Do you remember a time when the web was just a fun place to hang out and list your products or services? Well, those days are long gone.
A cookie is a tiny text file that a website stores on a user's laptop or PC. Cookies are used for various reasons. Some uses of cookies include:
The Cookie law started as a European Union directive in May 2011. This was an update to the Privacy and Electronic Communications Regulations in the UK.
A good example of a website that complies with the Cookie Law is the BBC, which provides a banner notification and also offers a link to its detailed cookies page giving further information on what cookies are, how they are used, and ways to disable them.
You also need a separate Cookies Policy if you operate in the EU.
GDPR stands for the General Data Protection Regulation, an EU regulation.
This law became enforceable in May 2018. It's meant to enable people to take control of their personal data.
You'll need to act in accordance with these new rules if you collect data on citizens in the EU, and most cookie data falls under its scope as protected data.
Under the GDPR, you need to use the clickwrap method to obtain a user's consent to place cookies. This means you need your user to actively click something to show they consent. You can't just assume "by browsing this site you agree to cookies" anymore.
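The clickwrap requirement described above translates into a simple rule in code: non-essential cookies must not be written until the user has performed an explicit action, and page load alone never counts. The following consent gate is an added example written for this article, not code from the original page or from any of the sites it mentions. The cookie names, the injected `jar` object standing in for the browser's cookie store, and the `createConsentGate` function are all assumptions made so the logic runs outside a browser; in a real page the Accept handler would be wired to the banner's button and the jar would write through to `document.cookie`.

```javascript
// Added example (not from the original article): a minimal consent gate that
// models the GDPR "clickwrap" requirement. Essential cookies are always
// allowed; everything else is queued and only written once the user has
// explicitly accepted. Loading the page, or a script firing a fake click,
// never counts as consent.

// Assumed names of strictly necessary cookies (session and CSRF protection).
const ESSENTIAL = new Set(['session_id', 'csrf_token']);

// `jar` is an injected cookie store (a plain object here) so this runs in Node.
function createConsentGate(jar) {
  let consented = false; // default on page load: no consent
  const queued = [];     // non-essential cookies deferred until consent

  // Attempt to set a cookie. Returns true if it was written now, false if it
  // was deferred pending consent.
  function setCookie(name, value) {
    if (ESSENTIAL.has(name) || consented) {
      jar[name] = value;
      return true;
    }
    queued.push([name, value]);
    return false;
  }

  // Wire this to the banner's Accept button. It refuses events that were not
  // generated by a real user interaction: in browsers, events dispatched from
  // script have `isTrusted === false`, so a page cannot "click" on the user's
  // behalf to manufacture consent.
  function onAcceptClick(event) {
    if (!event || event.isTrusted !== true) return false;
    consented = true;
    for (const [name, value] of queued.splice(0)) jar[name] = value;
    return true;
  }

  // Wire this to the banner's Reject button: drop anything that was waiting.
  function onRejectClick() {
    queued.length = 0;
    consented = false;
    return true;
  }

  return {
    setCookie,
    onAcceptClick,
    onRejectClick,
    hasConsent: () => consented,
    pendingCount: () => queued.length,
  };
}

// Walk through the page-load flow on a constructed cookie jar.
function demo() {
  const jar = {};
  const gate = createConsentGate(jar);
  gate.setCookie('session_id', 'abc123');   // essential: written immediately
  gate.setCookie('_analytics_id', 'xyz789'); // non-essential: deferred
  const beforeClick = jar._analytics_id === undefined;
  gate.onAcceptClick({ isTrusted: false }); // synthetic click: ignored
  const afterFakeClick = jar._analytics_id === undefined;
  gate.onAcceptClick({ isTrusted: true });  // real click: consent granted
  const afterRealClick = jar._analytics_id === 'xyz789';
  return { beforeClick, afterFakeClick, afterRealClick, jar };
}

module.exports = { ESSENTIAL, createConsentGate, demo };
```

The useful property to check in a review is that the only code path that flips `consented` to true is the trusted click handler; if any other path (a timer, a scroll listener, a "by browsing you agree" banner) can set it, the site is back to implied consent.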
The GDPR doesn't require a separate Cookies Policy.
As a US website owner, you may be wondering whether or not to comply with the Cookie Law or the GDPR. A case in which Belgium had attempted to fine Facebook was overturned on the grounds that Belgium doesn't have authority to regulate the platform.
The court argued that Belgium lacked authority to regulate the social platform because its EU operations are based in Ireland. This meant that enforcement under the directive must take place in each member state separately.
Based on the above ruling, this could mean two things.
But the agreement signed between the European Union and the United States, referred to as the Privacy Shield, could affect this interpretation. The agreement imposes compliance obligations on companies operating on both sides of the Atlantic.
While you may be exempted from fines if you don't have servers in the EU, a person in the European Union may file an objection under the Privacy Shield agreements.
The GDPR applies regardless of whether you have a physical presence in the EU. All you need to do to fall under its scope is to collect personal data from anyone in the EU, regardless of where you're located.
A comprehensive Cookies Policy should inform users of:
Nestle has a detailed Cookies Policy that goes on to explain what cookies are, the cookies used, and how the user can change their settings to disable the cookies.
This is essential as it helps the users know which cookies to allow or disallow.
Here's just an excerpt from the Policy:
A chart is included that breaks down exactly what cookies are used for:
Here are a few ways to comply: