GDPR and cookie consent: What can you still collect?
With the internet becoming more regulated and secure for users, organizations and websites want to stay ahead of the regulations while providing their prospects and customers with the best digital experience in a compliant manner. Cookies are an essential tool that can help businesses get a detailed insight into their users' online activity. Hence they can aid businesses in presenting the correct propositions to their customers. Technically speaking, cookies are small text files that websites place on your device while browsing. They are processed and stored by your web browser. In and of themselves, cookies are harmless and serve crucial functions for websites.
However, cookies can store a wealth of data, enough to potentially identify you without your consent. Cookies are the primary tool that advertisers use to track your online activity so that they can target you with highly specific ads. Given the amount of data that cookies can contain, they can be considered personal data in certain circumstances and, therefore, subject to the GDPR. Despite their importance, the regulations governing cookies are split between the GDPR and the ePrivacy Directive. Before talking about what GDPR and the ePrivacy Directive have to say about cookies and their usage, it is important to understand about different types of cookies based on certain properties.
Types of cookies
There are three ways to classify cookies based on what purpose they serve, how much time they endure, and their provenance.
Session Cookies: These cookies are temporary and expire once you close the browser (or once the current session ends).
Persistent cookies: This category encompasses all cookies that remain on your hard drive until you erase them or your browser does, depending on the cookie’s expiration date. According to the ePrivacy Directive, they should last no longer than 12 months on your hard drive.
First-party cookies: As the name implies, first-party cookies are put on your device directly by the website you are visiting.
Third-party cookies: These are the cookies placed on your device, not by the website you are visiting, but by a third party like an advertiser or an analytic system.
Strictly necessary cookies: These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow webshops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies.
Preference cookies: Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
Marketing cookies: These cookies track your online activity to help advertisers deliver more relevant advertising or limit how many times you see an ad. These cookies can share that information with other organizations or advertisers.
Statistics cookies: Also known as “performance cookies,” these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. These are the main ways of classifying cookies, although there are cookies that will not fit neatly into these categories or may qualify for multiple categories. When people complain about the privacy risks presented by cookies, they are generally speaking about third-party, persistent, marketing cookies. These cookies might contain significant amounts of information about your preferences, demography, and geographical location. In principle, cookies are mentioned only once in the GDPR, but there are repercussions for websites that employ external third-party cookies. Recital 30 of the GDPR states that: “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]”
“This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
When cookies can identify an individual via their device, it is considered personal data. This supports Recital 26, which states that any data that can be used to identify an individual directly or indirectly (whether on its own or in conjunction with other information) is personal data.
Consent after GDPR
Prior to the GDPR, many organizations relied on consent. Still, the strict rules for obtaining and maintaining consent mean that it should only be used where no other lawful basis applies. A significant repercussion of that is that organizations can no longer tell website visitors that “by using this site, you accept cookies”. If there is no genuine and free choice, then there is no valid consent. Simply visiting a site doesn’t count as consent, and you must make it possible to both accept or reject cookies. Websites must also provide an opt-out option. Even after getting valid consent, sites must allow people to change their minds. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences. The ePrivacy Directive regulations and GDPR rules regarding cookie usage converge and become clearer as best practices are analyzed and further utilized. A correct and error-free understanding of compliance with cookies can help you gather data from multiple channels, like Wi-Fi analytics from your stores and enterprises, in a compliant manner. With more and more businesses relying on omnichannel data of their customers, employees and clients, it has become critical to know how cookies shall affect personal data and its usage.