Consent & Cookies: How Will GDPR and the ePrivacy Regulation Impact Websites?

If you want to personalize your website’s content based on your site visitors’ data, you must understand two laws very well: 1) the GDPR and 2) the ePrivacy Regulation.

These laws govern consent and cookies:

  • The GDPR tells you how you need to get your visitors’ unambiguous “consent” before collecting, storing, or using their data.
  • And the ePrivacy Regulation tells you how you can work with cookies (that are used to collect visitor data).

GDPR vs ePrivacy Regulation:

The GDPR regulates the general handling of personal data and doesn’t directly address cookies.

The ePrivacy Regulation, on the other hand, focuses on cookie use, which is why it’s also known as the “Cookie Law.” Businesses in Europe must get explicit consent to use cookies and provide clear opt-outs to users under the proposed new law.

GDPR + ePrivacy Regulation = Cookies + Consent

While the GDPR doesn’t directly address cookies, it does re-define consent to say that any consent given must be “unambiguous.”

And because “consent” under the ePrivacy Regulation is interpreted by reference to the definition of “consent” under the GDPR, the GDPR implicitly requires that the cookie consent banners post-GDPR must now collect visitors’ unambiguous consent.

In general, we can use consent to serve the cookies (under the ePrivacy Regulation), but rely upon legitimate interests (or another lawful ground e.g. consent, contract, legal obligation, vital interests, public interest) to process the personal data collected using the cookies (under the GDPR).

Let’s now understand how you should approach cookies and consent under these two laws, so you can offer powerful, personalized, and compliant website experiences.

What are the Different Types of Cookies Used by Websites?

Cookies are small data files that a website stores on a user’s computer, phone, or tablet.

Websites use cookies to enhance a user’s browsing experience and to learn more about the user’s preferences and interests.

This cookie information is then used to personalize the user’s future visits to the same website, so website experiences feel more relevant. Cookie data can be used to offer content and advertising that’s aligned with the preferences a visitor has already shown.

There are four types of cookies based on the duration for which they’re stored or their source. These are:

  • Persistent Cookies: These are cookies that are stored on a user’s device between browser sessions. These cookies help in remembering a user’s preferences or actions across a website (or in some cases across different websites). Persistent cookies may be used for a variety of purposes, including remembering users’ preferences and choices when using a website or running targeted advertising campaigns.
  • Session Cookies: These are cookies that expire when a browsing session ends. These cookies allow websites to link the actions of a user during a browser session (from when a user opens the browser window to when they exit the browser). They may be used for a variety of purposes, such as remembering what a user has put in their shopping cart, enabling internet banking access, or facilitating use of webmail. Session cookies aren’t stored long-term. For this reason, session cookies may sometimes be considered less privacy-intrusive than persistent cookies.
  • First Party Cookies: These are cookies that are set by the website being visited by the user.
  • Third Party Cookies: These are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company (a service provider of the main website) sets a cookie through that website, this would be a third party cookie.

The Different Cookie Categories:

You can loosely categorize these cookies into four categories using the recommendations by the International Chamber of Commerce in this ICC UK Cookie Guide. (Some cookies can appear in more than one category.)

Category 1: Strictly Necessary Cookies

These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website — for example, for logging into your account on an online shopping store.

Without these cookies, it’s not possible to access the services a website has to offer.

Consent rules for strictly necessary cookies: No consent is required for using strictly necessary cookies. However, it is important to help users understand these cookies and the reasons to use them.

Here are a few strictly necessary cookies The New York Times uses:

[Image: strictly necessary cookies listed by The New York Times]

Category 2: Performance Cookies

These cookies collect information about how visitors use a website.

Analytics solutions such as Google Analytics, Clicky Analytics, Adobe Analytics and more use such cookies. These cookies don’t collect information that identifies a visitor and all the information these cookies collect is aggregated and therefore anonymous. It’s only used to improve how a website works.

Consent rules for performance cookies:

Consent can be written into the terms and conditions – by using the site you consent to the use of these types of cookies.

Because the GDPR focuses on the processing of private or personally identifiable data, and because it’s not possible to identify the data subject from data that has undergone pseudonymisation, performance cookies (such as those used for Google Analytics data) don’t concern the GDPR to a very great degree. You can include the consent rules for these cookies in your terms and conditions. Essentially, you get the users’ consent to work with these cookies when they use your website.

“This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” — Recital 26 of the GDPR

Here are some examples of National Geographic’s performance cookies:

[Image: performance cookies listed by National Geographic]

Category 3: Functionality Cookies

These cookies allow a website to remember the choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal website experiences. For instance, a website may be able to provide you with local weather reports or traffic news by storing region details within a cookie.

These cookies can also be used to remember the changes you’ve made to text size, fonts and other customizable parts of the web pages you visit. They may also be used to provide services you’ve asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they can’t track your browsing activity on other websites.

Consent rules for functionality cookies: Just as with performance cookies, consent for functionality cookies can be written into the terms and conditions – by using a site you consent to the use of these types of cookies – or a notice can be shown when a user changes settings on a website. Many companies, however, proactively let their users opt in to or out of functionality cookies.

Here are some examples of functional cookies Clym uses:

[Image: functionality cookies listed by Clym]

Functional cookies are also referred to as preference cookies.

Category 4: Targeting Cookies or Advertising Cookies

These cookies are used to run personalized promotions and advertising campaigns based on personal interests and preferences.

They’re also used to limit the number of times you see an advertisement as well as help track a campaign’s performance.

They’re usually placed by advertising networks with the website operator’s permission. These cookies remember your website visits and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.

Consent rules for targeting or marketing or advertising cookies: Specific consent must be sought for these types of cookies because they collect the most information about users.

Here are some examples of advertising/targeting cookies HTC uses:

[Image: targeting cookies listed by HTC]

Convert’s Cookies: Balancing Privacy and Innovation

At Convert, we use only first-party performance cookies which are described below:

_conv_v

  • Cookie name: _conv_v
  • Purpose: This is the visitor-centric cookie. It is a string of star (*) separated pieces; each piece is a string that contains a key and a value glued together by a colon (:).
  • Duration: 6 months
  • Domain source: convert.com
  • Category: Performance
  • Data that is stored: session count, current session timestamp, first session start timestamp, number of pageviews, previous session start timestamp, project level segment IDs, json structure with all experiences-goals presented to the visitor
  • Privacy Policy mentions this cookie: Yes

_conv_s

  • Cookie name: _conv_s
  • Purpose: This is the session-centric cookie. It is a string of star (*) separated pieces; each piece is a string that contains a key and a value glued together by a colon (:).
  • Duration: 20 minutes
  • Domain source: convert.com
  • Category: Performance
  • Data that is stored: session ID, number of pageviews in current session, session hash for performance issues
  • Privacy Policy mentions this cookie: Yes

_conv_r

  • Cookie name: _conv_r
  • Purpose: This cookie holds the referral data for the current visitor.
  • Duration: This is overwritten each time the visitor arrives from a new referrer.
  • Domain source: convert.com
  • Category: Performance
  • Data that is stored: source name, referral medium, referrer search terms
  • Privacy Policy mentions this cookie: Yes
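The star-separated, colon-glued layout described for _conv_v and _conv_s above, as an added parser and serializer (example code, not Convert’s own). It assumes a key never contains “:” or “*”, that a value never contains “*”, and that a piece is split at its first colon so values which themselves contain colons (such as the JSON structure _conv_v carries) survive intact; the field names in the sample are constructed, not Convert’s real keys.

```javascript
// Added example, not Convert's code. Parses "key:value*key:value" cookie strings.
// Assumption: no "*" inside keys or values, no ":" inside keys. Each piece is split
// at the FIRST colon, so a value like a JSON object or a timestamp keeps its colons.
function parseConvertCookie(raw) {
  const fields = {};
  for (const piece of raw.split("*")) {
    if (piece === "") continue;              // tolerate leading/trailing/double stars
    const i = piece.indexOf(":");
    if (i < 0) { fields[piece] = ""; continue; } // bare key, no value
    fields[piece.slice(0, i)] = piece.slice(i + 1);
  }
  return fields;
}

// Inverse of parseConvertCookie. Refuses keys/values that would corrupt the layout,
// because a stray "*" or a colon in a key cannot be round-tripped.
function serializeConvertCookie(fields) {
  const pieces = [];
  for (const [key, val] of Object.entries(fields)) {
    if (key.includes("*") || key.includes(":")) throw new Error(`bad key: ${key}`);
    if (String(val).includes("*")) throw new Error(`bad value for ${key}`);
    pieces.push(`${key}:${val}`);
  }
  return pieces.join("*");
}

// Constructed sample of a session-centric cookie (illustrative field names only).
const SAMPLE_CONV_S = "sid:1700000000*pv:4*sh:abc123";
```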

7 Cookie Policy Best Practices For Any Website: Rules Regarding Cookie Use

Both the GDPR and the ePrivacy Regulation focus on users’ consent to collecting or using their data. And because cookies are the primary tools for collecting user data, a good cookie policy can go a long way in helping you comply with them.

Besides, by explaining what cookies you use, what data you store, and how you use that data, you can earn the confidence of your users and show them that their privacy actually matters.

Here are 7 ways to create a great cookie policy page.

Use user-friendly language

A compliant cookie policy must give the user a clear and accurate picture of how cookies are used on your website at any time. It’s an actual requirement that the cookie policy is written in plain and understandable language.

Check out the policy page examples from above and you’ll see how these organizations have written user-friendly versions of the policies that can otherwise sound like legal jargon and be very difficult to understand for general users.

Say no to implied consent – get it with an affirmative action

The biggest change for cookie and online tracking in regard to the GDPR is that consent must be given by a clear affirmative action.

EU citizens have grown accustomed to – albeit probably slightly annoyed by – the banners on all websites, stating the use of cookies, sometimes asking you to check the ok button, but giving no true choice.

With the regulation, this is not sufficient. The consent has to be given as an affirmative, positive action, and rejecting cookies must be an actual option.

Many companies have already started letting their users reject the cookies they don’t feel comfortable with. On Clym, for example, all the cookies are disallowed by default, and a user can choose to allow the ones they want.

Let your users withdraw their consent at any time

Users must have the power to withdraw their consent whenever they want — the consent is theirs to give or withdraw after all!

It’s therefore important to make sure your users have access to their current consent state at all times and can change the settings or withdraw their consent entirely.

If you take another look at the National Geographic cookies page, you’ll see they let users opt-out of them with just a click.

[Image: National Geographic’s one-click opt-out for performance cookies]

Clicky Analytics, too, offers a one-click opt-out option that lets users stop being tracked by any website using its analytics solution.

[Image: Clicky Analytics opt-out page]

So think about adding an opt-out page to your website and let your users manage their consent.

Renew consent every year

This is pretty straightforward but easy to miss. Every 12 months, renew the user’s consent for allowing all the cookies and data.

Don’t assume the consent to be “eternal!”

Seek consent before using the cookies

With the GDPR and the ePrivacy Directive, the user consent must be given prior to the setting of the cookies.

Under the GDPR, you need prior consent for setting cookies that track personal data, whereas the ePrivacy Directive goes even further and requires that you get consent for setting all cookies except the strictly necessary ones.

So, make sure you aren’t using any “implied consent” for setting up cookies.

Record your users’ consent (as evidence … just in case!)

All consents must be securely stored so that they can be produced as evidence in case of a compliance check.
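The rules in the sections above (affirmative opt-in, withdrawal at any time, renewal every 12 months, no non-essential cookie before consent, and a stored consent record) as one added example of a consent gate in front of cookie writes; this is illustrative code, not Convert’s or Clym’s implementation. It assumes the four ICC categories from the article and uses an in-memory Map in place of document.cookie so it runs outside a browser.

```javascript
// Added example, not from the article's author or any vendor it names.
// The Map stands in for document.cookie; the injectable clock makes expiry testable.
const CATEGORIES = ["strictly-necessary", "performance", "functionality", "targeting"];
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // "renew consent every year"

class ConsentGate {
  constructor(jar = new Map(), now = () => Date.now()) {
    this.jar = jar;      // cookie name -> { value, category }
    this.now = now;
    this.record = null;  // { allowed: Set<category>, grantedAt } - the stored evidence
  }
  // Affirmative action: only the categories the user actively ticked are allowed.
  grant(tickedCategories) {
    const allowed = new Set(tickedCategories.filter((c) => CATEGORIES.includes(c)));
    allowed.add("strictly-necessary"); // exempt from consent under both laws
    this.record = { allowed, grantedAt: this.now() };
  }
  // Withdrawal must be possible at any time and must actually remove the cookies.
  withdraw() { this.record = null; this.purge(); }
  isAllowed(category) {
    if (category === "strictly-necessary") return true;
    if (!this.record) return false;                                   // nothing implied
    if (this.now() - this.record.grantedAt > CONSENT_TTL_MS) return false; // stale, renew
    return this.record.allowed.has(category);
  }
  // Every cookie write goes through here; returns false instead of setting silently.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.isAllowed(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }
  // Drop cookies whose category is no longer consented (withdrawal or expired consent).
  purge() {
    for (const [name, c] of this.jar) if (!this.isAllowed(c.category)) this.jar.delete(name);
  }
  // What you would keep as evidence: categories and the time of the affirmative action.
  consentEvidence() {
    if (!this.record) return null;
    return { allowed: [...this.record.allowed], grantedAt: new Date(this.record.grantedAt).toISOString() };
  }
}
```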

More than anything else, be accountable for all the cookies on your website:

Every website uses a host of solution providers, and many of these service providers use cookies. It doesn’t matter whether you use first-party cookies or third-party ones: under the newer, stricter privacy laws you can be subject to compliance checks and be required to account exhaustively for the data processing that goes on in connection with your website.

This is easier said than done, as most websites have a large number of third-party cookies flowing through their system.

A message saying “We aren’t responsible for any … ” or “Our service providers have their own data … ” or “We aren’t liable for the … ” might give you some peace of mind, but it is unlikely to be a good defense.

One tip that we can give you about this is to only partner with a service provider that understands and respects user privacy laws with the same diligence you display.

That’s the only way forward for a progressive, privacy aware business.

Originally published December 12, 2018 - Updated February 14, 2019

Written by Dionysia Kontotasiou

Dionysia K is Convert's Head of Integration and Privacy. Fresh off the GDPR compliance stretch you can find Dionysia helping customers with their technical queries and making homemade pizza in her spare time.