Guide: How to become cookie compliant

Cookies are a helpful - and necessary - tool for website owners, as they can store many different types of data, which are imperative to a well-functioning website. They are also a tool used by advertisers and ad-tech to track users’ online activity, enabling website owners to target visitors to their site with relevant ads.

We have made this guide to provide those working with cookies in the EU with an overview of the legal landscape, an awareness of the different types of cookies out there, and what businesses need to do to stay compliant. The rules and information outlined in this guide are relevant for businesses operating in Europe.


Disclaimer (6 April 2020): The information on this page is not intended as legal advice and shouldn’t be considered as such. We strongly recommend that you seek legal advice if you’re unsure as to how to become compliant and your use of Legal Monster. Please also keep in mind that these recommendations are not exhaustive and that more requirements might be applicable to your business.

Staying compliant with cookies

If you want to use cookies on your website there are some key things you need to do in order to be compliant. The key requirements around cookie compliance are governed by both privacy and cookie rules. There are different types of cookies, and the requirements for ensuring compliance differ depending on a number of things. To help you get a better overview of this, we will cover the following topics in this guide:

Key legislation affecting cookies

There are a number of rules affecting how cookies can be used in the EU. They are:

The EU Cookie Directive - also known as the E-Privacy Directive (from 2009)

The EU Cookie Directive regulates the definition of cookies (which also covers other forms of online tracking technology) and how cookies can be used. The definition of cookies also includes device fingerprinting, so the EU Cookie Directive applies to more than just cookies. The EU Cookie Directive states that a person must not store, or gain access to, information stored on another person’s computer unless specific requirements are met. These include that they (a) give clear and comprehensive information about the purpose of the storage of, or access to, that information; and (b) obtain consent from the person to the use of the specific cookies.

ePrivacy Regulation (pending)

The ePrivacy Directive is set to be replaced with the ePrivacy Regulation. It was supposed to be passed and come into effect in 2018, but is yet to be passed. The focus in the new law was supposed to “...address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.” (gdpr.eu).

Cookies and the GDPR (from 2018)

The GDPR is one of the biggest and most comprehensive laws protecting the privacy of individuals’ data in the EU. Although the use of cookies is mentioned only once in the GDPR (Recital 30), that mention relates to how cookies may retain personal information: it states that cookies used to identify users may qualify as personal identifiers, and therefore be subject to the GDPR. The GDPR also regulates the requirements for obtaining a compliant consent. For this reason, it is a requirement that consent be obtained before you are legally permitted to process website users’ data. In general the law states that legal consent should be: given freely, revocable, informed and explicit.

Cookie authorities in Europe

In the EU, it is the job of the data protection authorities in each EU country to enforce the cookie rules and issue guidelines regarding cookie compliance. Below you can find a list of some of the European data protection authorities who have issued relevant cookie guidelines:

How to achieve cookie compliance

There are many requirements you must live up to in order to ensure cookie compliance. You need to:

  • Know what cookies you are using and why
  • Have a cookie banner on your website
  • Obtain consent from your website visitors before you set non-necessary cookies
  • Ensure your users can change their cookie settings easily, and that the information you provide is comprehensible
  • Have an easily accessible cookie policy on your website
  • Have an audit trail, so you can document the cookie consents you obtained when users gave their consent, including the wording used in the cookie banner to obtain this consent. Remember to log and store the cookie consents for the duration required by law, e.g., in some countries up to 5 years
  • Be aware of the difference between necessary and non-necessary cookies, and follow the requirements for consent before tracking for non-necessary cookies
  • Be mindful of what the cookies you have obtained consent for are actually used for - does this fit the purpose the consent was given for?

In the following we have provided more information about different types of cookies.

Necessary and non-necessary cookies

There are different types of cookies, each with different legal requirements, depending on whether they are necessary or non-necessary cookies. This is an important factor in determining whether you need to obtain consent from your users before cookies can be set.

Necessary cookies:

The purpose of necessary cookies is to secure and ensure the core functionality of your website. You do not need consent from a user to use these. They are also known as essential cookies. They are not the same as helpful cookies that merely give the user a better experience. Necessary cookies are cookies that:

  • Remember what products a user placed in their online basket and make sure that those products are shown at the point of checkout, e.g. when the user is entering their personal details.
  • Are security cookies that make it possible for website owners to comply with security requirements, e.g. in regard to online payments.

Non-necessary cookies:

There are a number of different non-necessary cookies. Also known as non-essential cookies, they are used for things such as collecting personal data for marketing, remarketing and analytical purposes. To ensure compliance, you need to obtain consent from a user before you can legally begin to track them with the use of non-necessary cookies. Here are some examples of non-necessary cookies:

  • Analytical cookies
  • Marketing cookies
  • Functional cookies
  • Preference cookies
  • Remarketing cookies
  • Social media sharing cookies

Below you can see a description of the different cookie categories and whether they are necessary or non-necessary.

  • Cookies that are strictly necessary for your website to work (necessary cookies): These types of cookies remember the goods a user wishes to buy when they go to the checkout, or add goods to their shopping basket. These are also cookies that are essential in order to comply with security requirements in regard to an activity a user has requested, e.g. in connection with online banking services.
  • Statistics cookies (non-necessary cookies): Help to collect data about how users are using your website, web traffic and other stats.
  • Preference cookies (non-necessary cookies): Can be used to recognise a user when they return to your website so you can tailor the experience they receive.
  • Marketing cookies (non-necessary cookies): Advertising cookies.
  • Remarketing cookies (non-necessary cookies): Advertising cookies.

It is not only important to know what type of cookies you are using. You also need to know:

  • Which of the cookies you use are first party cookies,
  • Which of the cookies you use are third party cookies,
  • The difference between session cookies and persistent cookies,
  • Who your cookie providers are,
  • The expiry of each cookie.

First and third party cookies:

When we are talking about first and third party cookies, the focus is on whether a cookie is placed by the website the user is visiting or by a third party.

First-party cookies are set directly by the website that a specific user is visiting. This means that when a user is visiting a website that specific website is placing a cookie.

Third-party cookies are set by a domain other than the website / URL that the user is visiting. These types of cookies come, for example, from social media plugins, images or advertising: when a user is visiting website A, which has a social media plugin, the social media platform will place a cookie in that user’s browser. Google, Safari and Firefox have all announced that they either are, or in the near future will be, blocking third-party cookies in their web browsers.

From a privacy standpoint third party cookies are seen as more privacy-intrusive than first party cookies but both types of cookies are regulated by the EU Cookie Directive and the GDPR.

Session cookies and persistent cookies:

Session cookies - Temporary cookies that expire when the user closes their browser, or the session ends. Typically session cookies are used to remember what a user put in their basket while browsing your website. Because session cookies expire when the browser is closed or the session ends, they are often seen as less privacy intrusive than the other category, persistent cookies.

Persistent cookies - Cookies that keep tracking your users for a period longer than a session; that is, they continue to work after the session ends. In theory they can be set for a long time, even years, but there is no guarantee that they will last that long, as a user can reset their cookie settings as often as they would like to. They often work across different sites and make it possible for a user’s preferences to be remembered after the user leaves the site.

The cookie rules, including the GDPR and the EU Cookie Directive, apply to both session and persistent cookies.

Cookie providers

It's important that you know who your cookie providers are. The reason is that you are responsible for any cookies you place on your website and this also entails being accountable for your cookie providers, including how they are processing and handling data collected via the cookies.

You therefore need to state who your cookie providers are in your cookie policy and in connection with obtaining consent from your users. Read more about this below.

Cookie expiry

The maximum amount of time a cookie can be set for varies. This is known as the cookie’s expiry and depends on the type of cookie, the usage of the cookie, the purpose for which you are using the cookie and the consent you obtained from the user.

Many cookie providers have a standard expiry period, e.g. 30 or 90 days, but this doesn’t mean that this duration is appropriate. You, as the website owner, need to review and assess each cookie’s duration and determine the correct expiry period. Remember to document your decision, including why you came to the conclusion that e.g. 30 days is the right duration for the specific cookie.
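The inventory the guide asks for (which cookies are first or third party, which are session or persistent, who the providers are, and what each cookie’s expiry is) can be built from the Set-Cookie headers a site and its embedded providers send. The following is an added example, not code from the original guide or from Legal Monster: it parses constructed Set-Cookie headers, classifies each cookie relative to the visited host, and flags persistent cookies whose lifetime exceeds the period the site owner has documented as appropriate. The host names and the per-cookie review limits are placeholders, and the site comparison is simplified to two labels (a production implementation would use the public suffix list).

```javascript
// Added example (not from the original guide): build a cookie inventory from
// Set-Cookie headers so each cookie can be classified as first- or third-party,
// session or persistent, and its expiry reviewed. Sample headers and host names
// below are constructed placeholders.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('=').trim(), attributes: {} };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    cookie.attributes[key] = eq === -1 ? true : attr.slice(eq + 1).trim();
  }
  return cookie;
}

// Simplified "site" of a host: its last two labels. Assumption for this example;
// a real implementation must consult the public suffix list (e.g. "co.uk").
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Classify a parsed cookie relative to the host the user visited.
// `responseHost` sent the header; `now` is the Date the header was received.
function classifyCookie(cookie, responseHost, visitedHost, now) {
  const attrs = cookie.attributes;
  const provider = (typeof attrs.domain === 'string'
    ? attrs.domain.replace(/^\./, '') : responseHost).toLowerCase();
  const party = siteOf(provider) === siteOf(visitedHost) ? 'first-party' : 'third-party';

  // Max-Age takes precedence over Expires (RFC 6265, section 4.1.2.2).
  let expiresAt = null;
  if (typeof attrs['max-age'] === 'string') {
    expiresAt = new Date(now.getTime() + Number(attrs['max-age']) * 1000);
  } else if (typeof attrs.expires === 'string') {
    const d = new Date(attrs.expires);
    if (!Number.isNaN(d.getTime())) expiresAt = d;
  }
  // No Max-Age/Expires means the cookie lives only for the browser session.
  const kind = expiresAt === null ? 'session' : 'persistent';
  const lifetimeDays = expiresAt === null ? 0 : Math.round((expiresAt - now) / 86400000);
  return { name: cookie.name, provider, party, kind, lifetimeDays };
}

// Review step: flag persistent cookies that outlive the documented limit for
// that cookie. A cookie with no documented limit is flagged as well.
function reviewInventory(inventory, maxDaysByName) {
  return inventory.filter((c) => c.kind === 'persistent'
    && c.lifetimeDays > (maxDaysByName[c.name] ?? 0));
}

function buildInventory(responses, visitedHost, now) {
  return responses.map((r) => classifyCookie(parseSetCookie(r.header), r.host, visitedHost, now));
}

// Constructed sample: headers observed while loading www.example.test.
const VISITED_HOST = 'www.example.test';
const SAMPLE_RESPONSES = [
  { host: 'www.example.test', header: 'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax' },
  { host: 'www.example.test', header: 'basket=42; Path=/; Max-Age=86400; Secure' },
  { host: 'ads.tracker.test', header: 'uid=xyz; Domain=.tracker.test; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None' },
];
// Documented review limits (placeholders): basket may live 1 day, uid at most 365 days.
const REVIEW_LIMITS = { basket: 1, uid: 365 };

const inventory = buildInventory(SAMPLE_RESPONSES, VISITED_HOST, new Date('2025-01-01T00:00:00Z'));
console.log(inventory);
console.log('needs review:', reviewInventory(inventory, REVIEW_LIMITS).map((c) => c.name));
```

Run with `node` and the output lists the session cookie as first-party with no expiry, the basket cookie as a one-day first-party persistent cookie, and the tracker cookie as a third-party persistent cookie from `tracker.test` that exceeds its documented limit and therefore needs review.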

Why do you need a cookie policy?

A cookie policy describes how you use cookies, for what purpose, what types of cookies you are using and when the cookies expire. You are required to tell users about the cookies when they visit your website; this could be in the form of a cookie banner, which you can read more about below. You also need to make sure that you give them detailed information about your cookies. This information is typically found in, or as a subsection of, your privacy policy, or in a separate cookie policy. The cookie policy (whether it's incorporated into your privacy policy or a separate policy) needs to be accessible from your cookie banner and also directly on your website, either at the top or the bottom of your website. Don’t hide it on subpages; you have to make sure that your users can find it - easily - otherwise your cookie setup won’t be compliant.

What you need to include in your cookie policy

Your cookie policy needs to include:

  • A description of why, how and what you use cookies for
  • A definition of what a cookie is
  • A description of the different types of cookies on your website and how you use them, including but not limited to
    • Necessary or essential cookies
    • Performance cookies
    • Functionality cookies
    • Targeting and advertising cookies
    • Third party cookies employed on your website
    • Your agreement (or lack thereof) with third-party providers, declaring whether or not you have reviewed the third-party vendors’ privacy and cookie policies and cookie use
    • How users can control their cookie settings, how they can opt out of being tracked, and whether this will impact their use of the website (necessary cookies only).
  • Letting the user opt out of being tracked; it is required that this is easy for the user to find and do

Remember to draft your cookie policy in a way so that people can actually understand it. Avoid very complex and lengthy sentences.

Furthermore, you should also think about the design of your policy. Many authorities, including the ICO and the Danish authorities, are recommending that policies be split up into sections so that each section can be “unfolded” making it easier for the user to read and understand the content of the policy - instead of being a 10 page wall of text.

Why do you need a cookie banner?

A cookie banner is used by many websites as a way to inform their users about cookies and give the users the ability to accept or reject non-necessary cookies.

So your cookie banner is the way you can get your users to consent to or reject your cookies, and provide them with the required information (see below).

What do you need to include on your cookie banner?

Your cookie banner should present your users with:

  • An option to accept or reject non-necessary cookies
  • An explanation of what cookies you are using, including information about your necessary cookies and their purpose
  • A link to your cookie policy
  • Information about your cookie providers
  • Information about who you will be sharing the information with

To be compliant, your banner must not include pre-ticked buttons or fields. The user needs to make the decision themselves as to whether they want to give consent to non-necessary cookies or not.

What if your use of cookies changes?

If you start to use new cookies, or if you significantly change the way you are using your current cookies, you need to obtain consent from users again. This means that if you are adding new cookies or changing the purposes of the cookies you are already setting on your website, you need to make sure that your users (including those who have already given consent) are asked to consent to or reject your cookies. I.e. your consent banner should reappear and users should be asked to make an informed choice about this new activity.
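The checklist above (set non-necessary cookies only after consent, no pre-ticked choices, keep an audit trail that records the banner wording) and the rule that changed cookie purposes require fresh consent can be combined in one small piece of logic. The following is an added example, not code from the original guide or from Legal Monster: each consent record carries a version derived from the exact banner text and purposes the user saw, the cookie gate permits only the categories the user explicitly opted into, and a consent given under an older version is treated as absent. The category names, the FNV-1a version hash and the in-memory log are this example’s own choices.

```javascript
// Added example (not from the original guide): consent record with an audit
// trail, a gate for non-necessary cookies, and a re-consent check that fires
// when the banner wording or the cookie purposes change.

// Categories as the guide describes them; only "necessary" needs no consent.
const CATEGORIES = ['necessary', 'statistics', 'preferences', 'marketing'];

// Small non-cryptographic hash (FNV-1a, 32-bit) used only to derive a stable
// policy version from text; chosen so the example has no dependencies.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

function sortObject(obj) {
  return Object.fromEntries(Object.keys(obj).sort().map((k) => [k, obj[k]]));
}

// Any change to the wording shown or to a purpose yields a new version,
// which is what invalidates consents obtained under the old text.
function policyVersion(bannerText, purposesByCategory) {
  return fnv1a(JSON.stringify({ bannerText, purposes: sortObject(purposesByCategory) }));
}

// Nothing non-necessary is pre-ticked.
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, c === 'necessary']));
}

// Build the record stored in the audit trail. `choices` must come from an
// explicit user action; only a strict boolean true counts as opting in.
function recordConsent(userId, choices, bannerText, purposesByCategory, now) {
  const granted = defaultChoices();
  for (const c of CATEGORIES) {
    if (c !== 'necessary' && choices[c] === true) granted[c] = true;
  }
  return {
    userId,
    timestamp: now.toISOString(),
    policyVersion: policyVersion(bannerText, purposesByCategory),
    bannerText,                                   // wording the user actually saw
    purposesByCategory: sortObject(purposesByCategory),
    granted,
  };
}

// Gate: may a cookie of this category be set for this user right now?
function mayStoreCookie(category, consentRecord) {
  if (category === 'necessary') return true;
  if (!consentRecord) return false;
  return consentRecord.granted[category] === true;
}

// A record is only valid for the version it was given under.
function needsReconsent(consentRecord, currentBannerText, currentPurposes) {
  if (!consentRecord) return true;
  return consentRecord.policyVersion !== policyVersion(currentBannerText, currentPurposes);
}

// Append-only in-memory log. A real deployment persists entries for the period
// the law requires and never edits them in place.
class ConsentLog {
  constructor() { this.entries = []; }
  append(record) { this.entries.push(Object.freeze({ ...record })); return this.entries.length; }
  latestFor(userId) {
    for (let i = this.entries.length - 1; i >= 0; i--) {
      if (this.entries[i].userId === userId) return this.entries[i];
    }
    return null;
  }
}

// Constructed sample banner and purposes (placeholders).
const BANNER_V1 = 'We use cookies for statistics and marketing. Accept or reject below.';
const PURPOSES_V1 = {
  necessary: 'Keep you logged in and remember your basket',
  statistics: 'Measure site traffic',
  marketing: 'Show relevant ads',
};

function sampleRun() {
  const log = new ConsentLog();
  const now = new Date('2025-01-01T12:00:00Z');
  log.append(recordConsent('user-1', { statistics: true }, BANNER_V1, PURPOSES_V1, now));
  const rec = log.latestFor('user-1');
  const decisions = {
    necessary: mayStoreCookie('necessary', rec),
    statistics: mayStoreCookie('statistics', rec),
    marketing: mayStoreCookie('marketing', rec),
  };
  // Extending the marketing purpose to remarketing changes the version, so the
  // banner must be shown again even though the user consented before.
  const purposesV2 = { ...PURPOSES_V1, marketing: 'Show relevant ads and remarketing' };
  return { decisions, reconsent: needsReconsent(rec, BANNER_V1, purposesV2), entries: log.entries.length };
}

console.log(sampleRun());
```

The record keeps the banner text and purposes verbatim rather than only a hash, so that the wording shown at the time of consent can be produced later from the log itself; the hash is only the comparison key.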

Working with Cookie Consent Systems

A cookie consent system, also known as a consent management platform or consent management solution, lets you keep track of your cookie consents and documentation easily.

With Legal Monster you can collect and document consent for the cookies you use on your site. We use geotargeting to ensure that you collect the right consent in specific markets depending on the jurisdiction of the user or customer. Our solution scans your website and detects which cookies you use. With Legal Monster you get a full audit trail, so you can prove consents to a data authority if you need to.
