What does GDPR mean for your cookie consent policy?
Cookies are a tricky topic for web professionals. Essential to the sites that use them, annoying to the consumers who agree to them, and misunderstood by plenty of people on both sides, they’re at the core of many ongoing debates about online privacy. Cookies are only addressed once in the European Union’s recently enacted General Data Protection Regulation, but what little the GDPR has to say can have an important impact on organizations that do business online.
By getting your site in compliance with existing regulations, you can not only keep yourself that much further ahead of oncoming legal changes, but also give your users some peace of mind. An IBM-sponsored survey recently collected answers from 10,000 consumers around the world—75% of whom said they won't purchase a product if they don't feel they can trust the company with their data.
What Does the GDPR Say About Cookies?
Recital 30 of the GDPR is the only section of this lengthy document that directly addresses cookies, stating that:
"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
What this means for website owners and other data controllers and processors is that many, if not most, cookies are regarded as a means of collecting personally identifiable data. That makes them subject to the GDPR’s sweeping guidelines governing the handling and storage of personal data, which could impact organizations on several fronts.
What Are the New Cookie Standards, If Any?
Is Consent Required for All Cookies?
The European Commission’s official Internet Handbook lists the cookie types that are “clearly exempt from consent”, including:
- User‑input cookies (session-id) such as first‑party cookies that keep track of the user's input when filling in online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
- Authentication cookies, which identify the user once they have logged in, for the duration of a session
- User‑centric security cookies, used to detect authentication abuses such as multiple failed login attempts, for a limited persistent duration
- Multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
- Load‑balancing cookies, which help distribute server requests evenly to keep service running smoothly, for the duration of a session
- User‑interface customization cookies such as language or font preferences, for the duration of a session (or slightly longer)
- Third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network
Of course, the GDPR isn’t the only piece of legislation that EU data controllers and processors need to keep in mind. 2011’s ePrivacy Directive (which introduced those omnipresent cookie banners) and the GDPR will likely soon have company on the regulatory front. The EU’s ePrivacy Regulation is a proposed replacement for the 2011 Directive and is rumored to be the most stringent regulation so far regarding cookies. It’s too early to say what impact it could have on how organizations handle cookies, but it seems quite likely that more restrictions are on the horizon.