Cookies and how to lawfully use them
Written by Richard Bradley, GDPR Consultant
Introduction to cookies
Digital cookies have become a ubiquitous tool in how websites identify visitors, understand their online behaviour, and make browsing more convenient for the user. Cookies are small text files which store data to identify your computer. Cookies aren't necessarily bad. They're useful for encryption, delivering webchats, improving marketing campaigns by personalising the content displayed, and many other digital services. This can make the browsing experience more enjoyable for a user by delivering customised messaging and preferences, such as retaining shopping carts, wish lists or remembering login information.
For domain owners, analytics cookies provide intelligence for marketing purposes, measure the efficacy of advertising, and allow advertisers (including referrers) to be paid for advertising on a website. Analytics cookies are a form of web audience measurement (WAM). These differ from digital cookies in that websites can collect information on how people are accessing them, how long users are spending on the site, the number of visitors, and how long each session lasts. Consent is an important factor with analytics cookies as they don't prohibit users from accessing websites and therefore would not form part of the user request to access a site. Public services such as the NHS use these same cookies to get the best value from and to understand engagement with public health or safety campaigns.
Drawbacks of cookies
Despite the advantages, cookies are not without their problems. Privacy can be an issue as web browsers with cookies enabled will remember the websites you have visited. This information can then be accessed by third parties in the form of advertisers who then target ad campaigns to your browser. Some websites will simply not function as intended if users don't accept cookies. A user's e-commerce customer journey could also be less tailored without accepting cookies.
A user can be identified by a combination of their IP address, their browser version, and device information (online identifiers) as stated in Recital 30 of the GDPR. This allows the person to be digitally tracked without their knowledge. When cookies collect and store information about a user's online habits, it can be used for targeted ads and content. An example is when you're browsing for a new pair of shoes online. You may have spent some considerable time browsing without buying. Next time you visit a different website or Facebook, you may see targeted ads appear around the shoes you looked at. This is an example of cookies tracking your digital presence once they've been stored on your device. Another example could be searching Google for a mobile phone brand and subsequently being targeted with ads from that brand.
None of Your Business
NoYB - European Center for Digital Rights is a legal activism project dedicated to the purity of privacy rights. Its aims are to launch court cases and initiatives in support of the GDPR, the ePrivacy Regulation (ePR), and information privacy in general. It launched 101 model cases in August 2020 - these are 101 complaints filed in 30 EU and EEA member states against companies which still unlawfully transfer website user data between the EU and US to Facebook and Google. The 101 complaints were also brought against Google and Facebook in the US for accepting data transfers, despite this being in violation of the GDPR.
On the 12th of January 2022, the Austrian data protection authority ruled that cookies which transfer personal data to the US, including analytics cookies, without valid consent from the individual are unlawful. A ban is expected to be enforced by the German authorities. The case surrounded an Austrian website's continuous use of Google Analytics and the resulting personal data transfers sent to Google which breached the GDPR. It was found that users were not properly informed of this data capture or given the option of opting-in beforehand. The ruling does not sanction Google themselves but targets the owners of websites using their services. Fines have not yet been imposed, nor has any compensation been awarded.
Website Cookie Checklist - What to Remember
- There are other tracking technologies such as tracking pixels. These pixels help advertisers gather data for online or email marketing. They covertly collect user data, such as how users browse websites and interact with email without their knowledge due to their inconspicuous nature. As there is rarely a route for users to consent to these or reject them, some would say tracking pixels are underhanded.
- Provide clear statements on the purpose and means of the cookies in use on websites. This should be visible to users via a cookie banner and the Privacy Notice on the website.
- Obtain visitors' consent before using any cookies which are not strictly required for access to a website or use of its features.
- Give users easy options for giving or withdrawing consent to cookies (opt in/opt out).
- Ensure that only cookies which are truly essential (for the user) are on by default. The ICO's website has analytics cookies switched "off" by default, so the user would need to opt in to allow the website to collect that data. Opt-in/opt-out options should provide clear, concise and meaningful information relating to cookies at a glance when users first navigate onto a website.
- For analytics cookies, use compliant domestic or self-hosted options. Sending data overseas without permission or where an adequate level of protection for personal data cannot be guaranteed is unauthorised.
- Always ask your analytics provider how they will be handling your visitors' data. Alternatively, you can use self-hosted analytics where data is not sent to other companies or overseas.
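The consent points in the checklist above (essential-only by default, opt-in before non-essential cookies, easy withdrawal), sketched as an added example that is not code from the original article. The `ConsentGate` class, the category names and the cookie names are hypothetical, and a `Map` stands in for the browser cookie store.

```javascript
// Added example. Category and cookie names are hypothetical; a Map stands in
// for the browser cookie store so the logic runs outside a browser.
const CATEGORIES = {
  essential: { requiresConsent: false }, // strictly required for the site to work
  analytics: { requiresConsent: true },  // off until the visitor opts in
  marketing: { requiresConsent: true },
};
const known = (c) => Object.hasOwn(CATEGORIES, c);

class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;           // cookie name -> value
    this.owner = new Map();   // cookie name -> category that set it
    this.granted = new Set(); // no non-essential category is on by default
    this.audit = [];          // record of each consent change
  }
  allowed(category) {
    if (!known(category)) return false; // unknown categories are never essential
    return !CATEGORIES[category].requiresConsent || this.granted.has(category);
  }
  setCookie(name, value, category) {
    if (!this.allowed(category)) return false; // refused: nothing is written
    this.jar.set(name, value);
    this.owner.set(name, category);
    return true;
  }
  grant(category) {
    if (!known(category) || !CATEGORIES[category].requiresConsent) return;
    this.granted.add(category);
    this.audit.push({ category, action: "grant", at: new Date().toISOString() });
  }
  withdraw(category) {
    if (!this.granted.delete(category)) return; // nothing to withdraw
    // Withdrawal also removes cookies already set under that consent.
    for (const [name, cat] of this.owner) {
      if (cat === category) {
        this.jar.delete(name);
        this.owner.delete(name);
      }
    }
    this.audit.push({ category, action: "withdraw", at: new Date().toISOString() });
  }
}
```

In a browser, `setCookie` would wrap `document.cookie`, and the same gate would decide whether an analytics script is loaded at all.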