Updated: Apr 13, 2020
There has been a lot of talk about consent and cookies under GDPR and about the changes website owners need to make. We discuss some of those changes in this article.
First off, let us define what an internet cookie is. Internet cookies are very small files downloaded to a user’s device when visiting a website.
Presently, websites use a specific form of cookies. These cookies normally contain data essential for the website to work, such as the name of the site and the unique user ID of an individual. Banks, online publishers, blogs and every other commercial website have been using them for activities such as website analytics (counting site visits and visitor behaviour), targeted advertising, and authentication via recording a user’s preferences.
Before GDPR, there was the EU Cookie Law, which applies to every member state of the European Union and to every website outside it that has users within the member states.
There are two types of cookies: essential and non-essential. Essential cookies hold the data needed to provide information that users request. Those that fall outside this are called non-essential. They include identifiers used for analytics and cookies set by affiliates/advertisers.
The EU cookie law targets non-essential cookies. Websites compliant with this law would display a banner on the upper and lower part of their website with a statement informing the user that the website is using cookies. A familiar phrase brought about by the law is “By using this website, you accept cookies” or something along that line. While this may have informed users about the presence of cookies, it does not give them the freedom to opt out, and THIS is what GDPR aims to provide: the right to be informed and to be given a choice.
Recital 30 of the GDPR contains a statement regarding cookies, which reads:
NATURAL PERSONS MAY BE ASSOCIATED WITH ONLINE IDENTIFIERS…SUCH AS INTERNET PROTOCOL ADDRESSES, COOKIE IDENTIFIERS OR OTHER IDENTIFIERS…. THIS MAY LEAVE TRACES WHICH, IN PARTICULAR WHEN COMBINED WITH UNIQUE IDENTIFIERS AND OTHER INFORMATION RECEIVED BY THE SERVERS, MAY BE USED TO CREATE PROFILES OF THE NATURAL PERSONS AND IDENTIFY THEM.
Simply put, cookies exist to uniquely identify a person/user and are therefore considered personal data. With this in mind, identifiers used for analytics and advertising, as well as cookies used for functional services, will be affected.
As mentioned above, GDPR wants to give users a choice. Just because users visit a certain website does not necessarily mean that they agree to all the cookies it uses. The phrases in use at present are not even comprehensive enough: their only intention is to inform the user about the cookies being used, and they do not give the user the option to agree or disagree to those cookies.
Just like every GDPR rule that involves consent, consent to cookies has to be clear and positive. Good ways to comply are to provide an opt-in box or a setting in the menu, and to avoid pre-ticked boxes as much as possible on the website’s consent form.
Again, websites must not forget to give their visitors the freedom to opt out! Users should be able to refuse consent. This means offering the same easy-to-find boxes that are clicked when giving consent.
To sum up the foregoing, there still isn’t a clear picture of how the consent brought by GDPR affects websites and cookies per se, but it is definitely a significant step for any business transactions.
To ensure that your website is compliant, you must inform the visitor/user of your website of ALL the cookies that you use, and no less. You then give them the freedom to choose which cookies they allow to be used on them. That said, there are cookies that are really needed to keep a website running and that users cannot opt out of. Websites should fully inform users about what will happen should they agree or disagree to a specific cookie, without failing to give them the option to revoke consent later.
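The rules above (every cookie listed, optional categories off until opted into, essential cookies always on, consent revocable) can be expressed as a small consent gate. This is an added example, not code from the original article; the cookie names, categories and `Path=/` scope are constructed assumptions.

```javascript
// Constructed cookie inventory; names and purposes are illustrative assumptions.
const COOKIE_REGISTRY = [
  { name: "session_id", category: "essential", purpose: "keeps the user logged in" },
  { name: "csrf_token", category: "essential", purpose: "protects form submissions" },
  { name: "site_stats", category: "analytics", purpose: "counts visits and page views" },
  { name: "ad_profile", category: "advertising", purpose: "targeted advertising" },
];
const OPTIONAL_CATEGORIES = ["analytics", "advertising"];

// Every optional category starts as false: the equivalent of an unticked box.
function defaultConsent() {
  return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
}

// Granting and revoking go through the same call, so refusing is as easy
// as accepting. Only a strict boolean true counts as consent.
function setConsent(consent, category, granted) {
  if (!OPTIONAL_CATEGORIES.includes(category)) {
    throw new Error(`"${category}" is not an optional category`);
  }
  return { ...consent, [category]: granted === true };
}

// A cookie may be set if it is essential or its category was opted into.
function isAllowed(cookie, consent) {
  return cookie.category === "essential" || consent[cookie.category] === true;
}

function allowedCookies(consent) {
  return COOKIE_REGISTRY.filter((c) => isAllowed(c, consent)).map((c) => c.name);
}

// After a revocation, cookies already in the browser must be removed.
// Names missing from the inventory are flagged too: they were never disclosed.
function cookiesToDelete(presentNames, consent) {
  const allowed = new Set(allowedCookies(consent));
  return presentNames.filter((n) => !allowed.has(n));
}

// Set-Cookie values that expire the given cookies (assumes they were set
// with Path=/ and no Domain attribute; both must match for deletion to work).
function expireHeaders(names) {
  return names.map((n) => `${n}=; Max-Age=0; Path=/`);
}
```

The same inventory can be rendered in the consent form so that the list shown to the user and the list enforced by the site cannot drift apart.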
Another dilemma concerns functional cookies provided by third parties such as advertisers. If you use a link to, let’s say, share a video on your website from another site, that site too will need identifiers. If these are not present, the video on the link will most definitely not work. But even then, this should be optional for users. It would also help to include a list of the names of the files that your website will store on the user’s computer, to build trust, particularly with savvy computer users.
In conclusion, the changes brought about by the consent requirement will be quite a challenge for website owners. Not to mention how the average computer user with little to no knowledge of the GDPR will react to the handful of consent questions thrown at them. This will, without a doubt, confuse them at first glance, so the job of every website owner is to create a consent form that everyone can easily understand and that provides information about the cookies. Hard indeed, but this is a positive step towards better changes that can benefit both website owners and users in the near future.