What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that replaced Directive 95/46/EC and now governs the data protection framework in Europe. It regulates the processing of personal data of individuals in the EU. Its scope is broad: it applies to any organization that processes such data, wherever in the world that organization is located. The regulation is meant to harmonize the EU data protection landscape and protect the rights and freedoms of EU individuals. It introduces the principle of accountability: organizations that handle personal data of EU individuals must be able to demonstrate compliance with the requirements of GDPR.
The term personal data is defined as any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, and the Regulation itself states that online identifiers such as cookie identifiers can be personal data.
Does GDPR and ePrivacy Apply to Me?
You do not need to be headquartered in the EU for GDPR and ePrivacy to apply to your organization. If visitors from the EU use your site, your website needs GDPR- and ePrivacy-compliant processes for those visitors.
What is ePrivacy?
Current requirements for cookies in Europe derive from the ePrivacy Directive (ePD), first adopted in 2002. Since the revision of the text in 2009, website operators in Europe have had to obtain the website visitor's or app user's consent to store or retrieve cookies or other tracking technologies on the person's device (with the exception of strictly necessary cookies).
Because the requirements are set out in a Directive, each Member State has to transpose them into national law. This produced the same problem as the Data Protection Directive: a fragmented landscape that is hard to navigate, especially for companies operating in several EU countries or globally.
To ensure consistency with the new rules introduced by GDPR, the European Commission published a proposal for an ePrivacy Regulation (ePR) in January 2017 to replace the existing ePrivacy Directive. The main goals of the ePR were to:
- ensure consistency between the ePrivacy rules and the General Data Protection Regulation
- update the scope of the ePrivacy Directive in light of the new market and technological reality
- enhance the security and confidentiality of communications
- address inconsistent enforcement and fragmentation
The text is still going through the legislative process and many revised versions of the original proposal have been introduced. One of the most debated aspects of the text is the absence of legitimate interest as a valid legal basis for storing or retrieving cookies. Consent remains the only option, which many organizations (in particular in the ad tech industry) argue is inconsistent with GDPR, under which legitimate interest is one of the available legal bases for processing personal data.
What do these regulations mean for my site?
As the owner, operator or publisher of a website available in Europe, you need to obtain users' consent before storing on their device any cookies or other tracking technologies that are not strictly necessary.
Consent is needed for every type of cookie that is not strictly necessary, from the moment a user lands on a page, and the website publisher is responsible for collecting it, whether the cookie is a first-party or a third-party cookie.
You may store cookies on a person's device only after you have provided clear and comprehensive information about the purpose of the processing and obtained his or her consent. This is what gave rise to the cookie notification banners and pop-ups found on many websites.
Now that GDPR applies, the consent required for cookies is to be understood as GDPR consent, meaning all four criteria for valid consent (freely given, specific, informed and unambiguous) must be met.
In practice, this means that implied consent (cookies being dropped after the user simply continues browsing the website), which almost all websites have relied on since 2009, will likely not be considered valid under GDPR. Cookie preference centers that let the user choose which categories of cookies to accept will likely become the norm.
Are there any exceptions to requiring consent to drop cookies?
The only exception is when the use of a cookie is strictly necessary for the operation of the site. Consent is not required if the cookie is:
- used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or
- strictly necessary in order for the provider of an information society service explicitly requested by the user to provide that service.
Cookies that the EU advisory body on data protection (the Article 29 Working Party, WP29) considers clearly exempt from consent include:
- user-input cookies (session IDs), such as first-party cookies that keep track of the user's input when filling in online forms, shopping carts, etc., for the duration of a session, or persistent cookies limited to a few hours in some cases
- authentication cookies, to identify the user once logged in, for the duration of a session
- user-centric security cookies used to detect authentication abuses, for a limited persistent duration
- multimedia content player cookies used to store technical data needed to play back video or audio content, for the duration of a session
- load-balancing cookies, for the duration of the session
- user-interface customization cookies such as language or font preferences, for the duration of a session (or slightly longer)
- third-party social plug-in content-sharing cookies, for logged-in members of a social network
Fines and Penalties
Organizations that do not comply with GDPR face heavy fines and penalties.
Some violations are subject to administrative fines of up to €20 million or 4% of the organization's total worldwide annual turnover, whichever is higher. Non-monetary penalties, such as a supervisory authority ordering you to stop a processing activity, can prove even more costly for an organization than fines. Organizations also risk losing users, since consumers may avoid engaging with websites where they believe their privacy is at risk.
What are the different ways to approach cookie requirements?
There are several approaches to a cookie banner, and you can choose what is best for your company depending on your risk tolerance. The options below are listed from most risk-tolerant/least technical to lowest risk/most technical.
- Notice Only: drops all cookies in the user's browser and shows a cookie notice, but does not require any action from the user.
- Implied Consent: drops only strictly necessary cookies and shows the cookie notice, but does not force the user to interact. If the user keeps browsing or clicks to continue, the rest of the cookies are dropped.
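The consent model described earlier (only strictly necessary cookies before the user acts, explicit opt-in per category through a preference center, no consent inferred from continued browsing) can be enforced in the site's own front-end code rather than left to each tag's author. The following is an added example, not code from the original page or from any consent-management product. The category names, the consent-record shape, the cookie registry and the tag URLs are illustrative assumptions; the cookie jar is a Map standing in for document.cookie so the code runs offline.

```javascript
// Added example: a minimal consent gate for the GDPR-consent model described above.
// Assumptions (not from the original page): category names, consent-record shape,
// the cookie registry and the tag list are all illustrative.
'use strict';

// Categories a preference center would expose. "necessary" covers the ePrivacy
// exemptions (session, auth, load-balancing, ...) and can never be switched off.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Hypothetical registry mapping each cookie the site sets to a category.
// A cookie not listed here is unclassified and is refused (fail closed).
const COOKIE_REGISTRY = {
  sessionid: 'necessary',
  csrftoken: 'necessary',
  lb_node: 'necessary',
  ui_lang: 'functional',
  _ga: 'analytics',
  ad_id: 'marketing',
};

// Before the user acts, only strictly necessary cookies are permitted.
function defaultConsent() {
  return { version: 1, decidedAt: null, categories: { necessary: true } };
}

// Record an explicit choice from the preference center. Scrolling or "continuing
// to browse" is not an unambiguous affirmative act, so callers pass the checkbox
// state; anything missing or non-boolean is treated as refused (opt-in, not opt-out).
function recordConsent(choices, now = new Date()) {
  const categories = { necessary: true };
  for (const c of CATEGORIES) {
    if (c === 'necessary') continue;
    categories[c] = choices[c] === true;
  }
  return { version: 1, decidedAt: now.toISOString(), categories };
}

function isAllowed(consent, category) {
  return consent.categories[category] === true;
}

// Gate the write of one cookie. Returns true only when it was written into `jar`.
function setCookieIfAllowed(jar, consent, name, value) {
  const category = COOKIE_REGISTRY[name];
  if (!category || !isAllowed(consent, category)) return false;
  jar.set(name, value);
  return true;
}

// Decide which third-party tags may be injected given the current consent.
// Tag loaders (analytics, ad pixels) are the usual source of non-exempt cookies,
// so they are held back until consent exists for their category.
function scriptsToLoad(consent, tags) {
  return tags.filter(t => isAllowed(consent, t.category)).map(t => t.src);
}

// Withdrawal must be as easy as giving consent: delete every cookie outside the
// categories still allowed and return the names removed.
function applyWithdrawal(jar, consent) {
  const removed = [];
  for (const name of Array.from(jar.keys())) {
    const category = COOKIE_REGISTRY[name];
    if (!category || !isAllowed(consent, category)) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

// Walk-through with a constructed tag list (illustrative hosts, not real vendors).
function demo() {
  const tags = [
    { src: 'https://analytics.example/tag.js', category: 'analytics' },
    { src: 'https://ads.example/pixel.js', category: 'marketing' },
  ];
  const jar = new Map();
  let consent = defaultConsent();
  setCookieIfAllowed(jar, consent, 'sessionid', 'abc');   // true: exempt cookie
  setCookieIfAllowed(jar, consent, '_ga', 'GA1.2');        // false: no consent yet
  const before = scriptsToLoad(consent, tags);            // nothing loads
  consent = recordConsent({ analytics: true }, new Date('2024-01-01T00:00:00Z'));
  setCookieIfAllowed(jar, consent, '_ga', 'GA1.2');        // true after opt-in
  const after = scriptsToLoad(consent, tags);             // analytics tag only
  const removed = applyWithdrawal(jar, defaultConsent()); // user withdraws: _ga goes
  return { before, after, removed, remaining: Array.from(jar.keys()) };
}
```

The consent record itself (version, timestamp and per-category flags) is what lets you demonstrate accountability later, and it is normally persisted in a first-party cookie that is itself treated as strictly necessary, since it exists only to honour the user's choice. Keeping a version field means a change to the cookie registry or to the banner wording can invalidate old records and re-prompt, rather than silently relying on consent given for a different set of purposes.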
There are several ways to approach cookie requirements: