Cookies & GDPR Checklist: Do’s & Don’ts

Since 25 May 2018, website operators have been asking themselves whether cookies fall under the GDPR (DSGVO) at all, or whether they will only be regulated by the forthcoming ePrivacy Regulation. What is the actual legal basis, and which of the myths surrounding cookies are true and which are false?

We clarify all unanswered questions and clear up the myths and rumors surrounding cookies and GDPR.

"Cookies are not personal data, which is why GDPR does not apply."

This statement is not entirely correct. The General Data Protection Regulation regulates the processing of personal data. Data is personal if the information can be used to identify a person. According to recital 30 of the GDPR, identification is also possible via online identifiers such as IP addresses or cookie identifiers. It therefore depends on the type of cookie involved and whether it enables the processing of personal data.

Thus, the assumption that cookies will only be regulated under the future ePrivacy Regulation is also wrong. This misunderstanding is probably due to the fact that the ePrivacy Regulation is intended to replace the ePrivacy Directive of 2002 and the Cookie Directive of 2009. However, the forthcoming ePrivacy Regulation will cover the processing of electronic communications data, even where there is no personal reference. Read more about ePrivacy below.

"I don't need a cookie banner."

As a rule, cookies collect personal data irrespective of the purpose they serve, which makes informing users more important than ever. The website operator is therefore obliged to inform the user of the website about the collection and processing of his or her personal data. The duty to provide information covers not only exactly which data are collected, but also how they are processed, for what purpose and on what legal basis. Furthermore, the website operator must provide information on how long the data is kept and how the user can object to the processing of the data.

Since most cookies may only be loaded with the prior consent of the user, a cookie banner should not only provide information but also obtain the explicit consent of the user.

"If I have a cookie banner in place, I'm safe."

Not everyone who implements a cookie banner on their website is automatically GDPR-compliant and within the legal framework. This is because the banner must meet certain requirements. The GDPR defines 7 criteria according to which consent must be collected in order to be valid within the meaning of the regulation. This means that the website operator must obtain the user's consent via its cookie banner in accordance with these criteria in order to be on the "safe side".

We explain which criteria these are in our article on valid consent (LINK).

"The ePrivacy Regulation will not affect the use of cookies."

The ePrivacy Regulation, which is expected to come into effect in 2020, contains additional new provisions for the use of cookies. Cookies that are only used for the technical operation of a website do not require the user's consent. However, cookies used for tracking or advertising purposes still require the explicit, active and voluntary prior consent of the user. The ePrivacy Regulation is intended to counteract and eliminate tracking walls. Accordingly, all websites must remain accessible even if the user has not consented to the use of cookies.

Subscribe to the newsletter

In our "Legal Update" newsletter we inform you every 2 weeks about current news around the GDPR and other relevant data protection topics. You will also be the first to hear about Usercentrics events and new publications.


Checklist - Do's at a glance

As you can see, the above-mentioned myths and assumptions about cookies are only partly correct and are mostly taken out of context. This leads to a lot of confusion for website operators.

The following points should be noted in order to use cookies in a GDPR-compliant way as a website operator:

Duty to provide information

Cookie banners or pop-ups should indicate the use of cookies on each web page. Furthermore, users must be informed if their data are used to create profiles within the meaning of Art. 21 GDPR and/or if their data can also be transferred to third parties in different countries. This is particularly the case if the providers behind the cookie technologies are based in the USA, for example.

Consent

The cookie banner must ensure that the user can give consent in advance and that this consent is voluntary, explicit, informed and granular for each web technology (or bundled for individual areas of use). Furthermore, there must be a straightforward and simple way to object to the processing of personal data.

Loading cookies

Cookies may not process or collect any data without a legal basis. Therefore, there must be a technical link between the cookie banner and the web technology, ensuring that cookies are not loaded until the user has given consent. If the user refuses processing, it must be ensured that no cookies are set.

Legally compliant documentation

In the event of a review by the data protection authority, the website operator must comply with its documentation obligation and be able to demonstrate the users' consent. To ensure that all data is available during the check, various data points should be documented, such as timestamps, user agents or the version of the consent texts. Also important are the conditions under which the consent was given: how large was the "Accept" button compared to the "Reject" button, and was the choice really voluntary, i.e. could the user use the site without any disadvantages even when rejecting cookies?

Opt-out

According to the GDPR, objecting must be as simple as opting in. This means that external links to a third-party page for opt-out are not sufficient. In addition, it must be ensured that no further data is collected and forwarded from the moment of the objection, i.e. the opt-out must also be technically linked to the cookie and, ideally, documented.
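One way to implement the technical link called for under "Loading cookies", "Legally compliant documentation" and "Opt-out" above, as an added example that is not from the original article or from Usercentrics. The `loadScript` callback, the in-memory cookie jar, the technology registry and the consent text version are assumptions standing in for a real page's script injection, `document.cookie` and banner text:

```javascript
// Added example, not Usercentrics code. Assumed: tracking scripts are injected via a `loadScript`
// callback and cookies live in a `cookieJar` (in a browser: document.createElement('script') and
// document.cookie); here both are in-memory stand-ins so the logic runs outside a browser.
const CONSENT_TEXT_VERSION = "v3-constructed"; // constructed version id of the banner text
// Registry of non-essential technologies by purpose (constructed sample entries).
const TECHNOLOGIES = {
  analytics: { src: "https://analytics.example/a.js", cookies: ["_an_id"] },
  marketing: { src: "https://ads.example/m.js", cookies: ["_ad_uid", "_ad_sess"] },
};
// Minimal in-memory cookie store so the example runs stand-alone.
function createMemoryCookieJar(initial = {}) {
  const jar = new Map(Object.entries(initial));
  return { set: (n, v) => jar.set(n, v), has: (n) => jar.has(n), remove: (n) => jar.delete(n) };
}

function createConsentManager({ loadScript, cookieJar, userAgent = "unknown", now = () => new Date() }) {
  const records = [];        // documentation trail: what was chosen, when, under which text version
  const allowed = new Set(); // purposes the user has explicitly granted
  const loaded = new Set();  // scripts already injected (a script cannot be "unloaded")

  function record(action, purposes) {
    const entry = { action, purposes: [...purposes], timestamp: now().toISOString(),
                    userAgent, textVersion: CONSENT_TEXT_VERSION };
    records.push(entry);
    return entry;
  }

  return {
    // Granular opt-in: only the purposes named here are loaded, and nothing before this call.
    grant(purposes) {
      for (const p of purposes) {
        if (!TECHNOLOGIES[p]) continue;
        allowed.add(p);
        if (!loaded.has(p)) { loadScript(TECHNOLOGIES[p].src); loaded.add(p); }
      }
      return record("grant", purposes);
    },
    // Objection: as easy as opt-in, stops further collection and deletes the technology's cookies.
    revoke(purposes) {
      for (const p of purposes) {
        if (!TECHNOLOGIES[p]) continue;
        allowed.delete(p);
        TECHNOLOGIES[p].cookies.forEach((name) => cookieJar.remove(name));
      }
      return record("revoke", purposes);
    },
    isAllowed: (p) => allowed.has(p), // tracking code must check this before every collection
    records: () => records.slice(),
  };
}
```

Because an injected script cannot be removed again, the tracking code itself has to consult `isAllowed` before each collection; the cookie deletion on `revoke` covers the identifiers already stored.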

Whitepaper: GDPR for Enterprises

Would you like to learn more about the GDPR? In our free whitepaper we have collected, alongside everything worth knowing about the GDPR, helpful checklists and practical tips on how you will have to handle cookies and user identifiers in future.

Disclaimer

Usercentrics GmbH does not provide legal advice. The content of this article is not legally binding. The article represents the opinion of Usercentrics.
