Since the introduction of cookies, legislators have been wary of them. Cookies and GDPR together are at the forefront of the conversation today.
Disclaimer: This post does not constitute legal advice. Please consult a qualified lawyer for legal advice relating to your business and GDPR.
What are cookies?
Software engineers introduced cookies into the Internet back in the mid-1990s (Lou Montulli at Netscape, in 1994). They designed cookies to let a website remember state between requests: that a customer has already logged in, what’s in their shopping cart, which language they prefer. Note that a login cookie should hold only an opaque session identifier that the server looks up, never the username and password themselves. This makes getting things done on the web faster and easier for the customer and helps websites deliver a smoother experience.
Are cookies a security risk?
This Slate article dates from 2005. It attempts to demystify cookies, but in doing so, it unwittingly points out some of the reasons they make consumers nervous today.
Cookies are not software. They can’t be programmed, can’t carry viruses, and can’t unleash malware to go wilding through your hard drive. Only the Web site that sent you the cookie can read it. As soon as you leave a site, its cookie sits dormant, waiting for your return.
The author’s point in this paragraph is more relevant than ever, and brings us to where we are today:
The exceptions are third-party cookies—also known as “tracking cookies”—placed by an entity (usually a marketing or advertising company) that’s interested in tagging visitors. Often they make sure a user won’t be hit with the same ad twice; others guarantee that someone who says they have an interest in sports gets different ads than someone who likes gadgets. But third-party cookies could also be used to compile a dossier of surfing habits. Say you visit a Web site with cookies served by a marketing company like DoubleClick. The cookie it dispatches will come alive every time you visit another site that does business with DoubleClick. That means it could track you over dozens of sites, logging every article you read, every ad you click on, and every gadget and gizmo you buy without your knowledge or approval.
Cookies are indeed set every day and on the majority of websites you visit to track your online behavior and target ads. For example, if you have not opted out of targeted ads on Facebook, you will see ads based on demographic information you provide to Facebook, pages you “like” or “follow” on Facebook, and your Facebook friends’ likes and dislikes. These ads may also be based on tracking cookies set by websites you visit. Check out this explanation from CBS, and Facebook’s own explanation here.
When did concerns about cookies begin?
In 1980, before cookies were a twinkle in Lou Montulli’s eye, the OECD issued “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data”. These were merely guidelines at the time, and not laws, but the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was signed in 1981, requiring signatories to create relevant legislation. The European Union adopted the Data Protection Directive in 1995. It’s clear that privacy has long been a concern in Europe, and cookies fall under this umbrella.
In 2002, the European Union adopted the Directive on Privacy and Electronic Communications (2002/58/EC, usually called the ePrivacy Directive), which covers cookies and similar technologies for storing and accessing information on users’ equipment. In particular, Article 5(3) mandates that information may be stored on a user’s device only if the user is given clear information about the purpose of the storage and is given the possibility of refusing it; the 2009 amendment (Directive 2009/136/EC) tightened this from an opportunity to refuse to prior consent, which is the rule in force today.
So concern about cookies is really nothing new. It falls under concerns about privacy, which have existed since the beginning of the computer age.
How do cookies and GDPR fit together?
Today, with the General Data Protection Regulation (GDPR) in Europe, which came into effect in May 2018, people are more aware than ever that they can opt out of being tracked for marketing purposes. People outside the EU are generally not covered by the GDPR (it protects people in the Union regardless of nationality), but they may choose to opt out of being tracked when given the option because they find the targeted ads increasingly “creepy.” The ads seem to know where you have been, what you’ve searched for online, and some would say, what you’ve been thinking about!
The UK’s Privacy and Electronic Communications Regulations (PECR) implement the EU ePrivacy Directive in UK law. Both set forth rules for users’ privacy rights in the context of electronic marketing, cookies, the security of communication services, and so forth. They sit alongside the GDPR rather than replacing it: PECR says when consent is needed for cookies, and the GDPR defines what counts as valid consent.
In July 2019, the ICO released updated guidelines about cookies, PECR, and GDPR.
What do we need to do to comply?
The ICO’s guidance puts it this way: The rules on cookies are in regulation 6. The basic rule is that you must:
- tell people the cookies are there;
- explain what the cookies are doing and why; and
- get the person’s consent to store a cookie on their device.
As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website. However, bear in mind that devices may be used by different people. If there is likely to be more than one user, you may want to consider repeating this process at suitable intervals.
What does this mean for me?
Unfortunately, this new guidance seems to indicate that cookie banners are now definitively the order of the day. As explained in the ICO’s new guidance,
To comply with the information requirements of PECR, you need to make sure users will see clear information about cookies. In any case, doing so will increase levels of user awareness and control, and also assist in gaining valid consent.
You also need to tell people about the purposes and duration of the cookies you use.
You need to provide information about cookies in such a way that the user will see it when they first visit your service. This is usually done within the cookie consent mechanism itself.
It seems that the dreaded “cookie banners” are therefore the best way to accomplish this.
If you aim to comply, you need to ensure that cookies that are not strictly necessary, such as analytics and advertising cookies, are not set, and the scripts that set them are not loaded, until the visitor has actively agreed. Under the ICO guidance the consent must meet the GDPR standard: a clear affirmative action, so pre-ticked boxes, continued browsing, or “by using this site you agree” notices do not count, and the visitor must be able to withdraw consent as easily as they gave it. The only cookies exempt from the consent requirement are those strictly necessary for a service the user has asked for (a session cookie holding a shopping cart, for example), and even those must still be disclosed.
For example, a banner that explains the purpose of each category of cookie and gives the user options to allow or disallow specific categories, rather than a single “accept” button, satisfies both the information requirement and the consent requirement.
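As an added example (not code from the original post, and not tied to any particular consent-management product), here is how a site can gate non-essential scripts and their cookies on a recorded choice, in plain JavaScript. The consent cookie name cookie_consent, the two categories, the JSON encoding of the stored choice, and the per-category cookie names are assumptions made for this illustration; the walk-through data in demo() is constructed.

```javascript
// Added example (not code from the original post): load non-essential scripts
// and set their cookies only after an explicit, recorded consent choice.
// The consent cookie name, the category names and the JSON encoding of the
// stored choice are assumptions made for this illustration.

const CONSENT_COOKIE = "cookie_consent";          // assumed first-party cookie name
const CATEGORIES = ["analytics", "marketing"];    // assumed non-essential categories
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;       // drop the choice after ~6 months, then ask again

// Parse a Cookie header or document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try { jar[name] = decodeURIComponent(raw); } catch { jar[name] = raw; }
  }
  return jar;
}

// Read the recorded choice. A missing or malformed cookie means NO consent:
// silence, pre-ticked boxes and continued browsing do not count.
function readConsent(cookieString) {
  const denied = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return { recorded: false, choices: denied };
  let parsed;
  try { parsed = JSON.parse(raw); } catch { parsed = null; }
  if (typeof parsed !== "object" || parsed === null) return { recorded: false, choices: denied };
  const choices = {};
  for (const c of CATEGORIES) choices[c] = parsed[c] === true;  // only an explicit true grants
  return { recorded: true, choices };
}

// Build the Set-Cookie value that records the choice. The consent cookie is
// itself strictly necessary, so it may be set without prior consent.
function buildConsentCookie(choices) {
  const value = {};
  for (const c of CATEGORIES) value[c] = choices[c] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(value))}` +
         `; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Cookie names each category is known to set (assumed for this example), so
// that withdrawing consent can expire them rather than just stop the script.
const CATEGORY_COOKIES = { analytics: ["_ga", "_gid"], marketing: ["_fbp"] };

function expireCookiesFor(category) {
  return (CATEGORY_COOKIES[category] || []).map(
    (name) => `${name}=; Max-Age=0; Path=/; Secure; SameSite=Lax`);
}

// Runs each category's loader (e.g. injecting the analytics <script> tag) at most
// once, and only if consent for that category has been granted.
class ConsentGate {
  constructor(loaders) { this.loaders = loaders; this.loaded = new Set(); }
  apply(choices) {
    const started = [];
    for (const c of CATEGORIES) {
      if (choices[c] === true && !this.loaded.has(c) && typeof this.loaders[c] === "function") {
        this.loaders[c]();
        this.loaded.add(c);
        started.push(c);
      }
    }
    return started;
  }
}

// Constructed walk-through: a first visit, then a later visit with a recorded choice.
function demo() {
  const log = [];
  const gate = new ConsentGate({
    analytics: () => log.push("load analytics.js"),
    marketing: () => log.push("load ads.js"),
  });
  const firstVisit = gate.apply(readConsent("").choices);                      // nothing loads
  const setCookie = buildConsentCookie({ analytics: true, marketing: false }); // user ticks analytics only
  const cookieHeader = setCookie.split(";")[0];                                // what the browser sends back
  const laterVisit = gate.apply(readConsent(cookieHeader).choices);            // only analytics loads
  const withdrawal = expireCookiesFor("analytics");                            // user later withdraws
  return { firstVisit, laterVisit, log, setCookie, withdrawal };
}

console.log(JSON.stringify(demo(), null, 2));
```

The Max-Age on the consent cookie is what implements the ICO’s suggestion of repeating the question at suitable intervals on shared devices. readConsent() works equally well on the server against the request’s Cookie header, which is the more robust place to put the gate: if the analytics tag is never emitted in the HTML, no client-side script-ordering mistake can set the cookie early. On withdrawal, expiring the category’s cookies matters because stopping the script alone leaves the identifier in the browser for its remaining lifetime.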
What if my analytics information is anonymized?
Anonymizing web visitor analytics information so that specific individuals cannot be identified (truncating IP addresses, dropping persistent client identifiers) is always a good idea for data privacy in general, and it is also a useful data-minimization measure under the GDPR.
However, anonymizing the data doesn’t get you off the hook for PECR. See “Do the rules still apply if the data is anonymous?” from the ICO. If you are subject to the GDPR, then you still need to comply with PECR as well.
I’m in the US, and so is my intended audience. Do I need a cookie banner?
We’ve addressed GDPR’s territorial scope in a previous post.
To reiterate: Based on the Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), as a US-based business not targeting EU-based clients, you’re unlikely to be required to comply with the GDPR and PECR (the “cookie law”). Website data analytics alone are not enough to determine that your organization is subject to the GDPR.
If, on the other hand, you do plan to market and sell products or services to Europeans, then you do need to comply with GDPR more generally, and specifically with the PECR, or “cookie law.”
The EDPB also wishes to underline that the fact of processing personal data of an individual in the Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of “targeting” individuals in the EU, either by offering goods or services to them or by monitoring their behaviour (as further clarified below), must always be present in addition.
If you need some general suggestions for making your organization and your website compliant with GDPR, we can help. However, we always recommend you consult a qualified lawyer for specific legal advice for your situation.