Cookies And Cookie Policy Under GDPR
Posted on April 11, 2018 by Dominika
You will have no doubt heard a lot of buzz around the introduction of the new General Data Protection Regulations (GDPR) on 25 May 2018. As a website owner, there are some specific considerations coming into effect as part of these new regulations. Under GDPR, cookies are treated as personal data because they can be used to identify an individual. As you conduct your GDPR review and audit for your business, this is how you must treat cookies.
Cookies and your cookie policy
Your website will almost certainly be using cookies to track visitors, which means that you will need to make some changes to how these are used. Firstly, as a minimum you will need a soft opt-in for site visitors. If your website is aimed at consumers, we would recommend a specific click-for-consent option that allows you to provide evidence of an opt-in. In either case, this means that you must, as a minimum, do the following:
- Ensure no cookies are dropped before a visitor has given express consent to accept your cookies.
- Tell your visitors what you use cookies for and then make it clear that if they proceed past the page they landed on, they are giving consent for you to drop cookies on their device. This is not recommended for B2C websites as it will almost certainly not pass GDPR rules. Alternatively, you must give them the option to continue without accepting cookies, although it should be noted that this will stop some websites from working properly or as intended. If applicable, this should be made clear to your visitors at the outset.
- Give a link to your cookie and/or privacy policy, which should clearly detail what you are using cookies for and how a visitor's data might be used.
- Finally, and this is really important, provide the ability for visitors to revisit your site, opt out of your cookie policy and be forgotten. Again, this should be made clear at the point of entry to your website so that visitors understand how this process works should they wish to opt out at a future date.
Privacy policy
Your privacy policy should detail everything regarding the use of cookies on your website: how they are used and what they are used for. If you use any forms on your website, you should state what you do with this data, especially if you plan to share any data with third parties. If you are using the data you collect to identify website visitors, you must also make this clear. The privacy policy relates only to the use of the website, or data collected via the website, so it is separate from your terms and conditions and other more general GDPR requirements.
Actions you will need to take
- Cookie audit – you will need to have an audit carried out to determine the list of cookies used on your website, along with what each cookie is used for. This information is needed for both your cookie policy and your privacy policy.
- Cookie policy and opt-in/opt-out modifications to the website. Once the audit has been completed and the policy written, you will need to implement the cookie opt-in functionality on the website. No cookies are dropped on the landing page, which ensures proper consent is received from your visitors before they proceed to use your website. Perhaps the most important part of GDPR, however, is the opt-out functionality you will need to implement. Somewhere on your site, and we would recommend the privacy and/or cookie policy pages, you must provide an opt-out that removes cookies from a previously opted-in visitor and prevents further tracking. As previously noted, this may render your site inoperable for the visitor, so you will need to cover this in your policy wording.
- Update privacy policy – this will be focussed on what data you are collecting, why you are collecting it and, if applicable, who you are sharing it with. It will also need to give details of the person responsible for your policy so that you can be contacted.
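The minimum requirements listed earlier (no cookies before consent, an evidenced opt-in, and an opt-out that clears cookies and stops tracking) and the opt-in/opt-out modifications described in the actions above come down to one piece of client-side logic: every cookie write is gated on a recorded consent decision. The following is an added example written for this article, not code from the original post or from any consent-management product. It runs in Node against a constructed in-memory cookie jar; in a browser the same manager would sit behind a jar that wraps document.cookie. The cookie name cookie_consent, the list of "essential" cookies and the timestamp are assumptions. It treats the cookie that stores the consent record itself as strictly necessary, which is the usual reading but is an assumption of this example.

```javascript
// Added example for this article (not the original post's code): a consent gate
// that refuses non-essential cookies until the visitor opts in, records the opt-in
// with a timestamp as evidence, and on opt-out removes the cookies and records the
// withdrawal so tracking does not resume on a later visit.

const CONSENT_COOKIE = 'cookie_consent';        // assumed name of the consent record
const ESSENTIAL = new Set([CONSENT_COOKIE]);    // strictly necessary: allowed without consent

// Constructed in-memory cookie jar standing in for document.cookie.
function createMemoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => Array.from(store.keys()),
  };
}

// `now` is injectable so the timestamp in the consent record is reproducible.
function createConsentManager(jar, now = () => new Date().toISOString()) {
  function readRecord() {
    const raw = jar.get(CONSENT_COOKIE);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch (e) { return null; } // tampered record = no consent
  }

  // True only if the visitor has explicitly accepted; a missing or withdrawn record is "no".
  function hasConsent() {
    const rec = readRecord();
    return rec !== null && rec.status === 'granted';
  }

  // Record an explicit opt-in with a timestamp so the site can evidence the consent.
  function grantConsent() {
    jar.set(CONSENT_COOKIE, JSON.stringify({ status: 'granted', at: now() }));
  }

  // Opt-out: delete every non-essential cookie and keep a record of the withdrawal.
  function withdrawConsent() {
    for (const name of jar.names()) {
      if (!ESSENTIAL.has(name)) jar.remove(name);
    }
    jar.set(CONSENT_COOKIE, JSON.stringify({ status: 'withdrawn', at: now() }));
  }

  // Gate every cookie write: essential cookies always pass, anything else needs consent.
  // Returns false when the write was refused, so callers can tell tracking was blocked.
  function setCookie(name, value) {
    if (!ESSENTIAL.has(name) && !hasConsent()) return false;
    jar.set(name, value);
    return true;
  }

  return { hasConsent, grantConsent, withdrawConsent, setCookie };
}

// Walk a visitor through a session: landing page, accept, then opt out later.
function demoSession() {
  const jar = createMemoryJar();
  const consent = createConsentManager(jar, () => '2018-05-25T00:00:00Z'); // constructed time
  const droppedOnLanding = consent.setCookie('_analytics_id', 'abc123');   // refused: no consent yet
  consent.grantConsent();
  const droppedAfterOptIn = consent.setCookie('_analytics_id', 'abc123');  // allowed
  consent.withdrawConsent();
  const droppedAfterOptOut = consent.setCookie('_analytics_id', 'abc123'); // refused again
  return {
    droppedOnLanding,
    droppedAfterOptIn,
    droppedAfterOptOut,
    cookiesAfterOptOut: jar.names(),                         // only the consent record remains
    status: JSON.parse(jar.get(CONSENT_COOKIE)).status,      // 'withdrawn'
  };
}
```

In a real deployment the analytics or advertising script itself must be loaded behind `hasConsent()` as well, since a third-party script sets its own cookies without going through `setCookie`; the gate here only covers cookies the site writes directly.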
Summary
Complying with GDPR for your website needn't be a huge burden and is essentially an extension of the current DPA rules. As such, assuming you are already DPA compliant, you will have a good basis from which to work. The main reason that there's so much buzz around GDPR is that it comes with some potentially significant fines for non-compliance. This might sound scary, but everyone is conscious of how important their own personal data is and should therefore be keen to extend the same care to how they manage personal information themselves.
Disclaimer
GDPR compliance is the sole responsibility of any business that falls under the jurisdiction of the regulations. The information contained within this article only covers a small part of the GDPR regulations and is our interpretation of the regulations regarding the use of cookies.