Incorrect management of website cookies is one of the most common areas of GDPR non-compliance. Businesses of all sizes and sectors are required to abide by the GDPR’s rules on the application of non-essential cookies and management of consent. But what does this mean for your website and your website cookies?
In this Tacita Tips we’ll be looking at some common questions that can help you to easily audit your website cookies.
Do website cookies count as personal data?
In 2020, the EU commission ruled that, under GDPR, cookie IDs are considered personal data. A cookie ID is the identifier that is included within most cookies when set on a user’s browser. It is a unique ID that allows your website to remember the individual user and their preferences and settings when they return to your website. Almost all websites use cookies, and these can be classified as ‘essential’ or ‘non-essential’.
What are 'essential' and 'non-essential' website cookies?
The GDPR permits businesses to apply only ‘essential’ cookies to users’ devices without first gaining the user’s explicit consent.
‘Essential’ or ‘necessary’ cookies are determined as cookies where:
- the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.
Marketing cookies employed by third parties such as those from Hubspot, Google Analytics, and Facebook are classified as ‘non-essential’ cookies. These cannot be applied to users’ devices without their explicit consent.
What is 'explicit consent'?
The GDPR requires that users provide ‘explicit consent’ before non-essential cookies are applied to a user’s device. This means that the user must permit their application through some form of affirmative action. This includes (but is not limited to) ticking option boxes, clicking ‘I confirm’, or using consent sliders.
This does not permit the use of ‘implicit consent’ tools. These include cookie banners that state: ‘By using this website you allow us to place cookies on your device’ or pre-ticked preference boxes.
Any consent that is registered using these mechanisms is deemed invalid under the GDPR. Therefore, any personal data processed on that basis is being processed unlawfully.
What is a record of consent?
Article 7(1) of the GDPR says:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
This means you must have an effective audit trail of how and when consent was given, so you can provide evidence if challenged. You should keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.
Good records will also help you to monitor and refresh consent as appropriate. You must keep good records that demonstrate the following:
- Who consented: the name of the individual, or other identifier (eg, online user name, session ID).
- When they consented: a copy of a dated document, or online records that include a timestamp; or, for oral consent, a note of the time and date which was made at the time of the conversation.
- What they were told at the time: a master copy of the document or data capture form containing the consent statement in use at that time, along with any separate privacy policy or other privacy information, including version numbers and dates matching the date consent was given. If consent was given orally, your records should include a copy of the script used at that time.
- How they consented: for written consent, a copy of the relevant document or data capture form. If consent was given online, your records should include the data submitted as well as a timestamp to link it to the relevant version of the data capture form. If consent was given orally, you should keep a note of this made at the time of the conversation – it doesn’t need to be a full record of the conversation.
- Whether they have withdrawn consent: and if so, when.
How do we inform users about cookies?
You must provide your website users with the ability to select their cookie preferences if:
- They are accessing the website for the first time;
- The user has not logged their preferences on previous visits; or
- The retention period for the cookies has been exceeded and the user’s consent is required again.
You also must provide data subjects with the option to change their preferences at any time.
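The consent record described above (who, when, what they were told, how, and whether withdrawn) and the three conditions for re-showing the preference banner can be encoded as one small gate that decides whether non-essential cookies may be set. This is an added example, not Tacita’s code or any particular cookie-management product; the field names, the set of ‘affirmative’ versus ‘implicit’ mechanisms, and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Affirmative actions the text names as valid 'explicit consent' (assumed labels).
AFFIRMATIVE_ACTIONS = {"tickbox", "confirm_button", "consent_slider"}
# Mechanisms the text names as invalid 'implicit consent' (assumed labels).
IMPLICIT_MECHANISMS = {"pre_ticked_box", "continued_browsing"}

@dataclass
class ConsentRecord:
    """One entry of the consent audit trail: who / when / what / how / withdrawn."""
    user_id: str                 # who: online user name or session ID
    consented_at: datetime       # when: timestamp of the affirmative action
    statement_version: str       # what they were told: cookie statement version in use
    method: str                  # how: the affirmative action the user took
    submitted_data: dict         # how: the preferences submitted on the form
    withdrawn_at: Optional[datetime] = None   # whether withdrawn, and when

def is_valid_consent(rec: ConsentRecord) -> bool:
    """Consent counts only if it came from an affirmative action and is not withdrawn."""
    if rec.method in IMPLICIT_MECHANISMS or rec.method not in AFFIRMATIVE_ACTIONS:
        return False
    return rec.withdrawn_at is None

def consent_prompt_required(rec: Optional[ConsentRecord], now: datetime,
                            retention: timedelta) -> bool:
    """Re-show the banner on a first visit, when no valid preference is logged,
    or when the cookies' retention period has been exceeded."""
    if rec is None:                       # first visit / nothing logged
        return True
    if not is_valid_consent(rec):         # implicit or withdrawn consent is no consent
        return True
    return now - rec.consented_at >= retention   # retention period exceeded

def non_essential_allowed(rec: Optional[ConsentRecord], now: datetime,
                          retention: timedelta) -> bool:
    """Gate for setting third-party/marketing cookies: only with valid, current consent."""
    return not consent_prompt_required(rec, now, retention)

# Constructed sample records (not from the original page).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
RETENTION = timedelta(days=365)
VALID = ConsentRecord("sess-1", NOW - timedelta(days=30), "v3", "tickbox",
                      {"analytics": True, "marketing": False})
IMPLICIT = ConsentRecord("sess-2", NOW - timedelta(days=1), "v3", "pre_ticked_box",
                         {"analytics": True, "marketing": True})
EXPIRED = ConsentRecord("sess-3", NOW - timedelta(days=400), "v2", "confirm_button",
                        {"analytics": True, "marketing": True})
WITHDRAWN = ConsentRecord("sess-4", NOW - timedelta(days=2), "v3", "consent_slider",
                          {"analytics": True}, withdrawn_at=NOW - timedelta(days=1))
```

Keeping the record itself (including the statement version and the submitted data) is what lets you answer a challenge under Article 7(1); the gate alone is not an audit trail.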
Do we need a cookie statement?
Yes. A cookie statement is a piece of text that explains what cookies are in place, how they operate, and their retention schedule (how long they are applied for). Some cookie management services provide this as part of the implementation service.
Can Third Parties help?
Yes! Cookie management and GDPR compliance can be greatly aided by employing third-party software and tools. Most companies offer cookie management systems on a £10-20 per month subscription basis.
Don’t let your business be caught out by poor cookie management. By following Tacita’s recommendations above you can ensure that your business becomes, and stays, confidently GDPR compliant!