GDPR, consent and cookies are sitting in a tree...
Have you ever visited a website and the first thing you saw was a popup blocking the navigation to ask you what kind of cookies you wanted?
Lots of companies are misunderstanding what the GDPR actually is and how it impacted the web, especially cookies. My own company included:
People think that because you need to ask consent for analytics cookies, you need to ask consent for every single cookie.
I'm not a lawyer, so I'll do my best to go through the GDPR and the European law to see what is actually permitted and what is not.
Cookies in the GDPR
The GDPR is centered around personal data, not cookies and because I'm lazy I did a simple word search on the GDPR text and found exactly one mention of cookies in the GDPR, which is in recital 30.
Quoting the recital:
Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
From what I understand the short version is that cookies can be used to store Personal Identifiable Information (PII). It's doesn't talk about consent at all.
I found recital 32 which is all about consent:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
In other words, according to the GDPR, we don't need a consent to use a cookie on our website. We need an explicit consent to process PII.
Cookies in the ePrivacy Directive
Furthermore, according to the ePrivacy Directive, some cookies are exempt from requiring consent like those:
used for the sole purpose of carrying out the transmission of a communication, and strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.
It also give us the following example:
- user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
- authentication cookies, to identify the user once he has logged in, for the duration of a session
- user‑centric security cookies used to detect authentication abuses, for a limited persistent duration
- multimedia content player cookies used to store technical data to playback video or audio content, for the duration of a session
- load‑balancing cookies, for the duration of a session
- user‑interface customization cookies such as language or font preferences, for the duration of a session (or slightly longer) -third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.
Would you authorize the use of tracking cookies? yes - no
Or even better, consider using Matomo, it's free, it's open source and it offers GDPR compliance out of the box.