Websites: Cookies and similar technologies
Most websites make use of specific information technologies that collect and process information related to the webpage or to the visitor. These tools can be referred to as cookies or other tracking technologies and serve as a memory tool, able to recognize users’ online behaviour and remember their actions.
Since usage of these information technology tools could be privacy-intrusive for the website visitor, you will have to take into account a number of consent and information obligations before placing your first cookie: provide clear and understandable information to the individuals concerned, obtain their consent (not always necessary) and refrain from using personal data in a manner that is incompatible with the initial purpose of collection.
What are cookies?
Cookies are virtually invisible text files that a website may store on its visitors’ computers or mobile devices at the time they access the website. Cookies allow the website to track, collect, and store any (personal) data that companies request.
Cookies, as such, are a storage medium and are therefore not personal data in themselves. Nevertheless, cookie identifiers are personal data, because personal data can be stored in cookies. When cookies can identify an individual, they are considered personal data. As ‘personal data’, their processing is subject to the GDPR and needs to be grounded on a legal basis and respect the data protection rules and principles.
to improve the performance of functions and services,
to improve user experience or
to monitor users’ digital behaviour to serve them targeted advertising.
Below is a list of the most common types of cookies:
Obligation to obtain consent
Cookies are mainly regulated by the ePrivacy Directive. Based on this directive, consent from the user for the storage of, or access to, certain types of cookies is required. Consent under the ePrivacy Directive should be interpreted in line with the GDPR (freely given, specific, informed, unambiguous and based on an affirmative action). Additionally, if you make use of any type of tracking technology, you must be able to prove that you have obtained your visitors’ consent.
Ask for consent the first time you set cookies; you do not have to repeat it every time the same person visits your website. However, devices may be shared by different people, so you may want to repeat this process at regular intervals.
Exemptions from the consent obligation
Consent is not required for the implementation of all cookies. The ePrivacy Directive provides an exemption for:
Cookies used for the sole purpose of carrying out the transmission of communication
Cookies that are strictly necessary to provide a service over the internet that is explicitly requested by the user. The implementation of the cookies needs to be essential to provide the user with the service in question. Cookies that are merely helpful or convenient – or that are also used to achieve other objectives – cannot be considered strictly necessary cookies and thus can only be stored on the user’s device based on valid consent.
The following cookies can be exempted from the consent requirement, provided that they are not used for additional purposes:
User input cookies (session-id), for the duration of a session or persistent cookies limited to a few hours in some cases;
Authentication cookies used for authentication services, for the duration of a session;
User centric security cookies used to detect authentication abuses, for a limited persistent duration;
Multimedia content player session cookies, such as Flash Player cookies, for the duration of a session;
Load balancing session cookies, for the duration of a session;
User-Interface customization persistent cookies, for the duration of a session (or slightly more);
Third-party social plug-in content-sharing cookies, for logged-in members of a social network, if they are not also used for user-tracking purposes.
An example of a good cookie notice can be found here.
A limited storage period should be set for each (type of) cookie. It is also recommended to periodically review the cookies you use, because the storage period of cookies or other tracking technologies must be proportionate and limited to what is necessary to achieve the planned purpose. Nor may the storage period exceed the period for which valid consent was given.
Time for action!
Check what cookies or other tracking technologies your online service already uses or intends to use and identify what information is processed by each cookie
Confirm the purposes of each cookie and remove cookies you do not need
Identify strictly necessary cookies, communication cookies and cookies for which consent is required
Implement a GDPR-compliant consent mechanism, including the ability to refuse non-essential cookies
Keep records of users’ consent to implementing cookies for an appropriate period of time
Ensure compliance with the GDPR where information obtained and processed through cookie storage can be considered as personal data
Avoid the use of third-party cookies or other tracking technologies as much as possible
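The storage-period rule above and the action list can be turned into a small consent gate. This is an added example written for this page, not code from the original; the cookie inventory, category names and the six-month consent validity are constructed assumptions. Exempt categories are set without consent, every other cookie needs a matching consent record, and a consented cookie's Max-Age is clamped so it never outlives the consent it relies on.

```javascript
// Added example: consent-gated cookie setting with lifetime clamped to consent validity.
// Inventory, category names and validity period are constructed for illustration.
const EXEMPT = new Set(["transmission", "strictly-necessary"]); // ePrivacy exemptions
const CONSENT_VALIDITY_MS = 6 * 30 * 24 * 3600 * 1000;          // assumption: re-ask after ~6 months

// Constructed cookie inventory (step 1 of the action list): name, category, purpose, max age.
// maxAgeSec 0 means a session cookie (no Max-Age attribute).
const COOKIE_INVENTORY = [
  { name: "sessionid", category: "strictly-necessary", purpose: "user input / login", maxAgeSec: 3600 },
  { name: "lb_route",  category: "strictly-necessary", purpose: "load balancing",     maxAgeSec: 0 },
  { name: "_ads_uid",  category: "advertising",        purpose: "targeted advertising", maxAgeSec: 365 * 86400 },
  { name: "_stats",    category: "analytics",          purpose: "usage statistics",   maxAgeSec: 30 * 86400 },
];

// Consent record kept as proof (who consented, when, to which categories, until when).
function recordConsent(visitorId, acceptedCategories, givenAtMs) {
  return { visitorId, acceptedCategories: [...acceptedCategories],
           givenAt: givenAtMs, expiresAt: givenAtMs + CONSENT_VALIDITY_MS };
}

// Exempt cookies need no consent; all others need a current consent covering their category.
function isPermitted(cookie, consent, nowMs) {
  if (EXEMPT.has(cookie.category)) return true;
  if (!consent || nowMs >= consent.expiresAt) return false;
  return consent.acceptedCategories.includes(cookie.category);
}

// Returns a Set-Cookie header value, or null when the cookie must not be set.
function buildSetCookie(cookie, value, consent, nowMs) {
  if (!isPermitted(cookie, consent, nowMs)) return null;
  let maxAge = cookie.maxAgeSec;
  if (!EXEMPT.has(cookie.category)) {
    // Storage period may not exceed the period for which consent was given.
    const remainingSec = Math.floor((consent.expiresAt - nowMs) / 1000);
    maxAge = Math.min(maxAge, remainingSec);
  }
  const attrs = [`${cookie.name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
  if (cookie.category === "strictly-necessary") attrs.push("HttpOnly"); // not needed by page scripts
  if (maxAge > 0) attrs.push(`Max-Age=${maxAge}`);
  return attrs.join("; ");
}

// Periodic review helper: which inventory entries may currently be set for this visitor.
function audit(inventory, consent, nowMs) {
  return inventory.map(c => ({ name: c.name, category: c.category, permitted: isPermitted(c, consent, nowMs) }));
}
```

Record the consent server-side before calling buildSetCookie, so the proof of consent exists independently of the cookie it authorises.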