Consent & Cookies: How Will GDPR and the ePrivacy Regulation Impact Websites?

12th Dec 2018
Here are 7 ways to create a great cookie policy page.
One tip that we can give you about this is to only partner with a service provider that understands and respects user privacy laws with the same diligence you display.

  • The GDPR tells you how you need to get your visitors’ unambiguous “consent” before collecting, storing, or using their data.
  • And the ePrivacy Regulation tells you how you can work with cookies (that are used to collect visitor data).

There are four types of cookies based on the duration for which they’re stored or their source. These are:
This is straightforward but easy to miss: every 12 months, renew the user’s consent for all the cookies and data you collect.

And because “consent” under the ePrivacy Regulation is interpreted by reference to the definition of “consent” under the GDPR, the GDPR implicitly requires that the cookie consent banners post-GDPR must now collect visitors’ unambiguous consent.
With the GDPR and the ePrivacy Directive, the user consent must be given prior to the setting of the cookies.
In general, we can use consent to serve the cookies (under the ePrivacy Regulation), but rely upon legitimate interests (or another lawful ground e.g. consent, contract, legal obligation, vital interests, public interest) to process the personal data collected using the cookies (under the GDPR).
They’re usually placed by advertising networks with the website operator’s permission. These cookies remember your website visits and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.

What are the Different Types of Cookies Used by Websites?

So, make sure you aren’t using any “implied consent” for setting up cookies.
All consents must be securely stored so that they can be produced as evidence in the event of a regulatory inspection.
While the GDPR doesn’t directly address cookies, it does re-define consent to say that any consent given must be “unambiguous.”
Analytics solutions such as Google Analytics, Clicky Analytics, Adobe Analytics and more use such cookies. These cookies don’t collect information that identifies a visitor and all the information these cookies collect is aggregated and therefore anonymous. It’s only used to improve how a website works.

  • Persistent Cookies: These are cookies that are stored on a user’s device between browser sessions. They help in remembering a user’s preferences or actions across a website (or in some cases across different websites). Persistent cookies may be used for a variety of purposes, including remembering users’ preferences and choices when using a website or running targeted advertising campaigns.
  • Session Cookies: These are cookies that expire when a browsing session ends. They allow websites to link the actions of a user during a browser session (from when a user opens the browser window to when they exit the browser). They may be used for a variety of purposes, such as remembering what a user has put in their shopping cart, enabling internet banking access or facilitating use of webmail. Session cookies aren’t stored for the long term; for this reason, they may sometimes be considered less privacy intrusive than persistent cookies.
  • First-Party Cookies: These are cookies that are set by the website being visited by the user.
  • Third-Party Cookies: These are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company (the main website’s service provider) sets a cookie through that website, this would be a third-party cookie.

Without these cookies, it’s not possible to access the services a website has to offer.

Category 1: Strictly Necessary Cookies

Under the GDPR, you need prior consent before setting cookies that track personal data, whereas the ePrivacy Directive is even more far-reaching and requires that you get consent before setting all cookies except the strictly necessary ones.
Both the GDPR and ePrivacy Regulation focus on the users’ consent about collecting or using their data. And because cookies are the primary tools for collecting user data, a good cookie policy can go a long way in helping you comply with them.
If you take another look at the National Geographic cookies page, you’ll see they let users opt-out of them with just a click.
Consent rules for targeting or marketing or advertising cookies: Specific consent must be sought for these types of cookies because they collect the most information about users.

Category 2: Performance Cookies

So many companies have now already started letting their users reject the cookies they don’t feel comfortable with. On Clym, for example, all the cookies are disallowed by default. A user can choose to allow the ones they want:
If you want to personalize your website’s content based on your site visitors’ data, you must understand two laws very well: 1) the GDPR and 2) the ePrivacy Regulation.
Websites use cookies to enhance a user’s browsing experience and for learning more about the user’s preferences and interests.
Functional cookies are also referred to as preference cookies.
Consent rules for strictly necessary cookies: No consent is required for using strictly necessary cookies. However, it is important to help users understand these cookies and the reasons to use them.
It’s therefore important to make sure your users have access to their current consent state at all times and can change the settings or withdraw their consent entirely.
The biggest change for cookie and online tracking in regard to the GDPR is that consent must be given by a clear affirmative action.
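The consent rules above (affirmative action only, no implied consent, default deny, withdrawal at any time, renewal every 12 months, and a stored record that can serve as evidence) can be enforced at the point where cookies are written. The following is an added example, not code from the original post or from any vendor named on this page; the store layout, function names and the ICC-style category strings are assumptions.

```javascript
// Added example (not code from the original post): a consent gate that
// applies the rules described above. Category names follow the ICC
// categories; the store layout and function names are assumptions.
const STRICTLY_NECESSARY = "strictly-necessary";
const RENEWAL_MS = 365 * 24 * 60 * 60 * 1000; // consent is renewed every 12 months

// The store keeps the current record plus an append-only log so that every
// grant or withdrawal can later be produced as evidence.
function createConsentStore() {
  return { record: null, log: [] };
}

// Record an affirmative choice. Only categories the user actively ticked are
// stored; nothing is inferred from scrolling, silence or "by using this site".
function grantConsent(store, allowedCategories, now) {
  store.record = { allowed: new Set(allowedCategories), grantedAt: now };
  store.log.push({ action: "grant", categories: [...allowedCategories], at: now });
}

// Withdrawal must always be available and is as easy as granting.
function withdrawConsent(store, now) {
  store.record = { allowed: new Set(), grantedAt: now };
  store.log.push({ action: "withdraw", categories: [], at: now });
}

// A record older than 12 months (or no record at all) does not count.
function needsRenewal(store, now) {
  return store.record === null || now - store.record.grantedAt >= RENEWAL_MS;
}

// Default deny: without a fresh record naming this category, the cookie
// is not set. Strictly necessary cookies never need consent.
function isCookieAllowed(store, category, now) {
  if (category === STRICTLY_NECESSARY) return true;
  if (needsRenewal(store, now)) return false;
  return store.record.allowed.has(category);
}

// The only path that writes a cookie. `setCookie` is injected so the gate
// can be exercised outside a browser; in a page it would be
// (c) => { document.cookie = c; }. Returns true when the cookie was set.
function setCookieIfAllowed(store, cookie, now, setCookie) {
  if (!isCookieAllowed(store, cookie.category, now)) return false;
  setCookie(`${cookie.name}=${cookie.value}`);
  return true;
}
```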

Category 3: Functionality Cookies

These cookies collect information about how visitors use a website.
Let’s now understand how you should approach cookies and consent under these two laws, so you can offer powerful, personalized, and compliant website experiences.
They’re also used to limit the number of times you see an advertisement as well as help track a campaign’s performance.
A compliant cookie policy must give the user a clear and accurate picture of how cookies are used on your website at any time. It’s an actual requirement that the cookie policy is written in plain and understandable language. This is easier said than done as most websites have a large number of third-party cookies flowing through their system.

Category 4: Targeting Cookies or Advertising Cookies

This cookie information is then used to personalize the user’s future visits to the same website, so website experiences feel more relevant. Cookie data can be used to offer content and advertising that’s aligned with the already established preferences of browsers.
At Convert, we use only first-party performance cookies which are described below:
Cookies are small data files that a website stores on a user’s computer, mobile phone or tablet.
Here are some examples of advertising/targeting cookies HTC uses:
Because the GDPR focuses on the processing of private or personally identifiable data, and because it’s not possible to identify the data subject from data that has undergone pseudonymisation, performance cookies (such as Google Analytics cookies) don’t concern the GDPR to a very great degree. You can include the consent rules for these cookies in your terms and conditions; essentially, you get the users’ consent to work with these cookies when they use your website.

Every website uses a host of solution providers, and many of these service providers use cookies. It doesn’t matter whether you use first-party cookies or third-party ones: under the newer, stringent privacy laws, you can be subjected to regulatory inspections and be required to account exhaustively for the data processing that goes on in connection with your website.

Convert’s Cookies: Balancing Privacy and Innovation

These cookies allow a website to remember the choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal website experiences. For instance, a website may be able to provide you with local weather reports or traffic news by storing region details within a cookie.

_conv_v

  • Cookie name: _conv_v
  • Purpose: This is the visitor-centric cookie. Its value is a string of star (*)-separated pieces; each piece is a key string and a value string joined by a colon (:).
  • Duration: 6 months
  • Domain source: convert.com
  • Category: Performance
  • Data that is stored: session count, current session timestamp, first session start timestamp, number of pageviews, previous session start timestamp, project-level segment IDs, JSON structure with all experiences and goals presented to the visitor
  • Privacy Policy mentions this cookie: Yes

_conv_s

  • Cookie name: _conv_s
  • Purpose: This is the session-centric cookie. Its value is a string of star (*)-separated pieces; each piece is a key string and a value string joined by a colon (:).
  • Duration: 20 minutes
  • Domain source: convert.com
  • Category: Performance
  • Data that is stored: session ID, number of pageviews in current session, session hash for performance issues
  • Privacy Policy mentions this cookie: Yes

_conv_r

  • Cookie name: _conv_r
  • Purpose: This cookie holds the referral data for the current visitor.
  • Duration: This is overwritten each time the visitor arrives from a new referrer.
  • Domain source: convert.com
  • Category: Performance
  • Data that is stored: source name, referral medium, referrer search terms
  • Privacy Policy mentions this cookie: Yes
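The three cookies above share a documented value format (star-separated pieces, each a key and value joined by a colon), and together they form the complete list of cookies the site declares. The following is an added example, not Convert’s own code: it parses that format and checks a cookie jar against the declared list so that any undeclared cookie stands out. The field names in the sample values (vi, sc, si, pv, src) are constructed; the page lists what the cookies store but not the key names.

```javascript
// Added example, not Convert's own code. Parses the documented
// "star-separated, colon-joined key:value" format of _conv_v / _conv_s and
// audits a cookie jar against the cookies the policy declares.
const DECLARED_COOKIES = {
  _conv_v: "Performance", // visitor-centric, 6 months
  _conv_s: "Performance", // session-centric, 20 minutes
  _conv_r: "Performance", // referral data, overwritten per referrer
};

// "vi:1*sc:3" -> { vi: "1", sc: "3" }. Key names are constructed here.
// Only the first colon splits key from value, so values may themselves
// contain colons (for example the JSON goal structure in _conv_v).
function parseStarCookie(value) {
  const fields = {};
  for (const piece of value.split("*")) {
    if (piece === "") continue;
    const sep = piece.indexOf(":");
    if (sep === -1) continue; // malformed piece: no key/value separator
    fields[piece.slice(0, sep)] = piece.slice(sep + 1);
  }
  return fields;
}

// Parse a Cookie header or document.cookie string into name -> raw value.
// Splits on ";" only, so star/colon-formatted values survive intact.
function parseCookieJar(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (trimmed === "") continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    jar[name] = eq === -1 ? "" : trimmed.slice(eq + 1);
  }
  return jar;
}

// Accountability check: every cookie actually present must be one the
// policy declares. Returns the sorted names that are not declared.
function undeclaredCookies(cookieString, declared = DECLARED_COOKIES) {
  return Object.keys(parseCookieJar(cookieString))
    .filter((name) => !(name in declared))
    .sort();
}
```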

These laws govern consent and cookies:
Here are some examples of functional cookies Clym uses:
EU citizens have grown accustomed to – albeit probably slightly annoyed by – the banners on all websites, stating the use of cookies, sometimes asking you to check the ok button, but giving no true choice.

Use user-friendly language

Consent rules for performance cookies:
Check out the policy page examples from above and you’ll see how these organizations have written user-friendly versions of the policies that can otherwise sound like legal jargon and be very difficult to understand for general users.

The GDPR regulates the general handling of personal data and doesn’t directly address cookies.
Consent can be written into the terms and conditions – by using the site you consent to the use of these types of cookies.

But messages saying “We aren’t responsible for any … ”, “Our service providers have their own data … ” or “We aren’t liable for the … ” might give you some peace of mind, but they might not be good defenses.

That’s the only way forward for a progressive, privacy aware business.
These cookies can also be used to remember the changes you’ve made to text size, fonts and other customizable parts of the web pages you visit. They may also be used to provide services you’ve asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they can’t track your browsing activity on other websites.
“This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” — Recital 26 of the GDPR

These cookies are used to run personalized promotions and advertising campaigns based on personal interests and preferences.

So think about adding an opt-out page to your website and let your users manage their consent. Here are some examples of National Geographic’s performance cookies:

Besides, by explaining what cookies you use, what data you store, and how you use your data, you can earn the confidence of your users and show them that their privacy actually matters.
You can loosely categorize these cookies into four categories using the recommendations by the International Chamber of Commerce in this ICC UK Cookie Guide. (Some cookies can appear in more than one category.)

These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website — for example, for logging into your account on an online shopping store.
Don’t assume the consent to be “eternal!”
With the regulation, this is not sufficient. The consent has to be given as an affirmative, positive action, and rejecting cookies must be an actual option.


More than anything else, get accountable for all the cookies on your website:

Here are a few strictly necessary cookies The New York Times uses:
Clicky Analytics, too, offers a one-click opt-out option that lets users stop being tracked by any website using its analytics solution.
The ePrivacy Regulation, on the other hand, focuses on cookie use, which is why it’s also known as the “Cookie Law.” Businesses in Europe must get explicit consent to use cookies and provide clear opt-outs to users under the proposed new law.
Users must have the power to withdraw their consent whenever they want — the consent is theirs to give or withdraw after all!
Consent rules for functionality cookies: Just like performance cookies, consent for functionality cookies can be written into the terms and conditions (by using a site you consent to the use of these types of cookies), or a notice can be shown when a user changes settings on a website. Many companies, however, proactively let their users opt in to or out of functionality cookies.
