The General Data Protection Regulation (GDPR), a data privacy law in force since May 2018, has changed how personal data is handled and protected. It is a key European Union (EU) law that gives people more say over their personal information. GDPR sets strict rules for how data must be managed and applies to organizations worldwide if they process the data of EU residents. It centres on consent, transparency, and the right to privacy, setting a new global standard for data protection that has since inspired many other data privacy laws around the globe.
GDPR has also had a big impact on how businesses protect online data across the many activities taking place daily on their websites, but it is especially noticeable in how websites use cookies. Cookies are tiny pieces of data stored on your device to remember your online choices and activities, which is crucial for things like custom content and ads. Under GDPR, the scrutiny on cookies, especially those that track users across the internet, has increased.
In this article we are exploring the nuances of the GDPR’s impact on the way cookies are used and managed by covered entities, and we try to shed some light on the challenges and obligations that website owners, marketers, and developers face in this new regulatory landscape. Our aim is to offer you some insights into facilitating compliance while maintaining effective user engagement and to highlight the broader implications for privacy and consent in the digital age.
Cookies are small text files stored on a user's device by websites to remember information about the user. They help with things like logging in, keeping items in the shopping cart, helping advertising platforms show ads that match users' interests, or reminding users about unfinished purchases. When you visit a website, it can send cookies to your device for the short term or keep them longer to remember your preferences and visit habits. This helps websites tailor content just for you, secure your visit, and ensure everything works as it should.
But there's a catch for businesses: under GDPR, any cookie that can identify you needs special handling. Cookies are split into categories like necessary, performance, and advertising, each with its own rules. For instance, essential cookies provide your website's basic functionality, like remembering that you are logged in or what's in your shopping cart, so these cookies do not require your prior consent.
GDPR cookies are classified into necessary, performance, functionality, and targeting/advertising, each with its own set of compliance requirements. This is in line with the more general classification of cookies into first-party, third-party, essential, non-essential, and so on. We have made it easy for you to understand the differences between the different types of cookies in our two-part guide on cookies, which you can find in Understanding Cookies Part 1 and Understanding Cookies Part 2.
GDPR cookies are classified based on their purpose and necessity for the website's functionality.
GDPR Recital 30 puts it this way: "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
First-party cookies are set by the website a user visits directly, while third-party cookies are placed by a domain other than the one the user is visiting, often used for tracking and online advertising purposes. The GDPR mandates that both types of cookies, especially those that can identify users either directly or indirectly, must be managed in a way that complies with its privacy and consent requirements. This distinction emphasizes the need for website owners to be transparent about their use of cookies and to obtain consent appropriately.
However, understanding the connection between the GDPR and cookies, or cookies from the point of view of data privacy regulations generally, doesn't need to be difficult. Clym offers your business a seamless way to handle your websites' cookies in the form of a Consent Management Platform (CMP) that meets the GDPR consent banner requirements. In addition, we at Clym publish informative articles, like this one, that help your business understand the GDPR's cookie guidelines.
According to the text of the GDPR law, getting consent for cookies is key. Before a website can use cookies, except for the really necessary ones, it must get clear permission from visitors. Just moving around on a website doesn't count as saying yes to cookies.
Visitors must have a simple way to say yes or no to them, and changing their mind later should be just as easy. Your website has to make sure your visitors know what they're agreeing to by explaining what cookies do, why they're used, and how long the information will be kept. All this information has to be easy to find and understand, like in a cookie policy or cookie banner.
Being open about cookie use is not just about following the rules; it's also about earning your visitors' trust.
There are three main aspects you need to keep in mind when thinking about website compliance under the GDPR:
In short, this means the following:
If your business is covered by the GDPR, it's important to find the right balance between following the law and giving your website visitors a good experience. You need to make sure that asking for permission to use cookies is clear and easy for people to understand. This might mean you have to think again about how you ask for and handle this permission, making sure it's both legal and focused on the user.
Remember, it's not just about getting permission once. You have to be careful about how you collect and use data. Make sure you're not grabbing more information than you need, get clear permission for different types of cookies, and let people easily change their minds or say no to cookies. Staying on the right side of GDPR means keeping up with both the law and new technology, making sure you're always respecting your visitors' choices.
To navigate these challenges, adopting best practices is key:
Here’s why:
When you look at how websites have changed because of GDPR, there's a lot to learn. For example, many now let you pick exactly which cookies you're okay with. This means they're following the rules and making sure you're in charge of your information.
Big websites have gotten better at asking for your permission about cookies, making it easier for you to say yes or no to different types. They've set up ways for you to easily manage your cookie preferences, showing they care about following GDPR and giving you control over your data.
It's also clear that following GDPR's rules on cookies is taken very seriously. Authorities in the EU have been strict with websites that don't ask for permission the right way or try to trick people into saying yes. These actions remind everyone that being clear and honest about cookies and respecting what users want is essential. Websites that don't do this risk fines and losing their users' trust.
Take Facebook's case as a great example. Back in February 2018, a court in Brussels said Facebook wasn't following Belgium's privacy and cookie rules. The problem started way back in 2015, and when they couldn't fix things through talks, it ended up in court. Facebook had to stop using certain cookies and tracking without telling people clearly. They also had to stop collecting data from "like" buttons on other websites because it could invade your privacy. Plus, the court said Facebook had to delete any data they got the wrong way from people in Belgium.
This shows how serious GDPR is about cookies and privacy. For your business, it means you really need to be clear about how you use cookies and make sure people can choose what they're comfortable with. This way, you can avoid trouble and make your website a place where users feel safe and respected.
While the case is not directly related to the GDPR as it began before the new Regulation was in place, it most likely created a precedent for enforcing such laws. For a long time, few people thought about the risks of using cookies.
GDPR requires websites to collect explicit consent to utilise all cookies other than the necessary cookies which enable your website to function properly. GDPR has strict requirements for what counts as consent, requiring a “clear affirmative act” that users are opting-in to having their data collected. It’s no longer good enough to use a pre-checked box or a banner that tells the user that by continuing to use the website, they agree to cookies.
Additionally, when companies request consent, they must do so in a way that is “clear, concise, and not unnecessarily disruptive”, meaning that your site can’t bury a consent mechanism in the middle of a lot of legal jargon.
Finally, under GDPR, websites must provide a way for users to withdraw the consent they gave to data collection, often referred to as the "right to be forgotten".
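The consent rules described above (nothing but necessary cookies before an affirmative act, no pre-checked categories, withdrawal as easy as granting, and disclosure of purpose and retention) can be enforced in code rather than left to the banner's good intentions. The following is an added illustration, not Clym's or any CMP's code; the cookie registry, cookie names and retention periods are constructed for the example, and the cookie jar is an injected Map so it runs outside a browser.

```javascript
// Added example (not the page's or Clym's code): a minimal consent gate.
const CATEGORIES = ['necessary', 'performance', 'functionality', 'targeting'];

// Constructed registry of every cookie the site sets, with category, purpose
// and retention: the same facts the banner and cookie policy must disclose.
const REGISTRY = {
  session_id: { category: 'necessary',   purpose: 'keeps you logged in',   days: 1 },
  cart:       { category: 'necessary',   purpose: 'remembers your basket', days: 7 },
  _perf:      { category: 'performance', purpose: 'aggregate page timings', days: 30 },
  ad_id:      { category: 'targeting',   purpose: 'interest-based ads',    days: 90 },
};

// Default state: only necessary cookies allowed and no category pre-checked.
// Scrolling or continuing to browse never changes this state.
function defaultConsent() {
  const state = { recordedAt: null };
  for (const c of CATEGORIES) state[c] = c === 'necessary';
  return state;
}

// Record only the categories the visitor affirmatively ticked, with a
// timestamp so the site can later show when consent was given and for what.
function grantConsent(state, ticked, now = Date.now()) {
  const next = { ...state, recordedAt: now };
  for (const c of CATEGORIES) if (c !== 'necessary') next[c] = ticked.includes(c);
  return next;
}

// Withdrawal is a single call: back to defaults, and cookies that no longer
// have a basis are purged so nothing keeps running on stale consent.
function withdrawConsent(jar, registry = REGISTRY) {
  for (const [name, meta] of Object.entries(registry)) {
    if (meta.category !== 'necessary') jar.delete(name);
  }
  return defaultConsent();
}

// Every cookie write goes through the gate: unregistered cookies are refused,
// non-necessary ones need consent for their category, and the expiry comes
// from the disclosed retention period rather than being chosen ad hoc.
function setCookie(state, jar, name, value, now = Date.now(), registry = REGISTRY) {
  const meta = registry[name];
  if (!meta) return false;
  if (meta.category !== 'necessary' && !state[meta.category]) return false;
  jar.set(name, { value, expires: now + meta.days * 86400000 });
  return true;
}

// Banner / cookie-policy lines, generated from the same registry so the
// disclosure cannot drift from what the site actually sets.
function disclosure(registry = REGISTRY) {
  return Object.entries(registry).map(([n, m]) => `${n} (${m.category}): ${m.purpose}, kept ${m.days} days`);
}
```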
Clym offers you a comprehensive solution for managing your website's cookie compliance in alignment with global privacy laws. Featuring a user-friendly Cookie Consent Banner and a robust Consent Management Platform (CMP), Clym ensures your website meets global data privacy compliance standards while prioritizing user privacy.
Our platform simplifies compliance by automatically categorizing cookies and storage according to privacy regulations, allowing users to adjust their preferences seamlessly.
With Clym, your business can maintain data governance effortlessly, ensuring ongoing compliance and peace of mind for legal teams by minimizing the risk of non-compliance.
See us in action today by booking a demo or contacting us to discuss your specific needs.