Under the GDPR, the data cookies collect is considered personal if it can identify an individual via their device. If you use cookies that do this, you must gain consent from the user to collect and use that data. But can you do that without turning customers off?

The EU’s General Data Protection Regulation (GDPR) represents the biggest change to people’s data protection rights since 1998. It enforces new standards for data protection which you must comply with to ensure you operate within the law.

One area webmasters now need to treat differently is website cookies. Before GDPR, cookies would often track users without their knowledge, and even when notified of their use, users would have no idea what data was being collected and why.

Users now have the right to know which cookies are tracking them and for what purpose your organisation uses those cookies. Cookies should be split into three distinct categories: (1) those that are essential for the operation of the website; (2) those that the owner of the website will use to target the visitor for future marketing; (3) those that will be shared with third parties for wider marketing activity. And here’s the clincher – you must get users’ consent before you use the non-essential ones (the strictly necessary cookies in the first category are exempt from consent, but still have to be disclosed). If you don’t get consent, you can’t use them.

Lawful basis for processing

To process personal information under the GDPR, your company or organisation must be able to identify a lawful basis for doing so. Personal information comes in many forms and the Information Commissioner’s Office (ICO) has published clear guidance on this. Under the GDPR (Article 6), there are six lawful bases for processing personal data:

1. Consent of the individual

2. Contractual necessity

3. Compliance with legal obligations

4. Vital interests of the data subjects

5. Public interest

6. Legitimate interests

The basis relevant to cookies on websites is the first one: consent.

Consent must be provided by the user in a specific way. It must be freely given, specific, informed, and give “an unambiguous indication of the individual’s wishes.” The GDPR demands transparency, which is key to the approach you should take when implementing cookie tracking notifications on your website.

What constitutes lawful consent?

If you use cookies to track your users and collect personal data, you will need to use a tracking consent pop-up to comply with the GDPR. This should load when the user visits your website for the first time, and the tracking cookies themselves must not be set until the user has opted in. This is because the user must be informed right away, and must have agreed, before you can use cookies that track them.

The aim here is to gain lawful consent from the user, and the only way to do so under the GDPR is to get them to opt in or

What’s interesting right now is there are some very dubious notices out there from leading retailers. Here’s one we grabbed from a leading retailer:

The message itself is fine, but when you click “manage cookies” the user actually gets no choice at all. You are told you can manage cookies “on your device” and there is no opt-out box. This DOES NOT satisfy the GDPR. It is insufficient because under the GDPR, if you say users can manage their cookies you’ve got to enable that. Users must also be able to opt out after opting in, and withdrawing consent must be as easy as giving it. That’s cookies 101.

Oh, and something else – under the GDPR, the notice “By continuing to use our website, you are agreeing to our use of cookies”, or any derivative of it, is insufficient for consent because this is implied consent, which IS NOT a lawful basis for processing. So this notice:

Does not meet the GDPR’s requirements. And this one:

This one, which we grabbed from another leading retailer, is also unlawful. Alarmingly, most of the retailers we have visited use this kind of notice. Both of these notices would be made GDPR compliant with an opt-in box, so the fix is simple.

If you’re in any doubt about that, the ICO says this: “Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.” They also say that, “consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.” Could the guidance be any clearer?

Implementing cookie consent

There is an obvious objection webmasters will raise to displaying a prominent cookie notice on their website: that their customers could be put off using the website. Perhaps this is why so many retailers hide their notices with colours that blend in and use the outlawed practice of implied consent. Whatever the case, there are ways to make your notice lawful and still keep customers on your website.

The simplest way to implement cookie consent is this: give users an initial notice and a simple choice to opt in, and set no non-essential cookies until they do. It really is that simple. And here’s the most important point – it is not mandatory for the notice to give users a choice of which individual cookies they object to, so a simple ‘in’ or ‘out’ box is absolutely fine, provided they can change their mind later just as easily.
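To show what “opt in first, load tracking only afterwards, and let users withdraw” looks like in practice, here is an added example of the consent-gating logic behind such a banner. It is illustrative code written for this page, not code from any retailer or consent vendor; the cookie name `cookie_consent`, the six-month re-consent period, the three categories from the post and the sample script list are all assumptions. Nothing non-essential is allowed through until the record holds an explicit true for that category, a missing answer is an error rather than a yes (so implied consent cannot creep in), and withdrawal is a single call.

```javascript
// Consent-gating logic for a cookie banner (added example, not from the original post).
// Nothing non-essential runs until the user has explicitly opted in, and
// opting out later is one call away. Names and categories below are assumptions.

const COOKIE_NAME = "cookie_consent";                          // assumed cookie name
const CATEGORIES = ["essential", "marketing", "third_party"];  // the post's three segments
const CONSENT_TTL_SECONDS = 180 * 24 * 60 * 60;                // assumed: re-ask after six months

// Default state: no pre-ticked boxes. Only strictly necessary cookies are on,
// and they are not a choice the user can make, so "essential" is always true.
function defaultConsent() {
  return { essential: true, marketing: false, third_party: false, decidedAt: null, version: 1 };
}

// Record a positive opt-in. `choices` must hold an explicit boolean for every
// non-essential category; a missing key is an error, not a "yes", so
// "continuing to browse" can never be turned into consent by accident.
function recordConsent(state, choices, now = Date.now()) {
  const next = { ...state };
  for (const cat of CATEGORIES) {
    if (cat === "essential") continue;
    if (typeof choices[cat] !== "boolean") {
      throw new TypeError(`explicit true/false required for "${cat}"`);
    }
    next[cat] = choices[cat];
  }
  next.decidedAt = now;
  return next;
}

// Withdrawal must be as easy as giving consent: one call resets every
// non-essential category to false and records when that happened.
function withdrawConsent(state, now = Date.now()) {
  return recordConsent(state, { marketing: false, third_party: false }, now);
}

// Given the tags the page would like to load, return only those the current
// consent state permits. Essential scripts always load; everything else waits.
function permittedScripts(state, scripts) {
  return scripts.filter((s) => s.category === "essential" || state[s.category] === true);
}

// Serialise the decision into a Set-Cookie value. The consent record itself is
// a strictly necessary cookie, so it may be written without prior consent.
function consentCookie(state) {
  const value = encodeURIComponent(JSON.stringify(state));
  return `${COOKIE_NAME}=${value}; Max-Age=${CONSENT_TTL_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// Parse a document.cookie-style string ("a=1; cookie_consent=...; b=2").
// Returns null when there is no usable record; the caller must treat null as
// "not decided yet": show the banner and load nothing non-essential.
function parseConsentCookie(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    if (part.slice(0, idx).trim() !== COOKIE_NAME) continue;
    try {
      const state = JSON.parse(decodeURIComponent(part.slice(idx + 1).trim()));
      const shapeOk =
        CATEGORIES.every((c) => typeof state[c] === "boolean") && state.essential === true;
      return shapeOk && typeof state.decidedAt === "number" ? state : null;
    } catch {
      return null; // tampered or malformed record: fall back to "not decided"
    }
  }
  return null;
}

// Whether the banner must be shown: no record, or a record older than the TTL.
function needsBanner(state, now = Date.now()) {
  return (
    state === null ||
    state.decidedAt === null ||
    now - state.decidedAt > CONSENT_TTL_SECONDS * 1000
  );
}

// Constructed sample tag list, in the shape a tag manager might feed in.
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", category: "essential" },
  { src: "/static/remarketing.js", category: "marketing" },
  { src: "https://ads.example/pixel.js", category: "third_party" },
];
```

In the page itself you would call `parseConsentCookie(document.cookie)` on load, show the banner when `needsBanner` returns true, inject only the `<script>` tags that `permittedScripts` returns, write `consentCookie(state)` into `document.cookie` (or a Set-Cookie header) once the user has clicked an opt-in box, and wire a persistent “manage cookies” link to `withdrawConsent` so the opt-out the notice promises actually exists.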

Andy Chesterman