GDPR

Cookies Compliance: Best Practices


Introduction

Cookie regulation is governed by two laws: the EU ePrivacy Directive and the GDPR. These pieces of legislation are separate but complement each other, and organisations must comply with both. When you are considering your use of cookies and other tracking technologies, the ePrivacy Directive should be your first port of call.

The ePrivacy Directive requires that you obtain consent before gaining any access to information stored on a user’s device, or before storing any information on that device. Hence, consent must be obtained to store a cookie on a user’s device.

GDPR subsequently raised the bar for obtaining this consent by defining it as a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Cookies are usually small text files stored on a device. They serve a number of important functions, including remembering a user and their previous interactions with a website, such as entering details into a form or placing items in a shopping cart. The information stored in cookies can include personal data, such as an IP address, a username, a unique identifier, or an email address. This is why they fall under data privacy laws.

There are two exemptions where you do not need to obtain consent from the user to use cookies. These are:

  1. The communications exemption
    • This applies to cookies whose sole purpose is to carry out the transmission of a communication over a network, for example a load-balancing cookie used to distribute network traffic across different servers.
  2. The strictly necessary exemption
    • A cookie that is exempt under this criterion must simultaneously pass two tests:
      1. The service is delivered over the internet.
      2. The service must have been explicitly requested by the user, and the use of the cookie must be restricted to what is strictly necessary to provide that service.


Cookies Best Practices

Best practice for cookie compliance is formed of two parts: a cookies policy (separate from your privacy policy) and a dynamic cookie management platform.

Cookies Policy

Your organization’s cookie compliance needs to speak to two regulations: the GDPR and the ePrivacy Directive. Therefore, it is best practice to maintain separate cookies and privacy policies. A cookies policy is a declaration to your website users about:

  • What cookies are active on your website;
  • What data the cookies are tracking and for what purpose; and
  • Where in the world this data is sent.

Dynamic Consent Management

It is best practice to use a dynamic consent management tool, such as Dataships’, to manage and automate your cookie compliance, your users’ consent and your records of compliance. There are four important considerations in the implementation of such a tool:

  1. Initial Cookie banner:

We recommend implementing a non-intrusive cookie banner at the bottom of the user’s screen. This banner should contain a first layer of information about the use of cookies and should link to your Privacy Centre to provide further information:

[Image: cookie banner, first layer]

This cookie banner cannot ‘nudge’ a user into accepting cookies. If you use a button on the banner with an ‘accept’ option, you must give equal prominence to an option which allows the user to ‘reject’ cookies, or to ‘manage cookies’, which brings them to an additional layer of information so that they can do so.

  2. Second layer of information

This second layer should provide further details about the categories of cookies being used. Consent does not need to be given for each cookie, but it must be given for each purpose for which cookies are used. These categories must not contain pre-checked boxes signalling ‘consent’ to the use of cookies, nor be ‘toggled on’. The second layer should also contain a link to your ‘cookie declaration’, detailing all the cookies that are used by your site and for what purpose.

[Image: cookie banner, second layer]

  3. Cookie Declaration

Dataships’ cookie tool works dynamically by continuously scanning your site for cookies and surfacing them in your cookie declaration. These appear under four headings which you can manage: necessary, preference, marketing and statistics. Here you give your users additional information on the name of each cookie, its provider, its purpose, its expiry and its type. Users can then make an informed decision whether to accept or reject these cookies. This ensures you are complying with the transparency articles of the GDPR (Articles 12 and 13).

[Image: cookie declaration]

  4. Duration

If you store a record that a user has given consent to the use of cookies, you should ask the user to reaffirm their consent no longer than six months after you have stored this consent state.
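As an added illustration (not Dataships’ code and not from the original post), the following JavaScript models the four rules above: no pre-checked purposes, consent recorded per purpose rather than per cookie, non-necessary cookies gated on that consent, and a stored consent that lapses after six months. The purpose names follow the four headings in the text; the six-month constant, the function names and the sample declaration entries are constructed assumptions.

```javascript
// Added example: a minimal consent model following the rules in the post.
// Not Dataships' code; all names and the sample declaration are constructed.
const PURPOSES = ["necessary", "preference", "marketing", "statistics"];
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // assumed reading of "six months"

// Constructed cookie declaration entries (name, provider, purpose, expiry, type).
const SAMPLE_DECLARATION = [
  { name: "session_id", provider: "example.com", purpose: "necessary", expiry: "Session", type: "HTTP" },
  { name: "lang", provider: "example.com", purpose: "preference", expiry: "1 year", type: "HTTP" },
  { name: "ad_id", provider: "ads.example.net", purpose: "marketing", expiry: "2 years", type: "HTTP" },
  { name: "visit_stats", provider: "example.com", purpose: "statistics", expiry: "30 days", type: "HTML" },
];

// No pre-checked boxes: every non-necessary purpose starts OFF.
// "necessary" is on because strictly necessary cookies are exempt from consent.
function defaultConsent() {
  return { necessary: true, preference: false, marketing: false, statistics: false, grantedAt: null };
}

// Record the choices made on the second layer; consent is per purpose, not per cookie.
function recordConsent(choices, now) {
  const state = defaultConsent();
  for (const purpose of PURPOSES) {
    if (purpose !== "necessary" && choices[purpose] === true) state[purpose] = true;
  }
  state.grantedAt = now; // timestamp kept as the record of consent
  return state;
}

// A stored consent older than six months no longer counts; ask the user again.
function needsReaffirmation(state, now) {
  return state.grantedAt === null || now - state.grantedAt > SIX_MONTHS_MS;
}

// Gate one purpose: the exempt category always passes, everything else needs live consent.
function mayStore(state, purpose, now) {
  if (purpose === "necessary") return true;
  if (needsReaffirmation(state, now)) return false;
  return state[purpose] === true;
}

// Names of declared cookies the site may set under the current consent state.
function allowedCookies(declaration, state, now) {
  return declaration.filter((c) => mayStore(state, c.purpose, now)).map((c) => c.name);
}
```

Run `allowedCookies` before setting any cookie and re-show the banner whenever `needsReaffirmation` returns true.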

Common Mistakes

The four most common non-compliant cookie practices are as follows:

  1. Banners that are easily collapsed or ignored. This means banners that pop up when a user lands on a website and then disappear when the user scrolls, without any further engagement by the user with the banner or with information about cookies.

  2. Banners that rely on ‘implied consent’. This means wording in your cookie banner or notice which informs users that, “by their continued use of your website – either through clicking, using or scrolling it – you will assume their consent to set cookies”.


  3. ‘Accept only’ banners. This means a banner that merely gives the user the option to click ‘accept’ to say yes to cookies and which provides no other option, e.g. banners with buttons that read ‘ok, got it!’ or ‘I understand’.


  4. Pre-checked boxes. This means using a cookie consent tool that has pre-checked boxes, sliders or other controls set to ‘ON’ by default to signal a user’s consent to the use of cookies.


Conclusion

Cookies can be a confusing and frustrating topic for both business owners and consumers. An unintended consequence of the GDPR has unfortunately been an inferior user experience on a lot of websites. However, at the core of cookie legislation is putting the power and decision-making ability back in the hands of the consumer. At Dataships, we firmly believe that transparency is at the heart of every good data relationship, and by offering your users an unintrusive and respectful way to manage their cookie preferences you are building trust with that user and forming the foundation of a healthy Dataship for years to come!

We have attempted to design our tool in this fashion and we hope you agree. As always, if you have any further questions, please don’t hesitate to reach out to us at michael@dataships.io, or ryan@dataships.io.

Thanks for reading!
