GDPR compliance and use of cookies

It's hard to avoid pop-ups asking if we want to accept cookies. Read on to learn more about how cookies and GDPR intersect.

18-04-2024 - 6 minute read. Posted in: gdpr.


When we roam the internet, we can hardly avoid the pop-up asking whether we want to accept cookies. Mostly we just say yes to get rid of the pop-up, and this is usually no problem. But if we look a bit closer, cookies actually hold a lot of user information.

So that is what we're going to do. Read on to learn how cookies and the GDPR are connected and what to be cautious of when you decide how much information cookies should be allowed to collect.

Unfolding cookies

We should first and foremost take a closer look at cookies and what they actually do to our user experience.

Cookies are small text files which websites can place in the browser on your device. They cannot function outside a browser; they store information from that browser and can therefore track your movements within it (if you have accepted the cookies).

Cookies are, generally speaking, a harmless feature and actually serve a crucial function in giving you the best user experience. For example, they remember the contents of your shopping basket while you shop online, they save your settings more generally, and they help ensure that a website functions as it should, that its graphics display correctly and that your experience is smooth.

Cookies can be divided into several categories, which you have perhaps noticed when asked to accept or decline them. You can accept the necessary cookies, which are the cookies that ensure a smooth experience, correct graphics, etc. Then there are the statistics cookies, which track your activity and use it for statistical purposes, usually for the company that owns the website, so it knows how users interact with the site. Finally there are advertisement cookies, which use the information to target advertisements to your interests instead of showing you general ads.

Cookies' different purposes

We’ve already touched upon the use of cookies and their purpose, but we can take an even more detailed look:

  • Session cookies expire once you close the browser you are active in; when you close it, your settings and information are deleted.
  • Unlike session cookies, persistent cookies keep the information even after you close the browser. Your information is stored for a longer period, and this duration can vary; this is an aspect we'll get back to.
  • There is also a difference between first-party and third-party cookies. First-party cookies are set by the website's own provider and are directly linked to the website. Third-party cookies are placed on your device by a third party (e.g. an advertiser or a statistics system).

You might have met people complaining about the risks of cookies, saying that they steal information etc. Usually they are talking about cookies used for marketing and advertisement, and about third-party cookies.

These cookies contain a lot of information about your online activity and how you use the internet, and that information can be compromised and potentially used against you. With these types of cookies, the responsibility for your data is less clear, and it has become a lot more complicated to decide who should be held accountable for it. This is one of the reasons why third-party cookie use has been in decline since its emergence.

The connection between cookies and GDPR

You might already have caught onto the connection between cookies and the GDPR: cookies store a very large amount of user data. This data can be personal information, and as soon as it becomes personal, the GDPR comes into play, especially for the persistent cookies that store your information for a longer period of time.

Following the integration of technology into our everyday lives, the EU introduced the ePrivacy Directive, which works as a supplement to the GDPR. The ePrivacy Directive focuses mainly on cookies and the digital processing of personal data, and thus protects people's online privacy.

The ePrivacy Directive has, among other things, focused on timed cookies and how long they retain user data. According to the ePrivacy Directive, a website should not retain user data for longer than 12 months. In practice this can be challenged, since most users have to take action and remove persistent cookies themselves.
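The cookie types listed above (session vs. persistent, first-party vs. third-party) and the 12-month retention limit just mentioned can all be read off the Set-Cookie headers a page receives. The following Python script is an added example, not code from the original article or from Moxso: it parses constructed Set-Cookie headers, classifies each cookie, and flags persistent cookies that would outlive 12 months. The hosts, cookie names and values are invented, "12 months" is taken to mean 365 days, and the site comparison uses a crude last-two-labels rule that a real audit should replace with the Public Suffix List.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Assumption for this example: the article's "12 months" is treated as 365 days.
TWELVE_MONTHS_SECONDS = 365 * 24 * 60 * 60


@dataclass
class CookieAudit:
    name: str
    persistent: bool                  # survives closing the browser?
    lifetime_seconds: Optional[int]   # None for session cookies
    third_party: bool                 # set for a different site than the page being viewed
    exceeds_12_months: bool


def registrable_domain(host: str) -> str:
    """Crude 'site' approximation: the last two labels of the host name.
    Real code should use the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, object]]:
    """Split a Set-Cookie header into (cookie name, attributes) with lower-cased keys."""
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].split("=", 1)[0].strip()
    attrs: Dict[str, object] = {}
    for piece in pieces[1:]:
        if "=" in piece:
            key, value = piece.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif piece:
            attrs[piece.lower()] = True   # flag attributes such as Secure, HttpOnly
    return name, attrs


def audit_set_cookie(header: str, response_host: str, page_host: str, now: datetime) -> CookieAudit:
    """Classify one Set-Cookie header received by a page on page_host from response_host."""
    name, attrs = parse_set_cookie(header)
    lifetime: Optional[int] = None
    if "max-age" in attrs:                      # RFC 6265: Max-Age takes precedence over Expires
        lifetime = int(str(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(str(attrs["expires"]))
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = int((expires - now).total_seconds())
    persistent = lifetime is not None           # no Max-Age/Expires means a session cookie
    cookie_host = str(attrs.get("domain", response_host)).lstrip(".")
    third_party = registrable_domain(cookie_host) != registrable_domain(page_host)
    exceeds = persistent and lifetime > TWELVE_MONTHS_SECONDS
    return CookieAudit(name, persistent, lifetime, third_party, exceeds)


# Constructed sample: headers a page on shop.example might receive, including one
# from an advertising host. Hosts, names and values are invented for this example.
SAMPLE_NOW = datetime(2024, 4, 18, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("shop.example", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("shop.example", "cart=item42; Max-Age=2592000; Path=/"),
    ("ads.example", "_track=u789; Expires=Wed, 01 Jan 2030 00:00:00 GMT; Domain=.ads.example"),
]


def run_sample_audit(page_host: str = "shop.example") -> List[CookieAudit]:
    """Audit every constructed header as if received by a page on page_host."""
    return [audit_set_cookie(h, host, page_host, SAMPLE_NOW) for host, h in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for result in run_sample_audit():
        print(result)
```

Run it and the session cookie comes out as first-party and non-persistent, the 30-day cart cookie as first-party and persistent but within the limit, and the advertising cookie as third-party, persistent and beyond 12 months; that last row is the kind of finding a consent review would need to justify or remove.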

Cookies and cookie compliance are not really mentioned in the GDPR except in Recital 30, which essentially states that cookies count as personal data, meaning that cookies are subject to the GDPR.

Compliance and cookies

The ePrivacy Directive is actually what led to the proliferation of consent pop-ups (i.e. the ones we cannot avoid when we visit almost any website). The pop-up ensures that the user gives consent to the collection of data, and we can furthermore choose how much data we share and what types of data the website is allowed to collect.

The directive made it a lot clearer what a website is allowed to do with our data and what the purpose of the data sharing is.

For website providers, the directive also means that they are protected in cases where a user might claim they never gave consent. The pop-up functions as a record of approval which we essentially sign when we agree or disagree to the use of cookies (and to which cookies we accept or decline).

The website saves these settings and can thus produce the recorded consent in any case where it is questioned.

One of the most important things the GDPR and the ePrivacy Directive have given us is the right to withdraw consent at any time. This transparency helps users as well as service providers to make consent clear and, more importantly, easy to withdraw.
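The two requirements just described, keeping a record of what each visitor agreed to so it can be produced later and letting the visitor withdraw at any time, are straightforward to implement as an append-only consent log. The Python below is an added illustration, not code from the article or from Moxso; the category names follow the article, while the visitor identifier, notice version strings and the receipt format are assumptions made for the example. Withdrawal is recorded as a new event rather than by deleting history, so the evidence of earlier consent survives.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Cookie categories as described in the article; "necessary" never requires consent.
CATEGORIES = ("necessary", "statistics", "advertisement")


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str           # pseudonymous visitor id (assumption: assigned by the site)
    timestamp: str            # ISO 8601, UTC
    policy_version: str       # version of the cookie notice the visitor was shown
    action: str               # "grant" or "withdraw"
    choices: Dict[str, bool]  # category -> permitted?


class ConsentLog:
    """Append-only record of consent decisions, one history per visitor."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    @staticmethod
    def _normalise(choices: Dict[str, bool]) -> Dict[str, bool]:
        unknown = set(choices) - set(CATEGORIES)
        if unknown:
            raise ValueError(f"unknown cookie categories: {sorted(unknown)}")
        # Necessary cookies are always permitted; every other category defaults to refused.
        return {c: True if c == "necessary" else bool(choices.get(c, False)) for c in CATEGORIES}

    def _append(self, subject_id: str, policy_version: str, action: str,
                choices: Dict[str, bool], now: datetime) -> ConsentEvent:
        event = ConsentEvent(subject_id, now.astimezone(timezone.utc).isoformat(),
                             policy_version, action, self._normalise(choices))
        self._events.setdefault(subject_id, []).append(event)
        return event

    def grant(self, subject_id: str, choices: Dict[str, bool],
              policy_version: str, now: datetime) -> ConsentEvent:
        return self._append(subject_id, policy_version, "grant", choices, now)

    def withdraw(self, subject_id: str, policy_version: str, now: datetime) -> ConsentEvent:
        # Withdrawal appends a refuse-everything event; earlier events are kept as evidence.
        return self._append(subject_id, policy_version, "withdraw", {}, now)

    def history(self, subject_id: str) -> List[ConsentEvent]:
        return list(self._events.get(subject_id, []))

    def current(self, subject_id: str) -> Dict[str, bool]:
        """The choices in force now: the latest event, or only necessary cookies if none."""
        events = self._events.get(subject_id)
        return dict(events[-1].choices) if events else self._normalise({})

    def allowed(self, subject_id: str, category: str) -> bool:
        return self.current(subject_id).get(category, False)

    def receipt(self, subject_id: str) -> str:
        """Canonical JSON of the visitor's history plus a SHA-256 digest, for use as evidence."""
        entries = [asdict(e) for e in self._events.get(subject_id, [])]
        body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
        digest = hashlib.sha256(body.encode()).hexdigest()
        return json.dumps({"history": entries, "sha256": digest}, sort_keys=True)


def demo() -> ConsentLog:
    """Constructed walkthrough: a visitor accepts statistics cookies only, then withdraws."""
    log = ConsentLog()
    t0 = datetime(2024, 4, 18, 9, 0, tzinfo=timezone.utc)
    log.grant("visitor-42", {"statistics": True, "advertisement": False}, "notice-v3", t0)
    log.withdraw("visitor-42", "notice-v3", t0.replace(hour=10))
    return log


if __name__ == "__main__":
    print(demo().receipt("visitor-42"))
```

The `policy_version` field matters in practice: when the wording of the cookie notice changes, consent collected under the old version should be re-requested, and the log shows exactly which text each visitor agreed to.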

The future of digital security

The ePrivacy Directive was introduced at the beginning of the 2000s, which means that a lot has changed since then.

The EU has therefore proposed reforming the ePrivacy Directive into an ePrivacy Regulation that takes account of the newer aspects of keeping our personal data secure online.

The new regulation should simplify the cookie rules, protect users from spam and set stronger rules, e.g. requiring people's permission before sending them marketing messages instead of the user having to actively unsubscribe from or cancel direct marketing.

All this points to a better and more secure future for the personal data we have online. Until the regulation is fully developed and, hopefully, officially introduced, all we can do is consider which cookies we accept and remember our rights under the GDPR, whether that concerns what we accept or whether we wish to withdraw our information from a website.

Author Caroline Preisler


Caroline is a copywriter here at Moxso alongside her studies. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding, and these elements are incorporated into the copywriting work she does here at Moxso.
