“I remember when we could just slap a big banner on the website that said ‘By using this website, you agree to our cookies.’ Man, those were the good days.” I let out a sigh. I’d been building a new website for one of our clients and I wondered whether GDPR would have any influence at all on cookie policies. As it turns out, GDPR will turn every cookie policy on its head. Let’s start at the beginning.

What’s this GDPR-thing anyway?

If you have somehow spent the past year and a half without a Wi-Fi connection, cherish those moments of bliss, because you haven’t had to worry about the GDPR, aka the General Data Protection Regulation, like the rest of us. This new regulation promises stricter data protection for consumers and heavy fines for the companies that dare to resist it. It will hit the European Union on May 25 of this year and everyone’s worryingly unprepared.

Yeah, but how does it relate to cookies?

The new law clearly classifies identifying cookies as personal data, meaning pretty much all of your analytics and tracking fall under GDPR. If it gets properly enforced, this means major changes to every cookie policy out there. What it boils down to is this: you’re still allowed to set cookies, but only when you’ve received very explicit consent from the user.

So I can no longer just inform the user I’m using cookies?

Numbered are the days of simple notices that inform the user ‘This website uses cookies.’ GDPR requires an opt-in approach to identifying cookies. This is defined as ‘a clear affirmative act’, so you can say goodbye to those good old pre-ticked boxes. Stating that by using the website the user agrees to cookies is similarly insufficient: the user needs to have a clear choice.

What if my company isn’t based in the EU?

Sure, the regulation was passed by the European Union, but that doesn’t mean it doesn’t apply to your website if you’re based elsewhere. According to the law, it applies to every organisation that collects data from EU citizens. If you’ve got visitors from inside the EU, you need to be GDPR compliant.

Will this impact my analytics and tracking data?

Good question. According to a recent study by PageFair, about 21% of users would accept identifying cookies, though to me this seems a little optimistic. So if only one in five users gets picked up by your analytics and tracking tools, how do you make sure you get enough data for valuable insights?

We’re not really sure. Granted, ‘cookie walls’ (blocking a user from accessing the website unless they accept the cookies) might seem like a clever way to force users to accept cookies, but it’s honestly not. It’s not only a surefire way to turn away users, but it’s also very much against the new regulation: GDPR states that a consent request can’t be ‘unnecessarily disruptive to the use of the service for which it is provided’.

Fine. What do I do?

The answer is simple: show the user a menu that allows them to consent to cookies or withdraw that consent, without negative repercussions. If cookies are used for multiple purposes, the user has to give consent for each and every one of these purposes. Not every cookie needs consent though: non-identifying cookies, like language preferences or shopping cart info, don’t fall under GDPR. Lastly, make sure these settings can be changed at any time, seeing as the regulation states that it should be ‘as easy to withdraw as to give consent’.
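
The consent gate described above, as an added JavaScript example that is not part of the original post. The purpose names, the cookie names and the Map standing in for the browser’s cookie store are assumptions made for illustration.

```javascript
// Constructed sample data: these cookie and purpose names are illustrative.
const EXEMPT = new Set(['lang', 'cart']); // non-identifying, no consent needed
const PURPOSES = { analytics: ['_stats_id'], advertising: ['_ad_id'] };

// Returns the cookies tied to a purpose; rejects purposes the menu does not offer.
function cookiesFor(purpose) {
  if (!Object.keys(PURPOSES).includes(purpose)) {
    throw new Error(`unknown purpose: ${purpose}`);
  }
  return PURPOSES[purpose];
}

class ConsentManager {
  constructor(jar = new Map()) {
    this.jar = jar;            // stands in for the browser's cookie store
    this.granted = new Set();  // starts empty: nothing is pre-ticked
  }
  // Call only from an explicit user action in the consent menu.
  grant(purpose) {
    cookiesFor(purpose);
    this.granted.add(purpose);
  }
  // Withdrawing is a single call, like granting, and clears cookies already set.
  withdraw(purpose) {
    for (const name of cookiesFor(purpose)) this.jar.delete(name);
    this.granted.delete(purpose);
  }
  // Returns true if the cookie was stored, false if it was blocked.
  // Cookies that are neither exempt nor mapped to a granted purpose are blocked.
  setCookie(name, value) {
    const purpose = Object.keys(PURPOSES).find((p) => PURPOSES[p].includes(name));
    const allowed = EXEMPT.has(name) ||
      (purpose !== undefined && this.granted.has(purpose));
    if (allowed) this.jar.set(name, value);
    return allowed;
  }
}

// One visit: no consent yet, then analytics consent only, then withdrawal.
function demoVisit() {
  const c = new ConsentManager();
  const log = [c.setCookie('lang', 'nl'), c.setCookie('_stats_id', 'v1')];
  c.grant('analytics');
  log.push(c.setCookie('_stats_id', 'v1'), c.setCookie('_ad_id', 'v1'));
  c.withdraw('analytics');
  log.push(c.jar.has('_stats_id'), c.jar.has('lang'));
  return log;
}
console.log(demoVisit());
```

In a real page the analytics and advertising scripts would call `setCookie` through this gate instead of writing to `document.cookie` directly.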

Congratulations!

Ding! That’s not the sound of the oven, but it does signal that your cookies are now ready. You are safe from massive data-related fines! Isn’t that a relief? Until the new ePrivacy Regulation, that is: this new set of regulations about online privacy data is expected to go into force somewhere in the second half of 2019.

Have you been busy implementing these tips to brace yourself against the unstoppable tide that is GDPR or have those darn cookies escaped your attention? Have you found a surefire way to feed enough data to your analytics solution? We’d love to hear your ways of dealing with GDPR, so do let us know!

Want to grab a cup of coffee?

You bring the coffee, we’ll bring the cookies. All GDPR-compliant, of course.