Where Does GDPR Mention Cookies?
The GDPR gives cookies only a blink-and-miss mention. They appear in Recital 30, which states that data subjects may leave ‘online identifiers’ such as cookies. Such identifiers, when combined with other information collected by servers, can identify the user. Because the organisation then holds information that can identify a person uniquely, the data collected by cookies is personal data and is therefore protected by GDPR.
What Should Organisations Do?
Cookie policies should be transparent and easy for users to read. An organisation that does not already have such a policy should put one in place. Here are a few questions a cookie policy should be able to answer.
Question 1: What types of cookies does the website use, and how long will they exist on the data subject’s devices?
Under the EU cookie privacy law, the policy should detail the types of web cookies the website uses: session, permanent or third-party. Session cookies expire once the browser is closed, permanent cookies remain even after the browser is closed, and third-party cookies collect user data for research or other purposes.
Question 2: What kind of data are they tracking and why?
Question 3: Who will have access to the data?
The policy should also elaborate on the third parties that will have access to the data and where it will be stored or processed.
Question 4: What can the user do?
Under GDPR, it is imperative that users be in control of their data. The practitioner should therefore tell the user how to reject the cookie policy or change their tracking status.