The EU law on the handling of personal data, the General Data Protection Regulation, is often referred to by its acronym GDPR.
In this article, we give a comprehensive introduction to the GDPR and cookies.
We'll take a hands-on look at what the rules mean for you and your website - how to achieve GDPR cookie compliance and offer your end-users real cookie consent.
The GDPR is a EU regulation that represents the most significant initiative on data protection in 20 years.
The purpose is to protect “natural persons with regard to the processing of personal data and on the free movement of such data”, e.g. the website user.
Cookies are mentioned once in the 88 pages long regulation. However, those few lines have a significant impact on the compliance of cookies:
(30): “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
In other words: when cookies can identify an individual, it is considered personal data.
The General Data Protection Regulation was adopted by both the European Parliament and the European Council in April of 2016 and came into force on May 25, 2018.
But its history is much longer. It began as a proposal way back in 2012 and negotiations for the GDPR text itself began on December 15, 2015 between the European Parliament, Council and the European Commission – also known as formal trilogue meetings.
Trilogue refers to a “discussion between three parties” and is a common practice in the European Union, described in the EU treaties. They are used if the Council does not agree to proposals by the Parliament, in which case trilogue negotiations begin.
In April of 2016, the GDPR text was adopted by the EU Council, with the only member state voting against it being Austria. According to Austria, the GDPR text didn’t go far enough compared to the 1995 directive.
Nevertheless, a week later it was adopted by the EU Parliament with and effective date of May 25, 2018.
The first 31 pages constitutes a sort of context basis for the regulation, to enlighten and elaborate on the issues and terms at hand. The regulation itself consists of 99 articles divided into 11 chapters spanning 57 pages.
A reason for the GDPR to only mention cookies once is that the ePrivacy Regulation is underway – a lex speciallis to the GDPR, i.e. a specification and elaboration of the parts of the existing regulation that concern electronic communication.
Among some of the most important passages to read, if you are interested in reading the GDPR text in full, are –
The GDPR text itself can be a bit inaccessible for a person not familiar with legal texts and legislation, so if you prefer to read in summary about its requirements for website owners and operators, check out our own blogpost on how to achieve GDPR compliance.
Cookies are small files that are automatically dropped on your computer as you browse the web. In and of themselves they are harmless bits of text that are locally stored and can easily be viewed and deleted.
But cookies can give a great deal of insight into your activity and preferences, and can be used to identify you without your explicit consent.
This represents a major breach from a legal point of view, and as data technologies grow more and more sophisticated, your privacy as a user is increasingly compromised.
Often, the cookies don’t even originate from the website you are visiting, but from third parties that track you for marketing purposes.
All of which is going on “behind the scenes”.
While not all cookies are used in a way that could identify users, the majority (and the most useful ones to the website owners) are, and will therefore be subject to the GDPR.
Cookies for analytics, advertising and functional services, such as survey and chat tools, are all examples of cookies that can identify users.
The problem with cookies is both one of privacy - what is being registered? - and one of transparency - who is tracking you, for what purpose, where does the data go, and for how long does it stay?
As a website owner, taking measures to comply means going through your data processes and making sure that the personal data is handled according to the new regulations.
For an instructive introduction, also try scrolling through the EU commission’s infographic.
The General Data Protection Regulation regards e.g. a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address as personal data.
If your website or organization processes data that is (a) directly personal, or (b) can be combined or singled out to identify an individual, then it must be revised to meet the requirements.
Map and evaluate the sensitive data in your organization, go through your security policies and make sure that the data is secure.
The two primary aspects to be aware of are:
One of the most tangible requirements of the GDPR is in the definition of what constitutes a proper GDPR cookie consent, meaning, that the consent has to be:
The above requirements render most of the cookie banners and notifications used prior to the implementation of the GDPR obsolete.
For instance, implied consent and consent given simply by visiting a site is not enough.
The same goes for pop-ups and banners stating ‘By using this site, you accept cookies’.
A simple ok button for accepting cookies is also not sufficient.
For example, this will not do:
Here is Cookiebot’s own GDPR and ePrivacy compliant notice asking for consent to set cookies:
It complies with the regulations, because of the following -
First and foremost, albeit invisible to the naked eye, all loaded scripts but the strictly necessary ones are paused until the consent to the cookies has been given.
This feature is called ‘prior consent’ and is a requirement of both the GDPR and the ePrivacy Directive. Under the GDPR, you must have consent to setting cookies that track personal data, whereas under the ePrivacy Directive, you need user consent before setting any kind of cookies other than the strictly necessary.
The information about the cookies is accurate and specific, and is presented in a clear and plain language, all requirements of the GDPR. If the user chooses to have the details shown, the notice folds out into a complete overview of all active cookies and online tracking in use on the website.
The list is based on a monthly scan of all of the pages of the website, that detects and identifies all of the cookies and known tracking technologies in use on the site. The cookies are listed complete with origin, duration and purpose descriptions.
