12th Dec 2018
Want a handy guide of the different types of cookies and how to use them to avoid privacy hassles? We have turned this blog into an infographic for you. Download it here
One tip that we can give you about this is to only partner with a service provider that understands and respects user privacy laws with the same diligence you display.
- The GDPR tells you how you need to get your visitors’ unambiguous “consent” before collecting, storing, or using their data.
- And the ePrivacy rules (today the ePrivacy Directive, with the proposed ePrivacy Regulation intended to replace it) tell you how you may work with cookies, which are the usual mechanism for collecting visitor data.
There are four types of cookies based on the duration for which they’re stored or their source. These are:
This is straightforward but easy to miss. The GDPR sets no fixed expiry for consent, but a widely used rule of thumb is to renew the user's consent for all cookies and data at least every 12 months (and whenever your cookie policy changes).
GDPR + ePrivacy Regulation = Cookies + Consent
Because "consent" under the ePrivacy rules is defined by reference to the GDPR's definition of consent, post-GDPR cookie consent banners must collect visitors' unambiguous consent.
Under the GDPR and the ePrivacy Directive, the user's consent must be given before the cookies are set.
In general, we can use consent to serve the cookies (under the ePrivacy Regulation), but rely upon legitimate interests (or another lawful ground e.g. consent, contract, legal obligation, vital interests, public interest) to process the personal data collected using the cookies (under the GDPR).
They’re usually placed by advertising networks with the website operator’s permission. These cookies remember your website visits and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.
What are the Different Types of Cookies Used by Websites?
So, make sure you aren’t using any “implied consent” for setting up cookies.
All consents must be securely stored so that they can be produced as evidence in case of an audit or a regulator's inquiry.
While the GDPR doesn’t directly address cookies, it does re-define consent to say that any consent given must be “unambiguous.”
Analytics solutions such as Google Analytics, Clicky Analytics, Adobe Analytics and others use such cookies. These cookies typically don't store directly identifying data (name, e-mail), and the reports built from them are aggregated and used only to improve how a website works. Be careful with the word "anonymous", though: the client ID such a cookie carries is a pseudonymous online identifier, which Recital 30 of the GDPR treats as personal data, so the raw data behind the aggregated reports is usually not anonymous.
- Persistent Cookies: These are cookies that are stored on a user's device between browser sessions (they carry an Expires or Max-Age attribute). They help in remembering a user's preferences or actions across a website, or in some cases across different websites. Persistent cookies may be used for a variety of purposes, including remembering users' preferences and choices on a website or running targeted advertising campaigns.
- Session Cookies: These are cookies with no Expires or Max-Age attribute, which the browser discards when the browsing session ends. They allow a website to link the actions of a user during a browser session (from when the user opens the browser window to when they exit the browser). They may be used for a variety of purposes, such as remembering what a user has put in their shopping cart, enabling internet banking access, or facilitating use of webmail. Because session cookies aren't stored long-term, they may be considered less privacy intrusive than persistent cookies. One caveat: browsers that restore the previous session on start-up ("continue where you left off") can keep session cookies alive across restarts, so don't rely on "session" alone as a privacy guarantee.
- First Party Cookies: These are cookies that are set by the website being visited by the user.
- Third Party Cookies: These are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company (for example, the main website's service provider) sets a cookie through that website, this would be a third party cookie.
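The two distinctions above (session vs. persistent, first vs. third party) are decided by the attributes of the Set-Cookie header and by which host sent it. The following is an added example, not code from the original post, that classifies constructed Set-Cookie headers against a page host and also flags the security attributes (Secure, HttpOnly, SameSite) a reviewer would expect on any cookie that carries state. Host names and header values are made up for illustration.

```javascript
// Added example (not from the original post): classify Set-Cookie headers as
// session/persistent and first/third party, and flag missing security attributes.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const idx = p.indexOf('=');
    const key = (idx === -1 ? p : p.slice(0, idx)).trim().toLowerCase();
    attrs[key] = idx === -1 ? true : p.slice(idx + 1).trim();
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// A cookie domain covers the page host if the host equals it or is a subdomain
// of it. A leading dot in Domain= is ignored, as browsers do.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// pageHost: the site the user typed in; responseHost: the host that sent this header.
function classifyCookie(header, pageHost, responseHost) {
  const c = parseSetCookie(header);

  // Lifetime: Max-Age takes precedence over Expires; neither present means session cookie.
  // Max-Age <= 0 is a deletion, not a persistent cookie.
  let persistent = false;
  if ('max-age' in c.attrs) {
    persistent = Number(c.attrs['max-age']) > 0;
  } else if ('expires' in c.attrs) {
    persistent = !Number.isNaN(Date.parse(c.attrs.expires));
  }

  // Party: effective domain is the Domain attribute if given, else the responding host.
  const effectiveDomain = c.attrs.domain || responseHost;
  const firstParty = domainMatches(pageHost, effectiveDomain);

  // Security attributes every cookie carrying state should have.
  const warnings = [];
  if (!('secure' in c.attrs)) warnings.push('missing Secure');
  if (!('httponly' in c.attrs)) warnings.push('missing HttpOnly');
  if (!('samesite' in c.attrs)) warnings.push('missing SameSite');

  return { name: c.name, persistent, firstParty, warnings };
}

// Constructed sample: a page on www.example.com receiving three Set-Cookie headers.
const PAGE_HOST = 'www.example.com';
const SAMPLES = [
  { from: 'www.example.com',
    header: 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { from: 'www.example.com',
    header: 'lang=en; Max-Age=15552000; Domain=.example.com; Path=/' },
  { from: 'ads.adnetwork.example',
    header: 'uid=42; Expires=Wed, 11 Dec 2019 00:00:00 GMT; Domain=.adnetwork.example; Secure; SameSite=None' },
];

function classifyAll() {
  return SAMPLES.map(s => classifyCookie(s.header, PAGE_HOST, s.from));
}

for (const r of classifyAll()) {
  console.log(`${r.name}: ${r.persistent ? 'persistent' : 'session'}, ` +
              `${r.firstParty ? 'first' : 'third'} party` +
              (r.warnings.length ? `, warnings: ${r.warnings.join(', ')}` : ''));
}
```

The login cookie comes out as a first-party session cookie with no warnings; the language preference is first-party persistent but lacks Secure, HttpOnly and SameSite; the ad network's cookie is third-party persistent. Run it in any Node.js version that supports `Array.prototype.includes` and template strings.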
The Different Cookie Categories:
Without these cookies, some of the services a website offers cannot be used at all.
Category 1: Strictly Necessary Cookies
Under the GDPR, you need a lawful basis (in practice, usually prior consent) for processing the personal data that cookies collect, whereas the ePrivacy Directive goes further and requires consent for setting any cookie that is not strictly necessary.
If you take another look at the National Geographic cookies page, you’ll see they let users opt-out of them with just a click.
Consent rules for targeting, marketing or advertising cookies: Specific, separate consent must be sought for these cookies, because they collect the most information about users.
Category 2: Performance Cookies
Many companies have already started letting their users reject the cookies they don't feel comfortable with. On Clym, for example, all non-essential cookies are disallowed by default, and a user can choose to allow the ones they want:
If you want to personalize your website’s content based on your site visitors’ data, you must understand two laws very well: 1) the GDPR and 2) the ePrivacy Regulation.
Functional cookies are also referred to as preference cookies.
Consent rules for strictly necessary cookies: No consent is required for using strictly necessary cookies. However, it is important to help users understand these cookies and the reasons to use them.
It’s therefore important to make sure your users have access to their current consent state at all times and can change the settings or withdraw their consent entirely.
The biggest change for cookie and online tracking in regard to the GDPR is that consent must be given by a clear affirmative action.
Category 3: Functionality Cookies
These cookies collect information about how visitors use a website.
Let’s now understand how you should approach cookies and consent under these two laws, so you can offer powerful, personalized, and compliant website experiences.
They’re also used to limit the number of times you see an advertisement as well as help track a campaign’s performance.
Category 4: Targeting Cookies or Advertising Cookies
This cookie information is then used to personalize the user's future visits to the same website, so website experiences feel more relevant. Cookie data can also be used to offer content and advertising aligned with the preferences already associated with that browser.
At Convert, we use only first-party performance cookies which are described below:
Cookies are small data files that a website stores on a user’s computer or mobile or tablet.
Here are some examples of advertising/targeting cookies HTC uses:
Convert’s Cookies: Balancing Privacy and Innovation
These cookies allow a website to remember the choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal website experiences. For instance, a website may be able to provide you with local weather reports or traffic news by storing region details within a cookie.
- Cookie name: _conv_v
- Purpose: This is the visitor-centric cookie. Its value is a string of star (*) separated pieces; each piece is a key and a value string glued together by a colon (:).
- Duration: 6 months
- Domain source: convert.com
- Category: Performance
- Data that is stored: session count, current session timestamp, first session start timestamp, number of pageviews, previous session start timestamp, project-level segment IDs, and a JSON structure listing all the experiences and goals presented to the visitor
- Cookie name: _conv_s
- Purpose: This is the session-centric cookie. Its value is a string of star (*) separated pieces; each piece is a key and a value string glued together by a colon (:).
- Duration: 20 minutes
- Domain source: convert.com
- Category: Performance
- Data that is stored: session ID, number of pageviews in current session, session hash for performance issues
- Cookie name: _conv_r
- Purpose: This cookie holds the referral data for the current visitor.
- Duration: This is overwritten each time the visitor arrives from a new referrer.
- Domain source: convert.com
- Category: Performance
- Data that is stored: source name, referral medium, referrer search terms
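The `_conv_v` and `_conv_s` values are described above as star-separated pieces, each a key and a value joined by a colon, with one piece holding a JSON structure. The following is an added example, not Convert's own code, of a defensive parser and serializer for exactly that shape. The key names (`vi`, `sc`, `cs`, `fs`, `pv`, `exp`) and the sample value are assumptions constructed for illustration; the post does not list Convert's real keys.

```javascript
// Added example (not Convert's code): parse and re-serialize the
// star-separated, colon-glued key:value cookie format described above.

// Parse "k1:v1*k2:v2*..." into a null-prototype object. A null prototype means a
// hostile key such as "__proto__" in an attacker-controlled cookie cannot
// pollute Object.prototype. Values may themselves contain ':' (JSON does), so
// each piece is split on its FIRST colon only.
function parseConvCookie(raw) {
  const out = Object.create(null);
  for (const piece of String(raw).split('*')) {
    if (!piece) continue;                  // tolerate empty pieces, e.g. a trailing '*'
    const i = piece.indexOf(':');
    if (i === -1) continue;                // malformed piece without a separator: skip it
    out[piece.slice(0, i)] = piece.slice(i + 1);
  }
  return out;
}

// Inverse of parseConvCookie. Keys must not contain ':' or '*' and values must
// not contain '*', or the result would not round-trip; reject such input.
function serializeConvCookie(fields) {
  const pieces = [];
  for (const [k, v] of Object.entries(fields)) {
    if (/[:*]/.test(k) || /\*/.test(String(v))) {
      throw new Error(`field ${k} cannot be encoded in the star/colon format`);
    }
    pieces.push(`${k}:${v}`);
  }
  return pieces.join('*');
}

// Decode the fields the post says _conv_v carries, with assumed key names:
//   sc = session count, pv = number of pageviews, fs = first session start
//   timestamp, exp = JSON structure of experiences/goals shown to the visitor.
// Numeric fields are only accepted if they are plain digit strings; the JSON
// field is parsed inside try/catch because the cookie is untrusted input.
function decodeVisitorCookie(raw) {
  const f = parseConvCookie(raw);
  const num = k => (k in f && /^\d+$/.test(f[k]) ? Number(f[k]) : null);
  let experiences = null;
  if ('exp' in f) {
    try { experiences = JSON.parse(f.exp); } catch (_) { experiences = null; }
  }
  return {
    sessionCount: num('sc'),
    pageviews: num('pv'),
    firstSession: num('fs'),
    experiences,
  };
}

// Constructed sample value in the described format (not a real Convert cookie).
const SAMPLE_CONV_V =
  'vi:1*sc:3*cs:1544572800*fs:1512950400*pv:12*exp:{"1001":{"g":[1,2],"v":2}}';

console.log(decodeVisitorCookie(SAMPLE_CONV_V));
console.log(serializeConvCookie(parseConvCookie(SAMPLE_CONV_V)) === SAMPLE_CONV_V);
```

Note that the JSON piece contains colons, which is why the parser splits on the first colon only; a value containing a literal `*` cannot be represented in this format, so the serializer refuses it instead of producing a value that would parse back differently.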
These laws govern consent and cookies:
Here are some examples of functional cookies Clym uses:
Use user-friendly language
Consent rules for performance cookies:
Check out the policy page examples from above and you’ll see how these organizations have written user-friendly versions of the policies that can otherwise sound like legal jargon and be very difficult to understand for general users.
Say no to implied consent – get it with an affirmative action
The GDPR regulates the general handling of personal data and doesn’t directly address cookies.
Consent & Cookies: How Will GDPR and the ePrivacy Regulation Impact Websites?
Consent can be written into terms and conditions: by using the site you consent to the use of these types of cookies.
Let your users withdraw their consent at any time
That’s the only way forward for a progressive, privacy aware business.
These cookies can also be used to remember the changes you’ve made to text size, fonts and other customizable parts of the web pages you visit. They may also be used to provide services you’ve asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they can’t track your browsing activity on other websites.
“This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” — Recital 26 of the GDPR
So think about adding an opt-out page to your website and let your users manage their consent. Here are some examples of National Geographic’s performance cookies:
Renew consent every year
By explaining what cookies you use, what data you store, and how you use that data, you can earn the confidence of your users and show them that their privacy actually matters.
You can loosely categorize these cookies into four categories using the recommendations by the International Chamber of Commerce in this ICC UK Cookie Guide. (Some cookies can appear in more than one category.)
These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website, for example logging into your account on an online shopping store. Because these cookies typically carry the authenticated session, they are also the ones that most need the Secure, HttpOnly and SameSite attributes.
Don’t assume the consent to be “eternal!”
With the regulation, this is not sufficient. The consent has to be given as an affirmative, positive action, and rejecting cookies must be an actual option.
Record your users’ consent (as evidence … just in case!)
Here are a few strictly necessary cookies The New York Times uses:
Clicky Analytics, too, offers a one-click opt-out option that lets users stop being tracked by any website using its analytics solution.
Users must have the power to withdraw their consent whenever they want — the consent is theirs to give or withdraw after all!
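The consent rules in this post add up to a small state machine: consent is recorded from an explicit action, it must be stored as evidence, it expires after about a year or when the policy changes, it can be withdrawn at any time, and no non-essential cookie may be set while consent is absent. The following is an added example, not code from the original post or from any consent vendor, that implements that gate in plain JavaScript. The store, category names, policy-version string and the 12-month TTL are assumptions; the clock is passed in so the expiry can be exercised without waiting a year.

```javascript
// Added example (not from the original post): an append-only consent log and a
// gate that refuses to set non-essential cookies without valid consent.

const CATEGORIES = ['strictly-necessary', 'performance', 'functionality', 'targeting'];
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;   // renew consent every 12 months (assumed)

// Record a consent event. `choices` maps category -> true/false as chosen by the
// user in the banner. Anything the user did not explicitly tick is false: there
// is no implied consent. Strictly necessary cookies need no consent and are
// always allowed. `now` is a millisecond timestamp.
function recordConsent(store, choices, policyVersion, now) {
  const record = {
    event: 'grant',
    policyVersion,
    at: now,
    choices: Object.fromEntries(
      CATEGORIES.map(c => [c, c === 'strictly-necessary' ? true : choices[c] === true])
    ),
  };
  store.push(record);            // append-only: the log is the audit evidence
  return record;
}

// Withdrawal is recorded as its own event rather than by editing the grant,
// so the history of what the user agreed to, and when, stays intact.
function withdrawConsent(store, policyVersion, now) {
  const record = { event: 'withdraw', policyVersion, at: now, choices: {} };
  store.push(record);
  return record;
}

function latest(store) {
  return store.length ? store[store.length - 1] : null;
}

// Consent is valid only if the most recent event is a grant, it was given for
// the policy version currently in force, and it is younger than the TTL.
function consentValid(store, policyVersion, now) {
  const cur = latest(store);
  if (!cur || cur.event !== 'grant') return false;
  if (cur.policyVersion !== policyVersion) return false;   // re-ask when the policy changes
  return now - cur.at < CONSENT_TTL_MS;
}

// The gate every cookie-setting code path should go through.
function maySetCookie(store, category, policyVersion, now) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
  if (category === 'strictly-necessary') return true;
  if (!consentValid(store, policyVersion, now)) return false;
  return latest(store).choices[category] === true;
}

// Walk through the lifecycle with a constructed timeline; returns what the
// gate decided at each step so the behaviour can be checked.
function demo() {
  const store = [];
  const policy = 'cookie-policy-v1';
  const day = 24 * 60 * 60 * 1000;
  const t0 = Date.UTC(2018, 11, 12);          // 12 Dec 2018
  const out = {};

  out.beforeConsent = {
    necessary: maySetCookie(store, 'strictly-necessary', policy, t0),
    performance: maySetCookie(store, 'performance', policy, t0),
  };
  recordConsent(store, { performance: true }, policy, t0);   // user ticked performance only
  out.afterConsent = {
    performance: maySetCookie(store, 'performance', policy, t0 + day),
    targeting: maySetCookie(store, 'targeting', policy, t0 + day),
  };
  out.policyChanged = maySetCookie(store, 'performance', 'cookie-policy-v2', t0 + day);
  out.afterThirteenMonths = maySetCookie(store, 'performance', policy, t0 + 400 * day);
  withdrawConsent(store, policy, t0 + 2 * day);
  out.afterWithdrawal = maySetCookie(store, 'performance', policy, t0 + 3 * day);
  out.eventsLogged = store.length;
  return out;
}

console.log(demo());
```

Wiring this into a site means calling `maySetCookie` before every `document.cookie =` or `Set-Cookie` for a non-essential category, and persisting `store` somewhere durable (server-side keyed to the consent ID, for example) so it can be produced on request.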
Consent rules for functionality cookies: As with performance cookies, the ICC guide allowed consent for functionality cookies to be written into terms and conditions (by using a site you consent to the use of these types of cookies) or given via a notice shown when a user changes settings on a website. Under the GDPR, however, such implied consent is no longer sufficient, and many companies now proactively let their users opt in to or out of functionality cookies.