Cookie Policies and GDPR: What do Businesses Need to Know?

Personal data and privacy laws received a much-needed revamp when the General Data Protection Regulation came into force. They have been updated across the EU, and businesses are compelled to be more open about how they treat the data of EU residents. GDPR treats any data that can uniquely identify an individual as personal data, so cookies, and the policies governing them, fall under its purview as well. This means that an organization’s cookie policy must adhere to the provisions of this latest data protection regulation.

Where Does GDPR Mention Cookies?

GDPR gives cookies a blink-and-miss mention. They appear in Recital 30 of the GDPR document, which clearly states that data subjects may leave ‘online identifiers’ such as cookies. Such identifiers, when seen in conjunction with other information collected by the servers, can identify the user. Because the organization then holds information that can uniquely identify a person, the data collected by cookies is personal data and hence is protected by GDPR.

What Should Organisations Do?

They have to reassess their cookies and their cookie policy. It is understood that not every cookie an organization uses can identify a user. Cookies used for chats, surveys or advertising, which can uniquely identify users, must follow the rules laid down under GDPR.

Every organization uses cookies to suit its own service delivery needs. Some businesses treat them as an expression of consent to their Website Usage Terms and Conditions when visitors arrive at their website. Others post the familiar message ‘By using this site, you accept cookies’, and so on. Under GDPR, however, these websites will have to move from implied consent to direct consent from the user. Businesses must provide EU users with the means to opt out of cookies as well as the ability to withdraw consent to the use of their data. Organisations need to take a harder look at their cookie policy and bring it into line with the GDPR requirements.

What Should a Cookie Policy Look Like in the Era of GDPR?

Cookie policies should be transparent and easy for users to read. If an organization does not already have such a policy in place, it should. Here are a few questions a cookie policy in the era of GDPR should be able to answer.

Question 1: What types of cookies does the website use, and how long will they exist on the data subject’s devices?

The cookie policy should detail the types of web cookies the website is using – session, permanent or third-party. Session cookies expire once the browser is closed; permanent cookies remain even after the browser is closed; third-party cookies collect user data for research or other purposes.
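Answering Question 1 honestly starts with an inventory of what the site actually sets. The following is an added example, not code from the article: it classifies constructed Set-Cookie headers (no real site is involved) as session or persistent from their Max-Age/Expires attributes, and as first- or third-party by a simplified hostname comparison (assumption: a real audit would compare registrable domains via the public suffix list).

```python
# Added example: inventory the cookies a site sets, by lifetime and party.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers (not from any real site), with the host that sent each.
SAMPLE_RESPONSES = [
    ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "_ga=GA1.2.1; Expires=Fri, 31 Oct 2025 00:00:00 GMT; Domain=.example.com; Path=/"),
    ("ads.tracker.example", "adid=xyz; Max-Age=31536000; Domain=ads.tracker.example; Path=/"),
]
PAGE_HOST = "www.example.com"  # the site the visitor actually opened
AUDIT_TIME = datetime(2025, 10, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value-or-None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value, attrs

def classify_cookie(header, response_host, page_host, now):
    """Classify one cookie as session/persistent and first/third-party."""
    name, _, attrs = parse_set_cookie(header)
    lifetime = None  # None = session cookie: gone when the browser closes
    if attrs.get("max-age") is not None:  # Max-Age wins over Expires (RFC 6265)
        lifetime = int(attrs["max-age"])
    elif attrs.get("expires"):
        lifetime = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    # Scope defaults to the responding host when no Domain attribute is given.
    domain = (attrs.get("domain") or response_host).lstrip(".").lower()
    page = page_host.lower()
    # Simplified first-party test on hostnames (assumption; real audits use the public suffix list).
    first_party = page == domain or page.endswith("." + domain) or domain.endswith("." + page)
    return {
        "name": name,
        "kind": "session" if lifetime is None else "persistent",
        "lifetime_days": None if lifetime is None else round(lifetime / 86400, 1),
        "third_party": not first_party,
    }

def audit_sample():
    """Run the classifier over the constructed responses; each row is one line of the policy table."""
    return [classify_cookie(h, host, PAGE_HOST, AUDIT_TIME) for host, h in SAMPLE_RESPONSES]

if __name__ == "__main__":
    for row in audit_sample():
        print(row)
```

Each row gives the name, lifetime and party of one cookie, which is exactly what the policy's cookie table needs to state.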

Question 2: What kind of data are they tracking and why?

The cookie policy also needs to elaborate on the type of data the cookies will be picking up from the device. This must be justified by the purpose of the data collection: whether the organization will use the data to improve its services, the performance of the website, marketing, or something else.

Question 3: Who will have access to the data?

The policy should also elaborate on the third parties that will have access to the data and where it will be stored or processed.

Question 4: What can the user do?

Under GDPR it is imperative that the user remains in control of their data. So the policy should tell the user how to reject cookies or change their tracking preferences.

A GDPR-compliant cookie policy can help organisations not only to protect themselves against hefty fines but also to be more transparent to their consumers. It is an ethical business practice.