How Does GDPR Affect Your Use of Cookies?
While GDPR doesn’t necessarily affect current cookie laws as such at the moment, it has to be taken into account where cookies include personal data. If they do, GDPR comes into play and affects how consent should be acquired for using those cookies and how that information should be handled.
What are Cookies?
A cookie is a small text file that carries information about the user of a website and is stored on the user’s own computer. The website then uses it for a variety of purposes, for example tailoring what the user sees depending on what they have browsed before, Google Analytics, or ecommerce.
Current PECR and What Actions to Take Now
The current cookie rules, covered by the Privacy and Electronic Communications Regulations (PECR), state that you need to make visitors to your website aware that you are using cookies and give them the option to opt out if necessary. This is usually done by ‘implied consent’: after informing the user, you assume that they agree to the use of cookies by continuing to view the website.
Unfortunately, with the increased threshold for consent required by GDPR, this may no longer be satisfactory, and you may need to get explicit consent from the visitor, such as getting them to click a box signifying acceptance, before you can let them browse your site. The uncertainty lies in the fact that PECR is currently undergoing review and will probably not be finalised until 2019, which is obviously far too late to be included in considerations for changes that have to be made for GDPR.
Future Changes
Because the PECR changes have not been established yet, it is quite uncertain what GDPR will expect of you if you use cookies, but to be on the safe side, there are a number of things you can do to make sure you are as compliant as you can be.
- Make sure you have a banner or pop-up that can be easily seen and read; no tiny fonts or obscure colourings, or a notification hidden away somewhere at the bottom of the page.
- Refer to your use of cookies and include a link to your cookie policy so that users can find out more if necessary.
- Include a statement that says that by continuing to use the website the user agrees with the use of cookies, but that they can change their browser settings if they would prefer not to. This then covers you for implied consent which should be sufficient at the moment.
Please also be aware of timing: you need to make sure you obtain consent before the cookie is placed on the user’s machine.
Overall, you shouldn’t worry too much about being fined or getting into difficulties because of non-compliance when it comes to cookies as there is no current hard and fast rule that you should be adhering to. It is rumoured that the PECR draft may contain information on a preference for gaining consent through browser settings rather than implicit acceptance via a banner or pop-up, but until it is published nothing is set in stone.
If you can show that at least your website conforms to the current rules, whereby you are using a pop-up or clear banner that can be seen and read easily by visitors to your website, you should be covered until clear regulations are provided in 2019.