Last updated on 19 June 2020 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
The EU General Data Protection Regulation (GDPR) came into full force in May of 2018. Businesses have been scrambling to comply - rewriting their Privacy Policies, deleting all traces of unnecessary personal data, and emailing their existing customers to refresh marketing consent.
Perhaps the most noticeable sign of privacy practices changing, though, has been the treatment of cookies.
The GDPR contains over 50,000 words, and only one of them is "cookie." Despite this, the GDPR has significant implications for your website's Cookies Policy.
The law isn't spelled out in simple terms, and many websites remain non-compliant. It's very easy to get this wrong. But when you understand the law, it's not that hard to get it right, and we're here to help with that.
You may be reading this from outside the EU and wondering why you should care about complying with a foreign law. Well, whether you're physically present in the EU or not, the GDPR applies if you're:
"Profiling" means collecting information about people's activities and characteristics in order to predict their behavior.
This is a lot less sinister than it might sound - many website admins want to know what sorts of people are visiting their website so they can target their ads towards a particular group of consumers.
These are exactly the sorts of things that cookies can help you to do.
It doesn't matter if you're a multi-million dollar transnational corporation or a local charity that runs analytics or ads on its website - if you want people to visit your website from inside the EU, you need to obey EU privacy law.
Under Article 12 of the GDPR, you're required to provide information about all the personal data you process "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."
Here's how Invesco does this by combining its Privacy Notice and Cookies Policy into one legal agreement:
Your Cookies Policy will need to comply both with the GDPR and another EU law, the ePrivacy Directive. These two laws work in tandem to create some quite demanding conditions around cookies.
Your Cookies Policy should be tailored to your website. Some websites use only very basic session cookies that perform essential functions. Some websites have sophisticated marketing cookies that allow them to target their users with ads.
Here are some sections you should include in your Cookies Policy.
All privacy information must be given in "clear and plain language." You can't assume that your users will know what a "cookie" is. This is especially important if your website is geared towards children.
The first thing you should do is explain what cookies are, and what they do.
Here's how The Independent does this:
Here's a less clear example from The Arts Council:
This isn't necessarily a bad way of explaining what cookies are, but imagine you're someone who's never heard the word "cookie" used outside of a culinary context before.
The Independent's explanation would be a lot easier to understand.
It's impossible to avoid using technical language entirely, but do your best to put it all in a simple context.
Using simple language, break down the types of cookies that you use, and the purposes for which you use them. This should include any essential session cookies for which you won't be seeking consent.
Here's an example from Macmillan:
Be very specific here and list out all the ways you will be using cookies.
Article 13 of the GDPR requires that you disclose "the recipients or categories of recipients of [your users'] personal data." This means you must let your users know if their data will be shared with any third parties.
It's very common for websites to allow third parties to place cookies on visitors' devices that collect information. If you use a tool like Google AdSense, Google's Terms and Conditions require that you inform your users that Google places targeted ads on your website:
There could be many other instances in which your users might come into contact with third-party cookies, as explained by Three:
You'll notice that Three informs its users how to control consent for individual third-party cookies, as is required by Google.
If your website interacts with social networks, this might also have implications for your Cookies Policy as something you should disclose.
Here's how Rock Hopper HR makes its users aware of this:
Analytics is a way for you to track how users interact with your site. There are several different analytics services, and many different ways you can use analytics - all with different implications for your users' privacy.
Here's how HarperCollins does this:
GOV.UK lists the names of the Google Analytics cookies it uses and informs its users how to withdraw consent for Google Analytics:
Remarketing (also known as "retargeting") is a very powerful advertising tool. It allows you to "follow" users who have left your website and display your ads on other sites they visit.
If you use remarketing, this requires a special mention in your Cookies Policy.
Here's what Google Ads has to say about this:
This is how Launchmetrics complies with Google's requirements:
Many websites use other technologies to track and identify their users, such as web beacons and pixel tags. These are not cookies, but they have privacy implications and they interact with cookies. These technologies should also be discussed in your Cookies Policy.
Here's how Ever Accountable does this:
Let users know:
We've seen examples of Cookies Policies that name the cookies used by analytics services and third parties. It's also good practice to include a full list of all the different cookies you use on your website, including first-party cookies, together with an explanation of what each one does.
Here's an excerpt from Fitbit's list:
Many websites include a "privacy center" or a control panel where users can allow, refuse and withdraw consent for various types of cookies. Here's an example of one such interface from the BBC:
Note that "strictly necessary" cookies cannot be turned off. We'll discuss this in more detail below.
Whether or not you provide such an interface, you should also explain how users can control their consent for cookies in your Cookies Policy.
Here's a section of Pearson's Cookies Policy which offers advice on controlling cookies via the settings of various browsers:
Users can select which browser they're using in the menu and get step-by-step instructions for how to do a cookies check. Here's what you'll be shown if you select the Google Chrome instructions:
Simpler websites may only need to provide basic information about controlling cookies if only basic cookies are used. Here's how DHL Interactive does this:
DHL only uses one type of cookie that's necessary for the website to function and is deleted as soon as the web browser is closed, so it can get away with a simpler Cookies Policy. In fact, here's its policy in its brief entirety:
Under Recital 25 of the ePrivacy Directive, "users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment." This means that you need to get consent before you can use most cookies.
When the EU says "consent," it really means it.
Some privacy laws, such as CAN-SPAM in the United States, allow businesses to assume that they have a person's consent unless they opt out. The GDPR doesn't allow "opt-out" consent. It operates a strictly "opt-in" model of consent.
Similarly, some privacy laws, such as Canada's Anti-Spam Law, allow businesses to infer that they have a person's "implied" consent, for example where they have an existing business relationship with that person. The GDPR doesn't recognize implied consent. It only recognizes "express" consent.
Under Article 7 of the GDPR, consent must be:
Most websites request cookie consent via a pop-up banner or landing page. It's important that you build facilities into your website that allow your users to accept, refuse and withdraw consent for different types of cookies.
The idea of freely-given consent has big implications for your Cookies Policy. Recital 42 of the GDPR states that consent is not freely given if it can't be refused or withdrawn without detriment.
Here's an example of a cookie consent landing page from Washington Post which seems to contradict this rule:
Unless you pay to subscribe, Washington Post only allows you to access its website if you consent to having advertising cookies placed on your device.
You may have some sympathy with what Washington Post is trying to do here. Its business model depends partly on ad revenue, after all. However, it goes against the spirit of this part of the GDPR to "barter" with people's privacy consent in this way.
Here's an example of a consent request that's far more in line with the GDPR's spirit and would count as "freely given."
Dream in Code's cookie consent notice gives users the option to accept or not accept cookies. They're also informed that they can change their minds at any time and change or withdraw their consent choice:
This example is a good transition into the next consent requirements.
Your users must consent to cookies via a clear, affirmative act. When you ask if they consent to cookies, they should be able to click "I accept" or "OK," or something to that effect.
This cookie banner from Shopify represents a very common approach to requesting "consent" which seems to contradict this:
The user has no way to meaningfully refuse consent, other than to navigate away from the website. This is not considered good practice under the GDPR. If you have a cookie banner like this, you ideally should change it to comply with the GDPR's consent requirements, like the previous example from Dream in Code.
Article 7 of the GDPR says: "it shall be as easy to withdraw as to give consent." How does this work in practice?
It's difficult to obey the "letter of the law" on this one. You can do all the right things with your cookie banner, but it's probably going to be a little harder for your users to withdraw their consent than it was for them to give it.
Here's one option from the BBC. A "Cookies" link is on persistent display in the website's footer:
Clicking the link takes you to this page, which allows you to opt in and out of different types of cookies:
This principle arguably applies in another way that is much easier to implement: refusing consent shouldn't be any more difficult than accepting consent.
Take a look at this cookie banner from Pandora, for example:
Visiting the "Information and Settings" page to adjust cookie settings and refuse consent is hardly back-breaking labor. But it is a little more effort, and a little more inconvenient for a website visitor, than clicking "I'm fine with this."
Here's a good example of equally-weighted options from HellermannTyton:
Not all cookies require you to obtain consent in order to use them. The law is not black-and-white here, and the best you can do is adhere to authoritative guidance.
The UK's data protection authority, the Information Commissioner's Office, suggests that consent is "unlikely" to be required for cookies that are essential for you to provide a service or fulfill the request of a user.
Examples include cookies that:
It may be in your legitimate interests (or may even be a legal requirement) to use such cookies. Your users cannot meaningfully refuse consent for them without impeding the effective functioning of your website. Therefore, you only need to inform your users that you employ these cookies - you don't need to ask for their consent to do so.
An example of this would be the DHL Interactive cookie situation in an earlier example where only one necessary and temporary cookie is used. DHL Interactive would not need to obtain consent to use that one cookie for that necessary purpose.
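The consent requirements above (affirmative opt-in, refusal no harder than acceptance, withdrawal as easy as giving consent) and the exemption for strictly necessary cookies can be expressed as a small piece of gating logic rather than just banner wording. The JavaScript below is an added illustration written for this article, not code from the article, from TermsFeed, or from any website named here. The category names ("analytics", "marketing"), the "cookie_consent" cookie name, the simulated cookie jar and the sample cookie names in the walk-through are all assumptions constructed for the example.

```javascript
// Added example (not from the article or any site it names): an opt-in
// consent gate. Category names, the "cookie_consent" cookie name and the
// simulated cookie jar are assumptions made for this illustration.

const OPTIONAL_CATEGORIES = ["analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent";

// State before any affirmative act: only strictly necessary cookies are
// allowed, and "decided" is false so silence is never read as consent.
function defaultConsent() {
  return { decided: false, analytics: false, marketing: false };
}

// Accepting and refusing are each a single action, so neither is harder.
function acceptAll() {
  return { decided: true, analytics: true, marketing: true };
}

function rejectAll() {
  return { decided: true, analytics: false, marketing: false };
}

// Granular opt-in: only the optional categories the user ticked become true.
function choose(optedIn) {
  const consent = rejectAll();
  for (const name of optedIn) {
    if (!OPTIONAL_CATEGORIES.includes(name)) {
      throw new Error(`unknown cookie category: ${name}`);
    }
    consent[name] = true;
  }
  return consent;
}

// Withdrawal is one call and lands in the same state as refusal, so it is
// no harder than giving consent was.
function withdraw() {
  return rejectAll();
}

// The gate every cookie-setting code path must pass through. Strictly
// necessary cookies are always allowed (inform only, no consent needed);
// anything else needs a recorded, affirmative opt-in for its category.
function mayStore(consent, category) {
  if (category === "necessary") return true;
  if (!OPTIONAL_CATEGORIES.includes(category)) return false;
  return consent.decided === true && consent[category] === true;
}

// Simulated cookie jar (stands in for document.cookie): stores a cookie only
// if the gate allows its category. Returns true when stored, false when blocked.
function setCookie(jar, consent, { name, value, category }) {
  if (!mayStore(consent, category)) return false;
  jar.push(`${name}=${value}`);
  return true;
}

// Persist the choice in a first-party cookie (the consent record itself is a
// strictly necessary cookie). Returns a Set-Cookie header value.
function toSetCookie(consent, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Read the choice back from a Cookie request header. Anything missing or
// malformed is treated as "no decision", never as consent.
function fromCookieHeader(header) {
  const fallback = defaultConsent();
  if (typeof header !== "string") return fallback;
  const pair = header.split(";").map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!pair) return fallback;
  try {
    const parsed = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    const fields = ["decided", ...OPTIONAL_CATEGORIES];
    if (parsed === null || typeof parsed !== "object" ||
        !fields.every((f) => typeof parsed[f] === "boolean")) {
      return fallback;
    }
    return { decided: parsed.decided, analytics: parsed.analytics, marketing: parsed.marketing };
  } catch (e) {
    return fallback;
  }
}

// Walk-through on a constructed visit: an analytics cookie is blocked before
// any decision, allowed after opt-in, and blocked again after withdrawal.
function demo() {
  const jar = [];
  let consent = defaultConsent();
  const beforeDecision = setCookie(jar, consent, { name: "_ga_example", value: "1", category: "analytics" });
  consent = choose(["analytics"]);
  const afterOptIn = setCookie(jar, consent, { name: "_ga_example", value: "1", category: "analytics" });
  const marketingBlocked = setCookie(jar, consent, { name: "ad_id", value: "x", category: "marketing" });
  consent = withdraw();
  const afterWithdraw = setCookie(jar, consent, { name: "_ga_example", value: "2", category: "analytics" });
  return { beforeDecision, afterOptIn, marketingBlocked, afterWithdraw, jar };
}
```

The design point is that the default state is "no decision" rather than "refused" or "accepted": a visitor who closes the banner or never sees it gets the same treatment as one who refused, which is what the opt-in model requires, while the strictly necessary category bypasses the gate entirely because, as the article notes, it only has to be disclosed. A real site would wire `acceptAll`, `rejectAll` and `withdraw` to equally prominent controls and call `mayStore` before every analytics or marketing script loads.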
Transparency and fairness are at the heart of the GDPR. Although it may seem arduous to comply with the EU's rules around cookies, it's the law - and you owe your users the respect of treating their privacy seriously.
Make sure you have a Cookies Policy that: