Disclaimer: I’m a Software Engineer who has spent a bunch of time working on issues relating to the GDPR from a systems design/security/process point of view. I’m definitely not a lawyer so this is my perspective and not legal advice. If you want legal advice, get a lawyer.
Question: How does the GDPR affect my setting of cookies?
The General Data Protection Regulation (GDPR) protects the personal data of EU residents who are in the EU. This regulation comes into effect 25th May 2018 (see Article 51/Paragraph 4) and has been designed to bring personal data protection up to date, as the previous directive (Directive 95/46/EC) was adopted in 1995 and had fallen well behind modern-day data protection issues.
There is a fundamental change for cookies between the previous directive (and its modernising follow-up, Directive 2002/58/EC) and the GDPR:
- Under Directive 2002/58/EC websites in the EU had to start informing users clearly that cookies were in use, how they were used and what they were used for. It was also required that users could “refuse” to store these cookies – but there was no requirement for a website to provide this refusal functionality, and it was usually implemented by web browser configuration.
- Under the GDPR cookies are clearly identified as “online identifiers”, which in turn are listed as “personal data”. In order to process personal data a data controller needs to have a record of a “clear affirmative” (i.e. opt-in) consent, and therefore this is needed before cookies can be sent to and stored for a website user.
There are other lawful reasons for processing personal data covered under Article 6 “Lawfulness of processing”, but none of these really apply to a general website and its setting of cookies.
Cookies will often be needed by a website for otherwise anonymous users to benefit from all the features of that website, not to mention for those users to then get as far as registering a non-anonymous account and granting other consents. Given this, a separate / simpler cookie consent sub-system is probably a good idea from a GDPR compliance point of view. This system would need to:
- Clearly show information about the cookies being used (why, where, how) and request a clear opt-in consent for these cookies to be used.
- Not send any cookies to a web client unless consent has been granted (most likely signalled by the presence of a consent cookie).
- Record the consent cookie, the date it was created and the information given to the user when they consented. Note that other personal data like the IP address of the client should not be needed (indeed, if it is stored, it’s another bit of personal data that needs to be managed and justified). As cookies will move freely between IP addresses, the important thing (unless security concerns mean the consent cookie needs to be more strictly checked) is just that the consent cookie exists and is valid.
- Provide an opt-out mechanism. This could be as simple as instructions for deleting the consent cookie; however, as a user may have multiple shared-environment browsers (that therefore might be sharing the consent cookies) it might be worth having an actual cookie revocation web page and then also verifying that consent cookies supplied to the site have not been revoked.
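The consent sub-system described in the list above, as an added example that is not code from the original post: a small Python sketch in which the cookie name `cookie_consent`, the HMAC-signed consent id, the in-memory store and the revocation set are all assumptions. The consent cookie itself is the one cookie a site issues before consent exists (at the moment the user opts in); every other Set-Cookie header is held back until a valid, unrevoked consent cookie arrives with the request.

```python
import hashlib, hmac, secrets
from datetime import datetime, timezone

CONSENT_COOKIE = "cookie_consent"  # assumed name of the consent cookie

class ConsentStore:
    """In-memory record of consents and revocations (assumed design, not the post's)."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.records = {}    # consent id -> when granted and what the user was shown (no IP)
        self.revoked = set()

    def _sign(self, cid: str) -> str:
        # HMAC ties the cookie value to this server so a guessed id is not accepted
        return hmac.new(self.secret, cid.encode(), hashlib.sha256).hexdigest()

    def grant(self, notice_text: str) -> str:
        cid = secrets.token_urlsafe(12)
        self.records[cid] = {"granted_at": datetime.now(timezone.utc).isoformat(),
                             "notice": notice_text}
        return f"{cid}.{self._sign(cid)}"   # value to store in the consent cookie

    def is_valid(self, token: str) -> bool:
        cid, _, sig = token.partition(".")
        if cid not in self.records or cid in self.revoked:
            return False
        return hmac.compare_digest(sig, self._sign(cid))

    def revoke(self, token: str) -> bool:
        # Opt-out: a revoked id stays invalid even if a copy of the cookie survives
        cid = token.partition(".")[0]
        if cid not in self.records:
            return False
        self.revoked.add(cid)
        return True

def parse_cookie_header(header: str) -> dict:
    """Minimal parser for a Cookie: request header such as "a=1; b=2"."""
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out

def gate_set_cookie(store: ConsentStore, cookie_header: str, pending: list) -> list:
    """Return the Set-Cookie headers that may go out: all of them when a valid,
    unrevoked consent cookie came in with the request, otherwise none."""
    token = parse_cookie_header(cookie_header).get(CONSENT_COOKIE, "")
    return list(pending) if store.is_valid(token) else []
```

In a real deployment the store would be persistent and `gate_set_cookie` would run as response middleware; the revocation page would call `revoke` with the token from the request.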
Extracts from Directive 2002/58/EC
The following extracts from Directive 2002/58/EC cover the issues discussed above – I have used bold text to highlight specific parts.
However, such devices, for instance so-called “cookies”, can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user’s terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.
Extracts from the GDPR
The following extracts from the GDPR cover the issues discussed above – I have used bold text to highlight specific parts.
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Article (4) Definitions
For the purposes of this Regulation:
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Article 6. Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;