Cookie dough: IT recipe — or — legal base [part 1]
- Get 1 website
- Add 100g of cookies
- Search for GDPR and cookie consent in the search engine of your choice
- Open +100500 tabs
- Get lost in the information
- Mix it with a pinch of panic
- Get a cigarette or a coffee
- Read this article
[This article is for a hobby developer who does not want to be bothered by the legal stuff, a mid-level professional developer, or any frontend enthusiast who wants to implement a cookie banner him/herself.]
This is part 1 of the whole story. Read here about the legal background. If you are interested in the UX solutions and the best/worst practices, go to part 2, for the technical implementation — go to part 3.
There are over 136 million Google search results for the query “how to implement cookie consent” — technical ones, legal ones, UX ones etc. This article is a bit of everything to help you get started.
[TL;DR 1: You have to ask for consent whenever any on-site tracking, cookies or share button plugins are involved. No consent is required for the necessary cookies.]
Since you’ve landed here, you already have a basic understanding of cookies or at least you know that you need them. You probably also know that you have to inform about cookie consent options on a website that is served to European users due to the General Data Protection Regulation (GDPR).
Do I have to comply with the GDPR anyway?
Simplified, it comes to these 2 questions:
- Does your website involve any processing of personal data — collection, storage, update, transfer, deletion etc.? If you plan to store cookies, it probably does. More on this in the next section.
- Do you collect data from European Union visitors? You probably do, since you cannot / don’t want to hide your website from all the German, Spanish, French guys. However, the legal interpretation is not as straightforward as that. If you are really interested, you can find comprehensive guidelines on the territorial scope of the GDPR here.
If you need more official information on cookie handling, check the website of the UK Information Commissioner’s Office, Guidance on the use of cookies and similar technologies, or the Guidelines on consent from the Article 29 Working Party [careful, long legal texts!]. The latter also published an opinion on the concept of personal data. It dates back to 2007, but the legal definition has hardly changed. If you don’t get paranoid and see personal data everywhere afterwards, then keep reading this article.
If you are still not really sure whether your case falls under the GDPR, ask an expert; don’t rely on swarm intelligence.
I am not setting any cookies, am I safe?
Cookies, insofar as they are used to identify users, qualify as personal data. But even if you are not setting them yourself, your integrated third-party services are. So, you might still need to get the user’s consent for on-site tracking activities with Google Analytics, Facebook Pixel, HubSpot, plugins, social media buttons etc. It is said that 70% of all cookies being set are third-party cookies and that more than half of them are set by just 25 third-party domains, so watch out!
How do you see what cookies your website is using? Read this article or use some online tools like CookieMetrix (1). YES, it is you, not the third parties, who has to ask the user whether all these cookies are OK to be set, and who has to provide all the legally required information on purpose and duration for each of the cookies. Moreover, if you don’t ask for consent, you can no longer use some of the third-party web services. For example, Google explicitly states this in its policy.
By the way, if you use canvas fingerprinting, session-replay scripts, local shared objects, web storage, web beacons or ultrasonic tracking instead, you are not safe either. Even if the information you collect is not enough to identify a person on its own, the GDPR is strict on that: whenever it can be combined with further data to potentially identify a person, it is personal data.
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Moreover, you should not only look at the GDPR. The ePrivacy Directive a.k.a. the Cookie Law is still there and will be updated soon. It might be the case that you also have to comply with other local regulations: check out the list of data privacy laws around the globe.
Why bother asking for consent?
The answer is as simple as that:
Processing personal data is generally prohibited, unless it is expressly (1) allowed by law, or (2) the data subject has consented to the processing.
Indeed, I have good news for you — not all cookies require consent! Yet this makes the situation even more complicated. Let’s have a closer look at the first legal ground for processing of personal data — “allowed by law”.
The GDPR says:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
[…] (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
According to the official statement of the European Commission (2), no consent is required in the following cases:
- Cookies used for the sole purpose of carrying out the transmission of a communication, such as cookies that allow the processing of web server requests over a pool of machines instead of just one (load balancing).
- Cookies that are strictly necessary to provide an online service that the person explicitly requested, e.g. user-input cookies (cookies used when you ask your users to fill out an online form or when your customers use a shopping basket while purchasing products on your web site), or authentication cookies (when users authenticate themselves on your web site to log in in order to check online services such as their bank account).
Some more examples can be found in the Europe Web Guide of the European Commission:
- User-centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration
- Multimedia content player session cookies, such as flash player cookies, for the duration of a session
- User interface customisation cookies, for a browser session or a few hours, unless additional information in a prominent location is provided (e.g. “uses cookies” written next to the customisation feature)
Note that most of them carry the qualifier “for the duration of a session”. If you (or your third party) want to keep them longer, or use preferences, statistics or marketing cookies, you’d better ask for consent. Want to know the best way to do it? Check out part 2 of this article.
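Two practical questions raised above are “which cookies does my website actually set?” and “which of them are session cookies, which persist, and which come from third parties?”. The following Python script is an added example, not code from the original article or from any tool it mentions. It takes Set-Cookie headers that you have observed on your own site (for instance copied from the browser’s network panel) together with the URL of the response that carried each one, and reports for every cookie whether it is first- or third-party and whether it is a session or a persistent cookie. The site URL, hostnames, cookie names and values are constructed sample data; the flagging rule at the end is a triage heuristic for deciding which cookies deserve a closer look, not a legal classification.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class CookieRecord:
    name: str
    set_by_host: str                  # host of the response that set the cookie
    cookie_domain: str                # Domain attribute, or the setting host if absent
    third_party: bool                 # set by a host other than the audited site
    persistent: bool                  # Max-Age or Expires present, i.e. outlives the session
    lifetime_days: Optional[float]    # None for session cookies


def _is_first_party(host: str, site_host: str) -> bool:
    """True if `host` is the audited site or one of its subdomains."""
    host = host.lstrip(".").lower()
    site_host = site_host.lower()
    return site_host == host or site_host.endswith("." + host) or host.endswith("." + site_host)


def parse_set_cookie(header: str, response_url: str, site_url: str,
                     now: Optional[datetime] = None) -> CookieRecord:
    """Parse one Set-Cookie header value into a CookieRecord."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    set_by_host = urlsplit(response_url).hostname or ""
    site_host = urlsplit(site_url).hostname or ""
    cookie_domain = (attrs.get("domain") or set_by_host).lstrip(".")

    lifetime_seconds: Optional[float] = None
    if "max-age" in attrs:
        # RFC 6265: Max-Age takes precedence over Expires when both are present
        lifetime_seconds = float(int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime_seconds = (expires - now).total_seconds()

    persistent = lifetime_seconds is not None
    return CookieRecord(
        name=name,
        set_by_host=set_by_host,
        cookie_domain=cookie_domain,
        third_party=not _is_first_party(set_by_host, site_host),
        persistent=persistent,
        lifetime_days=round(lifetime_seconds / 86400, 1) if persistent else None,
    )


def audit_cookies(site_url: str, observed: List[Tuple[str, str]],
                  now: Optional[datetime] = None) -> List[CookieRecord]:
    """`observed` is a list of (response_url, set_cookie_header) pairs."""
    return [parse_set_cookie(header, url, site_url, now) for url, header in observed]


def flag_for_consent_review(record: CookieRecord) -> bool:
    """Heuristic: anything that is not a first-party session cookie needs a closer look.
    A first-party session cookie can still require consent if it is not strictly
    necessary (e.g. a session-scoped statistics cookie), so this is triage only."""
    return record.third_party or record.persistent


# Constructed sample data: the audited site and four Set-Cookie headers as they
# might be observed while loading its pages (hostnames and values are made up).
SITE = "https://www.example.com/"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    # login session cookie: first-party, no Max-Age/Expires -> session cookie
    ("https://www.example.com/login", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    # load-balancer affinity cookie: first-party session cookie
    ("https://www.example.com/", "SRV=node-2; Path=/; HttpOnly"),
    # UI preference kept for 90 days: first-party but persistent
    ("https://www.example.com/", "theme=dark; Domain=.example.com; Max-Age=7776000; Path=/"),
    # tracker on another domain, kept for a year: third-party and persistent
    ("https://analytics.example-tracker.net/collect",
     "_vid=987; Domain=.example-tracker.net; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/"),
]

if __name__ == "__main__":
    for rec in audit_cookies(SITE, SAMPLE_RESPONSES, NOW):
        party = "third-party" if rec.third_party else "first-party"
        life = "session" if not rec.persistent else f"persistent, {rec.lifetime_days} days"
        mark = "REVIEW" if flag_for_consent_review(rec) else "ok"
        print(f"{rec.name:<10} {party:<12} {life:<24} set by {rec.set_by_host:<32} {mark}")
```

Run it as-is to see the sample report, or replace SAMPLE_RESPONSES with headers captured from your own site. The two cookies it flags in the sample are the persistent preference cookie and the third-party tracker, which is exactly the pair the article says you should be asking consent for; the two first-party session cookies (login, load balancing) match the “strictly necessary” examples listed above.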
[Disclaimer: you think the author misses the point or provides incorrect information? Blame the author AND provide missing / relevant / correct information in your comments — help other readers (and the author) to get it straight! a.k.a. #learningbysharing]
(1) This is just a random 1st-page-result. I am neither promoting nor recommending any of the tools. Make sure to open them in a private tab if you are checking the websites where you’ve already accepted the cookies.
(2) Please note that the official statements of the European Commission or of the Article 29 Working Party have no direct legal power and should be considered just as a recommendation for the legal interpretation.