GDPR Compliant Cookie Policy: What are the Requirements?

The GDPR, together with the ePrivacy Directive, has changed the way we approach cookies and cookie policies. Cookie policies now have to be written with the users and their data in mind. It is no longer enough to declare that a website uses cookies; the policy must inform users of the specifics of what data is collected through cookies and how it is processed.

If you are a website owner or just a user who is curious about what a GDPR compliant cookie policy looks like, then you have come to the right place. Let's take a look at how to make a GDPR compliant cookie policy.

What is a Cookie Policy?

Almost all websites use cookies, and a cookie policy is the way a website declares to its users that it uses them. The cookie policy of a website describes which cookies it uses, how it uses them, and what they are used for.

Cookies are essentially small text files that appear harmless, and many of them are, as they do not corrupt or retrieve any data stored on a computer. But they are used to store data that can be used by third-party advertisers for targeted advertisements. This creates a privacy concern, as a user's activities in a browser are recorded and may be shared with a third party without their knowledge. This privacy concern is what makes the cookie policy of a website essential.

Cookie policies are also sometimes included as a part of the privacy policy of a website, where all the data-processing activities of the website are listed. While the privacy policy of a website lists the purpose of all the user data collected by the website or app, the cookie policy is dedicated to informing users about the data processed on the website by means of cookies.

A cookie policy basically has three main parts. The first is the "What are Cookies" part, where the website explains to users what cookies are and informs them that the website uses cookies. The second is the "How Cookies are Used" part, where the details of the cookies, and how and why they are used, are explained to the users. In the third part, "How to Opt-out of Cookies", the cookie policy lets users know how they can opt out of the cookies used by the website, either through a mechanism placed on the website or through their browser settings.

Why is a Cookie Policy Necessary?

While most cookies are harmless and actually help provide a better user experience, they can also be a concern for users' online privacy. Many websites use the values stored in cookies to build a user profile based on the user's online activities, which may include personally identifiable data. While this data is helpful in creating a more personalized browsing experience for the user, it is sometimes also shared with third-party service providers.

So it is necessary for websites to be clear and transparent about the cookies they use, and users have the right to know that their activities are being tracked and what is being done with that data.

Even though one can argue that cookies only collect data the users have voluntarily given while browsing, most of the time users are not aware that their online activities, whether searching for something, clicking on an ad, or marking preferences on social media, are stored in any form. Many users may not even be aware of cookies or what they are. So it is the responsibility of websites to inform users about the information collected.

Almost all states and countries require by law that a website display a privacy overview. If you collect, store, and share users' personal information, such as their names or email addresses, the users should know what you intend to do with it. Depending on your state's or country's privacy laws, this makes it mandatory to have a comprehensive privacy policy in order to avoid potential lawsuits and the hefty fines most of these privacy laws impose, among other consequences.

Not just that, having a privacy policy on your website will help you be transparent about your website's activities. This will provide users with a sense of confidence and will help you build trust among them.

What are the Requirements of a Cookie Policy to be GDPR compliant?

The GDPR and the ePrivacy Directive also affect a website's cookie policy. First of all, it is important to have a separate cookie policy on the website with detailed information about the cookies. Clearly informing users of everything about the cookies is an important part of the law, intended to attain maximum transparency about users' data, personal or otherwise.

The following are the requirements for a cookie policy to be compliant. When composing a cookie policy for your website, make sure it meets all the criteria listed below.

  • The document should be concise, transparent, accessible, and written in plain and clear language.
  • The cookie policy should list all the cookies that are used on the website.
  • The purpose of each cookie used on the website should be clearly stated.
  • The duration for which each cookie remains installed in the user's browser should be mentioned.
  • Clearly explain where the data is stored and with whom the data is shared.
  • Should explain how to reject or opt-out of the cookies.

Now there is an obvious question: should cookies that are absolutely necessary for the website to function be listed in the cookie policy? Even though strictly necessary cookies are exempt from requiring user consent, the cookie policy should still list them and state their purpose.

The cookie policy should be updated on a regular basis, as the cookies used on a website may change over time, for instance when a new feature or service is added. If you add a social media sharing plugin to your website, it installs cookies of its own that you will need to address in your cookie policy. This means you need to check the cookies on your website regularly to make sure it remains GDPR compliant at all times.
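To support the regular check described above, here is an added example (not code from the original article or from CookieYes) of a small cookie inventory script. It parses a constructed set of Set-Cookie headers, works out how long each cookie lives (the "duration" item in the checklist), decides whether it is first- or third-party relative to the site host, and reports which cookies are missing from the declared policy. The hostnames, cookie names, reference date and the declared-policy list are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample: Set-Cookie headers as a site might emit them, paired with
# the host that set each one. Names, hosts and attributes are illustrative only.
SAMPLE_HEADERS = [
    ("www.example.org", "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("www.example.org", "lang=en; Max-Age=31536000; Path=/"),
    ("www.example.org", "_ga=GA1.2.1; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/; Domain=.example.org"),
    ("ads.thirdparty-example.net", "track=xyz; Max-Age=63072000; Domain=.thirdparty-example.net; Path=/"),
]

# Cookies the site's written policy currently declares (constructed assumption).
DECLARED_POLICY = {"session_id", "lang"}

# The site whose policy we are checking (assumption).
SITE_HOST = "www.example.org"

# Fixed reference date so that Expires-based durations are reproducible.
REFERENCE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass
class CookieRecord:
    name: str
    set_by: str
    domain: str
    max_age_seconds: Optional[int]  # None means a session cookie
    third_party: bool


def parse_set_cookie(set_by: str, header: str, now: datetime = REFERENCE_NOW) -> CookieRecord:
    """Turn one Set-Cookie header into an inventory record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()

    max_age = None
    if "max-age" in attrs:
        # RFC 6265: Max-Age takes precedence over Expires when both are present.
        max_age = int(attrs["max-age"])
    elif "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        max_age = max(0, int((exp - now).total_seconds()))

    # Without a Domain attribute the cookie belongs to the host that set it.
    domain = attrs.get("domain", set_by).lstrip(".")
    first_party = SITE_HOST == domain or SITE_HOST.endswith("." + domain)
    return CookieRecord(name, set_by, domain, max_age, not first_party)


def inventory(headers=SAMPLE_HEADERS, now: datetime = REFERENCE_NOW):
    return [parse_set_cookie(host, value, now) for host, value in headers]


def undeclared(records, declared=DECLARED_POLICY):
    """Cookies observed on the site but absent from the written policy."""
    return sorted({r.name for r in records if r.name not in declared})


def describe_duration(max_age_seconds: Optional[int]) -> str:
    if max_age_seconds is None:
        return "session"
    return f"{max_age_seconds / 86400:.0f} days"


if __name__ == "__main__":
    records = inventory()
    for r in records:
        party = "third-party" if r.third_party else "first-party"
        print(f"{r.name:<12} {r.domain:<28} {party:<12} {describe_duration(r.max_age_seconds)}")
    missing = undeclared(records)
    if missing:
        print("Not yet declared in the cookie policy:", ", ".join(missing))
```

Running it lists every cookie with its domain, first- or third-party status and lifetime, and then names the cookies the policy does not yet mention, which is exactly the list that needs to be added after a new plugin or service is installed. In a real deployment the headers would be collected from a crawl of the site rather than from the constructed list.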

Some examples of cookie policies that meet the above criteria are listed below:

Wrapping Up

There is no escaping the fact that websites, whether or not they are based in the EU, need to update their cookie policies and comply with the law. All websites now have to keep in mind that it is the users' data that is being collected and that users should have full control over it. A website's cookie policy should therefore be crafted with the users in mind.

Please note that while we make it a point to deliver the most accurate information possible, this article, however, should not be treated as legal advice. The website owners should seek legal advice if needed to know what is best for their website or app depending on which further actions may be required to fully comply with the law.

Make Your Website GDPR Compliant With CookieYes

CookieYes is a new and easy solution from Cookie Law Info to make your website comply with the GDPR cookie law. Join the 500,000+ websites using our solutions now!