The cookies are grouped into four intelligible categories, that the user may check or uncheck.
Necessary cookies cannot be unchecked, because they are whitelisted and are necessary for the website to function properly. Cookie categories that don’t handle personal data may be pre-checked, whereas those that do, must be actively opted into by the user to be compliant.
In the example at hand, the preferences and statistics cookies on the site don’t handle personal data and may therefore be pre-checked. Marketing cookies do track personal data and are therefore by default unchecked.
The user has access to their state of consent on the website and can at any time change their mind about the consent and choose to withdraw it.
All given consents are securely stored as documentation that the consent has been given, also a GDPR requirement.
Every 12 months, upon the user’s first visit to the site, the consent pops up again asking for a renewal of the consent.
Read more in our article on GDPR cookie consent.
The GDPR and the EU ePrivacy Directive require prior, informed consent of your site users, and the GDPR requires you to document each consent.
At the same time you must be able to account for what user data you share with embedded third-party services on your website and where in the world the user data is sent to.
You can be subjected to controls and be required to account exhaustively for the data processes that are going on in connection with your website.
This is easier said than done, as most websites have a large number of third-party cookies flowing through their system.
The biggest change for cookie and online tracking in regard to the GDPR is that consent must be given by a clear affirmative action.
With the regulation, this is not sufficient. The consent has to be given as an affirmative, positive action, and rejecting cookies must be an actual option.
The user must have the power to withdraw his or her consent.
It is therefore important to make sure that users have access to their current consent state at all times and can change the settings or withdraw their consent entirely.
Every 12 months, the consent should be renewed upon the user’s first visit to the site.
On the other hand, though, the communication should be clear and easy to understand in order for the user to have a true choice.
With the GDPR and the ePrivacy Directive, the user consent must be given prior to the setting of the cookies. Under the GDPR, you need prior consent to setting cookies that track personal data, whereas the ePrivacy Directive is even more far reaching, and requires that you get consent for setting all but the strictly necessary cookies.
All consents must be securely stored so that they can be used as evidence in case of control.
We recommend not using templates and generators, because it is a GDPR requirement that the information about the cookies and tracking should be specific and accurate.
Firstly, all websites are different, and secondly, cookies can change without you even noticing, especially if you make use of third parties such as embedded content, ads, or analytics tools.
This way, the information you provide to your users about the cookies in use on your site is accurate and precise at all times.
To meet the requirements, you can either build your own consent setup based on the GDPR. Or you can sign up to Cookiebot, a fully GDPR compliant cookie and online tracking solutions.
A monthly report is generated about the cookies and data processing activity on the website, ensuring that the owner is in control at all times.
User consent is requested by means of a comprehensible banner, where the users can easily opt in and out of the various types of cookies.
The users can at any time access the consent setup and edit or withdraw their consent.
Every twelve months, the consent is automatically renewed upon the user’s first visit to the website.
The communication in the consent banner is user friendly and no-nonsense, offering true transparency but at the same time avoiding information overload.
The consent is requested prior to the setting of the cookies, except for the strictly necessary and therefore also legal ones.
All consents are automatically collected through a secured connection and stored as strongly encrypted keys.
On the overall, there exists four different types of cookies, depending on their duration and on their origin.
The GDPR affects all four types, and the origin and duration of the cookies must be presented for the user to accept in an affirmative and informed manner.
These cookies are temporary and expire once the user leaves the site. Session cookies are mainly used by webshops to hold items in the basket while the user is shopping online.
In general terms, if cookies track personal data, they are subject to the GDPR. Session cookies usually are of first party provenance and enable the necessary functioning of the website.
Therefore, they rarely are subject to the data protection regulation.
Permanent cookies are all those cookies that aren't deleted from the users' browser once they end their session on a website.
Their duration depends on the date of expiry written in them.
By law, they should be deleted every 12 months in the least, but a cookie might stay on the disk forever.
Permanent cookies can be set by the website itself or by third parties in operation on the website.
The data they store, and therefore, whether or not they are subject to the GDPR, depends on their purpose.
An example of permanent cookies are the ones holding data such as login details, contact information and account numbers, so that the users don’t have to type them in every time they use the site.
But permanent cookies can serve any number of purposes.
If the cookie tracks data deemed personal according to the definition of the GDPR, then it is subject to the regulation, and you must obtain compliant user consent prior to the use of the cookie.
First party cookies are issued from the website itself. These cookies often serve to give memory to the website about the user's data and preferences.
In general terms, most cookies of third party provenance are the ones tracking personal data. This, however, does not automatically whitelist first party cookies.
It depends on what data the cookie is tracking.
If the data can - by itself or combined - identify a specific individual, then it is personal data, and you need your users' consent for setting them.
Third party cookies are cookies that are set by third parties in operation on your website. If you are using analytics, are displaying ads, have embedded content, or your website is hosted, then you have third party cookies in operation on your website.
