The General Data Protection Regulation (GDPR) is the main law covering the way organizations handle personal data relating to individuals in the European Union. It is a regulation rather than a directive, which means it took legal effect across the 28 European Union member countries without having to be built into domestic legislation.
The law applies to both controllers and processors of personal data. Controllers are the people or organizations who decide how and why data is processed. Processors must directly comply with the GDPR, but controllers are also legally responsible for making sure the processors they use comply with the GDPR.
The GDPR applies whenever you collect personal data about somebody who is in an EU country. It doesn't matter if you are based outside the EU or where you physically store or process the data.
Let's find out how it affects your Cookies Policy.
- 2. Should I Have A Separate Cookies Policy Even Though the GDPR Doesn't Require It?
- 2.1. Better Visibility
- 2.2. More Manageable Information
- 2.3. Other Regulations
- 3. What Should I Include in a Cookies Policy?
- 3.1. Introduction
- 3.2. What Cookies You Use and Why
- 3.3. How to Opt Out
- 3.4. Reminder
- 4.1. Footer Links
- 4.2. Menu Link
- 4.3. Pop-Up Notice
- 5. GDPR and Consent
- 6. Create your Cookie Consent
- 7. Summary
The GDPR dictates some information that you must provide to anyone whose personal data you are collecting. The GDPR also says that any information you provide must:
"be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used."
The way the GDPR applies to cookies is not as obviously clear-cut. The wording of the legislation says that cookies are relevant where they could be:
"combined with unique identifiers and other information received by the servers [that] may be used to create profiles of the natural persons and identify them."
In other words, if a cookie (by itself or combined with other information) makes it possible to identify an individual, it counts as personal data that falls under the protection of the GDPR.
Should I Have A Separate Cookies Policy Even Though the GDPR Doesn't Require It?
For several reasons, having a separate Cookies Policy makes sense.
Other Regulations
Even where the GDPR doesn't apply to cookies, you may still be covered by other legislation.
For example, in the United Kingdom, the directive covering cookies was adopted through the Privacy and Electronic Communications Regulations.
While the European rules are arguably the most stringent, other countries either have or may introduce regulations for cookies. The nature of the internet means your business or website may be affected by such regulations regardless of where you are physically based.
Having a separate Cookies Policy will greatly reduce the risk that you inadvertently breach any of these laws and regulations, particularly if you move from a domestic business to an international one.
What Should I Include in a Cookies Policy?
Sage gives an overview of cookies before going into the specifics of which cookies it uses:
This section tends to be more standard across the board and defines what cookies are and generally what they do.
What Cookies You Use and Why
In theory you could have separate sections with one detailing the specific range of cookies you use and the other explaining why you are using them. In practice this can be unwieldy and leave the user having to cross-reference back and forth to make sense of things.
Instead it's usually better to detail each cookie individually and briefly explain what the cookie is for and what information it covers. It's also worth detailing whether it's you who creates and operates the cookie or if a third party does it.
Pearson uses drop-down links to cover its wide range of cookies in an accessible manner:
You can structure this section any way you want to, as long as it's informative and easy to read. The drop-down styling here is helpful and makes things seem more organized for readers, but it isn't necessary.
How to Opt Out
Give clear details of how a user can opt out of cookies. In particular, say what the user needs to do to opt out of one cookie or type of cookie while still accepting the others.
It's perfectly fine - and in fact a good idea - to make clear what the consequences of opting out of a cookie will be. You shouldn't exaggerate or mislead, but it's fine to point out that functionality could be restricted.
Amazon not only explains that blocking its cookies will make its site effectively unusable but also details why:
Medela gives a clear overview of cookies, pointing to third party guides rather than attempting to cover all browser instructions (which could become outdated):
Conde Nast uses a more detailed approach, covering how to opt out of receiving cookies from specific sources, as well as how to block them within a web browser:
The more informative you are with this clause, the better. Make it easy for your users to opt out if they'd like to.
Another benefit of placing a link in the footer is that people are accustomed to seeing footer links and intuitively know to look there for legal information or other important links.
It's worth thinking about your audience. Tech-lovers may be more familiar with "conventions" such as three dots or lines being the icon for revealing a drop-down menu. More casual or less confident internet users might need clearer signposting.
Facebook's Lite Messenger app uses two layers of drop-down menu to reduce clutter:
Consider giving your menu a name like the one in the image above, such as Settings or Legal Agreements, or anything else that lets users know they can find important items in the menu.
Here's how the BBC uses a pop-up notice to display useful cookies information as well as a link to a Settings interface and the full Cookies Policy:
It's better to display your Cookies Policy too much than to not display it enough. The best way to approach displaying it is by adding a static footer link that's always there, as well as using pop-ups and other one-off display methods at relevant times (like right before you place a cookie on a user's device).
GDPR and Consent
A pop-up screen is particularly useful if you are seeking active consent (such as asking users to click to say they are happy to have the cookie) rather than implied consent (telling the user to stop using the site if they don't want to accept cookies).
Remember that if you are using a cookie that collects or uses personal data of an individual in the EU, that cookie's use will fall under GDPR jurisdiction. The same applies if the cookie can combine with other data (such as an IP address) to identify an individual, in which case the GDPR classifies the cookie as personal data.
In such cases, you must use the cookie in a way that complies with GDPR. This means:
- Making sure the user is fully informed about the cookie and related personal data
- Collecting active consent from the user to place the cookie and process the related personal data
- Allowing the user to withdraw their consent at any time
- Allowing the user to ask you to delete the related personal data later on
The specific wording in the GDPR about active consent is that the consent must be "clear and affirmative." This means the user must carry out an action such as clicking an acceptance button to confirm they are happy to proceed. It also means that the user is confirming they've had the opportunity to see the relevant information to make that choice.
Choosing the information you show at the point of asking the user for consent to cookies is a balancing act. You don't want to miss out important details that mean the user's consent is not genuinely informed. On the other hand, you don't want to overwhelm the user with information to the point they just click through to make it go away.
If relevant, the summary shown at the point of consent could include boxes for the user to accept some cookies while opting out of others. Again, the full details could go in a drop-down options menu.
FedEx combines all of these techniques in a clear but detailed pop-up:
However, you don't need to be this elaborate when requesting consent for cookies. Here's a simpler way that the University of Brighton gets consent for cookies, with a clearly labeled "Accept Cookies" button:
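As an added example (not from the original article), here is a small consent gate in JavaScript that enforces the consent requirements listed in this section: no non-essential cookie is placed until the user has made a choice, only an explicit tick counts as affirmative consent, and withdrawal deletes the cookies placed under the earlier consent (the later deletion request for server-side personal data is out of scope here). The category names, the class name and the in-memory cookie jar are assumptions made for this example.

```javascript
// Added example, not taken from the article: a minimal consent gate that
// enforces the requirements listed above (inform, affirmative opt-in,
// withdrawal, no non-essential cookies before consent). Names are assumed.
const NON_ESSENTIAL = ["analytics", "marketing"];

// In-memory cookie jar so the logic runs outside a browser (constructed for
// this example); a real deployment would wrap document.cookie instead.
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    remove: (name) => store.delete(name),
    has: (name) => store.has(name),
  };
}

class ConsentGate {
  constructor(jar, clock = () => new Date().toISOString()) {
    this.jar = jar;
    this.clock = clock;
    this.consent = null;      // null: the user has not made a choice yet
    this.placed = new Map();  // cookie name -> category, for withdrawal
  }
  // Record the user's clear and affirmative choice per category. Only an
  // explicit true counts as consent, so pre-ticked or missing boxes refuse.
  recordChoice(choices) {
    const categories = {};
    for (const c of NON_ESSENTIAL) categories[c] = choices[c] === true;
    this.consent = { given: this.clock(), categories };
    return this.consent;
  }
  allowed(category) {
    if (category === "essential") return true;
    return Boolean(this.consent && this.consent.categories[category]);
  }
  // Place a cookie only if its category has been consented to.
  setCookie(name, value, category) {
    if (!this.allowed(category)) return false;
    this.jar.set(name, value);
    this.placed.set(name, category);
    return true;
  }
  // Withdrawal at any time: refuse all non-essential categories and delete
  // every non-essential cookie that was placed under the earlier consent.
  withdraw() {
    this.recordChoice({});
    for (const [name, category] of this.placed)
      if (category !== "essential") { this.jar.remove(name); this.placed.delete(name); }
  }
}
```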
Create your Cookie Consent
Let's recap what you need to know and do when it comes to the GDPR and cookies.
- The GDPR applies whenever you handle personal data about somebody in a European Union country.
- Use a clickwrap checkbox format to get the best form of consent.