Since 25 May 2018, website operators have been asking themselves whether cookies fall under the GDPR or not. So let’s ask ourselves whether cookies fall under the DSGVO or the forthcoming ePrivacy Regulation. What is the actual legal basis and which myths surrounding cookies are true, which ones are false?
We clarify all unanswered questions and clear up the myths and rumors surrounding cookies and GDPR.
This statement is not entirely correct. The basic data protection regulation regulates the processing of personal data. A personal reference is given if the information can be used to identify a person. According to recital 30 of the GDPR, identification is also possible via online identifiers such as IP addresses or cookie identifiers.It therefore depends on the type of cookie involved and whether it allows the processing of personal data.
Thus, the assumption that cookies will only be regulated under the future ePrivacy Regulation is also wrong. This misunderstanding is probably due to the fact that it is intended for it to replace the ePrivacy Directive of 2002 and the Cookie Directive of 2009. However, the forthcoming ePrivacy Regulation will cover the processing of electronic communications data, even without a personal reference. Read more about ePrivacy below.
As a rule, cookies collect personal data irrespective of the intended use, which is more important than ever to provide users with information. The website operator is therefore obliged to inform the user of the website about the collection and processing of his or her personal data. The duty to provide information does not only include exactly which data are collected, but also how they are processed, for what purpose and on what legal basis. Furthermore, the website operator must provide information on how long the data is kept and how the objection to the processing of the data takes place.
Since most cookies may only be loaded with the prior consent of the user, a cookie banner should not only provide information but also obtain the explicit consent of the user.
Not everyone who implements a cookie banner on their website is automatically GDPR-compliant and within the legal framework. This is because the banner must meet certain requirements. GDPR defines 7 criteria according to which consent must be collected in order to be valid within the meaning of the Basic Data Protection Ordinance. This means that the website operator must obtain the user’s consent via its cookie banner in accordance with these criteria in order to be on the “safe side”.
We explain which criteria these are in our article “7 Criteria for a GDPR-compliant Consent“.
Checklist – Do’s at a glance
As you can see, the above mentioned myths and assumptions about cookies are only correct in parts and are mostly in the wrong context. This leads to a lot of confusion for website operators.
Duty to provide information
The cookie banner must ensure that the user can give his consent in advance, voluntarily, explicitly, informed and granularly for each web technology (or bundled for individual use areas). Furthermore, there must be a straightforward and simple way to object to the processing of personal data.
Cookies may not process or collect any data without a legal basis. Therefore, there must be a technical link between the cookie banner and the web technology, ensuring that cookies are not loaded until the user has given his consent. If the user refuses processing, it must be ensured that no cookies are set.
Legally compliant documentation
In the event of a review by the data protection authority, the website operator must comply with its documentation obligation and be able to demonstrate the users’ consent. To ensure that all data is available during the check, various data points should be documented, such as time stamps, user agents or the version of the consent texts. Also important is the condition under which the consent was given, i.e. how large was the “Accept” button compared to the “Reject” button and was the choice really voluntary, i.e. could the user use the site even when rejecting cookies without any disadvantages.
According to GDPR, the objection must be as simple as the opt-in. This means that external links to a third page for opt-out are not sufficient. In addition, it must be ensured that no further data is collected and forwarded from the moment of the objection, i.e. the opt-out must also be technically linked to the cookie and, at best, documented.
Usercentrics GmbH bietet keine Rechtsberatung an. Der Inhalt dieses Artikels ist nicht rechtsverbindlich. Der Artikel stellt die Meinung von Usercentrics dar.