GDPR compliance and use of cookies

It's hard to avoid pop-ups asking if we want to accept cookies. Read on to learn more about how cookies and GDPR intersect.

18-04-2024 - 10 minute read. Posted in: gdpr.


GDPR and cookies

When we roam the internet, we almost can’t avoid the pop-up asking if we want to accept cookies. Mostly we just say yes to get rid of the pop-up, and this is usually no problem. But if we look a bit closer, cookies actually hold a lot of user information. Cookies frequently collect personal data in the GDPR sense, which means they can gather sensitive information, and processing it requires user consent. Website owners are obliged to handle personal data lawfully and to obtain explicit consent from users before such processing. If you want to understand more about what personal data includes and how it's protected, explore our guide here.

So, that is what we’re going to do! Read on to learn how cookies and the GDPR are connected and what to be cautious of when you decide how much information cookies should be allowed to collect.

What are cookies and how do they work?

We should first and foremost take a closer look at cookies and what they actually do to our user experience.

Cookies are small text files that websites store on your browser. They only work within a browser and save information from it, allowing them to track your activity on that browser if you have accepted the cookies.

Cookies are, generally speaking, a harmless feature and actually serve a pretty crucial function for a good user experience. They save, for example, the contents of your shopping basket while you shop online, and more generally they remember settings and ensure that a website functions as it should, that graphics render correctly and that you have a smooth experience. Under the GDPR, cookies often relate to identifiable individuals, or 'data subjects'. Explicit consent must be obtained from users before personal data is processed, and data controllers and processors must ensure compliance with these rules.

We can divide cookies into several categories, which you have perhaps noticed when asked to accept or decline the use of cookies. You can accept the necessary cookies, which are the cookies that ensure a smooth experience, correct graphics etc. Then there are the statistics cookies that track your activity and use it for statistical purposes, usually for the company that owns the website, so it knows how users interact with the site. Finally, there are advertisement cookies that use the information to target advertisements to your interests instead of showing you general ads.

We’ve already touched upon the use of cookies and their purpose, but we can take an even more detailed look:

  • Session cookies expire once you close the browser you’re active in – as soon as you close it, your settings and information are deleted.

  • In contrast to session cookies, persistent cookies keep the information even after you close the browser. Your information is stored for a longer period of time, and that duration can vary – this is an aspect we’ll get back to.

  • There’s also a difference between first-party cookies and third-party cookies. First-party cookies are set by the website’s own provider and are directly linked to the website. Third-party cookies are placed on your device by a third party (e.g. an advertiser or an analytics service).

It is crucial to obtain prior consent for the use of cookies. Consent must be clear, informed, and obtained through active user behavior, ensuring compliance with EU guidelines.

You might have met people complaining about the risk of using cookies and that they steal information etc., and here they’re usually talking about cookies used for marketing, advertisement, and third-party cookies.

These cookies contain a lot of information about your online activity and how you use the internet - that can be compromised and potentially used against you. The responsibility of your data is put into question when it comes to these types of cookies, and it has become a lot more complicated as to who should be held accountable for it – this is one of the reasons why third-party cookie use has been in decline since its emergence.

Understanding the GDPR and cookies

The General Data Protection Regulation (GDPR) is a comprehensive set of regulations implemented by the European Union (EU) to protect the privacy and personal data of EU citizens. The GDPR defines “personal data” as any information relating to an identified or identifiable natural person. This broad definition means that cookies, which can track and store user information, are considered personal data under GDPR.

The GDPR aims to give individuals more control over their personal data and to ensure that organizations process this data responsibly. Since cookies can collect a significant amount of personal data, such as browsing history and preferences, they fall under the purview of GDPR. This means that websites must handle cookies with the same level of care and transparency as any other form of personal data. If you want a quick overview of what GDPR covers and why it matters, learn more in our five-minute guide.

The connection between cookies and general data protection regulation

You might have caught onto the connection between cookies and the GDPR: cookies store a very large amount of user data. This data can be personal information, and as soon as it becomes personal, the GDPR comes into play – especially for the persistent cookies that store your information for a longer period of time. Data protection authorities provide guidance and recommendations on cookie consent mechanisms to ensure compliance with regulations like the GDPR.

Following the integration of technology into our everyday lives, the EU introduced the ePrivacy Directive, which works as a supplement to the GDPR. The ePrivacy Directive focuses mainly on cookies and the digital processing of personal data, and thereby protects people’s online privacy. The European Data Protection Board (EDPB) has updated its guidelines on consent mechanisms for cookie usage, clarifying the legal requirements for collecting consent and managing cookies on websites.

The ePrivacy Directive has, among other things, focused on timed cookies and how long they may retain user data. According to the ePrivacy Directive, a website should not retain user data for longer than 12 months – in practice this is hard to enforce, since most users have to take action and remove the persistent cookies themselves. If you’re curious about what the ePrivacy Directive covers and how it complements the GDPR, explore our guide here.

Cookies and cookie compliance are not really mentioned in the GDPR, except in Recital 30, which essentially states that cookies can constitute personal data, meaning that cookies are subject to the GDPR.

Compliance and cookies that collect personal data

The ePrivacy Directive is actually what led to the proliferation of consent pop-ups (i.e. the ones we cannot avoid when we visit almost any website), as it requires websites to obtain explicit user consent before placing cookies on devices. Consent must be specific, informed, and freely given.

This ensures that the user gives consent to the collection of data and we can furthermore choose how much data we share, as well as what type of data the website is allowed to collect.

The directive made it a lot clearer as to what the website is allowed to do with our data and what the purpose of the data sharing is.

For website providers, the directive also means that they are protected in cases where a user might claim they didn’t give consent. The pop-up functions as a record of approval that we essentially sign when we agree or disagree to the use of cookies (and indicate which cookies we accept or decline).

The website saves these settings, and they can thus show the approved consent in any case where it’s questioned.

One of the most important things the GDPR and the ePrivacy Directive have given us is the right to withdraw consent – at any given time. This transparency helps users as well as service providers to make the consent clear and, more importantly, easy to withdraw.

GDPR requirements for cookies

Under the GDPR, websites are required to obtain explicit consent from users before placing cookies on their devices that collect personal data. This means that websites must inform users about the types of cookies used, their purposes, and obtain their consent before any cookies are set or read on their devices. This process is often facilitated through cookie consent banners or pop-ups that appear when a user first visits a website.

The GDPR also mandates that websites provide users with granular choices on which cookie categories they wish to opt into. For example, users should be able to choose whether they want to accept only necessary cookies or also allow cookies for analytics and advertising purposes. This ensures that users have control over their personal data and can make informed decisions about their privacy.

A cookie policy is a document that explains to users how a website uses cookies, what types of cookies are used, and how users can manage their cookie preferences. A well-crafted cookie policy is essential for GDPR compliance and helps build trust with users by being transparent about data collection practices.

The cookie policy must clearly explain the types of cookies used, such as session cookies, persistent cookies, first-party cookies, and third-party cookies. It should also detail the purpose of each type of cookie, such as improving website functionality, tracking user behavior, or personalizing content. Additionally, the policy should provide information on third-party cookies and the third parties responsible for them, ensuring users are aware of any external entities that may have access to their data. Finally, the policy should explain how users can manage their cookie preferences, including how to accept, reject, or delete cookies.

Managing cookie consent involves obtaining clear and informed consent from website visitors for the use of cookies that collect their personal data. This can be achieved through the use of a cookie consent banner that informs users about the types of cookies used and provides them with the option to accept or reject cookies. The banner should be designed to be user-friendly and provide all necessary information in a clear and concise manner.

The GDPR requires that websites provide users with the ability to withdraw their consent at any time, and that opting out must be as easy as it was to opt in. This means that users should be able to change their cookie preferences or revoke their consent without any hassle. Websites must also ensure that they have appropriate security measures in place to protect the personal data collected through cookies. By adhering to these requirements, websites can ensure they are compliant with GDPR and respect the privacy of their users.
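To make these requirements concrete, here is an added example (not code from the original post) of a small server-side consent model in JavaScript. It covers the cookie categories and session/persistent distinction from the earlier section, and the prior consent, granular choice, withdrawal and 12-month retention points from this one; the cookie names, categories and lifetimes in the registry, and the function names, are constructed for illustration.

```javascript
// Constructed example: consent-gated cookie handling on the server side.
const CATEGORIES = ["necessary", "statistics", "advertising"];
// Cap on persistent cookie lifetime, matching the 12-month limit described above.
const MAX_PERSISTENT_SECONDS = 365 * 24 * 60 * 60;

// Sample cookie registry (constructed): every cookie the site sets is classified.
const COOKIE_REGISTRY = {
  session_id: { category: "necessary", persistent: false },
  cart: { category: "necessary", persistent: true, maxAge: 7 * 24 * 3600 },
  _stats_uid: { category: "statistics", persistent: true, maxAge: 2 * 365 * 24 * 3600 },
  ad_profile: { category: "advertising", persistent: true, maxAge: 400 * 24 * 3600 },
};

// Stores the user's granular choices as a dated record the site can later
// produce as proof of consent. Necessary cookies never require consent.
function recordConsent(choices, now = Date.now()) {
  const granted = { necessary: true };
  for (const c of CATEGORIES) {
    if (c !== "necessary") granted[c] = choices[c] === true;
  }
  return { granted, timestamp: now, version: "v1" };
}

// Withdrawal must be as easy as opting in: flip one category off and return
// the Set-Cookie headers that delete every cookie in that category.
function withdrawConsent(record, category, now = Date.now()) {
  const updated = { ...record, granted: { ...record.granted, [category]: false }, timestamp: now };
  const clearHeaders = Object.entries(COOKIE_REGISTRY)
    .filter(([, meta]) => meta.category === category)
    .map(([name]) => `${name}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax`);
  return { record: updated, clearHeaders };
}

// Builds a Set-Cookie header only when consent covers the cookie's category;
// returns null when the cookie must not be set. Persistent lifetimes are capped.
function setCookieHeader(name, value, record) {
  const meta = COOKIE_REGISTRY[name];
  if (!meta) throw new Error(`unregistered cookie: ${name}`);
  const allowed = meta.category === "necessary" || (record && record.granted[meta.category] === true);
  if (!allowed) return null;
  let header = `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
  if (meta.persistent) header += `; Max-Age=${Math.min(meta.maxAge, MAX_PERSISTENT_SECONDS)}`;
  return header;
}
```

Because every cookie must appear in the registry, an unclassified cookie fails loudly instead of slipping past the consent check.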

The future of digital security and appropriate security measures

The ePrivacy Directive was introduced at the beginning of the 2000s, which means that a lot has changed since then. Data protection authorities play a crucial role in shaping future regulations and ensuring compliance with new standards.

The EU has therefore suggested a reform of the ePrivacy Directive to make an ePrivacy Regulation that considers all the newer aspects of online security of our personal data.

The new regulation is intended to simplify cookie rules, protect users from spam and set stronger requirements, e.g. requiring people’s permission before marketing messages are sent, instead of the user having to actively unsubscribe from or cancel direct marketing.

All of this points to a better and more secure future for the personal data we have online. Until the regulations are fully developed and, hopefully, officially adopted as the successor to the ePrivacy Directive, all we can do is consider which cookies we accept and remember our rights under the GDPR, whether that concerns what we accept or our wish to withdraw our information from a website.

Author: Sarah Krarup

Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
