PROCESSING SITUATIONS


Websites: Cookies and similar technologies

Most websites make use of specific information technologies that collect and process information related to the webpage or to the visitor. These tools can be referred to as cookies or other tracking technologies and serve as a memory tool, able to recognize users’ online behaviour and remember their actions.

Since usage of these information technology tools could be privacy-intrusive for the website visitor, you will have to take into account a number of consent and information obligations before placing your first cookie: provide clear and understandable information to the individuals concerned, obtain their consent (not always necessary) and refrain from using personal data in a manner that is incompatible with the initial purpose of collection.


What are cookies?

Cookies are virtually invisible text files that a website may store on its visitors’ computers or mobile devices at the time they access the website. Cookies allow the website to track, collect, and store any (personal) data that companies request.

Cookies, as such, are a storage medium and are therefore not personal data in themselves. Nevertheless, cookie identifiers are personal data because personal data can be stored in them. When cookies can identify an individual, they are considered personal data. As ‘personal data’, their processing is subject to the GDPR, needs to be grounded on a legal basis, and must respect the data protection rules and principles.

There can be different reasons for companies to make use of cookies:

  • to improve the performance of functions and services,

  • to improve user experience or

  • to monitor users’ digital behaviour to serve them targeted advertising.

Below is a list of the most common types of cookies:

[Image: types of cookies]

Obligation to obtain consent 

Cookies are mainly regulated by the ePrivacy Directive. Based on this directive, consent from the user for the storage of, or access to, certain types of cookies is required. Consent under the ePrivacy Directive should be interpreted in line with the GDPR (freely given, specific, informed, unambiguous and based on an affirmative action). Additionally, if you make use of any type of tracking device, you must be able to prove that you have obtained your visitors’ consent.

! Scrolling down or swiping through a website or application cannot be considered to be a valid expression of consent to the use of cookies !

Ask for consent the first time you set cookies; you do not have to repeat it every time the same person visits your website. However, devices may be used by different people, so you may want to repeat this process at regular intervals.

 

 

Exemptions from the consent obligation

Consent is not required for the implementation of all cookies. The ePrivacy Directive provides an exemption for:

  • Cookies used for the sole purpose of carrying out the transmission of communication

  • Cookies that are strictly necessary to provide a service over the internet that is explicitly requested by the user. The implementation of the cookies needs to be essential to provide the user with the service in question. Cookies that are solely helpful or convenient – or that are also used to achieve other objectives – cannot be considered strictly necessary cookies and thus can only be stored on the user’s device based on valid consent.

 

The following cookies can be exempted from the consent requirement, provided that they are not used for additional purposes:

  • User input cookies (session-id), for the duration of a session or persistent cookies limited to a few hours in some cases;

  • Authentication cookies used for authentication services, for the duration of a session;

  • User-centric security cookies used to detect authentication abuses, for a limited persistent duration;

  • Multimedia content player session cookies, such as Flash player cookies, for the duration of a session;

  • Load balancing session cookies, for the duration of a session;

  • User-interface customization persistent cookies, for the duration of a session (or slightly more);

  • Third-party social plug-in content sharing cookies, for logged-in members of a social network if they are not also used for user tracking purposes.


Information obligation

When you want to make use of cookies or other tracking technologies, you need to provide the user with clear and comprehensive information about this use. The information needs to be provided in a manner that is suitable for the user and before or at the time of requesting consent. This means that you will have to implement a cookie policy on your website, providing all the information that is necessary for users to make an informed decision on whether or not to consent to the use of cookies.

A cookie policy should:

[Image: information obligation]

! Make sure that the language used in the cookie policy corresponds to the language of the people targeted by the website !

An example of a good cookie notice can be found here.

Good practice - Use a layered approach in order to keep the cookie policy short and simple: basic information about cookie usage should be contained in the first layer. This first layer should give the user the option to accept or refuse all cookies, or to configure options for the usage of different cookies (opt-out). When choosing the last option, the user should be directed to a more detailed cookie notice (second layer) with information (name, type of cookie, technical details, specific purpose and retention period) for each (group of) cookies.

Storage period

A limited storage period should be set for each (type of) cookie. It is also recommended to periodically review the cookies you use because the storage period of cookies or other tracking technologies must be proportionate and limited to what is necessary to achieve the planned purpose. The storage period also cannot exceed the period for which valid consent was given.

Time for action!

  • Check what cookies or other tracking technologies your online service already uses or intends to use and identify what information is processed by each cookie

  • Confirm the purposes of each cookie and remove cookies you do not need

  • Identify strictly necessary cookies, communication cookies and cookies for which consent is required

  • Put in place a cookie policy to provide the necessary information concerning your company’s use of cookies and other technologies

  • Implement a GDPR-compliant consent mechanism, including the ability to refuse non-essential cookies

  • Keep records of users’ consent to implementing cookies for an appropriate period of time

  • Ensure compliance with the GDPR where information obtained and processed through cookie storage can be considered as personal data

  • Avoid the use of third-party cookies or other tracking technologies as much as possible