Consent & Cookies: How Will GDPR and the ePrivacy Regulation Impact Websites?

By Dionysia Kontotasiou · December 12, 2018

If you want to personalize your website’s content based on your site visitors’ data, you must understand two laws very well: 1) the GDPR and 2) the ePrivacy Regulation.

These laws govern consent and cookies:

  • The GDPR tells you how you need to get your visitors’ unambiguous “consent” before collecting, storing, or using their data.
  • And the ePrivacy Regulation tells you how you can work with cookies (that are used to collect visitor data).

GDPR vs ePrivacy Regulation:

The GDPR regulates the general handling of personal data and doesn’t directly address cookies.

The ePrivacy Regulation, on the other hand, focuses on cookie use, which is why it’s also known as the “Cookie Law.” Businesses in Europe must get explicit consent to use cookies and provide clear opt-outs to users under the proposed new law.

While the GDPR doesn’t directly address cookies, it does re-define consent to say that any consent given must be “unambiguous.”

And because “consent” under the ePrivacy Regulation is interpreted by reference to the definition of “consent” under the GDPR, the GDPR implicitly requires that the cookie consent banners post-GDPR must now collect visitors’ unambiguous consent.

In general, we can use consent to serve the cookies (under the ePrivacy Regulation), but rely upon legitimate interests (or another lawful ground, e.g. consent, contract, legal obligation, vital interests, public interest) to process the personal data collected using the cookies (under the GDPR).

Let’s now understand how you should approach cookies and consent under these two laws, so you can offer powerful, personalized, and compliant website experiences.

What are the Different Types of Cookies Used by Websites?

Cookies are small data files that a website stores on a user’s computer, mobile phone, or tablet.

Websites use cookies to enhance a user’s browsing experience and for learning more about the user’s preferences and interests.

This cookie information is then used to personalize the user’s future visits to the same website, so website experiences feel more relevant. Cookie data can be used to offer content and advertising that’s aligned with the preferences the user has already shown while browsing.

There are four types of cookies based on the duration for which they’re stored or their source. These are:

  • Persistent Cookies: These are cookies that are stored on a user’s device in between browser sessions. These cookies help in remembering a user’s preferences or actions across a website (or in some cases across different websites). Persistent cookies may be used for a variety of purposes, including remembering users’ preferences and choices when using a website or running targeted advertising campaigns.
  • Session Cookies: These are cookies that expire as a browsing session ends. These cookies allow websites to link the actions of a user during a browser session (from when a user opens the browser window to when they exit the browser). They may be used for a variety of purposes, such as remembering what a user has put in their shopping cart, enabling internet banking access, or facilitating use of webmail. Session cookies aren’t stored long-term. For this reason, session cookies may sometimes be considered less privacy intrusive than persistent cookies.
  • First Party Cookies: These are cookies that are set by the website being visited by the user.
  • Third Party Cookies: These are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company (the main website’s service provider) sets a cookie through that website, this would be a third party cookie.

You can loosely categorize these cookies into four categories using the recommendations by the International Chamber of Commerce in this ICC UK Cookie Guide. (Some cookies can appear in more than one category.)

Category 1: Strictly Necessary Cookies

These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website — for example, for logging into your account on an online shopping store.

Without these cookies, it’s not possible to access the services a website has to offer.

Consent rules for strictly necessary cookies: No consent is required for using strictly necessary cookies. However, it is important to help users understand these cookies and the reasons for using them.

Here are a few strictly necessary cookies The New York Times uses:


Category 2: Performance Cookies

These cookies collect information about how visitors use a website.

Analytics solutions such as Google Analytics, Clicky Analytics, Adobe Analytics and more use such cookies. These cookies don’t collect information that identifies a visitor and all the information these cookies collect is aggregated and therefore anonymous. It’s only used to improve how a website works.

Consent rules for performance cookies:

Consent can be written into the terms and conditions – by using the site you consent to the use of these types of cookies.

Because the GDPR focuses on the processing of private or personally identifiable data, and because it’s not possible to identify the data subject from data that has undergone pseudonymisation, performance cookies (such as those used for Google Analytics data) don’t concern the GDPR to a very great degree. You can include the consent rules for these cookies in your terms and conditions. Essentially, you get the users’ consent to work with these cookies when they use your website.

“This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” — Recital 26 of the GDPR

Here are some examples of National Geographic’s performance cookies:


Category 3: Functionality Cookies

These cookies allow a website to remember the choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal website experiences. For instance, a website may be able to provide you with local weather reports or traffic news by storing region details within a cookie.

These cookies can also be used to remember the changes you’ve made to text size, fonts and other customizable parts of the web pages you visit. They may also be used to provide services you’ve asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they can’t track your browsing activity on other websites.

Consent rules for functionality cookies: Just like in the case of performance cookies, consent for functionality cookies can be written into the terms and conditions – by using a site you consent to the use of these types of cookies – or a notice can be shown when a user changes settings on a website. But many companies proactively let their users opt in to or out of the functionality cookies.

Here are some examples of functional cookies Clym uses:


Functional cookies are also referred to as preference cookies.

Category 4: Targeting Cookies or Advertising Cookies

These cookies are used to run personalized promotions and advertising campaigns based on personal interests and preferences.

They’re also used to limit the number of times you see an advertisement as well as help track a campaign’s performance.

They’re usually placed by advertising networks with the website operator’s permission. These cookies remember your website visits and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.

Consent rules for targeting or marketing or advertising cookies: Specific consent must be sought for these types of cookies because they collect the most information about users.

Here are some examples of advertising/targeting cookies HTC uses:


Want a handy guide of the different types of cookies and how to use them to avoid privacy hassles? We have turned this blog into an infographic for you. Download it here

Convert’s Cookies: Balancing Privacy and Innovation

At Convert, we use only first-party performance cookies which are described below:

_conv_v

  • Cookie name: _conv_v
  • Purpose: This cookie is a visitor-centric cookie. It is a string of star (*) separated pieces; each piece is a string that contains a key and a value glued together by a colon (:).
  • Duration: 6 months
  • Domain source: convert.com
  • Category: Performance
  • Data that is stored: session count, current session timestamp, first session start timestamp, number of pageviews, previous session start timestamp, project level segment IDs, json structure with all experiences-goals presented to the visitor
  • Privacy Policy mentions this cookie: Yes

_conv_s

  • Cookie name: _conv_s
  • Purpose: This is the session-centric cookie. It is a string of star (*) separated pieces; each piece is a string that contains a key and a value glued together by a colon (:).
  • Duration: 20 minutes
  • Domain source: convert.com
  • Category: Performance
  • Data that is stored: session ID, number of pageviews in current session, session hash for performance issues
  • Privacy Policy mentions this cookie: Yes

_conv_r

  • Cookie name: _conv_r
  • Purpose: This cookie holds the referral data for the current visitor.
  • Duration: This is overwritten each time the visitor comes from a new referrer.
  • Domain source: convert.com
  • Category: Performance
  • Data that is stored: source name, referral medium, referrer search terms
  • Privacy Policy mentions this cookie: Yes
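As an added example (not Convert’s own code), here is a small JavaScript parser for the star-separated key:value format that the _conv_v and _conv_s descriptions above use. The key names and the sample value are constructed, since the page does not list Convert’s real keys, and the parser assumes a value never contains a literal star.

```javascript
// Added example, not Convert's code: parse the "key:value*key:value" format
// described for _conv_v and _conv_s. Key names and sample values below are
// constructed; the page does not list the real keys. The cookie arrives from
// the client, so it is treated as untrusted text and never evaluated.

// Split one cookie value into an object. Only the FIRST colon of each piece
// separates key from value, so a value that itself contains colons (for
// example the JSON piece that _conv_v carries) survives intact.
function parseConvCookie(raw) {
  const out = {};
  if (typeof raw !== "string" || raw.length === 0) return out;
  for (const piece of raw.split("*")) {
    if (piece === "") continue;          // tolerate a trailing "*"
    const i = piece.indexOf(":");
    if (i === -1) continue;              // malformed piece: no key/value glue
    const key = piece.slice(0, i);
    const value = piece.slice(i + 1);
    if (key === "") continue;            // ":value" without a key is dropped
    out[key] = value;
  }
  return out;
}

// Constructed sample in the described format (assumed key names).
const SAMPLE_CONV_V =
  "sessions:3*pageviews:17*first_session:1544572800*" +
  'experiences:{"exp1":["goalA","goalB"]}';

// Decode the JSON piece; null when it is absent or not valid JSON.
function experiencesFrom(parsed) {
  if (!("experiences" in parsed)) return null;
  try { return JSON.parse(parsed.experiences); } catch (e) { return null; }
}

// Running the sample:
const parsedSample = parseConvCookie(SAMPLE_CONV_V);
console.log(parsedSample.sessions, parsedSample.pageviews, experiencesFrom(parsedSample));
```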

Both the GDPR and ePrivacy Regulation focus on the users’ consent about collecting or using their data. And because cookies are the primary tools for collecting user data, a good cookie policy can go a long way in helping you comply with them.

Besides, by explaining what cookies you use, what data you store, and how you use that data, you can earn the confidence of your users and show them that their privacy actually matters.

Here are 7 ways to create a great cookie policy page.

Use user-friendly language

A compliant cookie policy must give the user a clear and accurate picture of how cookies are used on your website at any time. It’s an actual requirement that the cookie policy is written in plain and understandable language.

Check out the policy page examples from above and you’ll see how these organizations have written user-friendly versions of the policies that can otherwise sound like legal jargon and be very difficult to understand for general users.

The biggest change for cookie and online tracking in regard to the GDPR is that consent must be given by a clear affirmative action.

EU citizens have grown accustomed to – albeit probably slightly annoyed by – the banners on all websites stating the use of cookies, sometimes asking you to click the OK button, but giving no true choice.

With the regulation, this is not sufficient. The consent has to be given as an affirmative, positive action, and rejecting cookies must be an actual option.

Many companies have already started letting their users reject the cookies they don’t feel comfortable with. On Clym, for example, all the cookies are disallowed by default. A user can choose to allow the ones they want:


Users must have the power to withdraw their consent whenever they want — the consent is theirs to give or withdraw after all!

It’s therefore important to make sure your users have access to their current consent state at all times and can change the settings or withdraw their consent entirely.

If you take another look at the National Geographic cookies page, you’ll see they let users opt-out of them with just a click.


Clicky Analytics, too, offers a one-click opt-out option that lets users stop being tracked by any website using its analytics solution.


So think about adding an opt-out page to your website and let your users manage their consent.

This is pretty straightforward but easy to miss. Every 12 months, renew the user’s consent for allowing all the cookies and data.

Don’t assume consent is “eternal”!

With the GDPR and the ePrivacy Directive, the user consent must be given prior to the setting of the cookies.

Under the GDPR, you need prior consent to setting cookies that track personal data, whereas the ePrivacy Directive is even more far-reaching, and requires that you get consent for setting all except for the strictly necessary cookies.

So, make sure you aren’t using any “implied consent” for setting up cookies.

All consents must be securely stored so that they can be used as evidence in case of a regulatory inspection.
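The consent rules from this section (affirmative opt-in with nothing allowed by default, withdrawal at any time, renewal after 12 months, prior consent for every category except strictly necessary cookies, and a stored record that serves as evidence) as an added JavaScript example that is not part of the original post; the record shape, the category identifiers and the function names are assumptions.

```javascript
// Added example, not from the post: a consent gate applying the rules above.
// Category identifiers follow the four ICC groups used in this post; the
// record shape, the 365-day renewal window and all names are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;
const RENEWAL_WINDOW_MS = 365 * DAY_MS;   // "every 12 months, renew the user's consent"
const CATEGORIES = ["strictly_necessary", "performance", "functionality", "targeting"];

// A consent record is the evidence you keep: when consent was given, which
// categories were affirmatively allowed, and the UI action that granted it.
// Nothing is allowed by default; only categories in `allowed` are switched on.
function newConsentRecord(now, allowed, source) {
  const rec = { givenAt: now, source, allowed: {}, withdrawals: [] };
  for (const c of CATEGORIES) rec.allowed[c] = false;
  for (const c of allowed) if (c in rec.allowed) rec.allowed[c] = true;
  return rec;
}

// Withdrawal returns a new record (the old one is not mutated) and logs the
// withdrawal, so the evidence trail still shows what was granted earlier.
function withdrawConsent(rec, category, now) {
  const next = { ...rec, allowed: { ...rec.allowed }, withdrawals: [...rec.withdrawals] };
  if (category in next.allowed) {
    next.allowed[category] = false;
    next.withdrawals.push({ category, at: now });
  }
  return next;
}

// Consent older than the renewal window no longer counts.
function consentExpired(rec, now) {
  return rec === null || rec === undefined || now - rec.givenAt >= RENEWAL_WINDOW_MS;
}

// The gate: strictly necessary cookies never need consent; every other
// category needs a current, affirmative, not-withdrawn consent. No record
// at all means no implied consent, so the cookie is not set.
function maySetCookie(rec, category, now) {
  if (!CATEGORIES.includes(category)) return false;   // unknown category: deny
  if (category === "strictly_necessary") return true;
  if (consentExpired(rec, now)) return false;
  return rec.allowed[category] === true;
}
```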

More than anything else, get accountable for all the cookies on your website:

Every website uses a host of solution providers, and many of these service providers use cookies. It doesn’t matter whether you use first-party cookies or third-party ones: under the newer, stricter privacy laws you can be subjected to inspections and be required to account exhaustively for the data processing that goes on in connection with your website.

This is easier said than done as most websites have a large number of third-party cookies flowing through their system.

A message saying “We aren’t responsible for any … ” or “Our service providers have their own data … ” or “We aren’t liable for the … ” might give you some peace of mind, but it might not be a good defense.

One tip that we can give you about this is to only partner with a service provider that understands and respects user privacy laws with the same diligence you display.

That’s the only way forward for a progressive, privacy aware business.

Originally published December 12, 2018 - Updated January 12, 2022

Author: Dionysia Kontotasiou, Convert's Head of Integration and Privacy, helping customers with technical queries.
