Understanding GDPR and Cookie Consent in E-Commerce

The General Data Protection Regulation (GDPR) is a regulation of the European Union (EU) that became effective on May 25, 2018. It strengthens and builds on the EU’s current data protection framework. The GDPR replaces the 1995 Data Protection Directive. In a sense, the regulations work like a privacy policy.

Specifically, the regulation defines specific rules for the handling and storage of personal data, including cookies.

Cookies are small pieces of data that are stored on a user’s computer or mobile device. They track a user’s browsing behavior and preferences and can be used to target ads or collect information about a user’s online activity.

Does GDPR Apply to All Cookies?

There is a lot of confusion surrounding GDPR and cookies, and whether GDPR applies to all cookies. The answer is, unfortunately, not that simple, as there are some exceptions to the rules of GDPR.

For instance, there are two types of cookies: first-party and third-party. First-party cookies are those that are set by the website you are visiting. Third-party cookies are those that are set by a separate party, such as an advertising company.

GDPR applies to third-party cookies, but not first-party cookies.

First-party cookies are necessary for web functionality, such as remembering login credentials or keeping track of shopping carts, and do not need to comply with GDPR. However, third-person cookies used for advertising or marketing purposes do, since they collect and store customer data such as names, addresses, and email addresses.

GDPR Cookie Consent Requirements for Collecting and Storing Data

One of the most significant changes brought about by the GDPR is that website owners must now get explicit consent from users before collecting or storing any data via cookies or other tracking technologies. This means that website owners must provide a clear and concise explanation of what cookies are, what data is to be stored, and how it will be used, as well as obtain unambiguous consent from users before setting any cookies.

Users must also have the ability to revoke consent at any time, and websites must provide a clear and easy-to-use mechanism for doing so. Failing to comply with the GDPR’s cookie requirements can result in significant fines.

How to Comply With GDPR Cookie Consent

When it comes to cookies and GDPR, there are a few key things businesses need to keep in mind to achieve and remain GDPR compliant. Consent must be explicit for cookies, meaning that a user has to take an affirmative action to agree to cookies being placed on their device. This can include ticking a box, clicking on a button, or accepting a GDPR notification.

Pre-ticked boxes are no longer allowed under GDPR. In addition, businesses must provide detailed information about the cookies being placed on users’ devices, including what type of personal data is being collected and why. Users also have the right to withdraw consent at any time, and must be able to easily do so. Finally, businesses must ensure that their cookie policies comply with all other aspects of GDPR and are easily accessible and understandable by their potential users.

The GDPR’s Effect on Business Cookie Policies

Since the implementation of GDPR, cookie policies have been changing all over the internet. Websites that have not made changes are being forced to do so by EU regulators. For example, Google has been fined $57 million for not complying with GDPR regulations. Their cookie policy has changed to require consent from users in order to store a cookie on their device.

Much like Google, many websites are making changes to how cookies are used and stored. These changes range from requiring consent to simply providing more information about how cookies are used. The goal of these changes is to ensure that users understand what cookies are and how they’re being used, which is essential to protecting the personally identifiable information of users. This is especially important with GDPR in place, as users now have the right to know what data is being collected about them and how it’s being used.

If you’d like to learn more about data collection, take a look at our post about understanding the differences between confidential and sensitive information.