Incorrect management of website cookies is one of the most common areas of GDPR non-compliance. Businesses of all sizes and sectors are required to abide by the GDPR’s rules on the application of non-essential cookies and management of consent. But what does this mean for your website and your cookies?
In this Tacita Tips we’ll be looking at some common questions that can help you to audit your website cookies.
Do website cookies count as personal data?
What are 'essential' and 'non-essential' cookies?
The GDPR permits businesses to apply only ‘essential’ cookies to a user’s device without first gaining the user’s explicit consent.
‘Essential’ cookies are identified as cookies that are required for a website to function. These include cookies to monitor session logs, keep users logged in between pages, and even logging cookie preferences!
Marketing cookies employed by third parties such as those from Hubspot, Google Analytics, and Facebook are classified as ‘non-essential’ cookies. These cannot be applied to users’ devices without their explicit consent.
What is 'explicit consent'?
The GDPR requires that users provide ‘explicit consent’ before non-essential cookies are applied to a user’s device. This means that the user must permit their application through some form of affirmative action. This includes (but is not limited to) ticking option boxes, clicking ‘I confirm’, or using consent sliders.
This does not permit the use of ‘implicit consent’ tools. These include cookie banners that state: ‘By using this website you allow us to place cookies on your device’ or pre-ticked preference boxes.
Any consent that is registered using these mechanisms is deemed invalid under the GDPR, so any personal data processed on the basis of that consent is being processed unlawfully.
How do we inform users about cookies?
You must provide your website users with the ability to select their cookie preferences if:
- They are accessing the website for the first time;
- The user has not logged their preferences on previous visits; or
- The retention period for the cookies has been exceeded and the user’s consent is required again.
You also must provide data subjects with the option to change their preferences at any time.
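The rules above (essential cookies load unconditionally, non-essential ones only after an affirmative choice, and the banner returns when no valid preference is stored or the retention period has passed) can be enforced in code rather than left to the banner wording. The following is an added example written for this page, not Tacita’s own code or a reference to any particular consent product. The cookie name `cookie_consent`, the 180-day retention period, the record format and the `INTEGRATIONS` list are all assumptions chosen for illustration.

```javascript
// Added example (not from the article): a consent gate for non-essential cookies.
// Assumed names: CONSENT_COOKIE, CONSENT_TTL_MS, INTEGRATIONS and the record format.

const CONSENT_COOKIE = "cookie_consent";                // assumed cookie name
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;       // assumed retention: 180 days

// Every integration that sets cookies is tagged with a category. Only
// 'essential' ones may run before the user has made an explicit choice.
const INTEGRATIONS = [
  { id: "session",     category: "essential" },       // keeps the user logged in
  { id: "preferences", category: "essential" },       // the consent record itself
  { id: "analytics",   category: "non-essential" },   // e.g. a third-party analytics tag
  { id: "marketing",   category: "non-essential" },   // e.g. a third-party marketing pixel
];

// Parse a document.cookie style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch (e) { /* skip a malformed value */ }
  }
  return out;
}

// Return the stored consent record, or null when it is absent, malformed or
// past its expiry. A null result means the user must be asked again.
function readConsent(cookieString, now = Date.now()) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || rec.v !== 1 || typeof rec.expires !== "number") return null;
  if (typeof rec.categories !== "object" || rec.categories === null) return null;
  if (now >= rec.expires) return null;   // retention period exceeded: consent needed again
  return rec;
}

// The banner is shown on a first visit, when no preference was stored on an
// earlier visit, or when the stored preference has expired.
function needsConsentPrompt(cookieString, now = Date.now()) {
  return readConsent(cookieString, now) === null;
}

// Build the consent record and the Set-Cookie value from an explicit choice.
// Nothing defaults to true: a category the user did not affirmatively tick is
// recorded as refused, which rules out pre-ticked boxes by construction.
// Calling this again with new choices is how "change preferences" is handled.
function recordConsent(choices, now = Date.now()) {
  const record = { v: 1, granted: now, expires: now + CONSENT_TTL_MS, categories: {} };
  for (const item of INTEGRATIONS) {
    if (item.category === "non-essential") {
      record.categories[item.id] = choices[item.id] === true;
    }
  }
  const value = encodeURIComponent(JSON.stringify(record));
  const maxAge = Math.floor(CONSENT_TTL_MS / 1000);
  const setCookie = `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
  return { record, setCookie };
}

// Decide which integrations may load on this request: essential ones always,
// non-essential ones only when a valid, unexpired record grants them.
function allowedIntegrations(cookieString, now = Date.now()) {
  const rec = readConsent(cookieString, now);
  return INTEGRATIONS
    .filter(i => i.category === "essential" || (rec !== null && rec.categories[i.id] === true))
    .map(i => i.id);
}
```

In a page, the flow is: call `needsConsentPrompt(document.cookie)` and show the banner when it returns true; on the user’s click, write `recordConsent(choices).setCookie` to `document.cookie`; and only load the script for each id returned by `allowedIntegrations(document.cookie)`. The important property is that a missing, garbled or expired record always falls back to the essential-only set, so a third-party tag can never run on the strength of an invalid consent.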
Do we need a cookie statement?
Yes. A cookie statement is a piece of text that explains what cookies are in place, how they operate, and their retention schedule (how long they are applied for). Some cookie management services provide this as part of the implementation service.
Don’t let your business be caught out by poor cookie management. By following Tacita’s recommendations above you can ensure that your business becomes, and stays, confident in its GDPR compliance!