Cookie compliance in a GDPR age

In recent years, the term “cookie compliance” has become a commonplace term for those who wish to do business online. And there is a good reason for that: the General Data Protection Regulation (GDPR).

As a result, a quick search online will reveal a wide array of cookie checker tools, but knowing which cookies are active on your site is not sufficient to become compliant with the GDPR. You must, among other things, also control them and then hand that control over to your users. Keep reading for a short introduction to cookies and the GDPR.

Cookies are vital for the digital economy

Almost every website uses cookies, and chances are that the website where you have found this article is also running on cookies. Cookies are small text files that collect and contain information about a website’s visitor. There are four categories of cookies: necessary cookies, preference cookies, statistics cookies, and marketing cookies. Cookies were invented in the early 1990s and are named after the real-life fortune cookies.

Upon first contact with a website, the website will place cookies in the visitor’s browser. The cookies then gather information such as IP address, device specification, location, etc. Should the visitor return to the website at a later time, the website can recognize the visitor and use the information from the cookies to give the returning visitor a pleasant user experience. However, not all cookies exist to improve the user experience, as the majority of active cookies on the world wide web are statistics and marketing cookies.

Statistics and marketing cookies are typically provided by third-party services like Google and Facebook, and their main purpose is to collect data on the website visitor’s online behavior. This information can then be used to optimize the website for conversions, and the cross-site tracking nature of most marketing cookies enables website owners to let their display ads follow their visitors around the internet.

The GDPR reversed the power balance

The GDPR, the most significant data protection initiative in 20 years, came into effect on May 25th, 2018. The purpose of the GDPR is to give individuals in the EU control over how their data is used. This is done by setting strict requirements for organizations that collect and process personal information about their users, including demands for transparency, valid user consent, and documentation.

This means that if your website caters to users from the EU, or your website just happens to have visitors from the EU by coincidence, then you are obligated to follow the regulations of the GDPR.

An important aspect of the GDPR is giving end users control of their data, which includes guidelines on how they can revoke their consent and have their data forgotten.

Should an organization fail to become compliant with the GDPR, the organization can face heavy fines of up to €20 million or 4% of the organization’s global yearly turnover, whichever is higher.