What GDPR Means For Your Cookies Policy

Your Cookies Policy Should Be Transparent and Comprehensive


Cookies are pieces of tracking data that are placed by websites on users’ browsers. They serve several different purposes. For example, websites might use cookies to track whether a user is logged into an account, whether they’ve added or removed items from their shopping cart, or to track browser history to create more personalized user experiences.

What Is Necessary in Order to Provide a Comprehensive Cookie Notice?

Brands must explicitly educate users on how they plan to use their personal data, on an opt-in basis. Consent is not required for cookies that are used specifically for the collection of “non-sensitive personal data”, like a cookie used to track items in a user’s shopping cart. However, if a cookie collects any personal data, which under GDPR includes IP addresses that are tied to users, setting it without consent could be considered an infringement of the regulation and subject to penalty.

What About Third-Party Cookies?

Though third-party cookies are not owned by the sites they are dropped on, companies that allow these cookies can still be held liable for violations associated with data collection. In other words, a website owner can be held liable for GDPR violations by a third party that collects EU personal data by dropping pixels. Under GDPR, it is imperative for organizations that distribute cookies to allow users to express consent before the cookie is dropped. To remain compliant, companies must ensure that personal data or other identifiers are only collected after a user expresses consent. This can be done by launching an opt-in banner immediately when a user enters the site. Consent must be clear and tied to the specific purpose for which the cookie is used.

Cookies Policy

Your Cookies Policy should provide detailed and specific information about the cookies your website uses. The policy should explain the use of cookies and how a user can limit or prevent the placement of cookies on a device. Your Cookies Policy can be a standalone page on your website or it can be integrated with your Privacy Policy.

The Cookies Directive under GDPR requires websites to alert users to the presence of cookies and explain the kind of cookies being used. The user must be able to refuse or accept cookie placement on their devices. Websites often use pop-up boxes or obvious banners to alert users to the use of cookies.

Confirm with your IT provider which of the following types of cookies your site uses:

  1. First-Party Cookies: These are cookies set by your website or app. They are only used by your site or app when the user visits.
  2. Third-Party Cookies: These cookies are used to share information with third parties such as advertisers or social media platforms.
  3. Session Cookies: These cookies remain active on a user’s browser until the browser is closed.
  4. Persistent Cookies: A user’s browser stores these cookies for a specific amount of time before the cookies expire. They are used to perform functions such as keeping a user logged in or for web analytics purposes.

The purpose of a Cookies Policy is to be transparent and comprehensive in disclosing how the cookies benefit you and your website’s users. It is wise to inform your users of whether disabling cookies will cause a malfunction or reduced user experience.
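As an added example that is not part of the original post, the following Node.js code shows one way to enforce the consent rule from the third-party cookies section (no non-essential cookie is set before the user opts in) and to generate the detailed disclosure described in the Cookies Policy section from the same source of truth, so the policy cannot drift from what the site actually sets. The cookie names, categories, durations and the "consent" cookie format are constructed for illustration.

```javascript
// Added example (not the post's code): one cookie catalogue drives both the
// consent gate and the Cookies Policy disclosure. Names/values are constructed.
const ONE_YEAR = 60 * 60 * 24 * 365;
const OPT_IN_CATEGORIES = ['analytics', 'advertising'];
const COOKIE_CATALOGUE = [ // maxAge null = session cookie, number = persistent
  { name: 'cart_id', category: 'necessary', maxAge: null, purpose: 'Keeps your shopping cart for this visit' },
  { name: 'sid', category: 'necessary', maxAge: null, purpose: 'Keeps you logged in for this visit' },
  { name: 'site_ga', category: 'analytics', maxAge: ONE_YEAR, purpose: 'Web analytics; identifies your browser across visits' },
  { name: 'ad_pref', category: 'advertising', maxAge: 30 * 86400, purpose: 'Shared with advertising partners to personalise ads' },
];

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Categories opted into via our own "consent" cookie; none yet = necessary only.
function grantedCategories(cookieHeader) {
  const chosen = (parseCookies(cookieHeader).consent || '').split(':');
  return new Set(['necessary', ...OPT_IN_CATEGORIES.filter(c => chosen.includes(c))]);
}

// Set-Cookie headers for the given values, dropping any cookie whose category
// has not been consented to. Session cookies carry no Max-Age.
function setCookieHeaders(cookieHeader, values) {
  const granted = grantedCategories(cookieHeader);
  return COOKIE_CATALOGUE
    .filter(c => c.name in values && granted.has(c.category))
    .map(c => `${c.name}=${values[c.name]}; Path=/; Secure; HttpOnly; SameSite=Lax`
      + (c.maxAge === null ? '' : `; Max-Age=${c.maxAge}`));
}

// Persist the banner choice itself (remembering a refusal is also necessary);
// unknown category names are ignored.
function recordConsent(categories) {
  const chosen = OPT_IN_CATEGORIES.filter(c => categories.includes(c));
  return `consent=${chosen.join(':')}; Path=/; Secure; SameSite=Lax; Max-Age=${ONE_YEAR}`;
}

// Rows for the Cookies Policy page, generated from the same catalogue.
function policyRows() {
  return COOKIE_CATALOGUE.map(c => ({
    name: c.name, category: c.category, purpose: c.purpose,
    duration: c.maxAge === null ? 'session' : `${Math.round(c.maxAge / 86400)} days`,
  }));
}
```

On a first visit (no consent cookie) only the two session cookies are issued; after the banner records `consent=analytics`, the persistent analytics cookie is added while the advertising cookie is still withheld.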

Pittsburgh Corporate Attorneys

While the GDPR regulations are complex, the attorneys at The Lynch Law Group have more than 50 years of combined experience dealing with international business compliance issues, have been dealing with EU data privacy laws for the last eight years, and are currently advising many companies with their GDPR obligations.

We would be happy to use that experience to help your company navigate these regulations and continue to be successful. Please contact Frank Botta by phone at 724-776-8000 or by emailing fbotta@lynchlaw-group.com.
