What Is Necessary in Order to Provide a Comprehensive Cookie Notice?
Brands must explicitly educate users on how they plan to use their personal data on an opt-in basis. Consent is not required for cookies that are used specifically for the collection of “non-sensitive personal data” – like a cookie that is used to track items in a user’s shopping cart. However, if a cookie collects any personal data, which under GDPR includes IP addresses that are tied to users, this could be considered an infringement of the regulation and subject to penalty.
What About Third-Party Cookies?
Though third-party cookies are not owned by the sites they are dropped on, companies that allow these cookies can still be held liable for violations associated with data collection. Basically, a website owner can be held liable for GDPR violations by a third party that is collecting EU personal data by dropping pixels. Under GDPR, it is imperative for organizations that distribute cookies to allow users to express consent before the cookie is dropped. To remain compliant, companies must ensure that personal data or other identifiers are only collected after a user expresses consent. This can be done by launching an opt-in banner immediately when a user enters the site. Clear consent must derive from the use of the cookie for a specific purpose.
The Cookies Directive under GDPR requires websites to alert users of the presence of cookies and explain the kind of cookies being used. The user must be able to refuse or accept cookie placement on their devices. Websites often use pop-up boxes or obvious banners to alert users of the use of cookies.
The different types of cookies that are available should be qualified with your IT provider:
- First Party Cookies: These are cookies collected by your website or app. These cookies are only used by your site or app when the user visits.
- Third Party Cookies: These cookies are used to share information with third parties such as advertisers or social media platforms.
- Session Cookies: These cookies remain active on the user’s browser until it is closed.
- Persistent Cookies: A user’s browser stores these cookies for a specific amount of time before the cookies expire. These are used to perform functions such as keeping a user logged in or for web analytics purposes.
The purpose of a Cookies Policy is to be transparent and comprehensive in disclosing how the cookies benefit you and your website’s users. It is wise to inform your users of whether disabling cookies will cause a malfunction or reduced user experience.
While the GDPR regulations are complex, the attorneys at The Lynch Law Group have more than 50 years of combined experience dealing with international business compliance issues, have been dealing with EU data privacy laws for the last eight years, and are currently advising many companies on their GDPR obligations. We would be happy to use that experience to help your company navigate these regulations and continue to be successful.
For further information, contact any of the attorneys below via email or by calling The Lynch Law Group at (724) 776-8000. Members of our GDPR Compliance Team are:
- Mike Oliverio, firstname.lastname@example.org
- Frank Botta, email@example.com
- Delia Bouwers Bianchin, firstname.lastname@example.org
- Lauren Mathews, email@example.com