The beginner's guide to cookies - use, necessity and compliance

Jan 17, 2019 | Data Privacy

Cookies are an indispensable tool for the online marketing strategies of all organisations, large and small. Cookies play an important role not only in targeting advertisements to an audience, but also in analysing the effectiveness of the marketing campaigns run by organisations. Please see our blogpost on Online Marketing for more details.

In this blog post we will provide certain insights on different types of cookies, their regulation from the perspective of the GDPR and ePrivacy Directive, and the practical steps to consider before implementing cookies on your website.

What is a cookie?

According to the Information Commissioner’s Office (“ICO”), “a cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to originating website on each subsequent visit. They allow a website to recognise the user’s device.” Bear in mind that there are different types of cookies serving different purposes and storing personal data for different durations.

What are the different types of cookies?

Cookies are mostly used for tailoring website campaigns, analysing online user behaviour and targeting advertisements. To render these services, the cookie stores information about the user’s visit, the amount of time spent, and the items viewed on a particular website.

Cookies can be categorised based on their lifespan and the domain to which they belong. The lifespan of a cookie can also help determine whether a particular cookie is necessary.

Based on the lifespan, cookies may be of the following types:

  1. Session cookies: They are usually strictly necessary cookies that enable the transmission of a communication or enable a user to move from one page of a website to another, and are automatically deleted when the browser is closed by the user or when the session expires; and
  2. Persistent cookies: They remain on the computer/hard drive of the user for a pre-determined period of time.

Based on the domain to which they belong, cookies may be of the following types:

  1. First-party cookies: They are set by the web server of the visited page and share the same domain;
  2. Third-party cookies: They are set by a third party and stored under a domain that is different to that of the visited page.
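As an added illustration (not code from the original post), the classifier below labels Set-Cookie headers along the two axes just described, lifespan and domain, and so gives a starting point for inventorying the cookies a page sets. The page URL, response URLs and headers are constructed samples, and the registrable-domain rule is a deliberate simplification.

```python
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

@dataclass
class CookieRecord:
    name: str
    lifespan: str   # "session", "persistent" or "deleted"
    party: str      # "first-party" or "third-party"

def registrable_domain(host: str) -> str:
    # Simplification: keep the last two labels. A real audit should use the
    # Public Suffix List so that "example.co.uk" is not reduced to "co.uk".
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(set_cookie: str, response_url: str, page_url: str) -> CookieRecord:
    head, *attrs = [part.strip() for part in set_cookie.split(";")]
    name = head.split("=", 1)[0].strip()
    attr = {}
    for item in attrs:
        key, _, value = item.partition("=")
        attr[key.strip().lower()] = value.strip()
    max_age = None
    if attr.get("max-age", "").lstrip("-").isdigit():
        max_age = int(attr["max-age"])      # malformed Max-Age is ignored, as browsers do
    if max_age is not None and max_age <= 0:
        lifespan = "deleted"                # zero or negative Max-Age removes the cookie
    elif max_age is not None or "expires" in attr:
        lifespan = "persistent"             # Expires dates are not parsed in this example
    else:
        lifespan = "session"                # no Max-Age/Expires: discarded on browser close
    # Party is decided by who set the cookie relative to the visited page.
    setter = urlsplit(response_url).hostname or ""
    page = urlsplit(page_url).hostname or ""
    same_site = registrable_domain(setter) == registrable_domain(page)
    return CookieRecord(name, lifespan, "first-party" if same_site else "third-party")

PAGE_URL = "https://shop.example/cart"
SAMPLE_RESPONSES: List[Tuple[str, str]] = [  # constructed sample, not real traffic
    ("https://shop.example/cart", "cart_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://shop.example/cart", "prefs=dark; Max-Age=2592000; Path=/"),
    ("https://ads.tracker-example.net/pixel", "uid=xyz; Expires=Fri, 31 Dec 2027 23:59:59 GMT"),
    ("https://shop.example/logout", "cart_id=; Max-Age=0; Path=/"),
]

def inventory(responses=SAMPLE_RESPONSES, page_url=PAGE_URL) -> List[CookieRecord]:
    """Build the cookie inventory for one page visit from the responses it triggered."""
    return [classify(header, url, page_url) for url, header in responses]
```

Whether a session cookie is actually "strictly necessary" depends on its purpose, so the inventory is an input to that assessment rather than the assessment itself.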

What laws should you bear in mind while applying cookies?

Since cookies can act as unique identifiers of a computer, the online movements of that particular computer can be traced and personal data can be collected, thereby attracting the applicability of the European personal data protection regime. This includes the general law on data protection, i.e., the GDPR, and the law regulating privacy in electronic communications, i.e., Directive 2002/58/EC as amended by Directive 2009/136/EC (‘ePrivacy Directive’) and its local implementing legislation in each State.

What is the lawful basis for processing personal data using cookies? 

In most cases, the ePrivacy Directive mandates prior consent for processing personal data using cookies and similar tracking technologies. It clarifies, however, that the standard of consent should be the same as that provided in the GDPR. For more information on consent, please see our blogpost on consent.

As per Article 5(3) of the ePrivacy Directive “[…] the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller [...]” 

Under this provision, placing any cookie, whether first party or third party, on a user’s device or browser must be preceded by the informed consent of the user. Applications using cookies or similar technologies should also be compliant with the ePrivacy Directive. Please note, however, that certain cookies are exempted from the consent requirement under the ePrivacy Directive and/or the local ePrivacy law of the State.

Are there instances where cookies can be placed without prior consent of users? 

Yes; strictly necessary cookies (usually session cookies) can be placed without consent since they facilitate the very transmission of a communication or delivery of a service. 

This exception is embodied in Article 5(3) of the ePrivacy Directive which states as follows:

“[…] This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”

For example, first-party cookies which keep track of the user’s input while filling an e-shopping cart for the duration of that session are necessary for the delivery of a service. Therefore, they would be exempt from the consent requirement. However, even then, sufficient information about these cookies must be provided to the users.

States may allow additional exceptions to the consent requirement in their local ePrivacy implementation legislation. For instance, under the Dutch Telecommunicatiewet, technologies that are used to collect information on the quality and effectiveness of a requested service and have little or no effect on the privacy of the user of the service, do not require consent. In fact, the Dutch supervisory authority provides specific guidelines to use the popular Google Analytics service in a privacy friendly way. These differences between State implementation laws are set to be ironed out with the much-anticipated enforcement of the ePrivacy Regulation. 

What should I do if I place a cookie on a user’s computer?

As stated above, ordinarily prior consent of the user is required before placing a cookie or any other similar identifier on the user’s computer. The challenging part of placing cookies on an individual’s computer is putting in place measures that will ensure that the consent from the user is received in accordance with the GDPR. GDPR defines consent as ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’. Please refer to our blogpost on ‘consent’ for more information.

Based on the requirements of consent, the user should indicate his or her consent either by expressly clicking a button or taking similar action, or by implicit consent. However, implicit consent is difficult to achieve since you need to make sure the user is provided with clear and relevant information about his/her access to the site. ICO states that “to be confident in this regard the provider must ensure that clear and relevant information is readily available to users explaining what is likely to happen while the user is accessing the site and what choices the user has in terms of controlling what happens.” Implicit consent should be the product of a shared understanding between you as a website owner and the users.

Browser settings can be an option for obtaining consent if they allow the subscriber to indicate their consent to cookies. However, with current technology most browsers are not capable of providing such an option. Therefore, you cannot rely solely on browser settings, although this may change when the ePrivacy Regulation is in force.

A recent incident that demonstrates the trickiness of obtaining consent compliant with the standards of the GDPR is the Washington Post’s use of cookies on its website. The Washington Post obliged readers either to consent to third-party tracking and targeted advertising or to obtain a premium subscription by paying a certain fee. On 19 November 2018 the ICO warned the Washington Post that its approach to obtaining user consent violated Article 7(4) of the GDPR, since making access to its services conditional on such consent did not allow readers to give consent freely.

Practical Tips: Where should I start?

Some practical steps that one could take while using cookies are as follows:

  1. First of all, start by examining the types of cookies and similar technologies that you use and how you use them. Identify the cookies that need consent and the cookies that are no longer necessary.
  2. Then assess how intrusive your use of cookies is, and where you need consent. Please note that the more intrusive your cookies are, the more you need to think about changing the way you use them. You can gauge the intrusiveness of your cookies by checking their impact on the privacy of individuals. ICO suggests dividing cookies between privacy-neutral cookies and more intrusive uses of technology. This way you can focus more on the intrusive ones.
  3. Afterwards, consider the options for obtaining consent from the user. Determine the most pragmatic yet compliant way of obtaining consent.