Cookie Policy and GDPR

If you are a website owner, you know what cookies are. If you do not, it is okay. Cookies are small text files a website places on the visitor’s device. They collect data to track the website activity to serve many purposes, such as functioning services, analytics, advertising, etc. You should also be aware of cookie policy, but we will get to that in a bit. Read more about cookies in this article.

Common types of cookies are:

First-party cookies –These are placed on the user’s system directly by the website.

Third-party cookies – These are placed by a third-party, and they are commonly used for advertising and analytics.

Session cookies – This type of cookies expires once the user’s session on a website expires.

Persistent cookies – This type of cookies remain in the user’s system unless they delete it, or the site does. They usually have expiration dates coded in.

Strictly necessary cookies – They are often mandatory for a website to function smoothly. This type of cookies is essential for the users to use certain features of a website, such as remembering past activity in the site or holding items in the shopping cart.

Learn how cookies track you on the web here.

You should be familiar with the General Data Protection Regulation (GDPR), what it means for cookies, and why you need a GDPR compliant cookie policy for your website. Before continuing, you may read our guide to GDPR.

EU parliament in 2018 implemented GDPR, which was a turning point for the EU member states. The strict law left no room for organizations or individuals to be careless about people’s data. Otherwise, they are at risk for hefty fines and penalties. If you serve people in the EU, regardless of where you are from, follow the GDPR standards!

In the sea of words in the Regulation, the cookie is only mentioned once, but it is worth serious consideration.

Here is an excerpt from Recital 30 of GDPR:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers […] This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Data that cookie collects may be used to identify an individual if combined with additional information. This alone makes cookies worthy of close reviews if you want to make your website GDPR compliant.

GDPR, along with ePrivacy Directive 2009/136/EC – also known as the EU Cookie Law because of its exclusive mandate about the usage of cookies – redefined how cookies should be managed and gave the users more control over them. The laws want you to be honest about what data you collect and for what, and you cannot collect or process the data without their consent.

Cookies are usually beneficial, but imagine not being aware of something following your online activity or not being able to do anything about it. Alarming, right? That is why there is public reluctance towards cookies. Cookies are dynamic; they change according to user behavior. They stay hidden. Also, it may sound concerning that the cookies from third parties can access user data. So, they pose a bigger threat to internet users.

A cookie policy is a statement that informs the visitors about the cookies the website uses, their purpose, and how to control them. It is a section the users can refer to inform themselves about the type of data that the website or third-party will collect. Being transparent about what cookies the site uses is an excellent way to avoid any negative impact on trust the users have on a website.

It comprises of following parts:

• What are cookies
• How you use cookies
• List of cookies you use with their purpose
• How to delete or opt-out.

It will be ideal if you place a link to the cookie policy in the privacy policy and vice-versa. Some websites have a cookie clause as part of their privacy policy, and that acts as their cookie policy. It is a valid practice. A privacy policy is an account of how a website handles the users’ personal data, and we already know that data collected by the cookies can be interpreted as personal data. However, such a clause should still cover the above parts.

You may refer to Cookie Law Info’s privacy and cookie policy.

GDPR does not mandate websites to include a cookie policy. It precisely wants you to be transparent about the data your site collects. Then again, cookies are used to collect user data. Having just a cookie policy for the sake of it is not enough. You must make sure they fall within the lines of the requirements of the law. Here is a comprehensive checklist for making your cookie policy GDPR compliant:

• It should be easily accessible from any page at any time by including a link to it in the cookie banner and the website footer.

• Present it in a concise, clear, and plain language.
• List all the cookies (including strictly necessary) that the website uses.
• Include the type, purpose, and duration (if applicable) of these cookies.
• Mention if there are any third-party cookies and their purpose.

• Details about how to delete or opt-out of the cookies if the users wish to.
• Keep it up to date and accurate.

Many websites are good examples of having GDPR compliant cookie policy. Here are some of them:

• LinkedIn
• BBC
• National Geographic
• BMW
• Spotify
• F C Barcelona
• Zara India

The key to GDPR compliance is being pro-user. The more you provide control and transparency to the users, the more committed you will be to the law. Make sure your website policy stays within the framework of the Regulation.

How to block cookies in different browsers

How to create a GDPR compliant cookie banner

Is my website GDPR compliant?