Data protection regulation now applies everywhere, and the cookies that are set when you visit a website have to comply with the GDPR and data privacy rules.
But first things first: what exactly is a cookie? At Efficy, we attended a lunch event last week organised by CMS, a law firm specialised in privacy, data security and data protection. In this post we summarise their best practices and pass on the advice they gave us.
What’s a cookie?
A cookie is set when you visit a website and request a page from it: the server's reply carries a Set-Cookie header, and your browser stores that small piece of data on your computer.
When you return to the website, your browser sends the cookie back with each request. This lets the website's server recognise you and record data about you, such as the pages you visited. Cookies set by a domain other than the one you are visiting, typically an advertising network, are "third-party" cookies, and the data tied to them can be shared with those third parties.
Cookies – basic rules
Imagine a visitor comes to your website and you want to record his or her data, for example which pages he or she visited. You always need to think about these 3 basic rules:
- Step 1: Notify the visitor that the website uses cookies
- Step 2: Explain what the cookies are doing and why
- Step 3: Determine the mechanism that you will implement to obtain the user's consent
Step 1 – NOTIFY
Best practice: Use an immediately visible notice (a banner) stating that the website uses various types of cookies.
Step 2 – INFORMATION TO PROVIDE
The notice, or the cookie policy it links to, should state:
- Who the “data controller” is
- The types of cookies used
- The purposes of the cookies
- Indication of possible cookies from third parties (and details on these third-party cookies) or third-party access
- Retention, typical values, and other technical information
- How users can accept all, some or no cookies and how they can change their preferences in the future
Step 3 – OBTAIN CONSENT
Best practice: Active consent. The user must do something affirmative; a pre-ticked box or simply continuing to browse is not consent.
Two of the best options:
- Direct granular consent: one checkbox per purpose or cookie type, none pre-ticked
- Indirect granular consent: a first layer gives basic information on the types of cookies, and a second layer lets the user give granular consent for each type
If we had to give you 6 key takeaways from our meeting with CMS, they would be these:
- Carry out a cookie audit
- Identify which cookies are operating on your website
- Provide the appropriate level of information
- Deliver a consent solution in which no cookies are set on a user's device, other than essential cookies, before that user has signalled their wishes regarding those cookies (the cookie that records the user's choice is itself essential)
- Cookie acceptance banners must not disappear simply because the user has continued browsing: scrolling or clicking through is not consent
- Users must be offered the possibility to activate or deactivate cookies for specific purposes
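As an added example (not code from the original post, nor from CMS or Efficy), the following Node.js script shows what the cookie audit and the pre-consent gate from the takeaways above look like in practice, and along the way illustrates the Set-Cookie mechanism described at the top of the post. It parses constructed Set-Cookie headers as recorded from a crawl of a hypothetical site, checks each cookie against a declared inventory, flags first- versus third-party cookies and their retention, and then decides which cookies may be set before consent and which after a given choice. The host names, cookie names and the inventory are assumptions made up for the example.

```javascript
// Added example, not code from the original post or from CMS/Efficy:
// a small cookie audit plus consent gate in Node.js, with constructed data.

// Split "k=v" at the first '=' only; cookie values may themselves contain '='.
function splitFirst(s, sep) {
  const i = s.indexOf(sep);
  return i < 0 ? [s, ''] : [s.slice(0, i), s.slice(i + 1)];
}

// Parse one Set-Cookie header value into a plain object.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map(p => p.trim()).filter(Boolean);
  const [name, value] = splitFirst(nameValue, '=');
  const cookie = { name: name.trim(), value: value.trim(), domain: null, path: '/',
                   maxAge: null, secure: false, httpOnly: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v] = splitFirst(attr, '=');
    switch (k.trim().toLowerCase()) {
      case 'domain': cookie.domain = v.trim().replace(/^\./, '').toLowerCase(); break;
      case 'path': cookie.path = v.trim(); break;
      case 'max-age': cookie.maxAge = Number(v.trim()); break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v.trim(); break;
    }
  }
  return cookie;
}

// Registrable "site" of a host. Simplification for this example: the last two
// labels. A real audit should use the Public Suffix List (co.uk and friends).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

const ESSENTIAL = 'essential';

// Build the audit report: one record per cookie observed being set.
// `responses` is what a crawl recorded (which host sent which Set-Cookie
// headers); `inventory` is the declared cookie list the notice is built from.
// A cookie that is set but not declared is a finding: nobody could have been
// informed about it, let alone consented to it.
function auditCookies(responses, inventory, topLevelHost) {
  const report = [];
  for (const { host, setCookie } of responses) {
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      const declared = inventory[c.name];
      report.push({
        name: c.name,
        setBy: host,
        thirdParty: siteOf(c.domain || host) !== siteOf(topLevelHost),
        purpose: declared ? declared.purpose : 'UNDECLARED',
        retention: c.maxAge === null ? 'session' : `${Math.round(c.maxAge / 86400)} days`,
        secure: c.secure, httpOnly: c.httpOnly, sameSite: c.sameSite,
      });
    }
  }
  return report;
}

function undeclared(report) {
  return report.filter(r => r.purpose === 'UNDECLARED').map(r => r.name);
}

// Consent gate. Before the user has chosen, only essential cookies may be set;
// the cookie that stores the choice itself counts as essential. Afterwards a
// cookie is allowed only if its declared purpose was accepted. Undeclared
// cookies are never allowed, whatever the user clicked.
function allowedBeforeConsent(report) {
  return report.filter(r => r.purpose === ESSENTIAL).map(r => r.name);
}
function allowedWithConsent(report, consent) {
  return report.filter(r => r.purpose === ESSENTIAL || consent[r.purpose] === true)
               .map(r => r.name);
}

// Constructed sample data: hypothetical hosts, cookie names and purposes.
const observedResponses = [
  { host: 'www.example.com', setCookie: [
    'session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
    'cookie_consent=pending; Max-Age=15552000; Path=/; SameSite=Lax',
    '_ga=GA1.2.111.222; Max-Age=63072000; Domain=.example.com; Path=/',
  ] },
  { host: 'ads.adnetwork.example', setCookie: [
    'ad_uid=xyz; Max-Age=31536000; Domain=.adnetwork.example; Path=/; Secure; SameSite=None',
  ] },
  { host: 'cdn.example.com', setCookie: ['debug_trace=1; Path=/'] },
];
const declaredInventory = {
  session_id:     { purpose: ESSENTIAL },
  cookie_consent: { purpose: ESSENTIAL },
  _ga:            { purpose: 'analytics', thirdPartyAccess: 'analytics vendor' },
  ad_uid:         { purpose: 'advertising' },
};

const demoReport = auditCookies(observedResponses, declaredInventory, 'www.example.com');
console.table(demoReport);
console.log('undeclared cookies (findings):', undeclared(demoReport));
console.log('allowed before consent:', allowedBeforeConsent(demoReport));
console.log('allowed with analytics only:',
  allowedWithConsent(demoReport, { analytics: true, advertising: false }));
```

Run with `node audit.js`. On the sample data the audit flags `debug_trace` as undeclared and `ad_uid` as third-party, only `session_id` and `cookie_consent` pass the pre-consent gate, and accepting analytics alone additionally allows `_ga`. In a real deployment the same gate sits in front of whatever loads the analytics and advertising tags, so those scripts are not even fetched until the matching purpose has been accepted.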