GDPR For Dummies
Book image
Explore Book Buy On Amazon
The function of your cookie policy is to provide clear and comprehensive information to your website users about the cookies you’re using and what type of cookies they are (functional or session, for example).

Assess your cookies

To create your cookie policy, you need to know what cookies you’re using on your website and what their purpose is. A small-business owner may not know the answer, especially if a website developer set up their website.

If you don’t know what cookies are on your website and what they’re for, ask your web developer or use a cookie audit tool, such as cookiechecker. Ghostery is another tool that can help with this — it's a free browser plugin that also categorizes the cookies, such as advertising, analytics and the like. For other options, search the internet using the term “tool to show cookies on websites." Resources such as cookiepedia can also be helpful to find out more about what different types of cookies do.

In order to write your cookie policy, you need to know:
  • What types of cookies are being used?
  • What the cookie is used for?
  • How long does the cookie last? For example, is it a session cookie that only lasts for the browsing session or a persistent cookie that lasts beyond the session; and if so, what is the expiry date?
  • Who serves the cookie? Is it a first-party or third-party cookie, and if it is a third-party cookie, who serves it?
  • How to refuse the cookie at a later date
In addition, when you have the list of cookies your website uses, assess how intrusive the cookies are — how they follow users about for their online browsing, in other words. First- party cookies, such as shopping cart cookies are less intrusive, for example, than third-party persistent tracking cookies, which monitor your website users’ online behavior on a long-term basis. If you’re using more intrusive cookies, obtaining informed consent for the use of those cookies is all the more important for you.

Guidance on the use of cookies from the United Kingdom's Information Commissioner's Office (ICO) is that “you should take particular care to ensure clear and specific consent for more privacy-intrusive cookies, such as those collecting sensitive personal data like health details, or used for behavioral tracking."

Digital agencies and website publishers should take particular care when using cookies for Real Time Bidding (RTB). RTB is a system used by ad exchanges to broadcast the personal data (often of a sensitive nature) of the individual browsing the website or using the app to thousands of organizations in order to solicit potential advertisers’ bids to deliver their ads on the website or app.

The ICO’s investigations into RTB have found that, in the vast majority of cases, cookies used for RTB do not comply with the ePrivacy Directive and the GDPR. The ICO highlighted the following deficiencies:

  • Insufficient information provided to the data subject about the processing
  • Data subject consent not obtained for the processing of non-special category data and instead relying on legitimate interests
  • Explicit consent from the data subject not obtained for special category data (such as tracking online browsing about religious or health content)
  • Failing to carry out a data protection impact assessment (DPIA)
  • Sharing with large numbers of third parties the detailed profiles of individuals without their knowledge
The French supervisory authority, CNIL, issued an enforcement notice in October 2018 to a French digital agency called Vectaury that had obtained personal data for hundreds of millions of people from the RTB system. The enforcement notice required Vectaury to cease processing geolocation data for advertising purposes without appropriate lawful grounds for processing. CNIL stated that “it is clear that Vectaury is unable to demonstrate that the data currently collected through real time bid requests are subject to informed, free, specific, and unambiguous consent.” Vectaury was non-compliant in:
  • Bundling together a number of separate processing purposes under a single opt in
  • Not checking that consent had actually been obtained from the individual and only relying on contractual clauses to this effect
  • Using misleading and vague language on the first consent screen
  • Using pre-ticked boxes for consent
It is worth noting that Vectaury believed it was following the IAB framework, something that the IAB disputes by pointing out that Vectaury did not follow its policies correctly.

However, in practical terms, for the majority of data controllers, the most important assessment is whether the cookie is “strictly necessary” or not. If it is strictly necessary, the cookie is exempt from consent. If the cookie is not strictly necessary, consent from the web user is required.

You can also take this opportunity of auditing the cookies used on your website to tidy up your use of cookies and delete any you don’t really need.

Write your cookie policy

The General Data Protection Regulation (GDPR) requires data controllers to provide certain information to data subjects — via the privacy notice — about how they process personal data. You can provide information about cookies in your Privacy Notice. However, data controllers commonly have a separate cookie policy that specifies which cookies they’re using.

The requirement to provide certain information about the cookies you use on your site comes mainly from the current ePrivacy Directive. To comply with this Directive, you must explain what the cookies are being used for and obtain the user’s consent to store a cookie on the device.

The obligation under the ePrivacy Directive to obtain consent is only in relation to non-essential cookies. However, you should provide information for all cookies used, both essential and non-essential.

Neither the GDPR nor the ePrivacy Directive specifies the information that needs to be contained in the cookie policy. However, you should include, as a minimum, the following information you learned from your cookie assessment:
  • What types of cookies are used (such as, advertising or analytics)
  • Who sets the cookie
  • How a user can refuse the cookie
According to the ePrivacy Directive, the language in your policy must be clear and comprehensive. The ICO says this means the “text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing the cookies should they wish to do so.” In other words, make sure users understand what the cookies do and what that means for them — for example, their browsing and shopping habits will be tracked, and they’ll see ads that reflect the tracking.

The ICO guidance also states that you must consider the general levels of understanding that website users hold about cookies. The understanding is still pretty low, so the cookie policy needs to be easy to understand, especially for people who have no technical background. Therefore, listing the types of cookies your website uses isn’t enough; you need to fully explain what each type of cookie is used for and how that affects the user.

When using a banner or pop-up to link to provide the requisite information and to gain consent, consider the user experience. Many users find pop-ups annoying and even confusing, so you may want to use them sparingly, if at all, or as unobtrusively as possible. See the next section for more about ways to communicate your cookie policy to users.

