Are Cookies Personal Data under the GDPR?
What is a cookie even? Cookies are packets of data/small text files that websites place on your device as you browse through websites. When you visit a web page, the website sends the cookie to your computer. Cookies are intended to help a user of a website access that site faster and more efficiently. They help the website keep track of a user’s visits and activity, store passwords on commonly used sites, etc. and are used only when a person is actively navigating a website.
Recital 30 of the GDPR states that online identifiers, even if they are pseudonymous or do not directly identify an individual, may still be considered personal data if there is a chance for an individual to be identified:
(30): “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
So, when cookies can identify an individual, they are personal data.
With the GDPR, there are a handful of other requirements:
- Implied consent is no longer compliant – users must take affirmative action to signal their consent;
- Recommending to a user to adjust their browser settings is not sufficient – the GDPR requires that consent must be easy to withdraw so telling users to block cookies if they do not consent won’t work;
- Adding statements like ‘by using this site, you accept cookies’ will not be compliant – there has to be valid, affirmative consent and not assumed consent;
- Opt-out – even if a user provides consent, there has to be a clear, direct way for a user to withdraw that consent;
- Do Not Track requests – in line with the opt-out, to be complaint, sites are required to give the user a way to exercise their right to object to profiling;
- Sites must provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received;
- Sites must document and store consent received from users and have proper processes in place to deal with Do Not Track and Opt-out requests; and
- While the cookie law does not require a site to individually list any third-party cookies, it does require that the category and purpose of the third-party cookies are stated.
Bottom line is that while not all cookies are used in a way that could potentially identify an end user, the majority are and will be subject to the GDPR. This includes cookies for active behaviors like continued browsing, clicking, scrolling as well as those specifically for advertising, survey and chat tools, and analytics purposes.