INTRODUCTION TO COOKIES AND GDPR
As you may know, a cookie is a small piece of data that a website creates and stores on your device. Cookies are designed to perform a wide range of roles, from keeping your session alive on a shopping site to authentication, remembering your preferences, recording site visitors and providing targeted advertising. Most business websites use them.
Broadly speaking, cookies fall into two categories. Essential cookies are required for the correct operation of a website and provide functionality the user has requested. Any other cookies are classed as non-essential; these are used for analytics, advertising, third-party services and identifying returning visitors.
THE CURRENT POSITION
COOKIES AND GDPR
In the GDPR, cookies are referred to in Recital 30, which says:
NATURAL PERSONS MAY BE ASSOCIATED WITH ONLINE IDENTIFIERS…SUCH AS INTERNET PROTOCOL ADDRESSES, COOKIE IDENTIFIERS OR OTHER IDENTIFIERS…. THIS MAY LEAVE TRACES WHICH, IN PARTICULAR WHEN COMBINED WITH UNIQUE IDENTIFIERS AND OTHER INFORMATION RECEIVED BY THE SERVERS, MAY BE USED TO CREATE PROFILES OF THE NATURAL PERSONS AND IDENTIFY THEM.
Basically, cookies are now deemed Personally Identifiable Information (PII). Like any other PII, consent from the subject must be given before use. This must be an informed choice, so implied consent or a bare opt-in will no longer apply.
Cookies in use should be listed (a link to a policy page is a practical solution), together with an opt-in / opt-out choice for non-essential cookies. If consent is not given, non-essential cookies cannot be used. A technical solution will also be required to control cookie behaviour.
- Let your users know what types of cookies you use and for what reasons
- Display a clear policy that explains cookie use and options available to the user
- Categorise all of the cookies in use on your site and give the user a choice for each
- Review cookie use regularly
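The steps above, as an added example that is not code from the original post: a small consent gate for a Node back end that keeps a categorised inventory of the site's cookies, lets essential cookies through, drops Set-Cookie headers for non-essential categories the visitor has not opted in to, and expires cookies whose category is no longer consented. The cookie names, the `cookie_consent` JSON format and the categories are all assumptions made for the example.

```javascript
// Added example, not code from the original post. Constructed cookie inventory:
// every cookie the site sets, with its category. Anything not listed is treated
// as non-essential and blocked until it has been reviewed and categorised.
const COOKIE_REGISTRY = {
  session_id: "essential",
  csrf_token: "essential",
  cookie_consent: "essential", // stores the visitor's own choices
  _ga: "analytics",
  ad_id: "advertising",
};

// Parse the consent record. Assumed format: a URL-encoded JSON object in the
// cookie_consent cookie, e.g. {"analytics":true,"advertising":false}.
// Anything missing or unparsable means no consent has been given.
function parseConsent(consentValue) {
  try {
    const parsed = JSON.parse(decodeURIComponent(consentValue || ""));
    return parsed && typeof parsed === "object" ? parsed : {};
  } catch (e) {
    return {};
  }
}

// Name portion of a Set-Cookie header value, e.g. "_ga=GA1.1; Path=/" -> "_ga".
function cookieName(setCookieHeader) {
  return setCookieHeader.split("=", 1)[0].trim();
}

// Essential cookies always pass; any other cookie needs an explicit true for
// its category. Unknown cookies are denied by default.
function mayAllowCookie(name, consent) {
  const category = COOKIE_REGISTRY[name];
  if (category === "essential") return true;
  return category !== undefined && consent[category] === true;
}

// Keep only the Set-Cookie headers the visitor's consent permits.
function filterSetCookie(headers, consent) {
  return headers.filter((h) => mayAllowCookie(cookieName(h), consent));
}

// Headers that clear already-stored cookies whose category is not consented,
// so withdrawing consent also removes cookies set before the choice changed.
function revocationHeaders(consent) {
  return Object.entries(COOKIE_REGISTRY)
    .filter(([name]) => !mayAllowCookie(name, consent))
    .map(([name]) => `${name}=; Max-Age=0; Path=/`);
}
```

Run `filterSetCookie` over the outgoing headers on every response and emit `revocationHeaders` whenever the consent cookie changes; the deny-by-default rule for unregistered names is what turns the "review cookie use regularly" step into something enforced rather than hoped for.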
We are considering putting together a compliance support pack to help small business website owners with GDPR compliance, comprising document templates, checklists, technical audits and GDPR compliant solutions for common website technologies such as forms, cookie management, email opt-ins and consent forms. Get in touch if this is something you might be interested in; the anticipated cost will be £499.
Disclaimer: Obviously we are a technology company, not a law firm and offer advice only to be helpful. We recommend you seek legal advice and cannot be held liable for issues resulting from any information provided.