Since the GDPR came into effect in May 2018, website operators have had to question whether cookies count as personal data or not. However, to answer this question, the terms cookies and personal data must be explained first.
What do we understand by cookies and personal data
Cookies are small text files that are placed on a website to track website visits and optimize browsing behavior. Cookies have the function of storing and processing user information when visiting a website.
Personal data includes “any information relating to an identified or identifiable natural person”. In simple terms, this means that personal data can be used to identify a specific person. According to this, all information that allows an insight into their physical, physiological, genetic, psychological, economic, cultural or social identity when assigned to a natural person is included. Thus, data such as general personal data, personal identification numbers, bank data, online data, possession characteristics but also customer data are personal data. Furthermore, sensitive data is defined as a separate area of personal data because of its greater need to be protected. A person’s sensitive information includes origin, political opinions, philosophical and religious beliefs, affiliation with trade unions, genetic and biometric data, health-related information and sexual as well as sexual orientation data.
Classification of cookies on the legal basis of the General Data Protection Regulation
Since the GDPR came into effect in May 2018, the personal data of a user is legally protected. However, the kind of cookies involved must be differentiated.
Because not all cookies process personal data (e.g. cookies, which are essential for the functionality of websites) and thus can not be attributed to recital 30 of the GDPR. In these cases, the General Data Protection Regulation does not apply, as it protects only personal data.
Cookies (as well as other web technologies such as pixels, etc.) that process personal data generally fall under the statutory provisions of the GDPR. According to recital 30 of the GDPR, website operators therefore need a legal basis (e.g. consent) for the use of certain web technologies such as cookies, pixels, etc. (in this case: Art. 6 GDPR). For example, cookies with personal references include all cookies that process personal information such as name, address, e-mail addresses and more. They require a consent, which must meet 7 different criteria.
Cookies that do not process personal data
Example: Cookies, which serve to automatically adjust the language of the website and do not permit any conclusions to the identity of a natural person, are not covered by the legal basis of the GDPR.
Cookies that do process personal data
Example: A third party cookie set on a website (e.g. Google Analytics) collects and processes personal data of a user for advertising purposes. According to the GDPR, the user must be made aware that such a cookie has been set. Furthermore, the user’s consent to the use of this third party cookie on the website is required.
The GDPR also states that the user must be given the right to reject this cookie (opt-out) and that he/she may continue to visit the website despite a refusal. Learn more.
Conclusion
Not all cookies involve personal data. It must be distinguished between which cookies actually process personal data and which do not. As soon as certain cookies process the personal data of a user, the GDPR applies.
Interview series with Reed Smith
Further explanations about cookies and their regulations within the GDPR can be found in our interview series with Reed Smith.
Do I need a user’s consent for cookies?
Disclaimer
Usercentrics GmbH does not offer legal advice. The content of this article is not legally binding. The article represents the opinion of Usercentrics.