The headache for website owners is that third party cookies can be hard to have a complete and lasting overview over, as they tend to change often.
What is their purpose, where do they come from, what data are they collecting and where in the world is it sent to?
As a website owner, you are held accountable for the tracking of personal data from your website, and you have the obligation to inform your users about it and protect their data according to their state of consent.
You may take an audit of your website to get a picture of the cookies in use on your site.
The free audit scans up to five subpages of your site and sends you a report on all the cookies and tracking on these pages.
The aim of third-party cookies is often to collect certain information to carry out various research into behaviour, demographics and not least for targeted marketing etc.
Learn more in our article Tracking cookies and the GDPR.
The General Data Protection Regulation (GDPR) is an EU-wide legislation that regulates - among other things - how websites handle personal data.
It is the most significant initiative on data protection in 20 years and has major implications for any organization in the world, serving individuals from the European Union.
To give people control over how their data is used and to protect "fundamental rights and freedoms of natural persons", the regulation sets out strict requirements on data handling procedures, transparency, documentation and user consent.
As a data controller, any organization must keep record of and monitor personal data processing activities.
This includes personal data handled within the organization, but also by third parties - so-called data processors.
Data processors can be anything from Software-as-a-Service providers to embedded third party services, tracking and profiling visitors on the organization’s website.
Both data controllers and processors must be able to account for what kind of data is being processed, the purpose of the processing and to which countries and third parties the data is transmitted.
Data may only transfer to other GDPR compliant organizations, or those within jurisdictions deemed 'adequate', unless you have consent for it.
No processing of sensitive personal data is allowed without a person’s explicit consent. For non-sensitive data, implied consent will do.
In either case the consent must be freely given on basis of clear and specific information about data types and purpose – and always before any processing takes place, also known as ‘prior’ consent.
All consents must be recorded as evidence that consent has been given.
Individuals now have the "right of data portability", the "right of data access" along with the "right to be forgotten" and must be able to withdraw their consent whenever they want.
In such case the data controller must delete the individual’s personal data if it's no longer necessary to the purpose for which it was collected.
In case of a data breach, the company must be able to notify data protection authorities and affected individuals within 72 hours.
Furthermore, GDPR imposes an obligation on public authorities, organizations with more than 250 employees and companies processing sensitive personal data at a large scale to employ or train a data protection officer (DPO).
The DPO must take measures to ensure GDPR compliance throughout the organization.
In relation to Brexit, the UK government plans to implement equivalent legislation that will largely follow the GDPR.
In the General Data Protection Regulation, the data to be protected is defined as follows (our italics):
(26): The principles of data protection should apply to any information concerning an identified or identifiable natural person.
Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
Sensitive personal data include data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, a person’s sex life or sexual orientation, health data, genetic data and biometric data. An IP address or a name is considered personal data but NOT sensitive personal data. (see GDPR Article 9.2 (a) and Recitals 51 and 71 for more information).
To process data is to perform any kind of operation on personal data, whether automated or not. Examples of data operations mentioned in the GDPR are: collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmitting, disseminating or otherwise making available, aligning, combining, restricting erasing or destructing.
A data subject is the person whose data is being processed.
A data controller is the party that determines the purpose and means of the data processing. Within the context of for example a company or a website and its customers and users, the data controller is the company or website, that processes the data of its customers and users in order to optimise its services or whatever it is the company/website wants to accomplish by means of the data processing.
A data processor is the party which performs the data processing on behalf of the controller. When it comes to websites, data processors typically are tools and integrated third parties such as e.g. Google Analytics, Hotjar, social media buttons etc.
The recipient is the party to whom the data is disclosed.
A third party is someone other than the data controller or data processor who, under the direct authority of the controller or processor, is authorized to process personal data.
In the context of a website, third parties typically are the cookie setting agents other than the website itself, and the authorization originates in their being integrated into the website as tools, embedded content or services.
Consent of the person whose data is being processed means freely given, informed and unambiguous indication of his or her wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data portability is the right to receive one’s personal data in return from a data controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without any hindrance from the former (see Article 20 in the GDPR).
An EU legislation of this size and importance is the result of a lengthy process.
In January 2012, the European Commission proposed a comprehensive reform of the data protection rules from 1995, (the 95/46/EC DIRECTIVE), bringing Europe up to date with the digital age.
On 4 May 2016, the official texts of the Regulation and the Directive were published in the EU Official Journal in all the official languages.
The regulation was enforced on 25 May 2018.
Since this date, organizations who fail to meet the requirements or document their efforts to comply risk penalties of up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
Profiling is the use of personal data to evaluate certain personal aspects relating to a specific person, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation is to process personal data in such a manner that it can no longer be attributed to a specific individual. To ensure correct pseudonymisation, it is important to take care that eventual additional information that could be used to re-identify the subject of the data, is kept separately and securely stored.
A filing system is any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.