GDPR and cookie consent

There’s been a lot of discussion lately about the upcoming GDPR regulations, set to be implemented next May. From concern over PII search-and-delete requirements, to confusion over the expectations of a data protection officer, to uncertainty related to data breach notifications, a general unease has set in among companies on both sides of the Atlantic. One component of GDPR that has flown under the radar so far, however, is cookie consent. Not surprisingly, GDPR will impose strict cookie consent requirements:

Obtaining consent

Cookies are mentioned once in GDPR (Recital 30):

Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which…may be used to create profiles of the natural persons and identify them.

Essentially, GDPR treats cookies as PII, and therefore they are subject to all GDPR requirements. When it comes to consent, GDPR therefore requires that organizations obtain explicit approval to utilize cookies. In other words, cookie consent must be “opt in”: ticking a box, choosing technical settings, or otherwise proactively providing consent.

Cookie tracking

Again based on the fact that GDPR treats cookies as PII, companies will be prohibited from storing third-party cookies when users ask them not to.

Store consent

GDPR also requires companies to save the cookie consent that they obtain from users.

How Predesto’s involved

Here at Predesto, our aim is to help organizations ensure that they are fully compliant and prepared for GDPR. As such, we’ve developed an easy-to-use website widget to ensure that organizations properly obtain/store consent and track cookies. We also produce cookie-consent reports to assess organizations along the three cookie-consent requirements above.

From our work with companies so far, we have found that the majority fail across most of the cookie consent requirements. While some companies that we work with do obtain explicit cookie consent, the vast majority family fail when it comes to not storing cookies when asked not to, and not storing/saving user consents for EU audits. On the other hand, a few companies do demonstrate impressive cookie compliance practices: Snapchat, HSBC, and HP.