GDPR (General Data Protection Regulation), enforced by the European Union to protect its citizens' data privacy, is set to change the way users' data is handled by websites and business organizations. The law demands that every part of a website with access to users' data comply with its rules.
With a mailing list or a website form, users are well aware that they are handing over personal information. With cookies, however, users have no idea that their information is being held without their consent. GDPR has therefore brought in some strict norms to control such flaws in websites.
What are cookies?
Cookies are small text files that are placed in the web browser of the user's device by the website the user is visiting. There are three different types of cookies: session, persistent, and third-party cookies.
- Session cookies are temporary ones that expire when you close the browser or when a certain amount of time has elapsed.
- Persistent cookies remain in the browser until their expiry period is reached, and track the activities of the user on the website that created the cookie.
- Third-party cookies are used for advertising purposes and are placed in your browser by websites other than the one you are visiting.
Cookies can be either necessary or non-necessary. Necessary cookies are essential for the proper functioning of the website, whereas non-necessary cookies are placed mainly for advertising and marketing benefits.
GDPR On Cookies
Although cookies are mentioned only once in the 88-page GDPR text, those few words reflect their importance.
"NATURAL PERSONS MAY BE ASSOCIATED WITH ONLINE IDENTIFIERS…SUCH AS INTERNET PROTOCOL ADDRESSES, COOKIE IDENTIFIERS OR OTHER IDENTIFIERS…. THIS MAY LEAVE TRACES WHICH, IN PARTICULAR WHEN COMBINED WITH UNIQUE IDENTIFIERS AND OTHER INFORMATION RECEIVED BY THE SERVERS, MAY BE USED TO CREATE PROFILES OF THE NATURAL PERSONS AND IDENTIFY THEM".
In short, if any data, either alone or in combination with other data, is capable of identifying a person, then possession of such data must comply with the GDPR norms.
Cookies and GDPR Compliance
Making cookies GDPR-compliant is an important task in ensuring the overall compliance of your website with GDPR. The most unfortunate fact is that sometimes even the website owner has no knowledge of the cookies that are present on his or her own website. Having a cookie audit done on your website is therefore useful for understanding what is there.
Since cookies store a huge amount of users' personal data compared to any other part of a website, it is a good plan to start your website's GDPR compliance work with the cookies that are present on it.
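A cookie audit can start from the Set-Cookie headers recorded during a page load. The following Python sketch is an added example, not part of the original article: it classifies each cookie as session or persistent and as first- or third-party, and flags those outside a declared necessary list as needing consent. The host names, cookie names and the `NECESSARY` allowlist are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: (host that sent the response, raw Set-Cookie value).
PAGE_HOST = "shop.example"
NECESSARY = {"sessionid", "csrftoken"}  # assumption: names the site owner declares essential
OBSERVED = [
    ("shop.example", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("shop.example", "csrftoken=x9; Path=/; Max-Age=3600"),
    ("shop.example", "_visitor=7f3a; Expires=Wed, 01 Jan 2098 00:00:00 GMT; Path=/"),
    ("ads.tracker.example", "uid=42; Max-Age=31536000; Domain=tracker.example"),
    ("shop.example", "old_pref=; Max-Age=0"),  # Max-Age=0 deletes the cookie
]

def parse_set_cookie(raw):
    """Split a Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in raw.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def lifetime(attrs, now):
    """Session if neither Max-Age nor Expires is set; Max-Age wins over Expires."""
    if "max-age" in attrs:
        return "deleted" if int(attrs["max-age"]) <= 0 else "persistent"
    if "expires" in attrs:
        return "deleted" if parsedate_to_datetime(attrs["expires"]) <= now else "persistent"
    return "session"

def party(sender_host, page_host):
    """Simplified host comparison; a full audit would compare registrable domains."""
    same = sender_host == page_host or sender_host.endswith("." + page_host)
    return "first-party" if same else "third-party"

def audit(observed, page_host, necessary, now=None):
    now = now or datetime.now(timezone.utc)
    report = []
    for sender, raw in observed:
        name, attrs = parse_set_cookie(raw)
        life = lifetime(attrs, now)
        report.append({"name": name, "lifetime": life, "party": party(sender, page_host),
                       "needs_consent": life != "deleted" and name not in necessary})
    return report

if __name__ == "__main__":
    print(*audit(OBSERVED, PAGE_HOST, NECESSARY), sep="\n")
```

Rows with `needs_consent` set to true are the ones to list, with their purpose, in the consent form.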
What are the requirements for making cookies GDPR-compliant?
GDPR has put forward some instructions on the compliance of cookies. You have to follow them carefully in order to achieve compliance and avoid the repercussions of failing to do so.
- Language in which cookie details are written - GDPR states that the details regarding cookies should be given in simple and straightforward language so that users have no trouble understanding their full meaning. Many websites use complex language to stop people from reading further, so that users are forced to give consent without fully understanding the details regarding cookies.
- Opt-in and opt-out options - All websites provide opt-in options in their cookie consent forms. But how many of them provide a proper opt-out option? Rare to none. GDPR considers the right of users to withdraw or refuse the use of cookies an important one. The law states that it should be as easy to deny consent as it is to allow it. GDPR also requires website owners to offer the ability to enable or disable cookies at a granular level, i.e., consent should be specific to the use of each cookie, and users should be able to decide whether to allow a cookie after reading its purpose.
For any website, cookies are essential for monitoring its performance. Giving users a choice to disable a cookie will therefore reduce the website's chances of improving. But abiding by the law is more important than that. The only choice left is to let users clearly understand how important those cookies are for the website while also giving them the right to deny the use of each cookie.