Consent & Cookies: How Will GDPR and the ePrivacy Regulation Impact Websites?
December 12, 2018
These laws govern consent and cookies:
- The GDPR tells you how you need to get your visitors’ unambiguous “consent” before collecting, storing, or using their data.
- And the ePrivacy Regulation tells you how you can work with cookies (that are used to collect visitor data).
The GDPR regulates the general handling of personal data and doesn’t directly address cookies.
GDPR + ePrivacy Regulation = Cookies + Consent
While the GDPR doesn’t directly address cookies, it does re-define consent to say that any consent given must be “unambiguous.”
And because “consent” under the ePrivacy Regulation is interpreted by reference to the definition of “consent” under the GDPR, the GDPR implicitly requires that the cookie consent banners post-GDPR must now collect visitors’ unambiguous consent.
In general, we can use consent to serve the cookies (under the ePrivacy Regulation), but rely upon legitimate interests (or another lawful ground e.g. consent, contract, legal obligation, vital interests, public interest) to process the personal data collected using the cookies (under the GDPR).
Let’s now understand how you should approach cookies and consent under these two laws, so you can offer powerful, personalized, and compliant website experiences.
What are the Different Types of Cookies Used by Websites?
Cookies are small data files that a website stores on a user’s computer, mobile phone or tablet.
This cookie information is then used to personalize the user’s future visits to the same website, so the experience feels more relevant. Cookie data can be used to offer content and advertising aligned with the preferences a visitor has already shown.
There are four types of cookies based on the duration for which they’re stored or their source. These are:
- Persistent Cookies: These are cookies that are stored on a user’s device between browser sessions. They help in remembering a user’s preferences or actions across a website (or in some cases across different websites). Persistent cookies may be used for a variety of purposes, including remembering users’ preferences and choices when using a website or running targeted advertising campaigns.
- Session Cookies: These are cookies that expire when a browsing session ends. They allow websites to link the actions of a user during a browser session (from when the user opens the browser window to when they exit the browser). They may be used for a variety of purposes, such as remembering what a user has put in their shopping cart, enabling internet banking access or facilitating use of webmail. Session cookies aren’t stored long-term. For this reason, session cookies may sometimes be considered less privacy intrusive than persistent cookies.
- First Party Cookies: These are cookies set by the website being visited by the user.
- Third Party Cookies: These are cookies set by a domain other than the one being visited by the user. If a user visits a website and a separate company (the main website’s service provider) sets a cookie through that website, this is a third party cookie.
The Different Cookie Categories:
You can loosely categorize these cookies into four categories using the recommendations by the International Chamber of Commerce in this ICC UK Cookie Guide. (Some cookies can appear in more than one category.)
Category 1: Strictly Necessary Cookies
These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website — for example, for logging into your account on an online shopping store.
Without these cookies, it’s not possible to access the services a website has to offer.
Consent rules for strictly necessary cookies: No consent is required for using strictly necessary cookies. However, it is still important to help users understand what these cookies are and why they are used.
Here are a few strictly necessary cookies The New York Times uses:
Category 2: Performance Cookies
These cookies collect information about how visitors use a website.
Analytics solutions such as Google Analytics, Clicky Analytics, Adobe Analytics and more use such cookies. These cookies don’t collect information that identifies a visitor and all the information these cookies collect is aggregated and therefore anonymous. It’s only used to improve how a website works.
Consent rules for performance cookies:
Consent can be written into the terms and conditions – by using the site you consent to the use of these types of cookies.
Because the GDPR focuses on the processing of private or personally identifiable data, and because it’s not possible to identify the data subject from data that has undergone pseudonymisation, performance cookies (such as Google Analytics cookies) don’t concern the GDPR to a very great degree. You can include the consent rules for these cookies in your terms and conditions. Essentially, you get the users’ consent to work with these cookies when they use your website.
“This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” — Recital 26 of the GDPR
Here are some examples of National Geographic’s performance cookies:
Category 3: Functionality Cookies
These cookies allow a website to remember the choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal website experiences. For instance, a website may be able to provide you with local weather reports or traffic news by storing region details within a cookie.
These cookies can also be used to remember the changes you’ve made to text size, fonts and other customizable parts of the web pages you visit. They may also be used to provide services you’ve asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they can’t track your browsing activity on other websites.
Consent rules for functionality cookies: Just as with performance cookies, consent for functionality cookies can be written into the terms and conditions – by using a site you consent to the use of these types of cookies – or a notice can be shown when a user changes settings on a website. But many companies proactively let their users opt in to or out of functionality cookies.
Here are some examples of functional cookies Clym uses:
Functional cookies are also referred to as preference cookies.
Category 4: Targeting Cookies or Advertising Cookies
These cookies are used to run personalized promotions and advertising campaigns based on personal interests and preferences.
They’re also used to limit the number of times you see an advertisement as well as help track a campaign’s performance.
They’re usually placed by advertising networks with the website operator’s permission. These cookies remember your website visits and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.
Consent rules for targeting or marketing or advertising cookies: Specific consent must be sought for these types of cookies because they collect the most information about users.
Here are some examples of advertising/targeting cookies HTC uses:
Convert’s Cookies: Balancing Privacy and Innovation
At Convert, we use only first-party performance cookies which are described below:
- Cookie name: _conv_v
  - Purpose: This is the visitor-centric cookie. It is a string of star (*) separated pieces; each piece is a string that contains key and value strings glued together by a colon (:).
  - Duration: 6 months
  - Domain source: convert.com
  - Category: Performance
  - Data that is stored: session count, current session timestamp, first session start timestamp, number of pageviews, previous session start timestamp, project-level segment IDs, JSON structure with all experiences-goals presented to the visitor
- Cookie name: _conv_s
  - Purpose: This is the session-centric cookie. It is a string of star (*) separated pieces; each piece is a string that contains key and value strings glued together by a colon (:).
  - Duration: 20 minutes
  - Domain source: convert.com
  - Category: Performance
  - Data that is stored: session ID, number of pageviews in the current session, session hash for performance issues
- Cookie name: _conv_r
  - Purpose: This cookie holds the referral data for the current visitor.
  - Duration: This is overwritten each time the visitor comes from a new referrer.
  - Domain source: convert.com
  - Category: Performance
  - Data that is stored: source name, referral medium, referrer search terms
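As an added example (not Convert’s own code), here is a small parser and serializer for the star- and colon-delimited cookie layout described above; the key names and the sample value are constructed for illustration, since the page does not list Convert’s actual keys.

```javascript
// Added example: parse/serialize the "piece*piece" cookie layout where each
// piece is "key:value". Key names and the sample value are constructed for
// illustration; they are not Convert's real keys.
const PIECE_SEP = '*'; // pieces are separated by a star
const KV_SEP = ':';    // key and value are glued together by a colon

// Parse "k1:v1*k2:v2" into a plain object. Only the FIRST colon of a piece
// separates key from value, so a value that itself contains colons (such
// as the JSON experiences-goals structure) is kept intact.
function parseConvCookie(raw) {
  const out = {};
  if (typeof raw !== 'string' || raw.length === 0) return out;
  for (const piece of raw.split(PIECE_SEP)) {
    if (piece === '') continue;      // tolerate leading/trailing stars
    const idx = piece.indexOf(KV_SEP);
    if (idx <= 0) continue;          // malformed piece without a key: skip it
    out[piece.slice(0, idx)] = piece.slice(idx + 1);
  }
  return out;
}

// Inverse of parseConvCookie. Delimiters inside a key, or a star inside a
// value, would make the string ambiguous, so they are rejected.
function serializeConvCookie(obj) {
  const pieces = [];
  for (const [key, value] of Object.entries(obj)) {
    if (key === '' || key.includes(PIECE_SEP) || key.includes(KV_SEP)) {
      throw new Error(`invalid key: ${JSON.stringify(key)}`);
    }
    const v = String(value);
    if (v.includes(PIECE_SEP)) throw new Error(`invalid value for ${key}`);
    pieces.push(key + KV_SEP + v);
  }
  return pieces.join(PIECE_SEP);
}

// Constructed sample value: session count, pageviews and a JSON goals map.
const SAMPLE_CONV_V = 'sc:3*pv:12*goals:{"exp1":[101,102]}';
```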
Moreover, by explaining what cookies you use, what data you store, and how you use that data, you can earn your users’ confidence and show them that their privacy actually matters.
Use user-friendly language
Check out the policy page examples from above and you’ll see how these organizations have written user-friendly versions of the policies that can otherwise sound like legal jargon and be very difficult to understand for general users.
Say no to implied consent – get it with an affirmative action
The biggest change for cookie and online tracking in regard to the GDPR is that consent must be given by a clear affirmative action.
Under the regulation, implied consent is not sufficient. Consent has to be given as an affirmative, positive action, and rejecting cookies must be an actual option.
Many companies have already started letting their users reject the cookies they don’t feel comfortable with. On Clym, for example, all cookies are disallowed by default, and a user can choose to allow the ones they want:
Let your users withdraw their consent at any time
Users must have the power to withdraw their consent whenever they want — the consent is theirs to give or withdraw after all!
It’s therefore important to make sure your users have access to their current consent state at all times and can change the settings or withdraw their consent entirely.
If you take another look at the National Geographic cookies page, you’ll see they let users opt-out of them with just a click.
Clicky Analytics, too, offers users a one-click opt-out option to stop being tracked by any website using its analytics solution.
So think about adding an opt-out page to your website and let your users manage their consent.
Renew consent every year
This is straightforward but easy to miss. Every 12 months, renew the user’s consent for all the cookies and data you collect.
Don’t assume the consent to be “eternal!”
With the GDPR and the ePrivacy Directive, the user consent must be given prior to the setting of the cookies.
Under the GDPR, you need prior consent to setting cookies that track personal data, whereas the ePrivacy Directive is even more far-reaching, and requires that you get consent for setting all except for the strictly necessary cookies.
So, make sure you aren’t using any “implied consent” for setting up cookies.
Record your users’ consent (as evidence … just in case!)
All consents must be securely stored so that they can be produced as evidence in case of a regulatory inspection.
This is easier said than done as most websites have a large number of third-party cookies flowing through their system.
A disclaimer such as “We aren’t responsible for any … ” or “Our service providers have their own data … ” or “We aren’t liable for the … ” might give you some peace of mind, but such statements might not be good defenses.
One tip that we can give you about this is to only partner with a service provider that understands and respects user privacy laws with the same diligence you display.
That’s the only way forward for a progressive, privacy aware business.
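The rules above (affirmative opt-in with everything non-essential off by default, withdrawal at any time, renewal every 12 months and a stored record that can serve as evidence) combined into one small consent model, as an added example that is not code from the original post; the state shape, function names and timestamps are assumptions.

```javascript
// Added example: a consent record that follows the rules in the article.
// Category names and the 12-month renewal come from the article; the state
// shape, function names and timestamps are constructed for illustration.
const CATEGORIES = ['strictly_necessary', 'performance', 'functionality', 'targeting'];
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // renew consent every 12 months

// Fresh state: no choices recorded, so nothing is implied by merely browsing.
function newConsentState() {
  return { choices: null, grantedAt: null, history: [] };
}

// Record an affirmative action: the visitor explicitly ticked `allowed`.
// Strictly necessary cookies are always on; everything else defaults to off.
function grantConsent(state, allowed, now) {
  for (const c of allowed) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
  }
  const choices = {};
  for (const c of CATEGORIES) {
    choices[c] = c === 'strictly_necessary' || allowed.includes(c);
  }
  state.choices = choices;
  state.grantedAt = now;
  // Keep an audit entry so the consent can later be produced as evidence.
  state.history.push({ action: 'grant', categories: [...allowed], at: now });
  return state;
}

// Withdrawal must be possible at any time and is logged like a grant.
function withdrawConsent(state, now) {
  state.choices = null;
  state.grantedAt = null;
  state.history.push({ action: 'withdraw', at: now });
  return state;
}

// May a cookie of `category` be set at time `now` (ms since epoch)?
function isCookieAllowed(state, category, now) {
  if (category === 'strictly_necessary') return true;        // no consent needed
  if (!state.choices) return false;                            // never granted, or withdrawn
  if (now - state.grantedAt >= CONSENT_TTL_MS) return false;   // older than 12 months: renew
  return state.choices[category] === true;
}
```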