- What types of cookies are being used?
- What is the cookie used for?
- How long does the cookie last? For example, is it a session cookie that only lasts for the browsing session or a persistent cookie that lasts beyond the session; and if so, what is the expiry date?
- Who serves the cookie? Is it a first-party or third-party cookie, and if it is a third-party cookie, who serves it?
- How to refuse the cookie at a later date
Digital agencies and website publishers should take particular care when using cookies for Real Time Bidding (RTB). RTB is a system used by ad exchanges to broadcast the personal data (often of a sensitive nature) of the individual browsing the website or using the app to thousands of organizations in order to solicit potential advertisers’ bids to deliver their ads on the website or app.
The ICO’s investigations into RTB have found that, in the vast majority of cases, cookies used for RTB do not comply with the ePrivacy Directive and the GDPR. The ICO highlighted the following deficiencies:
- Insufficient information provided to the data subject about the processing
- Consent not obtained from the data subject for the processing of non-special-category data, relying instead on legitimate interests
- Explicit consent from the data subject not obtained for special category data (such as tracking online browsing about religious or health content)
- Failing to carry out a data protection impact assessment (DPIA)
- Sharing with large numbers of third parties the detailed profiles of individuals without their knowledge
- Bundling together a number of separate processing purposes under a single opt-in
- Not checking that consent had actually been obtained from the individual and only relying on contractual clauses to this effect
- Using misleading and vague language on the first consent screen
- Using pre-ticked boxes for consent
However, in practical terms, for the majority of data controllers, the most important assessment is whether the cookie is “strictly necessary” or not. If it is strictly necessary, the cookie is exempt from consent. If the cookie is not strictly necessary, consent from the web user is required.
The requirement to provide certain information about the cookies you use on your site comes mainly from the current ePrivacy Directive. To comply with this Directive, you must explain what the cookies are being used for and obtain the user’s consent to store a cookie on the device. At a minimum, you must tell users:
- What types of cookies are used (such as, advertising or analytics)
- Who sets the cookie
- How a user can refuse the cookie
Cookie walls
Equally, the GDPR prohibits you from making consent a requirement of the service, so stating that, in order to continue browsing, the website user has to accept cookies (known as a cookie wall) would also be in breach of the GDPR.
The Dutch supervisory authority issued guidance that cookie walls are not compliant with the GDPR. It stated that it had increased monitoring of organizations using cookie walls and was instructing them to make the necessary changes to ensure GDPR compliance.
The ICO guidance is a little more permissive when it comes to cookie walls. The ICO refers to Recital 25 of the ePrivacy Directive that states that “access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.”
The ICO also notes, in a blog post published by it on the same day as their guidance on cookie walls, that “we recognize there are some differing opinions as well as practical considerations around the use of partial cookie walls and we will be seeking further submissions and opinions on this point from interested parties.”
The Austrian supervisory authority, however, rejected a complaint that consent obtained through a cookie wall of an online newspaper was not freely given. The newspaper had provided a free online version of the newspaper and also a subscription version without advertising. It only allowed users of the free version to have access if they accepted cookies for advertising purposes.
The European Data Protection Board is advocating for a complete ban on the use of any cookie walls as part of the amendments to the ePrivacy Directive. So, we may only receive clarity on the matter of cookie walls when the new ePrivacy regulations come into force.
To ensure full compliance, you need a tool (discussed in the next section) that shows — before the cookies are fired — the cookies used on your site and allows website users to make granular choices regarding which cookies they’re happy to accept. (See Cookiebot's website for more information.)
The following figure shows the Cookiebot banner, which you can place at the top or bottom of your website.
Users can click the Show Details tab to see the additional information shown here. Clicking the About Cookies tab shows more information about the different types of cookies — for example, cookies for statistics or marketing.
With Cookiebot, users cannot accept or refuse individual cookies; rather, the choice is simply between Preferences, Statistics, and Marketing. With other, more expensive GDPR solutions, such as OneTrust, you can allow your website users to make more granular choices about which cookies they’re happy to consent to.
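The rules described above (strictly necessary cookies exempt from consent, everything else off until the user opts in, disclosure of purpose, lifetime and who serves each cookie, and the ability to refuse later) can be modelled as a small consent gate. The following is an added example, not code from the page, from Cookiebot or from OneTrust; the cookie names, hosts, lifetimes and category names are constructed for illustration.

```javascript
// Added example, not code from the page or from any consent-management vendor: a small
// consent gate applying the rules above. Cookie names, hosts and lifetimes are constructed.
const COOKIE_REGISTRY = [
  { name: "session_id", category: "necessary",   party: "first", servedBy: "this site",
    lifetime: "session", purpose: "keeps the user logged in" },
  { name: "lang",       category: "preferences", party: "first", servedBy: "this site",
    lifetime: "1 year", purpose: "remembers the chosen language" },
  { name: "_stats",     category: "statistics",  party: "third", servedBy: "analytics.example",
    lifetime: "2 years", purpose: "usage statistics" },
  { name: "_ads",       category: "marketing",   party: "third", servedBy: "adexchange.example",
    lifetime: "13 months", purpose: "ad targeting (RTB)" },
];

// Starting state: nothing pre-ticked; only strictly necessary cookies may be set.
function defaultConsent() {
  return { preferences: false, statistics: false, marketing: false };
}

// The rows a "Show details" view needs: type, purpose, lifetime and who serves the cookie.
function disclosureTable() {
  return COOKIE_REGISTRY.map(c => ({
    name: c.name, type: c.category, purpose: c.purpose,
    lifetime: c.lifetime === "session" ? "session cookie" : `persistent, ${c.lifetime}`,
    servedBy: `${c.party}-party (${c.servedBy})`,
  }));
}

// Every script that wants to set a cookie goes through here. Returns true only if the
// cookie was written into `jar` (a Map standing in for the browser's cookie store).
function setCookie(jar, name, value, consent) {
  const entry = COOKIE_REGISTRY.find(c => c.name === name);
  if (!entry) return false;                  // undisclosed cookie: never set it
  if (entry.category !== "necessary" && consent[entry.category] !== true) return false;
  jar.set(name, value);
  return true;
}

// Granular choice: the user grants one category; the other categories stay as they were.
function grantConsent(consent, category) {
  if (!(category in consent)) throw new Error(`unknown category: ${category}`);
  return { ...consent, [category]: true };
}

// Refusing at a later date: withdraw one category and delete cookies already set under it.
function withdrawConsent(jar, consent, category) {
  if (!(category in consent)) throw new Error(`unknown category: ${category}`);
  for (const c of COOKIE_REGISTRY) if (c.category === category) jar.delete(c.name);
  return { ...consent, [category]: false };
}
```

Because `COOKIE_REGISTRY` doubles as the disclosure source, a cookie that cannot be disclosed cannot be set, which keeps the banner's information and the site's behaviour from drifting apart.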