GDPR: Keep calm; Think Cookies

There are so many different aspects to The GDPR that it can be easy to forget about something as humble as the cookie. We’re shining a light on them this week to make sure that you know how the cookie crumbles.


Events over the last two weeks surrounding the Cambridge Analytica scandal have significantly accelerated the conversation around data protection, its importance, and the significance of consent and clear opt-in.

Whilst the pragmatists may look at The GDPR as a positive, based on the opportunity for better, more relevant marketing, it is fair to say the majority see any financial investment in compliance as a burden.

Whatever their attitude, businesses are generally ‘on it’, with one glaring omission… Cookies! We don’t blame them, though. Cookies are only mentioned once in The GDPR, but the repercussions could be significant. So, what are cookies?

Cookies are typically two pieces of information: a site name and unique user ID. When you visit a site that uses cookies for the first time, a cookie is downloaded onto your device. The next time you visit that site, your device checks to see if it has a cookie that is relevant and sends the information contained in that cookie back to the site.

The site then ‘knows’ that you have been there before, and in some cases, tailors what pops up on screen accordingly. Some cookies are more sophisticated, storing data such as length of time spent on site, links you click, as well as what’s in your shopping cart. This element is key.

The ability for cookies to store personal information that could then be used to build a picture of your browsing habits is fundamentally what The GDPR is there to protect. Here’s a relevant extract from Recital 30.

“Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Everyone has become familiar with the classic ‘By using this site, you accept cookies’ message you find at the bottom of a lot of websites. But how will this change with the implementation of The GDPR?

Moving forward, businesses must consider four things:

  1. Implied consent (e.g. ‘By using this site, you accept cookies’) will not cut it anymore – ideally the user would be choosing settings or preferences on a settings menu
  2. You must make it possible for users to either accept or reject cookies with ease
  3. As with all other consent under The GDPR, consenting to cookies needs to be extremely clear (Steve Jobs explained the importance of this back in 2010)
  4. Opt-out – The GDPR clearly states that a data subject should be able to withdraw consent as easily as they gave it at any point in time

Wondering how that might look? Well, here’s an example from one of our clients:

  • Nice visual opt-in settings upon visiting the website for the first time, giving the option to change settings to suit the user
  • ‘Change Settings’ provides you with four different options, which include ‘Strictly Necessary’, ‘Performance’, ‘Functional’ and ‘Targeting’ – each with a clear description and opt-in tick-box (these can be updated at any time)

  • The ‘Change Settings’ feature is then constantly visible in the bottom left-hand corner which enables the user to update at any time
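
The four points and the category settings described above, as an added example (not the client's or the author's code): a consent gate that refuses to set a cookie until its category has been explicitly opted into, and that deletes already-set cookies when consent is withdrawn. The class and method names, the in-memory cookie jar standing in for the browser's cookie store, and treating 'Strictly Necessary' as always on are assumptions.

```javascript
// Added example. Category names come from the article; all other names are hypothetical.
const CATEGORIES = ['strictly_necessary', 'performance', 'functional', 'targeting'];

class ConsentManager {
  constructor(jar = new Map()) {
    this.jar = jar;           // stand-in for the browser cookie store (assumption)
    this.owners = new Map();  // cookie name -> category that set it
    // No implied consent: every optional category starts as "not granted".
    this.granted = new Set(['strictly_necessary']);
  }

  // Record an explicit choice per category, e.g. { performance: true }.
  update(choices) {
    for (const [category, allow] of Object.entries(choices)) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      if (allow === true) this.granted.add(category);
      else this.withdraw(category);
    }
  }

  // Withdrawing is as easy as granting, and removes cookies that were already set.
  withdraw(category) {
    if (category === 'strictly_necessary') return; // assumed always on
    this.granted.delete(category);
    for (const [name, owner] of this.owners) {
      if (owner === category) { this.jar.delete(name); this.owners.delete(name); }
    }
  }

  // Set a cookie only when its category has been opted into.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.granted.has(category)) return false;
    this.jar.set(name, value);
    this.owners.set(name, category);
    return true;
  }
}

// Constructed walk-through: blocked before opt-in, allowed after, removed on opt-out.
function demo() {
  const cm = new ConsentManager();
  const before = cm.setCookie('ad_id', 'u-123', 'targeting');
  cm.update({ targeting: true });
  const after = cm.setCookie('ad_id', 'u-123', 'targeting');
  cm.update({ targeting: false });
  return { before, after, stillStored: cm.jar.has('ad_id') };
}
```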

Hopefully this has answered most of your cookie questions but if you need any further support or guidance on cookies or The GDPR in general, please do give us a shout.


Matthew Bowell – head of client service and operations
