Is a GDPR cookie policy really required?


To be compliant with the Privacy and Electronic Communications Directive (also known as the Cookie Law or ePrivacy Directive) and the General Data Protection Regulation (GDPR), it is important to consider your use of cookies and the cookie requirements for your website.

In this article we will discuss the importance of a Cookie Policy, what a Cookie Policy should contain, the various cookie requirements around the world and how CookieScan can help your business reach compliance with data protection regulations and cookie requirements.

Why do you need a cookie policy?

Every website needs cookies in order to function. Some cookies are essential for the general running of the website, and some cookies, combined with unique identifiers, are used to identify the website visitor for marketing purposes and to track the activity of the user during and after their visit to the website.

By law, all website users have the right to decide their cookie preference settings; this gives the user more control over their personal data privacy online and over how the personal information collected from them will be used.

A Cookie Policy provides detailed information about how the data collected by the cookies on your website will be used, your purpose for collecting it, and how long the cookies remain on the user's device. This policy should be easily accessible to the site user and explain clearly how cookies are used and the rights of the user to choose their cookie preferences and give cookie consent.

When is a cookie policy needed?

If you have cookies operating on your website, you need a Cookie Policy! The Cookie Law (ePrivacy Directive) requires websites to alert users to the presence of cookies and explain the kinds of cookies being used. Explicit consent from the user is required: the user must be able to refuse or accept the placement of cookies on their device.

The best way to provide this option to the user is through a cookie banner. The banner alerts the user to the website's use of cookies and enables them to choose their cookie preferences by an affirmative action, such as accepting, declining, choosing their own preferences, or another method that requires the user to act before proceeding to use the site.

Can a Cookie Policy and Privacy Notice be one combined document?

The purposes of these notices are different. A Privacy Notice explains the different ways you collect and manage a user's personal data. A Privacy Notice explains: the personal information you collect from the user, your purpose for processing it, whether you share the user's personal data with third parties, how long you keep the user's personal data for, and the rights of the user to make a Data Subject Access Request (DSAR).

A Cookie Policy, by contrast, gives detailed and specific information about the cookies that operate on the website. A Cookie Policy explains: what cookies are operating on the site, which cookies will remain on the user's device, what the function of each cookie is, and the lifetime of the cookie.

Logically it makes sense to have these as two separate notices, as they are very different. Make sure to display both your Privacy Notice and Cookie Policy links in a place on your website that is easy to find and visible to the user. They need to be accessible on every page of the site, so the footer of the website is the most common place you will find these notices.

CookieScan makes compliance with Cookie requirements easy!

CookieScan will carry out a scan of all the cookies operating on your site, our database will automatically categorise your cookies, and we will build your own compliant Cookie Notice and Cookie Banner for your website. The platform will regularly update your cookie descriptions if they change, and our portal will help you easily manage your account.

What does GDPR say about cookies?

There is no mention of "cookies" within the General Data Protection Regulation (GDPR). However, the GDPR's standard of consent is applied to the Cookie Law, so the two work hand in hand. The EU Cookie Law sets specific guidance on privacy and electronic communications around the use of cookies, whereas the GDPR gives guidance on the general collection of personal data.

The EU Cookie Law takes into account the GDPR's standards for consent, which means that explicit cookie consent is needed for certain cookies placed in a user's browser, and you are required to maintain a record of the consent given by the user.

Get all your consent worries out of the way by using CookieScan. CookieScan will collect the consent provided by your website users and record it for you. If needed you can request the consent log for your site, which is very handy if you have to defend your company against a wrongful marketing complaint.

Are cookies personal data under GDPR?

Cookies are classed as personal data because they can uniquely identify a user, and some create individual profiles based on the user's preferences. Because of this, the ePrivacy Directive and the GDPR go hand in hand. As the user's personal information is being collected through the use of cookies, the GDPR's requirements for user consent apply to every website's use of cookies.

Cookie requirements differ around the world based on the laws and requirements in each jurisdiction. Let's have a look at the rules on cookie consent in some major markets around the world.

Europe

In Europe, the General Data Protection Regulation and the ePrivacy Directive set out rules on how businesses request and obtain cookie consent. The Spanish data protection authority (AEPD), the Irish Data Protection Commissioner, the Belgian Data Protection Authority, the French CNIL and the Swedish DPA (Inspektionen), to name a few, set their own guidance on the use of cookies and consent requirements, ensuring compliance with the GDPR. The guidance states that consent must be expressed through a positive action of the user. Even if a user continues viewing a website after being informed of the use of cookies, you can no longer interpret this as valid consent. You need to collect consent through an opt-in mechanism, e.g. ticking a box (bearing in mind that pre-ticked boxes are prohibited) or sliders that are deactivated by default. Cookie consent is collected through a cookie banner, with a cookie policy explaining how cookies are used on the site.
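As an added illustration (not code from the article or from CookieScan) of the consent rules above and the record-keeping requirement described under "What does GDPR say about cookies?", the JavaScript below keeps non-essential cookies blocked until an affirmative opt-in, starts every optional category switched off, rejects continued browsing as consent, and logs each decision. The cookie registry, category names and cookie strings are constructed sample data that follow the policy list later in the article.

```javascript
// Constructed registry: cookie name -> category and lifetime, as a Cookie Policy would list them.
const COOKIE_REGISTRY = {
  session_id: { category: "essential", lifetime: "session" },
  lang:       { category: "functionality", lifetime: "1 year" },
  _ga:        { category: "statistics", lifetime: "2 years" },
  ad_id:      { category: "marketing", lifetime: "90 days" },
};
const CATEGORIES = ["functionality", "performance", "statistics", "marketing"];

// Every optional category starts deactivated: no pre-ticked boxes, no sliders defaulting to on.
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Records an affirmative banner interaction in the consent log and returns the entry.
// Merely continuing to browse ("scroll", "navigate") is not consent and is rejected.
function recordConsent(log, { action, choices, policyVersion, now = Date.now() }) {
  if (!["accept_all", "reject_all", "save_preferences"].includes(action)) {
    throw new Error(`not an affirmative action: ${action}`);
  }
  const granted = defaultChoices();
  if (action === "accept_all") CATEGORIES.forEach((c) => { granted[c] = true; });
  if (action === "save_preferences") {
    for (const c of CATEGORIES) granted[c] = choices?.[c] === true; // only explicit true counts
  }
  const entry = { timestamp: new Date(now).toISOString(), action, policyVersion, granted };
  log.push(entry); // the log is what you produce if a consent decision is ever disputed
  return entry;
}

// A cookie may be set only if it is essential or its category was explicitly opted into.
function isCookieAllowed(name, consent) {
  const meta = COOKIE_REGISTRY[name];
  if (!meta) return false; // unknown cookie: block it and add it to the registry first
  if (meta.category === "essential") return true;
  return consent !== null && consent.granted[meta.category] === true;
}

// Scans a cookie jar in document.cookie format and lists cookies present without consent,
// the kind of check a periodic cookie scan of the site would perform.
function findViolations(cookieJar, consent) {
  return cookieJar
    .split(";")
    .map((kv) => kv.trim().split("=")[0])
    .filter((name) => name !== "")
    .filter((name) => !isCookieAllowed(name, consent));
}
```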

North America

Privacy laws in the United States are weaker than in other jurisdictions, and consent for cookies is not required in most states! The Children's Online Privacy Protection Act (COPPA) is a federal law in the US that regulates the activity of websites and online services aimed at children under 13 years old in order to protect them online. California has its own data privacy act, the California Online Privacy Protection Act (CalOPPA). Though this act requires websites to disclose their use of cookies to the user, it does not require cookie consent.

Canada

Canada has two main privacy laws. The first is the Personal Information Protection and Electronic Documents Act (PIPEDA) and the second is Canada's Anti-Spam Legislation (CASL). Neither law requires cookie consent as long as proper information and an opt-out process are provided for the user.

South and Central America

Most countries are a grey area for cookie consent: many privacy laws in South and Central America do not reference cookies but do require personal data to be collected with express consent. On the other hand, the Federal Law on the Protection of Personal Data in Mexico requires cookie consent and a full cookie notice.

Africa

Africa has many laws on the collection of personal data in its different countries, many of which mirror EU law on consent and its meaning. For example, both the Nigerian Data Protection Regulation 2019 and the South African Protection of Personal Information Act (POPIA) regulate the use of cookies: as "online identifiers", cookies qualify as personal data and are covered by cookie consent requirements.

Asia

There are many data privacy laws within Asia, but many do not reference the use of cookies. Japan's Act on the Protection of Personal Information (APPI) requires consent for the transfer of personal data rather than for its collection. So the collection of data by cookies might not require cookie consent, but it may require disclosure in a Privacy Notice.

Australasia

Australia's main privacy law is the Privacy Act 1988, and New Zealand's main law is the Privacy Act 1998. Neither of these laws makes direct reference to the use of cookies. However, guidance on Australian law from the Office of the Australian Commissioner suggests that if a cookie identifies a person, the cookie may be classed as personal data. Therefore, it would be appropriate to have a cookie notice explaining the function of the cookies on your site. There is no guidance on cookie consent.

If your target audience is located in any of these jurisdictions, then you need to ensure your website cookies comply with these laws. The best option is to ensure your website has a Cookie Notice and Cookie Banner to comply with cookie consent requirements. Get all your consent worries out of the way by using CookieScan. CookieScan will collect the cookie consent provided by your website users and record it for you. If needed you can request the consent log for your site, which is very handy if you have to defend your company against a wrongful marketing complaint.

What should a cookie policy contain?

The aim of the Cookie Policy is to inform website users which cookies operate on the site and to enable website visitors to exercise their right to choose their own cookie preferences.

A Cookie policy should contain:

  • what types of cookies are set
  • how long they stay in a user's browser (session, persistent, etc.)
  • what data they track from the user
  • the categories of personal information collected
  • for what purpose (functionality, performance, statistics, marketing, etc.)
  • where the data is sent and with whom it is shared (which third parties receive it)
  • how to reject cookies, and how to change the user's preferences regarding the cookies.

A cookie Policy or Cookie Notice?

What is the difference between a Notice and a Policy? Simply, a Policy is an internal document focused on informing employees of internal procedures, whereas a Notice is an external document telling customers and other website visitors what your organisational procedures are. In this instance, you would have a Cookie Notice on your website that informs website visitors how cookies are used on the site, what data they collect, and how long each cookie is stored on a user's device. We would call this a Notice as it is external and targeted at website visitors and customers.

Summary

In this article we have considered the importance of a Cookie Policy, what a Cookie Policy should contain, and the various cookie requirements around the world. You may be wondering what your next step should be for your website's cookie compliance.

To get you on track to cookie compliance, CookieScan makes compliance with cookie requirements easy! CookieScan will carry out a scan of all the cookies operating on your site, our database will automatically categorise your cookies, and we will build your own compliant Cookie Notice and Cookie Banner for your website.

CookieScan will collect the cookie consent provided by your website users when they choose their cookie preferences and record it for you. If needed you can request the consent log for your site, which is very handy if you have to defend your company against a wrongful marketing complaint. The platform will regularly update your cookie descriptions if they change, and our portal will help you easily manage your account.

Ensure your website is GDPR and ePrivacy compliant

Create a FREE CookieScan account today and start managing your cookie consent.
