Cookie Laws and the GDPR
Here are some FAQs which we commonly encounter:
Does the GDPR cover cookies?
While the GDPR touches on cookies only in a “recital”, it’s generally felt that cookies are caught by the GDPR.
What are the GDPR principles relevant to cookie consent?
- Consent requires a positive, unambiguous step.
- Users must be very clear about what they are consenting to.
- Consent must be given before cookies are placed (except those which are “strictly necessary”).
- It must be easy for users to opt out of different kinds of cookies at any time.
- User consents must be recorded.
What should the cookie consent notice say?
There are many different kinds of cookie consent models. Many people think that under the GDPR it’s reasonable to proceed on the basis of “soft opt in”. This tells users that you will place cookies if they continue to use the site. Cookies are then only set if the user either clicks an “ok” (or similar) button or navigates to another page on the site. This notice must stay prominently in place until the user takes that further action. The cookie choices should be spelt out clearly in the message but this can be “layered”.
What about cookie consent tools?
If you have not already done so, you may want to talk to your web developer about using a suitable GDPR-compliant cookie consent tool. Google lists some suggested tools on www.cookiechoices.org. The Information Commissioner’s Office itself uses “Cookie Control”, so that might not be a bad place to start.
The advantage of these tools is that they can help you to present the cookie information and options in a prominent, clear and comprehensible way to your users – the kind of thing which the GDPR likes to hear!
What does Google have to say about cookies?
- https://www.google.com/about/company/user-consent-policy-help.html (useful guidance).
- www.cookiechoices.org (Google’s cookie advice website).