Those seeking answers to how cookies will be affected under the GDPR might struggle with the multitude of legislation around this concept. You have the GDPR, the ‘Wet Elektronische Communicatie / Loi Communications Electroniques, and soon there will be the EPR (E-Privacy Regulation to update the E-Privacy Directive of 2002). So, it is quite easy to get lost with all these regulations.

And for those who thought that a clear answer can be given on how to deal with cookies, sorry to disappoint you… But let’s stay pragmatic and see how you can best approach this question.

Are cookies personal data?

First, for those who are still hesitating, yes, a cookie could be considered as personal data under the GDPR.

(“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”)

Please notice the word ‘may’ in the text. In fact, we need to distinguish the type of cookies we are dealing with. Let’s start with the easy ones: functional cookies. These are always first party cookies (cookies that are inserted by a website which is being visited by the user at that moment) and make sure that the website functions properly (e.g. for login or registration purposes, language preferences, shopping baskets, etc.). These cookies are not used to identify the user of your website.

Then there are non-functional cookies (tracking cookies), both 1st party and 3rd party cookies (there is no such thing as 2nd party cookies… there are 2nd party data, but let’s stick to the cookies for now, as that’s already complicated enough). Non-functional cookies are cookies that can be inserted for statistical, social, targeting and commercial purposes. They have nothing to do with the purely technical support of the website.

These cookies are clearly part of the notion of personal data under GDPR, which means that you should ask for consent for them as of 25 May 2018.

Consent: implied or implicit?

I can hear you thinking, are we talking about implied or implicit consent? Most Belgian websites have been using the principle of implied consent since the publication of the Belgian Cookie Act of 2005. This law is very vague, however, as to whether you require implicit consent for non-functional cookies, and we noticed widespread use of implied consent (those annoying banners that pop-up and you have to click away).

You could still benefit from this implied consent if you apply the GDPR. An important notion has been added, however, namely that a user should have the possibility to withdraw this consent at any time or to choose which cookies he or she accepts. So now we already see pop-ups with lengthy lists of cookies that you can accept or decline, one by one. Once again, this is quite annoying, not really transparent and certainly not customer centric.

Don’t panic, the EPR is on its way…

Luckily, the story does not end there. Soon there will be yet another piece of legislation that will change the way we deal with cookies. The new E-Privacy Regulation (EPR), which will probably be voted by the European Parliament by the end of 2018, takes a completely different approach.

The draft version suggests that this regulation might actually clarify the situation once and for all. The proposed rule stipulates that no consent is needed for non-privacy intrusive cookies that improve internet experience. Furthermore, cookies set by a visited website to count the number of visitors will no longer require consent. The new rule also proposes to centralize user consent in software, such as internet browsers, and to prompt users to choose their privacy settings across the board - but with the extra notion that you will be asked every 6 to 12 months to renew this consent.

The EPR has not been finally voted by the European Parliament yet, so we need to prepare to comply with the GDPR for the time being.

So, what do we do today? Tomorrow? As of 25 May 2018?

You could continue to use the notion of implied consent up to 25 May 2018 (although the Belgian Privacy Commission has not taken a stance on this matter yet). As of 25 May you should be specific as to which cookies you store and why, and give users the possibility to withdraw consent one by one (part of your privacy notice). As soon as the EPR enters into force, cookie consent will most probably be part of the browser application of your users.

And what about the cookies I use for Google Analytics?

Strictly speaking Google Analytics (GA) uses analytical cookies. These are non-functional cookies and should require consent, but you can adapt the settings of your company’s Google Analytics account so as to comply with the GDPR.

The idea behind these changes is that your Google Analytics cookies are in the strict sense 3rd party cookies and that Google today uses such data in a pseudonymised – but not an anonymized - way.

First, make sure that you agree to a contract amendment in your settings for Google to act as data processor. It is not a standard ticked box… so look it up and check it. Then, once you are in the settings of your GA account, untick the box for sharing your data with Google. Finally, don’t let Google process the full IP address. This is script you can add to the Google JavaScript on your webserver (easily found online).

One last piece of advice: Don’t let your cookies be eaten by the GDPR. Consult your DPO (or legal advisor) today and document the framework for cookies you have decided on under the GDPR in your company’s data processing register. And don’t forget to update your privacy notice!