There seems to be, however, a great deal of variation from site to site. So just what are the latest requirements for your website cookie banner and how can you ensure that your site is fully compliant? Here’s an essential guide.
What exactly are cookies?
Before delving deeper into the rules and regulations surrounding cookie banners, let’s make sure that we have a clear understanding of what exactly cookies are.
Cookies are also used to make the web experience more personal and to allow operators to monitor usage and performance (performance and functional cookies), which is generally seen as a positive thing.
Finally, some cookies collect data across many websites, creating behavioral profiles of people. As a common example, these profiles can then be used to decide what content or adverts to show you (targeting cookies). Whilst there is generally nothing malicious in this, it has been widely agreed for a long time that users have a right to be fully informed.
Before GDPR – The original Cookie Consent law
The requirements under PECR (the Privacy and Electronic Communications Regulations) were to ensure that visitors could find out what cookies were in use, were told how those cookies would be used, had given their consent, and were given some control.
In reality, whilst most websites did their best to comply at a minimum level, there is little record of any action being taken to enforce the requirement and it was very much approached as a check-box exercise.
GDPR and Cookies
When it comes to the new General Data Protection Regulation, commonly known as GDPR, it is interesting to note that cookies are only actually mentioned once in the 88 pages that form the legislation. However, the exact wording is of crucial importance:
Recital (30): “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
In the context of the legislation, this has to be interpreted as follows: when cookies can identify an individual, it is considered personal data and must be handled according to the wider legislation and the definitions contained within it.
Applying this definition, the problem with cookies is twofold. Firstly, cookies can provide a great deal of insight into your activity and preferences, and this data can be used to identify you without your explicit consent, effectively compromising your privacy as a user. Secondly, many cookies originate from third party websites, leading to the question of who has access to this data, where it goes and what it is used for.
If your website or organization processes data that is (a) directly personal, or (b) can be combined or singled out to identify an individual, then it must be revised to meet the requirements – and that includes how cookies are handled. It is worth noting that this is not limited to names, email addresses, etc either – IP addresses are equally considered to be personal data.
The new cookie notice – Requirements and best practice
In order to fully satisfy the requirements of GDPR, there are several key questions that need to be answered:
Is the visitor fully informed?
Most of the old-style cookie banners simply stated ‘Cookies are used on this website’ with an ‘OK’ button and vanished on scrolling. Some included a link for further information.
Under the new regulations, the cookie notice must inform the visitor, meaning that it is necessary to provide more detail as to what cookies are collected and why, in a way that allows the user to understand what they would be giving their consent for.
In the example at Influx.com, the banner shown below appears on the first load of the page. It gives the visitor a clear choice – accept and continue browsing or view cookie settings to exercise their right to control the use of personal data.
If the visitor wishes to get further information or manually update their settings, choosing the Cookie Settings option will then provide access to the Privacy Preference Centre, which gives all the information the visitor requires to make an informed decision, as well as a link to a comprehensive resource for further information.
Does the visitor have a true choice?
Firstly, only presenting an ‘OK’ button does not constitute a true choice of actions for the visitor and is not good practice. Not only does it not respect choice, it also implies that consent will be given – something that should be avoided. Finally, it should still be possible to use the website if non-necessary cookies have been rejected.
To use our cookie notice as an example once again, if the visitor decides they are not happy to proceed and instead chooses to visit the Privacy Preferences Centre, they are offered a genuine choice over which non-essential cookies are agreed to, including performance cookies, functional cookies and targeting cookies, all of which can be turned off as desired by the visitor.
Is consent given prior to the processing of personal data?
It may seem like an obvious consideration, but it is not always as clear-cut as it might first appear. To be truly compliant, the website shouldn’t allow any cookie-related scripts to run until consent has been given.
Is the consent withdrawable?
According to GDPR, consumers have a right to withdraw consent at any time, and this extends to cookies. It must, therefore, be made clear how a visitor can change their mind and withdraw consent even if they have initially agreed.
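The two requirements above (no cookie-related scripts before consent, and consent that can be withdrawn later) are easiest to see in code. The following is an added example written for this guide; it is not the code behind the Influx.com banner or any vendor's consent tool. The category names match the ones used on this page, while the script URLs, cookie names and the `cookie_consent` storage key are constructed for the example.

```javascript
// Added example (not code from Influx.com or its banner): a small consent gate
// for non-essential scripts, with withdrawal. Script URLs, cookie names and
// the storage key below are assumptions constructed for the example.

const CATEGORIES = ['necessary', 'performance', 'functional', 'targeting'];
const STORAGE_KEY = 'cookie_consent';

// Constructed inventory of the scripts a site would load, each tagged with the
// consent category it needs and the first-party cookies it is known to set.
const SCRIPTS = [
  { src: 'https://example.invalid/analytics.js', category: 'performance', cookies: ['_ana_id'] },
  { src: 'https://example.invalid/chat-widget.js', category: 'functional', cookies: ['chat_session'] },
  { src: 'https://example.invalid/ads.js', category: 'targeting', cookies: ['ad_uid', 'ad_seg'] },
];

// Until the visitor decides, only strictly necessary processing is allowed.
function defaultConsent() {
  return { necessary: true, performance: false, functional: false, targeting: false, decided: false };
}

// Read stored consent; unknown keys are ignored and 'necessary' can never be switched off.
function loadConsent(storage) {
  const raw = storage.getItem(STORAGE_KEY);
  if (!raw) return defaultConsent();
  let parsed;
  try { parsed = JSON.parse(raw); } catch { return defaultConsent(); }
  if (!parsed || typeof parsed !== 'object') return defaultConsent();
  const consent = defaultConsent();
  for (const c of CATEGORIES) {
    if (c !== 'necessary' && typeof parsed[c] === 'boolean') consent[c] = parsed[c];
  }
  consent.decided = parsed.decided === true;
  return consent;
}

function saveConsent(storage, consent) {
  storage.setItem(STORAGE_KEY, JSON.stringify(consent));
}

// Record the visitor's choice from the preference centre (or "accept all").
function grantConsent(storage, choices) {
  const consent = loadConsent(storage);
  for (const c of CATEGORIES) {
    if (c !== 'necessary' && choices[c] === true) consent[c] = true;
  }
  consent.decided = true;
  saveConsent(storage, consent);
  return consent;
}

// The script URLs that may run under the given consent state.
function scriptsToLoad(consent, scripts = SCRIPTS) {
  return scripts
    .filter(s => s.category === 'necessary' || consent[s.category] === true)
    .map(s => s.src);
}

// Inject only the permitted scripts; `doc` is the DOM document in a browser.
// Nothing in a blocked category is ever added to the page, so it cannot set cookies.
function injectScripts(doc, consent, scripts = SCRIPTS) {
  const allowed = scriptsToLoad(consent, scripts);
  for (const src of allowed) {
    const el = doc.createElement('script');
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return allowed;
}

// Withdraw consent for the given categories: persist the change and expire the
// first-party cookies those scripts set. `writeCookie` is `s => { document.cookie = s; }`
// in a browser. Cookies set on a third party's own domain cannot be cleared from
// here, and a script that already ran keeps running until the page is reloaded.
function withdrawConsent(storage, writeCookie, categories, scripts = SCRIPTS) {
  const consent = loadConsent(storage);
  const expired = [];
  for (const c of categories) {
    if (c === 'necessary' || !CATEGORIES.includes(c)) continue;
    consent[c] = false;
    for (const s of scripts) {
      if (s.category !== c) continue;
      for (const name of s.cookies) {
        writeCookie(`${name}=; Max-Age=0; Path=/`);
        expired.push(name);
      }
    }
  }
  consent.decided = true;
  saveConsent(storage, consent);
  return { consent, expired };
}

// On page load, gate every non-essential script on the stored decision. The
// banner and preference centre call grantConsent / withdrawConsent and then
// reload the page so that injectScripts runs again against the new state.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  injectScripts(document, loadConsent(localStorage));
}
```

The important design choice is that the default state loads nothing outside the necessary category, so a visitor who ignores or dismisses the banner is treated as not having consented. Withdrawal both records the new decision and expires the cookies the site itself set; it cannot reach cookies that a third-party script set on its own domain, which is one reason to keep an inventory of what each script sets.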
Here at Influx, we are committed to helping both new and existing customers to be confident that their website is fully compliant with GDPR. To find out more about how our experts can help you, click here to contact us online or call us today on Manchester 0161 468 2612 or Shrewsbury 01743 626162.