The General Data Protection Regulation (GDPR) came into force nearly four years ago, but the ways it is understood and applied in practice are still evolving. As the news has shown, not everyone has succeeded in becoming compliant – in January, the French regulatory authority fined Google and Facebook (€150 million and €60 million, respectively) for violating cookie laws. It is worth noting that Google had already been fined once before for failing to follow cookie regulations (the earlier fine was €100 million). The topic of cookie use draws more and more attention from activists as well as regulators – for example, last summer the noyb (None Of Your Business) enforcement platform caused quite a stir by sending over 500 GDPR complaints to companies violating various cookie laws.
- Under GDPR, only certain types of cookies are treated as possibly containing personal data. Under the ePrivacy Directive, however, all cookies except those that are strictly necessary must be treated as if they can be used to build profiles of natural persons and identify those persons. Consent is treated as the only legal basis for saving cookies on visitors’ devices, except for the strictly necessary ones.
- Obligation to obtain consent before saving cookies on visitors’ devices implies the obligation to comply with all requirements regarding consent stipulated by GDPR. Among other things, it means that it must be equally easy to grant or deny consent, and also to withdraw consent at any time.
- An “Accept only necessary cookies” option is a must (it is permissible to use an “Accept selected” option instead, with only the necessary cookies selected by default).
- No pre-checked boxes for optional cookies.
- Having an “Accept all cookies” option is allowed, but making it more prominent than the “Accept only necessary cookies” option is not.
- The “Necessary” cookies must only include those cookies that are strictly necessary to provide the visitor with the requested service or to comply with regulations (for example, those related to security).
- All cookies must be described in clear and plain language.
- All cookies must be categorized in a reasonable and fair way.
- The cookie consent banner must be easily accessible from anywhere.
- All instances of consent being given must be logged. Every individual visitor must be assigned an identifier (that is, you’re not storing information about “John Doe”, you’re storing information about “user with id=7284b9a2-6b16-4d07-8fd9-a38452d0916d”), and every time the visitor gives consent, you must record the date and time consent was given and what, specifically, the visitor in question consented to.
It is important to understand that any consent gathered using a cookie banner that does not comply with one or more of these requirements may be declared null and void, with all the legal consequences that this entails.
As for EU sites, there appears to be a discrepancy between the requirements of GDPR and those of the ePrivacy Directive:
- European websites must always comply with GDPR, but only in regard to cookies that are related to an identified or identifiable natural person.
- The ePrivacy Directive applies to all cookies, but only for end users, and terminal equipment of end users, located in the EU.
It looks like it is not necessary to gather consent for cookies that are not related to an identified or identifiable natural person, or that are saved on terminal equipment located outside of the EU. In practice, though, the only way to benefit from this loophole is to create one’s own mechanism for tracking users’ behavior, as all third-party tracking cookies absolutely do fall under GDPR.
Checking a website for privacy compliance
As far as we know, there is no satisfactory tool or service that can be used to check whether a website is compliant with cookie-related regulations. We recommend that you check your website’s compliance by hand – here’s how:
- You will need to dial the privacy settings down for this test, so unless you fancy changing them back again by hand, we recommend using a browser other than the one you usually use. The “Private Window” feature is, unfortunately, not going to help in this case.
- Disable or remove any ad blocker software and anything else having a similar function.
- Make sure that the most permissive settings related to cookies, privacy, security, safety, protection, tracking, etc. are in effect.
- Add the domain name of the website being tested to the browser’s whitelist (allow list).
- Allow all cookies, including third-party ones.
- Finally, delete all saved cookies.
Checking the website
- Open the website:
  - If the cookie banner does appear:
    - Check the saved cookies – only strictly necessary ones should be saved until the user consents otherwise (i.e. if the user clicks nothing and closes the tab, no other cookies should have been saved).
    - Make sure that the checkboxes that allow optional cookies to be saved are not pre-checked by default.
    - Make sure that the “Accept only necessary cookies” option (or an “Accept selected” option with optional cookies not selected by default) is present.
    - Make sure that the “Accept all cookies” option is present (this is not required by regulations, but is not prohibited either, and it is a very useful option for you).
  - Check the cookies’ categorization in the cookie banner details:
    - Make sure that the “necessary cookies” category contains only technically necessary cookies: session, must-have preferences, etc.
    - Make sure that the categorization of all other cookies is reasonable.
  - Check the descriptions of the cookies:
    - Make sure that all cookies have meaningful descriptions.
  - Check the correct functioning of preferences:
    - Make sure that applying the default selection (the necessary cookies category only) doesn’t result in any other cookies being saved on your device.
    - Make sure that selecting one or more additional categories of cookies results only in cookies from those categories being saved on your device.
    - Make sure that you can easily change cookie settings at any time (i.e. the corresponding direct link or button is always there).
    - Make sure that updating cookie settings results in the corresponding cookies being saved on or removed from your device.
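The cookie checks above (nothing but necessary cookies before consent, only the selected categories afterwards, every cookie described in the banner) and the consent-logging requirement from the first list can be scripted against cookies captured from the browser. The example below is added here and is not a tool from the original article; the declared categories, cookie names and Set-Cookie headers are constructed sample data.

```python
import uuid
from datetime import datetime, timezone
from http.cookies import SimpleCookie
from typing import Dict, List, Set

# Constructed sample: the categorization the banner declares (hypothetical names).
DECLARED_CATEGORIES: Dict[str, str] = {
    "sessionid": "necessary",
    "csrftoken": "necessary",
    "lang": "preferences",
    "_ga": "statistics",
    "_fbp": "marketing",
}


def cookies_from_headers(set_cookie_headers: List[str]) -> Set[str]:
    """Collect cookie names from raw Set-Cookie headers captured during a visit."""
    names: Set[str] = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)          # parses name=value plus attributes (Path, Domain, ...)
        names.update(jar.keys())
    return names


def audit(observed: Set[str], consented: Set[str]) -> Dict[str, List[str]]:
    """Compare cookies present on the device with the categories the visitor consented to.

    'necessary' is always permitted; every other cookie needs a consented category,
    and every cookie must be declared (described) in the banner at all."""
    allowed = {"necessary"} | consented
    findings: Dict[str, List[str]] = {"undeclared": [], "no_consent": []}
    for name in sorted(observed):
        category = DECLARED_CATEGORIES.get(name)
        if category is None:
            findings["undeclared"].append(name)   # not described in the banner
        elif category not in allowed:
            findings["no_consent"].append(name)   # saved without a legal basis
    return findings


def record_consent(visitor_id: str, categories: Set[str]) -> Dict[str, object]:
    """Build one consent log entry: pseudonymous id, UTC timestamp, exact choices."""
    return {
        "visitor_id": visitor_id,                   # e.g. str(uuid.uuid4()), never a name
        "given_at": datetime.now(timezone.utc).isoformat(),
        "categories": sorted(categories),
    }
```

Run `audit(cookies_from_headers(headers), set())` on the headers captured before clicking anything, then again with the categories you selected; both result lists should be empty.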