Whether you launch your website to promote your business and brand in Europe, or operate an e-commerce platform to sell your products or services, chances are that cookies or similar technologies (eg JavaScript, Flash cookies, HTML5 local storage and/or web beacons or tracking pixels) are part of your web operations.
What are cookies?
Cookies are small files that can contain information and are stored on a user’s device when visiting a website. Each cookie is associated with a specific web domain, which can either be the domain corresponding to the website the user is visiting (first-party cookie) or a domain corresponding to a third party’s website (third-party cookie). The cookie is dropped and/or updated every time the user’s browser interacts with that domain.
Cookies can be used for a broad range of purposes (tracking the user’s online behaviour to help improve the website or for advertising purposes, ensuring security and preventing fraud, memorising a shopping cart or users’ preferences in terms of language, version or features of the website, etc). They enable companies to gather valuable insights into user behaviour and tailor marketing efforts accordingly. However, their use comes with significant regulatory challenges under the ePrivacy Directive and, where the cookies involve processing personal data, the GDPR.
Note that for now at least, the EU rules are mirrored in the UK under the UK GDPR and the Privacy of Electronic Communications Regulations (PECR).
Here are ten key steps to help ensure compliant use of cookies on your website.
Conduct a cookie audit – what cookies are you using/do you want to use?
Conducting a comprehensive audit of the cookies used on your website is crucial to help you identify and comply with your obligations, in particular any consent requirement and your information obligations. You need to understand what cookies are being used and for what purposes. Are they first-party or third-party cookies, persistent or session cookies? What data do they hold or otherwise process? What is the lifespan of the cookie? And crucially, do they use personal data? You should also consider whether or not you really need to use them.
Do you need consent?
Under Article 5(3) of the EU ePrivacy Directive, prior consent is required before you can store information or gain access to information already stored in the terminal equipment of a user, except if such storage or access is (i) for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or (ii) strictly necessary to provide a service explicitly requested by the user (for example to memorise a shopping cart). In practice, a single cookie may serve different purposes and only some of those purposes may benefit from the consent exemption.
In addition, most cookies involve the processing of personal data, in which case they are subject to GDPR which brings in additional information as well as consent requirements.
You are most likely to be using:
- Functional cookies – these are essential for the functioning of your website, for example to remember passwords, keep track of online shopping carts or memorise language preferences. You can place them without obtaining consent from users but you still need to tell users about them.
- Analytical cookies – these help improve your website, for example the Google Analytics cookie. They give you more insight into usage statistics and let you optimise how your website is used, resulting in an enhanced level of interaction. Users must be informed about the use of analytical cookies, and user consent is generally required for those which use personal data.
- Tracking cookies – these are used to gain insight into users’ online behaviour and use personal data so prior user consent will be required.
Understand what constitutes consent
Under GDPR and the ePrivacy Directive, for consent to be valid, it must be:
- Specific - consent must be collected separately for each category of cookies.
- Freely given - in order to be freely given, consent must be genuinely optional. The user should be in a position to refuse the use of non-essential cookies (see more below).
- Informed - the user must be informed of the purpose of each category of cookies for which consent is sought in a clear and intelligible manner in such a way that they are in a position to understand what they are agreeing to.
- Unambiguous - consent must result from a positive action from the user ie a box to be ticked or clicking on an “accept” or equivalent button. You should not pre-enable non-essential cookies and it should be as easy to refuse as to give consent so the consent mechanism should not use dark patterns eg by highlighting the acceptance button over the refusal button.
- Easily withdrawn - consent must be capable of being withdrawn as easily as it is given.
How to collect consent
Have a proper cookie notice/banner
Part of obtaining valid consent is to provide clear and transparent information. Often, this is provided using a cookie banner or notice which might link to more detailed information. An effective cookie banner should:
- provide information about the purpose of the cookie
- deselect consent by default (ie use an ‘opt-in’-model and not an ‘opt-out’)
- use clear language
- ensure it is not easier to accept cookies than to reject them (for example by including a 'reject all' button alongside any 'accept all' one)
- not use online choice architecture to hide certain choices
- not require extra clicks for refusal
- be transparent about revoking consent
- not confuse permission with legitimate interests.
Use a CMP
The choices made by a user need to be collected, recorded and acted upon so when designing your website, it is key to implement a consent management platform (CMP). Whether you use your own one or that of a third-party provider, you must ensure that the CMP allows you to collect valid user consent before cookies are dropped.
The CMP is not only necessary to collect consent, it must also allow users to reconsider their choices and change their cookies preferences at any time. It should allow users to withdraw consent, after which the cookies for which consent has been withdrawn should no longer be placed, updated or read from the user's browser.
Consent must be sought from any first-time visitor on a website. User choice regarding cookies should be recorded in such a way that they are not requested to make this choice again each time they visit the website. It is up to the website publisher to determine an appropriate interval between when users are required to select their preference and when the privacy preference selection expires (after which point users are given the opportunity to consent or refuse consent again). Some regulators have set a recommended retention period for users' cookie choices (eg six months in France).
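As an added example that is not from the article, the following JavaScript models the CMP behaviour described above as a small consent store: opt-in defaults, per-category choices, withdrawal that is as easy as giving consent, a retention interval after which the user is asked again (six months, the French recommendation the article mentions), and a gate that decides whether a cookie may be placed, updated or read. The category names, the consent record shape, the inventory format and all function names are assumptions.

```javascript
// Added example, not code from the article: a minimal consent store for a CMP.
// Assumptions (constructed): three categories, a plain-object consent record,
// and a six-month validity period for stored choices.
const CATEGORIES = ["functional", "analytical", "tracking"];
const CONSENT_MAX_AGE_MS = 182 * 24 * 60 * 60 * 1000; // about six months

// Opt-in model: only functional (exempt) cookies are enabled before any choice.
function defaultConsent(now = Date.now()) {
  return { timestamp: now,
           choices: { functional: true, analytical: false, tracking: false } };
}

// Record an explicit per-category choice made by a positive user action.
// Functional cookies cannot be refused (they are disclosed, not consented to).
function recordChoice(record, choices, now = Date.now()) {
  const updated = { ...record.choices };
  for (const cat of CATEGORIES) {
    if (cat !== "functional" && typeof choices[cat] === "boolean") {
      updated[cat] = choices[cat];
    }
  }
  return { timestamp: now, choices: updated };
}

// Withdrawal is as easy as giving consent: one call turns a category off.
function withdraw(record, category, now = Date.now()) {
  return recordChoice(record, { [category]: false }, now);
}

// A stored choice lapses after the retention interval; then the banner is shown again.
function needsPrompt(record, now = Date.now()) {
  return !record || now - record.timestamp > CONSENT_MAX_AGE_MS;
}

// Gate checked before a cookie of this category is placed, updated or read.
function mayUseCookie(record, category, now = Date.now()) {
  if (category === "functional") return true;
  if (needsPrompt(record, now)) return false;
  return record.choices[category] === true;
}

// Given the audit inventory [{ name, category }], list cookies that must no
// longer be placed, updated or read under the current consent record.
function cookiesToDelete(record, inventory, now = Date.now()) {
  return inventory
    .filter((c) => !mayUseCookie(record, c.category, now))
    .map((c) => c.name);
}
```

The inventory passed to cookiesToDelete is exactly what the cookie audit in the first step produces, so the same list drives both disclosure and enforcement.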
Secure your relationship with third parties involved in the deposit and management of cookies
You may want to use third parties to place cookies or otherwise track user behaviour when they navigate your website (eg analytics cookies may be used by audience measurement service providers, cookies can be used to collect and memorise user privacy preferences by CMP providers, cookies may be dropped by streaming video service providers whose content you have decided to include on your website…).
Although these are third-party cookies, you must ensure your partners do not use your website to set cookies that do not comply with applicable regulations. This makes it important to obtain all relevant information about the functioning of those cookies from the partner so you can confirm they are compliant and give your users the required accurate information about them before they are dropped.
To the extent the cookies involve the processing of personal data, you should also determine whether your provider acts as your processor or as a controller, and whether data is transferred outside the European Economic Area, as this will trigger additional regulatory requirements.
Be careful when using Google Analytics 4 (GA4)
If you use GA4, it is important to be aware of its settings. If you are using the most basic functions of GA4 (eg anonymisation of IP addresses), it can be argued that you do not need consent from users, but you still need to inform them about what you are doing. If you are using the user_ID, Google Signals and/or other marketing functionalities in GA4, then you are required to obtain consent from the users. The use of GA4 is controversial (with regard to data transfers as well as consent) and you should consult guidance from the European Data Protection Board and the European Data Protection Supervisor as well as your national regulator where available. It would be wise to err on the side of caution and obtain consent for all uses of GA4.
Beware cookie walls/'pay or consent' models
You cannot use so-called 'cookie walls' that only allow users to visit your website when they give their consent to your use of their personal data, because the lack of choice means any consent is not freely given. Some businesses, including Meta, have moved to a 'pay or consent' model in the EU in relation to using personal data for behavioural advertising (which will involve using tracking cookies). This model requires users to consent to behavioural advertising in return for a free service or to pay for an ad-free version. A recent EDPB opinion said that the model is not necessarily unlawful, provided there is a genuinely equivalent and free alternative to the service, rather than a binary choice between a paid-for, ad-free service and one supplied conditionally on user consent to behavioural advertising or tracking.
Watch out for special category data
Certain types of data are classed as requiring additional protection. This special category data covers data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. In principle, special category data may not be processed (and thus not collected through cookies). There are certain exceptions to this rule, one of which is where the user has given explicit consent for the processing for a specific purpose and there is no legislation that prevents such consent from being given by the user.
Be wary of combining information from different sources
A common pitfall is combining information from different sources to create profiles of website users/your customers (for example, combining information on previous purchases with targeted advertising offerings). However, this is only possible in very specific instances as it can seriously impact user privacy. You should take advice on this issue.
Be ready to demonstrate your compliance
Accountability is a cornerstone of GDPR and data protection laws. It requires you to document and demonstrate your compliance.
When it comes to cookies, it means that, not only should you be able to prove that you have collected user consent but also that the consent you have obtained is valid. This can be achieved by keeping a timestamped record of all information relating to the user’s consent (eg settings and layout of the CMP and information provided at the time consent was collected).
To the extent a cookie involves the processing of personal data, additional documentation needs to be kept and handed over to regulators on request. This may include data processing records, data processing agreements, joint-controllership agreements and/or data transfer agreements.
Staying up to date
Cookies have been an area of regulator scrutiny because they are so ubiquitous. Partly due to this, models are changing: for example, Google is moving away from third-party cookies to its Privacy Sandbox (although there are controversies around that), and IAB Europe has developed a Transparency and Consent Framework (TCF) for behavioural advertising, although that too has its issues. The important thing is to keep reviewing not only your use of cookies and similar technologies, but also regulator views and alternative options.