
How do the cookie rules relate to the GDPR?

By Maulik Kotak


The GDPR or General Data Protection Regulation is a new EU data protection law that came into effect on May 25, 2018. The GDPR replaces the 1995 EU Data Protection Directive. 

The GDPR sets out strict rules about how personal data must be collected, used, disclosed, and destroyed. It also gives individuals the right to know what personal data is being collected about them, the right to have that data erased, and the right to object to its use.

No matter where a business is located, it must be GDPR-compliant if it processes the personal data of EU individuals. Organizations based outside the EU that offer goods or services to EU residents, or that collect or process personal information about EU residents, fall under this category.

Organizations that process the personal data of EU citizens must comply with the GDPR unless they can demonstrate that they meet one of the GDPR’s exemptions.

Article 5(3) of the GDPR lays out the cookie regulations, which specify that personal data must be "collected for stated, explicit and legitimate purposes and... sufficient, relevant and limited to what is necessary in relation to the purposes for which it is processed".

In other words, organizations can only collect and use personal data for the specific purposes they have stated. The data must be relevant and limited to what is necessary for those purposes.

Therefore, the GDPR’s cookie policies are directly relevant to organizations that use cookies or other tracking technologies to collect personal data.

Organizations that use cookies or other tracking technologies must ensure that they:

  • Only collect and use personal data for the specific purposes that they have stated;
  • Only collect and use data that is relevant and limited to what is necessary for those purposes; and
  • Ensure that individuals are aware of, and consent to, the collection and use of their personal data.

Organizations that use cookies or other tracking technologies must also delete or destroy the personal data they have collected once it is no longer needed; they must not retain it for longer than is necessary.

GDPR, Cookies, and Compliance

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. While it includes many provisions designed to protect the privacy of European Union (EU) citizens, it also has implications for the use of cookies and other tracking technologies.

Organizations that collect or process the personal data of EU citizens must comply with the GDPR unless they can demonstrate that they meet certain conditions. One of the key requirements of the GDPR is the need to obtain informed consent from individuals before collecting, using, or sharing their personal data.

In the context of cookies and other tracking technologies, this means that organizations must get consent from individuals before using cookies that collect or process personal data. The GDPR also requires that organizations provide individuals with clear and concise information about their rights, the purpose of processing their personal data, and the use of cookies.

What are cookies?

Whenever you visit a website, it may store small text files called cookies on your computer or mobile device. As a result, you don't have to re-enter your choices every time you return to the site or browse from one page to the next because the website remembers your actions and preferences over a period.

What types of cookies are there?

The GDPR distinguishes between two types of cookies:

  • 1st-party cookies: Cookies placed by the website you are visiting are known as "first-party" cookies. They can be read only by that website.
  • 3rd-party cookies: Cookies set by a party other than the website you are viewing are known as third-party cookies. They are used, for example, for targeted advertising. The cookie can be read only by the party that set it.

How do the cookie rules relate to the GDPR? 

Under the GDPR, all cookies must be classified as either ‘strictly necessary’ or ‘non-necessary.’

Strictly necessary cookies are exempt from some of the GDPR’s requirements, including the need to obtain consent. This is because they are essential for the operation of the website, and there is no way to disable them without affecting the functionality of the site.

Non-necessary cookies, on the other hand, must comply with GDPR requirements, including the need to obtain consent. This means that you must provide clear and concise information about the cookies and obtain the user’s consent before setting them.

You can do this by using a cookie consent banner, for example.

If you set any non-necessary cookies without obtaining the user’s consent, you will be in breach of the GDPR.

What are the consequences of non-compliance?

Not complying with the GDPR can lead to fines of up to €20 million or 4 percent of the organization's global annual revenue, whichever is greater.

In addition, the GDPR gives individuals the right to file a complaint with the supervisory authority if they believe their rights have been violated.

The supervisory authority can then launch an investigation and, if it finds that there has been a violation, impose a range of sanctions, including ordering the company to stop the illegal activity, fining the company, or even suspending its operations.

What should you do if you use cookies on your website?

If you use cookies on your website, you should:

  • Classify the cookies as either ‘strictly necessary’ or ‘non-necessary.’
  • For non-necessary cookies, obtain the user’s consent before setting the cookies.
  • Provide clear and concise information about the cookies, including what they are used for and why you are setting them.
  • Allow the user to withdraw their consent at any time.
  • Delete the cookies if the user withdraws their consent.
  • Keep a record of the consent obtained from each user.
  • If you need any help with compliance, please get in touch with our team of GDPR experts.
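The checklist above, together with the first-party/third-party and strictly necessary/non-necessary distinctions from the earlier sections, maps onto a small piece of front-end code. The following is an added example, not code from the original post or from Intelligent IT Hub: a consent gate that refuses to set any non-necessary cookie until the user has consented to its category, keeps a timestamped consent record, and deletes the affected cookies when consent is withdrawn. The cookie names, categories and purposes, and the `policyVersion` field, are constructed for the example; the in-memory store stands in for the browser's cookie jar, and a real implementation would wrap `document.cookie` behind the same `get`/`set`/`remove` interface.

```javascript
// Added example (not code from the original post or its author): a minimal
// consent gate implementing the classification and consent steps above.
// It is written against a small cookie-store interface so it runs under
// Node; in a browser the store would wrap document.cookie (not shown).

// Registry of every cookie the site sets, with its category and stated
// purpose. Only 'necessary' cookies may be set without consent. All names,
// categories and purposes here are constructed for the example.
const COOKIE_REGISTRY = {
  cookie_consent: { category: 'necessary', purpose: 'Stores your cookie choices', firstParty: true },
  session_id:     { category: 'necessary', purpose: 'Keeps you signed in during your visit', firstParty: true },
  csrf_token:     { category: 'necessary', purpose: 'Protects forms against cross-site request forgery', firstParty: true },
  ui_theme:       { category: 'preferences', purpose: 'Remembers your light/dark theme choice', firstParty: true },
  _analytics:     { category: 'analytics', purpose: 'Measures page views', firstParty: false },
  _ads_id:        { category: 'marketing', purpose: 'Targeted advertising', firstParty: false },
};

const CONSENT_COOKIE = 'cookie_consent';

// In-memory stand-in for the browser cookie jar so the example runs offline.
function createMemoryStore() {
  const jar = new Map();
  return {
    get: (name) => jar.get(name),
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
    names: () => [...jar.keys()],
  };
}

// Parse the stored consent record; null means no choice has been made yet.
function readConsent(store) {
  const raw = store.get(CONSENT_COOKIE);
  if (!raw) return null;
  try { return JSON.parse(raw); } catch (e) { return null; }
}

// Record the user's choice with a timestamp and the version of the cookie
// notice they saw, so the record can be produced later. policyVersion is an
// assumed field for this example, not something the GDPR text prescribes.
function recordConsent(store, categories, policyVersion, now = Date.now()) {
  const record = {
    categories: [...new Set(categories)].sort(),
    policyVersion,
    recordedAt: new Date(now).toISOString(),
  };
  store.set(CONSENT_COOKIE, JSON.stringify(record));
  return record;
}

// Decide whether a cookie may be set. Unregistered cookies are refused:
// a cookie with no stated purpose cannot be described in the notice.
function mayStore(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false;
  if (entry.category === 'necessary') return true;
  return consent !== null && consent.categories.includes(entry.category);
}

// The single entry point the rest of the site uses to set cookies.
function setCookie(store, name, value) {
  if (!mayStore(name, readConsent(store))) return false;
  store.set(name, value);
  return true;
}

// Withdraw consent for some categories: update the record and delete every
// cookie in those categories. Returns the names of the deleted cookies.
function withdrawConsent(store, categoriesToWithdraw, policyVersion) {
  const current = readConsent(store);
  const remaining = (current ? current.categories : [])
    .filter((c) => !categoriesToWithdraw.includes(c));
  recordConsent(store, remaining, policyVersion);
  const removed = [];
  for (const name of store.names()) {
    const entry = COOKIE_REGISTRY[name];
    if (entry && entry.category !== 'necessary' && !remaining.includes(entry.category)) {
      store.remove(name);
      removed.push(name);
    }
  }
  return removed;
}

// Text for the banner: each cookie's purpose grouped by category, with
// third-party cookies marked as such.
function describeCookies() {
  const byCategory = {};
  for (const [name, entry] of Object.entries(COOKIE_REGISTRY)) {
    if (!byCategory[entry.category]) byCategory[entry.category] = [];
    byCategory[entry.category].push(
      `${name}: ${entry.purpose}${entry.firstParty ? '' : ' (third-party)'}`,
    );
  }
  return byCategory;
}

// Demo run.
const demoStore = createMemoryStore();
console.log(setCookie(demoStore, '_analytics', 'abc')); // false: no consent yet
recordConsent(demoStore, ['analytics', 'preferences'], 'v1');
console.log(setCookie(demoStore, '_analytics', 'abc')); // true
console.log(withdrawConsent(demoStore, ['analytics'], 'v1')); // [ '_analytics' ]
```

Two design choices matter here. Routing every cookie write through `setCookie` means no script on the page can bypass the consent check by accident, and refusing unregistered cookies forces every cookie to have a stated purpose before it can exist, which is exactly what the notice shown to the user has to list.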

Conclusion

No matter where a firm is headquartered, it must comply with the GDPR if it handles or proposes to process the personal data of EU residents. One important aspect of the GDPR is its focus on cookies and tracking technologies. Under GDPR, all websites must get explicit consent from users before installing any type of cookie on their devices.

Intelligent IT Hub Ltd. is Registered in UK under Companies House with Company Number FC033871 & Establishment Number BR018959.
 Intelligent IT Hub Pvt. Ltd. is Registered in India under Registrar of Companies with CIN Number U72900GJ2013PTC076759.
© 2013-2022 All Rights Reserved