What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that replaces Directive 95/46/EC and governs the current data protection framework in Europe. The GDPR regulates the processing of personal data of EU residents. It has far-reaching implications and a very broad scope: it affects organizations that process personal data of EU residents wherever in the world they are located. The regulation is meant to harmonize the EU data protection landscape and protect the rights and freedoms of EU individuals. It introduces the principle of accountability, which means organizations that handle EU residents’ personal data must be able to demonstrate compliance with the requirements of GDPR. The term personal data is defined as any information relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, and the Regulation itself mentions that online identifiers such as cookies can be considered personal data.

Do GDPR and ePrivacy Apply to Me?

You do not need to be headquartered in the EU for the GDPR and ePrivacy to apply to your organization. If you have customers from the EU visiting your site, you need to have GDPR and ePrivacy compliant processes built into your website for your EU visitors.

What is ePrivacy?

Current requirements for cookies in Europe are derived from the ePrivacy Directive (ePD), first introduced in 2002. Since the revision of the text in 2009, website operators in Europe have had to obtain the website visitor or app user’s consent to store or retrieve cookies or other tracking technologies on the person’s device (with the exception of strictly necessary cookies). Because the requirements are set forth in a Directive, it requires each Member State to transpose them into national law, which resulted in the same issue as the Data Protection Directive: a fragmented landscape, hard to navigate, especially for companies operating in different EU countries and globally. To ensure consistency with the new rules introduced by GDPR, the EU Commission introduced a proposal for ePrivacy Regulation (ePR) in January 2017 to replace the existing ePrivacy Directive. The main goals behind ePR were to
  • Ensure consistency between the ePrivacy rules and the General Data Protection Regulation
  • Update the scope of the ePrivacy Directive in light of the new market and technological reality
  • Enhance security and confidentiality of communications
  • Address inconsistent enforcement and fragmentation
The text is still going through the legislative process and many updated versions of the original proposal have been introduced. One of the most debated aspects of the text is the current absence of legitimate interest as a valid legal basis to store or retrieve cookies. Consent is still the only option, which many organizations (in particular in the ad tech industry) argue is inconsistent with the new GDPR rules.

What do these regulations mean for my site?

As the owner, operator or publisher of a website available in Europe, you need to get the user’s consent before storing cookies or other tracking technologies that are not strictly necessary on their device. Consent needs to be given for all types of cookies that are not strictly necessary when a user lands on a particular webpage, and the website publisher is the person responsible for collecting the user’s consent (whether the cookie is a first-party cookie or a third-party cookie). You can store cookies on a person’s device only after you provide the user with clear and comprehensive information about the purpose of the processing and obtain his/her consent. This is what gave rise to the various cookie notification banners and pop-ups found on many websites. Now that GDPR has entered into force, the “consent” required for cookies is to be understood as “GDPR consent”, meaning all four criteria for valid consent (freely given, specific, informed, and unambiguous) must be met. In practice, this means that implied consent (cookies are dropped after the user continues browsing the website), which has been used by almost all websites since 2009, will likely not be considered valid in the GDPR era. Cookie preference centers allowing the user to choose which categories of cookies he/she consents to will likely be the new norm.

Are there any exceptions to requiring consent to drop cookies? The only allowable exception is when the use of the cookies is “strictly necessary” for the operation of the site. In general, consent is not required if the cookie is:
  • used for the sole purpose of carrying out the transmission of a communication, and
  • strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.
Cookies clearly exempt from consent according to the EU advisory body on data protection (WP29) include:
  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies used to store technical data to playback video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of the session
  • user‑interface customization cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

Fines and Penalties

Organizations that do not comply with GDPR face heavy fines and penalties. Some violations are subject to up to 4% of the organization’s global annual turnover. Some non-monetary penalties, such as having a supervisory authority ordering you to stop a processing activity, can turn out to be even more costly for an organization than fines. Similarly, organizations face losing users themselves as consumers may avoid engaging with websites where they believe their privacy is at risk.

What are the different ways to approach cookie requirements?

There are several approaches to a cookie banner, and you can choose what’s best for your company depending on your level of risk tolerance. The list below runs from most risk-tolerant/least technical to lowest risk/most technical.
  • Notice Only drops all cookies on a user’s browser, shows a cookie notice but does not require action from the user.
  • Implied Consent drops only strictly necessary cookies, shows the cookie notice but does not force the user to interact. If a user keeps browsing or “clicks to continue,” the rest of the cookies are dropped.
  • Opt-out Consent drops all cookies first, then shows the cookie notice and forces users to accept or decline the use of cookies.
  • Opt-in Consent drops only strictly necessary cookies first, then shows the cookie notice and forces users to accept or decline the use of cookies before dropping any additional cookies.
There are several ways to approach cookie requirements:

Option A

Opt-Out Consent

What does it mean?

Drop all cookies when the user reaches the landing page, show the cookie notice and allow action on the notice.

Why Choose This?

  • Most common approach on websites today
  • Easiest to implement technically
  • Least impact on user experience
  • Organization is willing to accept a higher level of risk
  • Bet that a warning will occur before actual enforcement
  • Waiting to see what ePrivacy Regulation will actually require when finalized

Option B

Implied Consent

What does it mean?

Drop strictly necessary cookies only when the user reaches the landing page, show a cookie notice indicating “Continue Browsing” or “Clicking ok” will amount to consent, and drop the rest of the cookies once one of these actions has been taken.

Why Choose This?

  • Increasingly adopted by organizations
  • Question of whether approach is compliant with the definition of consent under GDPR
  • More difficult to implement technically, need developer support to implement cookie blocking logic provided by OneTrust
  • Implement this as reasonable approach while waiting to see what new ePrivacy Regulation will actually require when finalized

Option C

Expressed Consent

What does it mean?

Drop strictly necessary cookies only when the user reaches the landing page, show a cookie notice with clear and comprehensive information about the purposes of processing the cookies, require an affirmative action from the user, and only after that drop the rest of the cookies.

Why Choose This?

  • Increasingly adopted by organizations taking a “privacy first” approach
  • Most in line with the definition of consent under GDPR
  • Likely to be what will be required under new ePrivacy Regulation
  • Already required in some jurisdictions (Netherlands, Italy)
  • Likely impact on user experience since requires action prior to progressing
  • Assume higher percentage of users who decline tracking which may have business impact
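The four models listed earlier (Notice Only, Implied, Opt-out, Opt-in) and Options A to C differ only in when a non-necessary cookie may be written relative to the user's action on the notice. The following is an added example, not OneTrust or CookiePro code, that models that gating logic; the cookie names and categories ('necessary', 'analytics', 'advertising') are constructed, and a Map stands in for document.cookie so it runs outside a browser.

```javascript
const NECESSARY = 'necessary'; // the only category exempt from consent

class ConsentGate {
  // mode: 'notice-only' | 'implied' | 'opt-out' | 'opt-in'
  // jar: a Map standing in for document.cookie (assumption, so it runs outside a browser)
  constructor(mode, jar = new Map()) {
    this.mode = mode;
    this.jar = jar;
    this.granted = new Set([NECESSARY]); // strictly necessary cookies never need consent
    this.decided = false;                // has the user acted on the notice yet?
    this.queue = [];                     // non-necessary cookies held back until consent
  }
  // May a cookie in `category` be written right now?
  allowed(category) {
    if (category === NECESSARY || this.granted.has(category)) return true;
    if (this.decided) return false;      // user chose, and did not include this category
    // Before any user action: notice-only and opt-out drop everything,
    // implied and opt-in hold non-necessary cookies back.
    return this.mode === 'notice-only' || this.mode === 'opt-out';
  }
  // Called wherever a script would normally write a cookie.
  set(name, category, value) {
    if (this.allowed(category)) this.jar.set(name, { category, value });
    else this.queue.push({ name, category, value });
  }
  // Record the user's choice, remove cookies that are no longer permitted
  // (matters for opt-out) and release queued cookies that now are.
  grant(categories) {
    this.decided = true;
    categories.forEach(c => this.granted.add(c));
    for (const [name, c] of this.jar) if (!this.allowed(c.category)) this.jar.delete(name);
    this.queue = this.queue.filter(c => {
      if (!this.allowed(c.category)) return true;
      this.jar.set(c.name, { category: c.category, value: c.value });
      return false;
    });
  }
  decline() { this.grant([]); }
  // Under the implied model, "continue browsing" / "OK" is treated as consent to everything.
  continueBrowsing(allCategories) {
    if (this.mode === 'implied') this.grant(allCategories);
  }
  names() { return [...this.jar.keys()].sort(); }
}

// Constructed walk-through of the opt-in (expressed consent) model from Option C:
// only session_id is written until the user acts; granting analytics then releases _ga.
const gate = new ConsentGate('opt-in');
gate.set('session_id', NECESSARY, 'abc');
gate.set('_ga', 'analytics', 'GA1');
gate.set('ad_id', 'advertising', 'x1');
gate.grant(['analytics']);
```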

Privacy Risk Assessment

Is Your Website Cookie Compliant?

With a few simple clicks in CookiePro, scan your website against our database of 9 million cookies to identify and auto categorize the tracking technologies on your site. Automatically generate a cookie policy based on the scan, and schedule an auto scan to keep it up-to-date.