The Cookie Law Explained
The GDPR focuses on organizations collecting freely given consent from their customers before they store or process any of their personal data, which includes dropping cookies on their website. Websites and apps that are used by visitors from the EU must implement a consent banner that complies with GDPR, and it has to have several pieces in place.
Consent Requirements
Under the GDPR, customers need to be fully informed about the types of cookies that are being stored and why they are being stored before the consumer can give them consent. Under the GDPR, consent needs to be:
- Freely-given
- Specific
- Informed
- Unambiguous
Cookie Policy
The GDPR requires organizations to have the following included in their cookie policy:
- What information is collected
- What you do with consumer information
- How you protect consumer information
- If you disclose any information to third parties
- How you store consumer information
- How users may access, migrate, request rectification, restriction or deletion of information
EU Cookie Laws Impact on Businesses
The GDPR and e-Privacy Directive both aim to ensure an appropriate level of confidentiality and security of European Union Residents' data.
The e-Privacy Directive provides a guideline on cookies which is why it was originally known as the “cookie law”. This is not the case with the GDPR as it does not explicitly state any guidelines or requirements based on cookies. The e-Privacy Directive requires organizations to provide comprehensive and easily understandable information with regards to the processing of cookies. These organizations must acquire the informed consent of users before tracking them with cookies. Although the GDPR does not mention cookies specifically, it classifies cookies as an “online identifier,” meaning that it may be considered personal data under certain circumstances.
Read more about EU Cookie Laws
Impact of the EU Guidelines on the U.S.
The E-Privacy Directive does not have a clear extraterritorial scope, which means that if a company does not have any physical presence or operation in the EU, they do not need to comply with the cookie guidelines.
On the other hand, the GDPR has clear extraterritorial scope. It covers the processing of personal data within the EU as well as outside the EU if the organization is offering goods and services to EU data subjects. If an organization's website targets EU consumers in accepting e-commerce payments in Euros as an alternative to U.S. dollars, or if the site's use of cookies amounts to intentionally "monitoring" the behavior of visitors who are in the EU, the GDPR likely applies to the organization.
PII and Cookies
PII (Personally Identifiable Information):
Under Article 9 of the GDPR, sensitive data is defined as the following:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
- trade-union membership;
- genetic data, biometric data processed solely to identify a human being;
- health-related data;
- data concerning a person’s sex life or sensitive data.
Cookie/online identifiers:
Although the GDPR does not talk about cookies specifically, it does mention “online identifiers under Article 4, recital 30 of the GDPR. The article states:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Penalties Due to Non-Compliance
The EU cookie legislation depends on the government to set specific penalties for noncompliance. Here are some of the penalties an organization can face due to non-compliance:
- Regulators can request organizations for information that is stored in the website. This may include:
- Types of cookies your site uses
- Links to the cookie information section
- Identifiers of compliance
- Regulators can ask organizations to make changes to help them be more compliant with the EU guidelines. This can be requested or even enforced to be done in a set amount of time.
- Depending on the country, the organization can face a monetary fine based on the severity of non-compliance.
