Getting cookie consent right under GDPR

Getting cookie consent right under GDPR.

While it seems that GDPR has been a really long time coming, we are finally in May 2018, the month that sees the long awaited changes to data protection laws come into force. One growing aspect of compliance that is starting to prove tricky, if not extremely hard to understand; is that of how to deal with Cookie compliance under the GDPR.

So what does the law actually state has to happen when it comes to Cookie usage and how is this going to impact your website. And furthermore, what will you have to do to ensure compliance?

The GDPR Law itself

The main issues that surround how Cookies are going to be affected by the GDPR is that they initially come under their own separate section of data protection law called the PECR. The Privacy and Electronic Communications Regulations have been around for a good 15 years now with the most recent revisions being made in 2016. This is the same law that affects email, texts and other electronic communications specifically; but will also be governed by the GDPR when these electronic methods of communication will affect personal data.

According to CookieLaw, some of the top issues that GDPR will raise for Cookie consent are as follows:

  • Cookies can be personal data
    • The law states that any information that can potentially be used to identify or single out a specific individual will qualify as personal data – even if pseudonymous or doesn’t directly identify an individual.
  • Implied consent is no longer going to be compliant
    • Under GDPR, users now have to make a conscious affirmative action in order to comply with their personal data being processed.
  • Advice to adjust browser settings won’t be enough
    • This doesn’t give someone enough choice in what they can and can’t opt-in to, or out of
  • ‘By using this site, you accept cookies’ statements will not be compliant
    • Again, this does not provide a “genuine and free choice”
  • Sites will need an always available opt-out
    • Even if you do gain consent from someone, you will have to give them an option to opt-out easily at any time if they change their mind
  • Soft opt-in is likely the best consent model
    • As explained by CookieLaw, this means giving an opportunity to act before the cookies are first set on a website. Then, if there is fair notice then continuing to browse a site can be valid consent via affirmative action.
  • You need a response to Do Not Track browser requests
    • A DNT:1 signal is a valid browser setting communicating visitor preference. This can also be seen as an action enabled by the user exercising their “right to object to profiling”.
  • Consent will need to be specific to different cookie purposes
    • If you use different types of cookies on your site that process data for different purposes then valid consent will be needed for each purpose. This means granular levels of control for targeting cookies, analytics cookies and strictly necessary cookies in order for the website to perform as needed.

As you can see, there are a number of different issues presented here that could mean wholesale changes to the way that websites across the world look, act and function due to the GDPR.

How does this change things?

So with this in mind, are we going to see a world where splash pages are reintroduced where users will have to select each separate cookie that they want to accept or reject (which will most likely lead to a largely wide scale rejection) before being able to visit the website. And with wide scale rejection of all cookies apart from the most necessary for the site to function, this will massively affect all analytics and online advertising using tracking cookies such as Facebook’s pixel and Google’s remarketing.

Could this have further knock on effects toward analytics and even paid advertising? Remarketing, targeting and analytics Cookies are deemed as “non-essential” therefore you must gain consent in order to use them due to the legal basis for processing needed. If businesses are starting to realise that their remarketing efforts are fruitless due to the majority of people not consenting to have these Cookies placed in their browser then it isn’t too far fetched to suggest that remarketing may start to die out. As it stands, we at Project Simply have experienced approximately a 50% opt-in rate on our new GDPR compliant forms; and this is so that the user can continue to receive more relevant, interesting content from us. A Cookie; arguably; doesn’t really hold much benefit to the end user so it is quite reasonable to assume that not many people are going to opt-in.

And what to do with Analytics? If people aren’t opting in to using Cookies then it is fair to say that webmasters will never again have full transparency of the users on their website. Sure, it has never been 100% accurate using Analytics services but with the GDPR implementation, it is going to be even more likely that you won’t ever see a full picture again. Providing that all websites are compliant with the GDPR and don’t store relevant Cookies without asking someone first… but that’s a different blog post.

So how do I remain compliant with my site’s Cookies under GDPR?

While all of this may seem quite complex and full on at first glance, we think that in practice, GDPR cookie consent isn’t going to require or warrant wholesale changes to your website’s infrastructure. Nor will it mean a pop-up, blocking entry to the site until someone has selected their cookie preferences.

What you need to do is, as aforementioned, follow the soft opt-in route. For this you will need to provide a banner or pop-up on your site that allows users to opt-in, on a granular level (e.g. separate opt-ins for non-essential Cookies like analytics and targeting Cookies) and then you can only apply those Cookies to that user if they opt-in. If they ignore the banner and don’t make a selection on it, you are able to provide a notice on the banner explaining that if they continue to browse the site on multiple occasions, you will presume that they consent to using Cookies. You could then potentially automatically assign consent to the user if they were to visit the site on more than one occasion, if they don’t eventually choose their preferences anyway. This is just our take on it, though – we strongly suggest that advice from the ICO is gained in every separate instance.

Privacy Policy

You will also need to link to your Privacy Policy in order to explain exactly which Cookies you are using, what you are using them for and how someone can easily opt-out of them being stored in their browser. It is also important to explain to people why they have to allow the essential Cookies in order for the website to work but also let them know that they are able to edit their browser settings to block Cookies; even though this may cause parts of the site to not work properly.

Getting help

All of this seem a little overwhelming or just not know where to start at all? In the weeks running up to the “go live” date of the GDPR, we are offering a Personalised User Engagement, Web and GDPR Audit.

Our personalised User Engagement, Web and GDPR Audit will assess your current position, where changes are needed and gives practical implementation steps on what to do and when to help you be compliant. We will then put this into a tidy Launchpad for you to kick on with.

As always, this doesn’t constitute legal advice and it is advised that you seek guidance from the ICO about all issues to do with GDPR and data protection.