HOW TO DO COOKIES… THE GDPR* WAY
‘The DPC will use its powers under the GDPR and the Data Protection Act 2018 to initiate inquiries and investigations and to carry out inspections where required’.
Cue panic in the coming months.
Every website collects cookies. This post explains the regulations and detail behind this statement. But more importantly, it cuts through all the legalese and technical explanations and sets out the three main steps you need to take to make sure your cookie permissions are done the right way.
In April this year the Data Protection Commission published a report along with guidance on cookies. Data Controllers were given 6 months to get their cookies in order. The official line is that after 5 October 2020, the DPC will commence enforcement action against controllers who fail to comply.
What exactly are cookies
Cookies are created when you visit a website to keep track of your movements within the site, help you resume where you left off, and remember your registered login, theme selection, preferences, and other customisation. The website stores a file corresponding to the one it sets in your browser, and in this file it can track and keep information on your movements within the site and any information you may have voluntarily given while visiting the website, such as an email address. Here’s a great 3 minute explainer if you want to learn more.
Every website is collecting cookies
Even the use of Google Analytics means you’re collecting cookies and you need to get consent to do so. If you want to manually check what cookies your website is collecting you can click on the padlock in your Chrome browser like this:
How to get your cookies right
If you’re here to just get the lowdown on what you need to do to stay on the right side of the cookie law you need to know 3 things.
1. Make sure your cookies solution doesn’t serve up the cookies before the user consents.
Simply put, you shouldn’t be able to scroll until you’ve dealt with the cookie banner. Continuing on to view the website doesn’t count as consent. If you’re not managing your own website, your web developer should be able to sort this one for you. Web developers are not GDPR experts and they may just give you a generic cookies solution that doesn’t tick all the boxes.
2. Split your cookies into categories. Sort the essential from the optional.
Some cookies are needed to make your website work: these are functional cookies. Some are put there by third parties and track you as you move around the internet. A good cookies solution should split them out for you into functional, statistical and marketing.
3. Your website visitor only has to accept the functional cookies.
This is the only box that can be pre-ticked and served up by default. Your website visitor can choose whether they want to accept the rest of the cookies or not. This is called consent. To do consent the right way, make sure it’s an explicit “yes, I want these cookies”. Usually this is a short description with an empty tick box such as the image below.
Next time you visit a website try just accepting the basic cookies and you’ll start to see the value of choice.
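The three steps above can be enforced in code rather than left to the banner's wording. The sketch below is an added example, not code from the DPC guidance or from any particular cookies product; the tag inventory, URLs and function names are hypothetical.

```javascript
// Added example: consent gate for the three steps. All names are hypothetical.
const CATEGORIES = ["functional", "statistical", "marketing"];

// Constructed sample inventory: every tag the site wants to load, with its category.
const TAGS = [
  { name: "session", category: "functional", src: "/js/session.js" },
  { name: "analytics", category: "statistical", src: "https://analytics.example/tag.js" },
  { name: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
  { name: "chat-widget", category: undefined, src: "https://chat.example/w.js" },
];

// Step 3: only functional is on by default; every other box starts unticked.
function defaultConsent() {
  return { functional: true, statistical: false, marketing: false, decided: false };
}

// Record the visitor's choice. Only a literal `true` from a tick box counts as a yes;
// missing keys, other truthy values, or dismissing the banner all leave the box off.
function recordChoice(ticked) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "functional") consent[cat] = ticked != null && ticked[cat] === true;
  }
  consent.decided = true;
  return consent;
}

// Steps 1 and 2: a tag is served only if it has a known category and that
// category is consented to. Uncategorised tags are held back.
function allowedTags(tags, consent) {
  return tags.filter((t) => CATEGORIES.includes(t.category) && consent[t.category] === true);
}

// Tags nobody has sorted yet: these need a category before they can ever load.
function uncategorised(tags) {
  return tags.filter((t) => !CATEGORIES.includes(t.category)).map((t) => t.name);
}

// Browser wiring (does nothing outside a browser): inject only the allowed scripts.
function loadAllowed(tags, consent) {
  if (typeof document === "undefined") return 0;
  const allowed = allowedTags(tags, consent);
  for (const t of allowed) {
    const s = document.createElement("script");
    s.src = t.src;
    document.head.appendChild(s);
  }
  return allowed.length;
}
```

Calling `loadAllowed(TAGS, defaultConsent())` on page load and again with the result of `recordChoice(...)` once the banner is submitted keeps statistical and marketing scripts off the page until the visitor ticks their boxes.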
- Type of cookies
- Data which is tracked
- Time that cookies stay on a user’s browser
- Why the cookies are being used
- Where and with whom the data is being shared
How to reject cookies and change settings
Download the full guidance
Full cookies guidance from the Data Protection Commission can be found here.
*ePrivacy and GDPR - the background to cookie law
The regulations governing cookies are split between the GDPR and the ePrivacy Directive.
The proposed ePrivacy Regulation will replace the 2002 ePrivacy Directive (amended 2009), which gave us the Privacy and Electronic Communications Regulations (PECR).
The ePrivacy Regulation is a law in the making by the EU Commission. Its purpose is to ensure the “respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector” in the EU.
Once applied, the ePrivacy Regulation will replace the ePrivacy Directive which governs cookies currently.