’s standards, which means keeping in mind that users must have meaningful control over their data. A website’s cookie policy should therefore be crafted with its users in mind: a transparent, compliant cookie policy earns users’ trust and builds your reputation.

Disclaimer: Please note that we have made every effort to deliver the most accurate information possible in this article. However, it does not constitute legal advice. To know what is best for their website and to fully comply with the law, website owners should seek legal assistance.