Post your cookie policy

You can choose to have a straightforward cookie policy on a web page on your website with a prominent link to it on each page of your website (through a banner or pop-up on your website, for example) or you can use a more sophisticated tool to show the cookie policy and obtain the necessary consent (see the section below for potential tools).

If the link to the cookie policy is in a banner that shows at the top or bottom of the web page, it must be easily viewable and above the fold (the section of the website page users can see without scrolling down).

Many websites merely have a link to a cookie policy that is just a plain link in the footer of each page of the website (without a banner or a pop-up). This isn’t likely to be prominent enough to be compliant.

In addition to the cookie policy, you need a separate cookie consent statement — either in a separately displayed cookie banner or a cookie pop up — that links back to the cookie notice, with a call to action to provide consent, such as “accept cookies” and “reject cookies” buttons.

The ICO guidance on the use of cookies states that:

  • Rather than just have a link that states “cookie policy,” you should make it clearer what the link is about by using words such as “Find out more about how our site works and how we put you in control.”
  • You must not have boxes that emphasize "agree" or "allow" (or presumably "accept") cookies, as opposed to "block" or "reject" cookies, as this influences website users to consent to the use of cookies. There must be an option of similarly prominent boxes of accept and reject.
  • The initial consent mechanism you use when people land on your landing page of your website must allow the user to make a choice about whether to accept the use of cookies or not; merely having a "more information" section where controls are located would not suffice.
The following figure shows an example of how a banner might display a link to a cookie policy. The banner pops out at the left side of the web page and provides a link that users can click to read more about the website’s cookies.

cookie banner The ICO’s cookie banner

Consent under the GDPR must not be opt-out consent, where you must take some action — click a button or select a check box — in order to block cookies. The GDPR insists on opt-in consent, where the user must take affirmative action in order to allow cookies. As such, cookie policies that state that by continuing to browse the website, the user consents to the use of cookies, will not be compliant.

Cookie walls

Equally, the GDPR prohibits you from making consent a requirement of the service, so in stating that, in order to continue browsing, the website user has to accept cookies (known as a cookie wall), this would also be in breach of the GDPR.

The Dutch supervisory authority issued guidance that cookie walls are not compliant with the GDPR. It stated that it had increased monitoring of organizations using cookie walls and was instructing them to make the necessary changes to ensure GDPR compliance.

The ICO guidance is a little more permissive when it comes to cookie walls. The ICO refers to Recital 25 of the ePrivacy Directive that states that “access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.”

The ICO’s guidance is, therefore, that cookie walls are not permitted for "general access" to websites but that it is possible to restrict certain content if the user does not consent to the use of cookies. However, the ICO does go on to say that if the use of a cookie wall is “intended to require or influence users to agree to their personal data being used by [the data controller] or any third party as a condition of accessing your service, then it is unlikely that user consent is considered valid.”

The ICO also notes, in a blog post published by it on the same day as their guidance on cookie walls, that “we recognize there are some differing opinions as well as practical considerations around the use of partial cookie walls and we will be seeking further submissions and opinions on this point from interested parties.”

The Austrian supervisory authority, however, rejected a complaint that consent obtained through a cookie wall of an online newspaper was not freely given. The newspaper had provided a free online version of the newspaper and also a subscription version without advertising. It only allowed users of the free version to have access if they accepted cookies for advertising purposes.

The European Data Protection Board is advocating for a complete ban on the use of any cookie walls as part of the amendments to the ePrivacy Directive. So, we may only receive clarity on the matter of cookie walls when the new ePrivacy regulations come into force.

To ensure full compliance, you need a tool (discussed in the next section) that shows — before the cookies are fired — the cookies used on your site and allows website users to make granular choices regarding which cookies they’re happy to accept.

Tools to communicate your cookie policy and obtain consent

Some existing tools can enable you to be compliant to lesser or greater degrees. One such tool, Cookiebot, enables you to show the different types of cookies you use on your website and provides the website user with the option to continue to browse the website while using only necessary cookies (for which consent isn’t required). Cookiebot also appears to have the ability to prevent cookies from firing until consent is obtained, though you do have to add certain code to your other plugins. (Check out Cookiebot's website for more information.)

The following figure shows the Cookiebot banner, which you can place at the top or bottom of your website.

Cookiebot banner Cookiebot gives users a simple choice.

Users can click the Show Details tab to see the additional information shown here. Clicking the About Cookies tab shows more information about the different types of cookies — for example, cookies for statistics or marketing.

Users can choose to see more cookie information. Users can choose to see more cookie information.

With Cookiebot, users cannot accept and refuse individual cookies; rather, the choice is simply between Preferences, Statistics, and Marketing. With other, more expensive GDPR solutions, such as One Trust, you can allow your website users to make more granular choices about which cookies they’re happy to consent to.

Another affordable Wordpress plugin can be used to prevent cookies firing prior to consent being obtained (without having to add any code). This plugin also enables data subjects to access basic personal data about themselves (and update it) satisfying Recital 63, which states that best practice is for organizations to provide remote access to a secure self-service system where the data subject can have direct access to his or her personal data. In addition, the plugin provides a privacy policy and cookie policy generator that automatically updates on your site for new guidance or amendments to regulations.

About This Article

This article is from the book:

About the book author:

Suzanne Dibble is a business lawyer who has advised huge multi-national corporations, private equity-backed enterprises, and household names. Since 2010 she has focused on small businesses, combining her knowledge of large organizations with a deep appreciation for entrepreneurship, especially online businesses, to provide practical, relevant advice. See more at suzannedibble.com

This article can be found in the category: