Requirements for GDPR Cookie Policies

For many businesses, the GDPR policy is a game changer in terms of customer data management. The EU’s General Data Protection Regulation (GDPR) was implemented to better protect customer data for all people residing in the EU. However, this regulation extends far beyond Europe’s borders. Because many websites are accessed by people who are covered by GDPR guidelines, you need to be aware of how this regulation will affect your business moving forward.

GDPR has specific provisions for how websites use cookies. These provisions are aimed at increasing the awareness customers have with regards to cookie use and data collection by websites.

What are cookies?

Cookies are essentially small pieces of code that collect and record data. When a customer visits your website, a cookie can be used to save the customer’s login information, browsing history, preferences, and even identity. Cookies can also be used to track the activity of different devices such as smartphones, tablets, and computers.

The working principle behind a cookie is its communication function. Cookies make it possible for your website to send a message (in the form of a file format named cookie.txt) to your customer’s browser. The user’s browser will then save this message and use it to communicate signals back and forth moving forward.

The two main types of cookies

The ultimate goal of using cookies is to understand website users better so you can customize their browsing experience and streamline your operations. Towards this end, there are two main types of cookies used.

1. Lifespan cookies

Lifespan cookies get their name from how long they remain embedded in a user’s browser. Some cookies last for only a single browsing session (session cookies)- while others remain present until the user deletes them (persistent cookies).

Persistent cookies will still be present even when the browser is closed and re-opened at a later time.

2. Domain cookies

Domain cookies are based on location rather than duration. In other words, domain cookies pertain to where user data is sent after collection. There are two subsets of domain cookies- namely first party and third-party cookies.

First party cookies limit data collection to your specific website. This means that all user data collected from your website visitors will remain within your website only. On the other hand, third-party cookies allow for data sharing across multiple domains. This means that other third parties that are on your web pages (such as advertisers) will also have access to user data.

Third party cookies have come under scrutiny in recent years. Why? Because they provide a platform through which user data is shared across multiple websites. If a user were to visit your website and you have external advertisers, that user’s data will also be accessed by these advertisers. Such data can then be used to create targeted ads. Using cookies to create targeted ads typically raises significant concerns with regards to privacy.

Understanding the new GDPR cookie policy

GDPR doesn’t address cookies as a separate issue. However, it does classify cookies under a type of personal data. According to GDPR, cookies can be used along with IP addresses, radio signals, and other techniques to identify a specific person and to create a profile regarding their behavior. Therefore, websites that use cookies are required to follow specific guidelines regarding disclosure to users, transparency, and ease of data access.

Your visitors should be informed about information that your website collects, and how such data will be used and shared moving forward. Furthermore, this information needs to be presented in a manner that’s easy to understand (using “plain and clear” language).

Preparing a cookie consent plan for your website

When informing website visitors about your cookie policy, you should clearly explain all data being collected- and what it will be used for. For example, many businesses collect data for two primary purposes: for business enablement or to create a streamlined experience.

Data collected for business enablement can be used to process payments more efficiently, to remember items added to cart, or to make logging into accounts easier. Cookies can also be used to create a better overall user experience by customizing product listings, setting language preferences, or remembering format choices. Regardless of your overall purpose, your cookie policy should clearly outline these intentions in a manner that users can easily understand.

Why does a cookie policy matter?

A cookie policy is an official way through which you inform website visitors about data collected (and how it’s used). Just placing an opt-in/consent notification isn’t enough to educate users about how you collect and use their data.

You should also add a link to your entire cookie policy, where you inform your website visitors about the domain types used, the lifespan of your cookies, how data is shared and sent, what your overall purpose is, and how users can opt-out even after opting in.

What you should know about the proposed update to the Cookie Law

The current ePrivacy directive has somewhat fallen behind privacy concerns of internet users. While it does contain a provision for prior consent, it places lots of burden on the user to ensure that they remain in control of their data.

By creating simple ways for users to control their data you can stay ahead of most changes that come about the regulation and easily adjust to new ones that come forth (like the California Consumer Privacy Act).