By: Nihad Hassan
May 3, 2021
GDPR, Cookie Consent, and User Privacy
The General Data Protection Regulation (GDPR) is the most robust and comprehensive global privacy law; it came into force on May 25, 2018. GDPR replaces the previous data protection laws, which were not comprehensive and did not keep pace with the advancement of Internet technologies and the growing volume of personal data published online. GDPR applies to all EU (European Union) residents and citizens; regardless of your business's location, you are subject to the GDPR in the following two cases:
- Selling services and products to EU citizens or residents.
- Monitoring or collecting EU citizens' or residents' data through your website, application, or by other means.
For example, if you run a website offering services in the United States and a customer from the EU visits it, you are responsible for any Personally Identifiable Information (PII) gathered about that EU customer. A business is liable under the GDPR whether it is collecting or processing personal data.
The GDPR protects EU personal data, not data in general: personal data is information that identifies an individual, such as a name, an e-mail address, or even the IP address used to access the Internet. The GDPR aims to govern the relationship between customers and website owners, applications, and other IT service providers. Customers need to maintain their privacy online, while companies need some customer data to run their business (e.g., to personalize their content and target prospective customers with advertisements according to their browsing behavior). The GDPR responds to both customers' and businesses' concerns and offers a legal framework that protects the interests of both parties.
Under the GDPR, customers can now control the following:
- Who collects their data.
- What type of information is gathered.
- How the collected information is used.
- Whether any third parties will have access to such data.
At any time and without prior notice, the customer can request complete removal of their data. The entity storing customer information must comply with such requests.
Cookies and the GDPR
Under the GDPR, an organization collecting personal data must not gather more data than it needs to run its business. For example, an online store selling summer clothes does not need to store a copy of the customer's passport or ID number.
Let us discuss what makes web cookies relevant to our discussion about the GDPR.
- A web cookie can be used to identify a user online; it can collect various types of technical information about a user that can be used to single him/her out among millions of connected users.
- Because web cookies can collect and store information, they are considered subject to the GDPR.
Whenever you visit a website from your PC/laptop or mobile phone, it will ask you to accept cookies. A web cookie is a small text file stored by a user's web browser; it commonly comes encrypted and can only be read by the website that created it. A web cookie contains information that distinguishes a visitor's web browser, so the browser can be recognized the next time it returns to the same website. Web cookies are used to perform many tasks, such as:
- Remembering user login credentials on login forms.
- Remembering user search queries.
- Maintaining shopping cart functionality when purchasing products from online stores.
- Remembering user preferences, such as language and theme, when the user returns to the same website.
- Displaying customized ads to visitors based on their browsing history.
Cookies are also used to track Internet users' visits across many websites. Big Tech providers such as Google and Facebook use different types of cookies and other web tracking techniques to record Internet users' browsing history. Each user's browsing history can then be linked back to his/her real identity using different methods, should the provider want to do so.
The GDPR recognizes the role of cookies in tracking Internet users, so it imposes restrictions requiring businesses to be transparent about the cookies they install and what type of data they track with them.
Websites must comply with the following GDPR cookie consent requirements:
- Explicit consent must be obtained from website visitors before installing any cookies on their end devices – except the cookies strictly necessary for the website to work.
- The consent must be selective; that is, a user can choose which cookies to install and which to reject.
- Consent is not mandatory, so a user can choose to deny all cookies.
- The user should be able to withdraw consent easily at any time.
- The consent must be stored and treated as legal documentation.
- The consent must be renewed at least once a year. Some national guidelines suggest renewing it twice a year; the renewal period depends on the country.
GDPR cookie compliance is displayed on websites using a banner similar to the one shown in Figure 1. The GDPR cookie banner allows a user to select which cookies they want to activate. A user can also click "Show details" to see a complete list of the cookies used by the visited website, along with the date when the cookie agreement was last updated (see Figure 2).
Figure 1 – A sample GDPR-compliant cookie banner
Figure 2 – Detailed information about all cookies available for installation by the visited website
The European Data Protection Board (EDPB) recently updated its position on cookie consent, published as Guidelines 05/2020 on consent under Regulation 2016/679. This update removed many ambiguities regarding cookie usage, for example by prohibiting pre-ticked checkboxes in the cookie consent banner.
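The consent requirements listed above (explicit and per-category, deniable, withdrawable, stored as a record, renewed at least yearly, and with no pre-ticked boxes per the EDPB guidelines) expressed as a cookie-setting gate in JavaScript. This is an added example, not code from the article or from any consent tool; the category names, the 365-day renewal period, the policy version string and the sample cookie names are assumptions.

```javascript
// Added example: a minimal cookie-consent gate modelled on the GDPR cookie
// consent requirements. Category names and the 365-day renewal period are
// assumptions for illustration, not values from any specific guideline.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const MAX_CONSENT_AGE_MS = 365 * 24 * 60 * 60 * 1000; // renew at least yearly

// Initial banner state: nothing optional is pre-ticked (EDPB Guidelines 05/2020).
function defaultChoices() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Build the record kept as evidence of consent. `choices` is what the visitor
// actually selected; only an explicit `true` counts as a grant for a category.
function recordConsent(choices, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) {
    granted[c] = c === "necessary" ? true : choices[c] === true;
  }
  return { granted, givenAt: now, policyVersion: "2021-05-03" }; // version is a placeholder
}

// A record older than the renewal period (or from the future) is treated as no consent.
function isConsentValid(record, now = Date.now()) {
  if (!record) return false;
  const age = now - record.givenAt;
  return age >= 0 && age < MAX_CONSENT_AGE_MS;
}

// Gate every cookie the site wants to set: strictly necessary cookies are always
// allowed; anything else only with valid, explicit consent for its category.
function mayInstallCookie(category, record, now = Date.now()) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false; // unknown category: never set
  return isConsentValid(record, now) && record.granted[category] === true;
}

// Withdrawal: revoke every optional category and report which already-set
// cookies the caller must now delete from the visitor's browser.
function withdrawConsent(cookieCatalogue, now = Date.now()) {
  const revoked = recordConsent(defaultChoices(), now);
  const toDelete = cookieCatalogue.filter((ck) => ck.category !== "necessary");
  return { record: revoked, cookiesToDelete: toDelete.map((ck) => ck.name) };
}

// Constructed sample catalogue of the cookies a site declares in "Show details".
const SAMPLE_CATALOGUE = [
  { name: "session_id", category: "necessary" },
  { name: "ui_lang", category: "preferences" },
  { name: "_analytics", category: "statistics" },
  { name: "ad_profile", category: "marketing" },
];
```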
How to test your website's compliance with GDPR cookie consent
To test whether your website complies with the GDPR cookie consent requirements, go to https://2gdpr.com and enter your site's domain name in the search form. 2GDPR will scan your website, detect all cookies and trackers, and inform you of any issues affecting your compliance with the GDPR cookie consent requirements.
The General Data Protection Regulation (GDPR) has specific rules for managing web cookies. Website owners dealing with customers from EU countries must adhere to these rules and publish the necessary banner on their website, stating clearly their privacy agreement regarding the installation and management of cookies.