GDPR Deep Dive: What to do About Cookies

Dennis van der Heijden
February 15, 2018 ·
GDPR Deep Dive: What to do About Cookies

All cookies seem to work more or less the same. Tiny web file, stored by a user, tracks activity, etc. etc.

But some are more “private” than others.

And now, more than ever, that’s going to make a difference for your marketing stack.

The road to GDPR and ePrivacy compliance is a bumpy one. It requires your data processors to rely on “privacy by design”—and to ask consent if they’re using ANY personal data. That means any personal identifiers. That means  cookies, or IP addresses, or zip codes.

At Convert, we wanted to make sure no personal data would be stored in our systems, and that no person would be identified with use of cookie. It was the only way to keep the balance of business growth, strategic knowledge, and personal privacy of website visitors.

Because, did you ever wonder what would happen when you need ask explicit consent for you A/B testing tool?

If for your software to run—each and every user on your website needed to give consent to A/B testing.

How would you explain that clearly? Persuasively?

And how many of your users do you think would give the okay?

Software Vendors: If You Want to Save Your Business—It’s Time to Redesign Your Apps

The EU gave us clear guidelines on how cookies should be handled in GDPR —even without the new ePrivacy Regulations in place.

We really want to share a clear message with our web visitors: we care about your privacy.

And to do that, I expect, we’ll have to cancel 20% of the 72 software tools we use.

JUST because of lack of clarity on privacy. Or the lack of GDPR adjusted features. Or the lack of willingness to manage data of our customers, prospects, and other relations, transparently.  

GDPR Recital 30 states:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.

This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

So they don’t want any unique identifiers. Not even in cookies—and surely not personal data.

Pre-GDPR A/B testing with ePrivacy Directive and the localized versions in Europe

The law currently in place, the ePrivacy Directive (which is soon to be replaced with new ePrivacy Regulations) helps us understand understand what sort of cookies A/B testing software relies on. They’re performance cookies:

Testing variations of design, typically using A/B or multivariate testing, to ensure a consistent look and feel is maintained for the user of the site in the current and subsequent sessions. If they fit this description they are performance cookies.

These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.

These cookies should not be used to re-target adverts, if they are, they should be placed in category of targeting cookies and advertising cookies according to the ICC UK Cookie guide Second edition November 2012 [PDF].

Cookies in the “performance segment” only collect information about website usage for the benefit of the website operator. They rely on aggregate data. They don’t directly “identify a visitor.” Consent for use of these types of cookies may be obtained, for instance, in the terms and conditions of the site—or when the user changes the the site settings.

The correct method to use here will depend on the nature of the website, and the precise function of the cookies involved. But in most cases, we can obtain consent with the words: “By using our [website][online service], you agree to the use of these types of cookies on your device.”

Although the new law (ePrivacy Regulations) is different, the old/current law ePrivacy Directive helps us understand where A/B testing software stood when cookies could be placed without user consent. We could do our work as normal, as long as we gave clear information to the end user.

Each country may have a slightly different description—but in general, Europe was on board with A/B testing. It helped the performance of the website (if you did not use it for behavioral targeting and personalization. And you didn’t share the information with others, or track across website).

Post-GDPR do we need consent for A/B testing?

Interestingly PageFair found that only 21% of consumers would opt-in on first-party analytics tracking.

This would mean ⅕ of current traffic would accept analytics if it would fall within the consent parameters.

So will you need consent for you A/B testing tool?

Most likely yes, you would need consent if your A/B testing software depends on IP-address, unique identifiers like Device IDs, UserID, TransactionID, CookieID or Pseudonymous data (meaning:  unrecognizable data + a key stored elsewhere, to make it readable again). These, under GDPR, are unique identifiers, and require explicit opt-ins.  

So when do you need to start with explicit consent? When does ePrivacy Directive switch to ePrivacy Regulations?

Warning: Latin words and legal terms.

The ePrivacy Regulation is the ‘principe lex specialis derogat legi generali’ or in short ‘lex specialis’ to the GDPR.

In plain English this means: if GDPR and ePrivacy are at odds, or GDPR lays out a guideline that needs further specification—the rules laid out in ePrivacy, are the ones you need to follow.  

Right now we just have a draft (names 1533) of the ePrivacy Regulations in debate. It still needs to see feedback from member EU delegates—so it doesn’t mirror exactly what will soon become law.

An “optimistic” forecast: Future of Privacy Forum Policy Counsel, Gabriela Zanfir-Fortuna, says that he expects an ePrivacy approval date towards the end of 2018. As to the implementation date, we really have no idea.

Less optimistically, he’s also suggested that ePrivacy Regulation “will likely require additional compliance.” And, Alex Propes (Director of the Interactive Advertising Bureau (IAB) of Public Policy) has said “that organizations can only target GDPR at the moment.”

Daniel Felz Associate at Alston & Bird shares an even more depressing view: “ePrivacy Regulation Trilogue Negotiations was Pushed back to Fall 2018; Final ePrivacy Regulation may not be in Place until 2020.” At a conference sponsored by the German Federal Society for Data Protection, a spokeswoman from Germany’s Economic Ministry was reported as stating that trilogue negotiations will not begin until the fall of 2018.  

Apparently, EU Member States are still discussing a number of open questions regarding ePrivacy Regulation issues.

In the meantime, obviously, the current ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002) remains in place, which is a matter of national legislation.

So that was a lot of law you threw at me. What does it mean for my business?

The GDPR is clear: no personal data without consent. And if you’re waiting for ePrivacy to swoop in with a loophole—you may be looking at a longggg wait.

So if your A/B testing software depends on personal data: IP-address, unique identifiers like Device IDs, UserID, TransactionID, CookieID or Pseudonymous data (that’s unrecognizable data + key on different spot to make it readable again) then that is personal data.

It remains key to include online data and identifiers, such as cookies and many others, in your GDPR strategy. Regardless of where, and how, the text will be adapted by future delegate discussions.

The old ePrivacy Directive gave you the obligation to put a “cookie wall” notice in place, and only focused on European companies.

Now GDPR applies to everyone that touches EU data—worldwide. And personal data is defined to include all sorts of new identifiers.

But the old ePrivacy directive says something else. It says “for this type of data, you just need a notice, and an opportunity to opt-out.”

So welcome to a legal vacuum.

The big question is: will you get fined within that gray area?

And the answer is: do you want to risk it?

Privacy authorities are going to have a heck of a time implementing GDPR. And the new ePrivacy laws might not be put in motion to 2019, or even 2020.

So, I don’t expect huge fines on May 25th, if your basic cookie wall is still live.

But it’s clear that finally, the laws are changing. And they’re going to keep changing—as we move into a world where data is worth more, and data subjects demand more.

So let’s get started now.

Originally published February 15, 2018 - Updated September 12, 2022
Mobile reading? Scan this QR code and take this blog with you, wherever you go.
Dennis van der Heijden
Dennis van der Heijden Co-founder & CEO of Convert, passionate community builder and out-of-the-box thinker. 

Start Your 15-Day Free Trial Right Now.
No Credit Card Required

You can always change your preferences later.
You're Almost Done.
I manage a marketing team
I manage a tech team
I research and/or hypothesize experiments
I code & QA experiments
Convert is committed to protecting your privacy.

Important. Please Read.

  • Check your inbox for the password to Convert’s trial account.
  • Log in using the link provided in that email.

This sign up flow is built for maximum security. You’re worth it!