The GDPR Cookies Policy
If your website sets cookies and has visitors in the EU, you must publish a Cookies Policy. We'll explain why and show you how to create, display and get consent to your Cookies Policy in accordance with GDPR requirements.
The GDPR is an EU privacy law that came into effect on 25th May, 2018. It is one of the strongest data protection laws in the world.
The law tells businesses:
- What data they may collect about visitors to their site
- How to store this information
- How to use the information
- What Privacy Policies must exist
- What consent they need to obtain from site visitors to collect their data
In simple terms, the GDPR has reformed how businesses handle and process data. It replaces earlier data protection rules which weren't designed to cope with today's digitalized world, and the amount of data we share online.
You might be wondering why we need the GDPR. The reality is that companies need some customer data to run their business. Consumers, however, want more control over their own information. The GDPR supports this right to privacy while reflecting business realities.
Under the GDPR, consumers now control:
- Who collects information about them
- What information is gathered
- How this information is used
- Whether any third parties get access to this information
A person has the right to withdraw consent at any time, and withdrawing must be as easy as giving it. If someone decides they no longer want you handling or storing their data on the basis of that consent, you must stop, unless you have another lawful basis (a legal obligation to keep records, for example) that still applies. This is in line with general EU principles of transparency, fairness, individual control, and decision-making based on full knowledge of the facts.
So, who does the GDPR apply to?
Who the GDPR Applies to
The simple answer is that the GDPR protects people in the EU from losing control of their personal information. The trigger is the location of the individual, not their citizenship, and your business can be anywhere in the world. The GDPR applies if your business:
- Offers goods or services to people in the EU
- Monitors the behaviour of people in the EU, for example by tracking visitors to your site
An example will help. Say you're based in Sydney, Australia, and you run a holiday resort. If anyone located in countries such as Italy, France, or Germany visits your website, you're responsible for the personal data captured about them.
You're subject to the GDPR whether you decide why and how the data is processed (a "controller") or process it on someone else's behalf (a "processor"); both roles carry obligations.
The GDPR doesn't apply if you're gathering data for purely personal or household reasons. If you have fewer than 250 employees, some record-keeping obligations are relaxed, but you're still answerable to the GDPR on everything else.
The GDPR and Personal Data
The GDPR doesn't simply apply to any data. It covers what's known as personal data. Personal data is, put simply, any data which identifies someone or can be used to identify someone. It can be something as obvious as a name, or something less obvious like an IP address or a pseudonym.
You shouldn't collect more personal data than you need to operate your business and understand consumer needs. For example, you don't need someone's Social Security Number if you're a fashion website.
Essentially, if you control or process personal data, it's covered by the GDPR.
Why are cookies relevant, then? It's a simple answer:
- Cookies can sometimes identify an individual, which makes them count as personal data
- Cookies collect and store information, so they're part of the data handling process
Cookies and the GDPR
Since cookies are so important to data collection, it's worth defining what they are.
When you visit a website, the site's server (or a script running on the page) sets a cookie in your browser. The cookie is a very small piece of data which the browser sends back with later requests, letting the website recognize you and remember your actions. This helps identify browsing trends and patterns. Cookies also:
- Help businesses show customers relevant ads
- Let websites remember someone's unique preferences, which improves the visitor experience
- Identify a user
Cookies are a powerful marketing and commercial tool, and businesses rely on them. The GDPR makes it mandatory for businesses to be honest about the cookies they install and what data they track.
This first example is a clause on "Cookies and Other Tracking Technologies" from WebMD. The clause tells visitors what they need to know about cookies and what the website does with them.
- That cookies are used
- What data is collected by them
- What happens to the data, and if it's shared with anyone
- How users can change cookie settings or revoke consent
Many businesses keep a separate Cookies Policy alongside their Privacy Policy rather than a single cookies clause. What's the benefit of this?
- Cookies are very important to data processing, and dedicating a separate policy to cookies shows users that you take privacy seriously
- Shorter policies are easier for users to glance through and understand
A separate Cookies Policy should explain:
- How you use the cookies, for example to keep a user signed in without re-entering their password each time they visit the site
- The types of cookies used on the site, whether they're for advertising, analytics, or customer convenience
- If information is transferred to or used by third parties
- How users can reject cookies, and how to turn them off
Consent, which is freely given in full knowledge of how cookies are used, underpins the GDPR cookie regulations.
Gymshark explains that cookies will be used for remembering the customer, and why this is important. In this case, the customer is remembered so they can access their wishlist the next time they visit the site:
It's also clear how to delete cookies and turn the feature off:
Obtaining Consent to Place Cookies
When you're obtaining consent to cookie placement, you should ensure that:
- You're honest about the cookies you're placing on devices
- It's clear why you need the information you're collecting
- The consent is unambiguous, meaning users know exactly what they are consenting to before they proceed to use your site. Silence, pre-ticked boxes, or simply continuing to browse don't count as consent
- You use a banner, or a pop-up, because the user must engage with this notice before non-essential cookies are placed; until they make a choice, only cookies that are strictly necessary for the site to work may be set
- It's easy to adjust, revoke, or deny consent
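The consent requirements above translate into a small piece of logic that every cookie-setting code path on the site has to go through. The following is an added example in JavaScript, not code from the original article or from any of the sites it mentions: non-necessary cookies are refused until the visitor records a choice, nothing is pre-ticked, withdrawing consent deletes the cookies set under it, and a consent record that is missing, written under an older version of the policy, or too old causes the banner to be shown again. The cookie names, the two optional categories, and the six-month re-consent interval are assumptions chosen for illustration; an in-memory jar stands in for `document.cookie` so the example runs outside a browser.

```javascript
// Added example (not from the original article): a consent-gated cookie manager.
// Cookie names, the category list and the re-consent interval are assumptions.

// In-memory stand-in for document.cookie so the example runs outside a browser.
// A real deployment would read and write document.cookie (with Secure, SameSite
// and an expiry) behind the same four methods.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.get(name); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

// Categories the banner offers. Only "necessary" may be set without consent;
// every other category starts as "not consented" (no pre-ticked boxes).
const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];
const CONSENT_COOKIE = 'cookie_consent';          // assumed name for the consent record
const CONSENT_VERSION = 1;                        // bump when the Cookies Policy changes
const RECONSENT_MS = 182 * 24 * 60 * 60 * 1000;   // assumed: ask again after ~6 months

class ConsentManager {
  // `now` is injectable so expiry can be tested deterministically.
  constructor(jar, now = () => Date.now()) {
    this.jar = jar;
    this.now = now;
    this.owners = new Map();          // cookie name -> category, used for revocation
    this.consent = this.loadConsent() || this.noConsent();
  }

  noConsent() {
    return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
  }

  // Returns the recorded choices, or null when there is no usable decision:
  // missing record, unparseable, written under an older policy version, or too old.
  loadConsent() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    if (rec.version !== CONSENT_VERSION) return null;
    if (typeof rec.timestamp !== 'number' || this.now() - rec.timestamp > RECONSENT_MS) return null;
    const choices = this.noConsent();
    for (const c of OPTIONAL_CATEGORIES) choices[c] = rec[c] === true;
    return choices;
  }

  // The banner must be shown whenever no valid decision is on record.
  // A recorded refusal is still a decision, so it does not re-trigger the banner.
  needsBanner() {
    return this.loadConsent() === null;
  }

  // Record an explicit choice. Only a literal `true` opts a category in.
  grantConsent(choices) {
    const rec = { version: CONSENT_VERSION, timestamp: this.now() };
    this.consent = this.noConsent();
    for (const c of OPTIONAL_CATEGORIES) {
      rec[c] = choices[c] === true;
      this.consent[c] = rec[c];
    }
    // The consent record itself is strictly necessary, so it is set without consent.
    this.jar.set(CONSENT_COOKIE, JSON.stringify(rec));
    this.purgeUnconsented();
  }

  // Withdrawing consent is just recording "no" for every optional category.
  revokeConsent() {
    this.grantConsent({});
  }

  // The gate every cookie-setting code path must go through. Returns whether the cookie was set.
  setCookie(name, value, category) {
    if (category !== 'necessary' && !OPTIONAL_CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (category !== 'necessary' && !this.consent[category]) return false;
    this.owners.set(name, category);
    this.jar.set(name, value);
    return true;
  }

  // Delete every cookie this manager set under a category that is no longer consented.
  purgeUnconsented() {
    for (const [name, category] of this.owners) {
      if (category !== 'necessary' && !this.consent[category]) {
        this.jar.remove(name);
        this.owners.delete(name);
      }
    }
  }
}

// Walk through the banner flow once and report what ended up in the jar.
function demo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar);
  const before = cm.needsBanner();                              // true: nothing decided yet
  cm.setCookie('session_id', 'abc123', 'necessary');            // allowed without consent
  const blocked = cm.setCookie('_ga', 'GA1.2.1', 'analytics');  // false: not yet consented
  cm.grantConsent({ analytics: true });                         // visitor ticks "analytics" only
  cm.setCookie('_ga', 'GA1.2.1', 'analytics');                  // now allowed
  cm.revokeConsent();                                           // visitor withdraws; _ga is deleted
  return { bannerBefore: before, analyticsBlockedBefore: blocked, cookiesAfterRevoke: jar.names() };
}

console.log(JSON.stringify(demo()));
```

The design point is that consent state lives in one place and `setCookie` is the only way cookies get written, so a third-party tag cannot be loaded ahead of the decision by accident; in a real page the analytics or advertising script itself would be loaded only after `consent[category]` is true, and the same revocation hook would also clear that vendor's cookies by name.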
Make sure your GDPR Cookies Policy:
- Is clearly written
- Discloses what cookies you collect, what you use them for and if you share their data with any third parties
- Is linked from, or summarized in, a cookie consent banner or pop-up that appears before any non-essential cookies are set