A cookie is a little piece of data stored on a user's device by a web server.
Depending on the cookie's purpose, it may contain personal data and so be subject to the GDPR's regulations (General Data Protection Regulation).
In this article, we'll go over your regulatory obligations and teach you how to comply with GDPR cookie regulations.
What does the GDPR say about cookies?
It's necessary to clarify how cookies might be deemed personal data in order to comprehend how they intersect with the GDPR.
Cookies usually do not contain any information that would be considered personal data. The majority of them, for example, lack names and phone numbers. However, it's worth considering the GDPR's definition of personal data, which may be found in Article 4 of the Regulation. Personal information is defined as:
Any information about an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to that natural person's physical, physiological, genetic, mental, economic, cultural, or social identity.
Because they contain information about an individual or their interactions with a website, some cookies are referred to as "online identifiers." This comprises data used to save user preferences, login information, and track their behaviour for analytics.
The GDPR applies to these sorts of cookies, and businesses must adopt necessary procedures to protect personal data.
Cookie consent and the GDPR’s lawful bases
There is a long-held belief that under the GDPR, organisations must obtain consent from individuals before processing personal data. In fact, organisations can choose from six legal bases, with consent being the least preferable.
Because the GDPR's criteria for gaining and retaining consent are more stringent than those of its predecessors, this is the case. 'By using this website, you accept cookies,' for example, organisations can no longer tell website visitors.
There is no legal consent if there is no real and free decision. Simply going to a website does not constitute consent, and you must provide the option to accept or refuse cookies.
In general, genuine interests would provide a better legal basis for organisations. This is the widest of the GDPR's processing grounds, and it applies whenever a company uses sensitive data in a way that the data subject would reasonably expect.
'Interests' can relate to nearly anything here, including the business interests of an organisation or a third party, as well as broader societal benefits.
What about the PECR?
When it comes to legitimate interest, there is a substantial proviso for UK-based organisations in the form of the PECR (Privacy and Electronic Communications Regulations).
Electronic marketing, cookies, and the security of public electronic communication services are all covered under the PECR. Its regulations take precedent over the UK GDPR (the domestic version of the Regulation that was approved following Brexit).
Because the PECR requires the use of permission far more frequently than the GDPR, this is critical.
Consent must be "provided by a clear affirmative act indicating a freely given, explicit, informed, and unequivocal signal of the data subject's assent," just as the GDPR requires.
In the following section, we'll show you how to navigate these rules at the same time.
How to stay compliant when processing personal data gained via cookies
The key to complying with GDPR and PECR is to limit the amount of data you process and your risk landscape. As a result, you should begin by performing an audit to ensure that you understand what each cookie does, whether it's required, and when it's used.
Only cookies that are considered personal data must be addressed for GDPR compliance. To put it another way, any information that can be used to identify a person.
The PECR, on the other hand, applies to all cookies, including those that have been anonymized.
As with the GDPR, you can only use cookies to acquire personal data if you have a legitimate cause for doing so.
You must also tell users about the sorts of cookies you use – or intend to employ – and the data they collect. You might use the information for marketing, improving security, analysing website performance, or tailoring the site to the user's tastes, for example.
When people visit your website, you can utilise a banner or splash page to tell them about the cookies you gather.
Non-essential cookies, which are often those connected to user experience rather than website speed, must also be highlighted in your banner. Advertising cookies, cookies that automatically fill in login credentials, and analytics cookies, for example, are not required.
The banner should give consumers the option of customising their cookie options for non-essential cookies.
Another thing to consider is if you're utilising session cookies or persistent cookies. Persistent cookies remain on the user's computer after it has been shut off.
Session cookies, on the other hand, are retained in the browser's memory for a limited time and then removed when the browser is closed. Because they are frequently connected with critical site functions, they are excluded from a company's PECR consent obligations.
Until the user gives their approval, organisations must switch off optional cookie collecting by default. They must also provide a checkbox or slider for users to manage their cookie options.
Implementing an effective cookie compliance process
Given that organisations must comply with both the GDPR and the PECR, cookie compliance will be more difficult than other areas of data protection.
A detailed examination of your organization's cookie gathering methods is the first step toward effective compliance.
You must determine how and when cookies are collected, review how you tell website visitors about your practises, and assess the options provided to individuals to change their preferences.
This data must then be compared to your regulatory compliance criteria in order to detect any practises that aren't up to par.
Given the complexity of this process, plus the stakes for non-compliance, it’s understandable that many organisations would seek expert advice.
With DQM GRC’s GDPR Cookie Compliance Service, you get the support you need to ensure that you meet your compliance requirements.