Cookie Laws and the GDPR

Here are some typical FAQs which we commonly encounter:

Does the GDPR cover cookies?

While the GDPR touches on cookies only in a “recital”, it’s generally felt that cookies are caught by the GDPR.

What are the GDPR principles relevant to cookie consent?

1. Consent requires a positive, unambiguous step.
2. Users must be very clear what they are consenting to.
3. Consent must be given before cookies are placed (except those which are “strictly necessary”).
4. It must be easy for users to opt out of different kinds of cookies at any time.
5. User consents must be recorded.

What should the cookie consent notice say?

There are many different kinds of cookie consent models. Many people think that under the GDPR it’s reasonable to proceed on the basis of “soft opt in”. This tells users that you will place cookies if they continue to use the site. Cookies are then only set if the user either clicks an “ok” (or similar) button or navigates to another page on the site. This notice must stay prominently in place until the user takes that further action. The cookie choices should be spelt out clearly in the message but this can be “layered”.

For example, the initial notice might say something like: “This site uses cookies, including to analyse traffic, for social sharing, to measure / personalise ads” (change as necessary). Or you might use something a bit more general eg: “Your cookie choices. We use cookies to make the site work better and give you the best user experience.” That said, the more specific your notice, the better. (See also Google’s suggested wording at www.cookiechoices.org.)

The initial notice should also include both an acceptance button (e.g. “OK”, “I’m fine with this.”, “I accept” etc) and a separate information button (e.g. “Information and Settings”, “Cookie Preferences”, “More Info”). The information button should lead to a location (often a second banner or pop up and/or a link to the cookies section of the privacy policy) where the user can get more detailed information about the different kinds of cookies on your site and opt out.

What about cookie consent tools?

If not already done, you may want to talk to your web developer about using a suitable GDPR-compliant cookie consent tool. Google lists some suggested tools on www.cookiechoices.org. The Information Commissioner’s Office itself uses “Cookie Control”, so that might not be a bad place to start.

The advantage of these tools is that they can help you to present the cookie information and options in a prominent, clear and comprehensible way to your users – the kind of thing which the GDPR likes to hear!

What does Google have to say about cookies?

Note that users of Google services (eg analytics / ads) must also comply with Google’s EU user consent policy at https://www.google.com/about/company/user-consent-policy.html including the need to obtain and record users’ consent to the use of cookies and to personalisation of ads. See also:

• https://www.google.com/about/company/user-consent-policy-help.html (useful guidance).
• www.cookiechoices.org (Google’s cookie advice website).