As we live in the information era, it is becoming ever more difficult to protect our personal data as they are accessed by countless of websites. The EU with the adoption of various legislature acts is trying to regulate how this information is obtained and who process it.
What are cookies?
Cookies are small text files that websites place on the devices as the user is browsing. They are processed and stored by the web browser. In and of themselves, cookies are harmless and serve crucial functions for websites. Cookies can also generally be easily viewed and deleted.
However, cookies can store a wealth of data, enough to potentially identify a user without his consent. Cookies are the primary tool that advertisers use to track user’s online activity so that they can target him with highly specific ads. Given the amount of data that cookies can contain, they can be considered personal data in certain circumstances and, therefore, subject to the GDPR.
Before analyzing what the GDPR and the Law have to say about cookies, it is essential to have a basic understanding of the different types of cookies. Cookies are categorized in groups by identifying some of their properties. In general, there are three different ways to classify cookies depending on:
- What purpose they serve;
- How long they endure; and
- Their provenance.
According to duration there are session cookies. These cookies are temporary and expire once a user closes its browser (or once the session ends).
Secondly, there are persistent cookies. This category encompasses all cookies that remain on a user’s hard drive until the user erases them or his browser does, depending on the cookie’s expiration date. All persistent cookies have an expiration date written into their code, but their duration can vary. Some examples are ‘performance cookies’ and ‘marketing cookies’. These are persistent cookies and almost always of third-party provenance.
According to provenance, there are ‘first-party cookies’. As the name implies, first-party cookies are put on user’s device directly by the website he/she is visiting. On the contrary, there are ‘third-party cookies’. These are the cookies that are placed on user’s device, not by the website he is visiting, but by a third party like an advertiser or an analytic system. According to the EDPB guidelines, first party cookies are more possible to be exempted from consent as opposed to third-party cookies, while analytics cookies are not considered necessary.
According to the purpose, there are “strictly necessary cookies”. These cookies are essential for a user to browse the website and use its features. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
These are the main ways of classifying cookies, although there are cookies that will not fit neatly into these categories or may qualify for multiple categories. When people complain about the privacy risks presented by cookies, they are generally speaking about third-party, persistent, marketing cookies. The chain of responsibility (who can access a cookies’ data) for a third-party cookie can get complicated as well, only heightening their potential for abuse.
Cookies and GDPR
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
What this means is that cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. The use of cookies in Cyprus is regulated by the Law on the Regulation of Electronic Communications and Postal Services of 2004, L. 112(I)/2004 (the Law).
According to the Commissioner for the Protection of Personal Data, a large number of websites have not yet complied with the provisions of this statute and further investigations will start soon on the matter of compliance with the regulations. As a result of the above actions, we expect in the near future that many Cypriot based websites to change the way they ask for consent from the end users.
How to achieve cookie compliance under GDPR?
To comply with the regulations governing cookies under the GDPR and the Law you must at first receive users’ consent before using any cookies except strictly necessary cookies. In relation to cookies other than necessary cookies, consent needs to be provided.
The consent must be given for a specific and a legitimate purpose and each one of them must be presented individually for the user to make an informed decision. The interpretation given for the term “freely” was whether the end user had a real choice when making the decision. The power dynamic between the parties must also be taken into consideration along with whether there was a bundling with other terms or conditions of the contract or the service. Consent must be documented and stored and users have to be allowed to access the service even if they refuse to allow the use of certain cookies on their devices.
Furthermore, consent must be as easily withdrawn as given, and the user that decided not to give consent must not be excluded from services otherwise provided, so as to consider a decision “freely” given. The active choice or the unambiguous of the consent is described as a clear affirmative action consisting of a declaration or an active motion. Lastly, the consent must be given before the processing of data has started.
Conclusion
The rules regulating cookies are still being set, and cookies themselves are continually evolving, which means maintaining a current cookie policy will be a continuous job. However, properly informing the users about the cookies of each site is using and, when necessary, receiving their consent will keep users safe and happy and will keep everyone GDPR-compliant.
For more information please visit our website microsite on Data Protection & Cyber Law or contact Ms. Eleni Neoptolemou at This email address is being protected from spambots. You need JavaScript enabled to view it..
Back to News
