Correct Cookies Setting

2 Contributors
Last updated 26 Jan 15:38

TL;DR

When your website stores cookies, make sure their storage is set up correctly. In some cases consent is required; in every case, inform users about the storage and its purpose.

What Is Correct Cookie Setting?

Cookies are small pieces of data generated by websites and saved by your browser. They serve several purposes, e.g. saving entered data, remembering the chosen language or the shopping cart, marketing, or analytics. Saving this data clearly affects users' privacy, so electronic privacy has to be protected. The European Union set out how cookies should be set on websites in the so-called e-Privacy directive. Under this directive, cookies may be saved in the user's browser only with the user's active consent (opt-in option). Do not confuse this directive with the e-Privacy regulation, which was supposed to take effect together with the GDPR but has not yet been adopted. The e-Privacy regulation would set different rules for cookie setting, but the European Union has been unable to agree on its final text.

Image: Cookies (Source: Cookies)

However, because it is only a directive, member states have to adopt national laws to implement this duty, and some countries did it wrong, the Czech Republic among them. There, cookies may be stored even without user consent (websites only have to allow the user to object to the collection, the so-called opt-out option).

Correct cookie setting is the process of setting up cookie storage on a website so that the conditions required by law are met.

To comply with EU and national law, the consent screen for cookie usage has to be set up correctly. Although it looks simple, there are some pitfalls. Several rules apply to saving cookies and to processing the data gathered through them.
The laws simply state that you may store cookies only with the user's consent. There are exceptions, such as so-called technical cookies, for which no consent is required; typical examples are cookies for language preferences or for storing products in a shopping cart. For other cookies (such as marketing or analytics cookies), consent is required.

As stated above, cookie setting is governed by the e-Privacy directive, one of the legal acts issued by the EU. A directive obliges member states to adopt or adapt national law implementing the duties it lays down. Every state therefore has its own national law, and these laws may differ from state to state (a directive only harmonizes legal orders). As a result, the duties concerning cookie setting may differ within the EU. In the Czech Republic, for example, you do not need active consent for the storage of cookies, because the e-Privacy directive was badly implemented. However, changes are coming, and an amendment to the national act should be in force soon.

However, setting cookies correctly is very important, because in every state a supervisory authority checks whether you comply with the law.

By correct cookie setting:

  • You will comply with applicable laws
  • You may process data gathered through cookies
  • You can show the relevant authorities that you are in compliance
  • Users will trust your website more

Correct cookie setting requires the active consent of the user. When you develop a website, implement the cookie consent functionality correctly: there should be a banner, screen, or other element that allows users to give consent.

The consent should comply with the law (mainly the GDPR, which lays down the rules for obtaining consent) and shall be presented in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. According to the GDPR, consent should be free, informed, specific, and active.

Free

Users cannot be forced to give consent to the storage of cookies. A typical example of forcing the user is the cookie wall: the user cannot browse the website without agreeing to cookie storage. The user must also have the option not to agree. When the user refuses, the cookie bar must disappear, and the user must be able to view the site without cookies being stored.

Informed

You have to inform users about cookie storage: how long cookies will be stored in the browser, for what purposes you will use them, which cookies are used on the website, and whether third parties have access to user data. All this information should be easily accessible on the website and at the moment the user gives consent.

Specific

There are several types of cookies used for several purposes. The user should have the option to choose for which purposes he/she gives consent. If you use cookies for marketing, analytics, and personalization of content, you have to give the user the chance to choose for which of these purposes consent is given.

Active

Consent should be given by an active action of the user (ticking a check-box, moving a slider, clicking “I agree”, etc.).

Because you need to prove that consent was given, you have to make a record of it. The supervisory authority may ask you to submit a log or other record stating that the user gave consent and the date when this happened.

Do not forget that the user must be able to withdraw consent at any time. Simply put, a user should have a chance to change his/her cookie settings on the website.
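One way to wire the rules above (technical cookies exempt, per-purpose opt-in, a timestamped record for the authority, withdrawal at any time) into a site's script, as an added example that is not from the original page. The purpose names, the record key and the storage interface are assumptions; storage and clock are injected so the same code runs in a browser (over a document.cookie wrapper) or in Node.

```javascript
// Added example, not the page's own code. Purpose names and the record key are
// assumptions; `storage` is any object with get/set (a Map works for tests).
const PURPOSES = ["analytics", "marketing", "personalization"]; // assumed purposes

function createConsentManager({ storage, now = () => new Date().toISOString() }) {
  const KEY = "cookie_consent"; // assumed name of the stored consent record
  const auditLog = []; // the record you hand to a supervisory authority on request

  const read = () => {
    const raw = storage.get(KEY);
    return raw === undefined ? null : JSON.parse(raw);
  };

  const save = (action, granted) => {
    const record = { version: 1, granted, timestamp: now() };
    storage.set(KEY, JSON.stringify(record));
    auditLog.push({ action, ...record });
    return record;
  };

  return {
    // Specific + active: `choices` maps purpose -> boolean and must come from a
    // click on the banner, never from a default or from scrolling. Unknown
    // purposes are ignored; only an explicit `true` counts as consent.
    recordDecision(choices) {
      return save("decision", PURPOSES.filter((p) => choices[p] === true));
    },
    // Withdrawal is possible at any time and is logged like a decision.
    withdraw() {
      return save("withdraw", []);
    },
    // Technical cookies (language, cart, session) are exempt; every other
    // cookie may be written only if its purpose was explicitly granted.
    mayStore(cookie) {
      if (cookie.purpose === "technical") return true;
      const rec = read();
      return rec !== null && rec.granted.includes(cookie.purpose);
    },
    // Free: the banner disappears after any decision, including a refusal,
    // and the site stays usable without non-essential cookies.
    needsBanner() {
      return read() === null;
    },
    consentLog() {
      return auditLog.slice();
    },
  };
}
```

Call `mayStore` before every `document.cookie = ...` or third-party tag load; a refusal (`recordDecision({})`) hides the banner but grants nothing.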

Where to get inspiration? Check the website www.ico.org.uk (the UK supervisory authority). It is a very good example of how cookie setting should be done.

If you are from the Czech Republic (and your website targets only the Czech market), a specific rule applies: you do not have to ask for consent. Under the guidelines of the Czech supervisory authority, a user who has set his/her browser to allow cookie saving expresses consent in that way. You only have to inform the user about cookie storage (see the information requirement for consent above) and about how to set the browser to reject cookies. However, this specific rule applies only when the website targets only the Czech market. If you are not sure which countries your website targets (see this ruling of the CJEU, which may help clarify when you are targeting specific countries), it is not recommended to rely only on the Czech rules; set up the opt-in option just to be sure. And if you decide to use consent for cookie storage, you have to abide by the rules stated above.

Also do not forget that cookies may store personal data (not all of them do). If you want to process personal data gathered from cookies, you have to abide by all the rules stated in the GDPR. How do you recognize whether cookies save personal data? If the gathered information allows you to identify a specific natural person, it is personal data.

Typical mistakes in cookie setting:

  • Cookie walls are used on the website – the user cannot use the website without giving consent. The consent screen takes up the entire page and it is impossible to browse it.
  • The consent is not active – the website informs users that by scrolling they agree to cookie storage. This is inappropriate because scrolling is not an active action (well, it is, but it is not certain that the user is giving consent by it).
  • All types of cookies are under one consent – the website stores several types of cookies for different purposes but asks for only one consent covering all of them. Do not forget that for different purposes, separate consent should be given.
  • Users are not informed about cookie storage – the website sometimes only states that there are cookies on the website. Inform users about the period of storage, the purposes, the types of cookies, and the parties with which cookies are shared. For the complete set of information you have to give your users, please check the so-called Planet 49 ruling of the CJEU, which is available here.
  • Different state, different law – check the laws of the countries the website targets and their conditions for cookie storage (see e.g. the Czech Republic, where specific rules apply).

Resources

  • ePrivacy directive
  • ICO
  • EDPB guidelines on consent under GDPR
  • You can get more information about cookies from the SEDLAKOVALEGAL agency