On May 25th 2018 the EU GDPR comes in to effect.
Cookie Notices Must Change to Comply with GDPR
Why does GDPR say about cookies?
Is your website GDPR compliant?
The EU’s General Data Protection Regulation requires companies to protect the privacy of their EU customers. This means there is a requirement to notify visitors to your website if you are collecting any information that could identify them and give them a clear option to give consent or otherwise.
Personally identifiable information (PII) is any data that can be used to identify a specific individual. While your website may not seem like it collecting enough information to identify a real person, the collation of information by third parties, could include your information to complete the PII profile. Therefore you must let them know of any data you are collecting about them.
Before the new regulations, it was enough just to inform visitors to your website that cookies are in use on the website, however, it’s no longer the case..
Article 7(3):
“The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent.”
The data subject being referred to here is the person behind the PII.
Cookies can be personal data. The GDPR explicitly states that online identifiers, even if they are pseudonymous, even if they do not directly identify an individual, will be personal data if there is potential for an individual to be identified or singled out. Any persistent cookie that is unique to the device by virtue of its attributes or stored values fits the criteria for personal data. That means most cookies, and certainly the most useful ones for site owners. This is the basis for cookie consent being about GDPR compliance now, as well as the existing cookie laws.
Implied consent will no longer constitute compliance. The GDPR requires the user to make an ‘affirmative action’ to show that their consent has been given. This means that from the beginning of their visit to your website they must be informed that cookies are in use and be given the option to proceed to view the website with, or without cookies.
It also won’t be ok to say ‘By using this site, you accept cookies’. If there is no valid choice, then there is no valid consent.
The ability to opt out of consent that has already been given is also a requirement. So, just as there will be an “I Accept” button to click, in order to give consent, there must also be one that allows the user to reset their consent, if they have given it earlier. The image below is of the Cookie Reset Button in the footer of this website.
