Whenever we browse a website for the first time, we may notice this kind of pop-up on our screen.
What are cookies?
A cookie, more technically called an HTTP cookie, is a small piece of data from a website that is stored on the user’s computer. This data is used for various functions, such as tracking a user’s browsing activity and estimating the total number of users. We see this at work when we search for something on Amazon and then get ads for it on Facebook. A cookie can store any information about the user, and only the website that created it can read or edit it.
Why are cookies used?
By collecting users’ cookies, companies are able to provide targeted content such as ads or services which the user may like and end up buying.
Cookies can also let website owners know how many unique visitors their website is getting, because each cookie has a unique id: if the user visits the same website two or three times in a day, the cookie allows this to be counted as one visitor, so website owners collect more accurate data about their traffic.
Are cookies useful to users?
Cookies can be useful to users, as they can store recurring information such as login details so that you can reopen the website without logging in again and again. Some applications can also provide an optimal user experience only if certain cookies are available.
What are third-party cookies?
Generally a cookie is specific to the website that set it, meaning it cannot track you on a totally different website. Sometimes, however, a website embeds another website’s (a third party’s) product or service, and that third party can store cookies on behalf of the main website. A simple example would be a “Share on Facebook” button on a blog: Facebook (the third party) can now store its own cookies and track users on behalf of the blog website.
User’s consent and legal obligations
In many countries/states the website owner is not legally obligated to ask for the user’s consent, but if the website owner targets audiences in different countries, those countries may have their own laws, and the owner is legally obligated to comply with all of their rules and regulations.
Some of the laws and regulations of different countries are:
- European Union (EU): the GDPR and the ePrivacy Directive apply to all website owners who collect data from users in the EU.
- North America:
  - Children’s Online Privacy Protection Act (COPPA). This law regulates the activity of websites and online services aimed at children under 13 years old.
- Japan: Act on the Protection of Personal Information (APPI)
General Data Protection Regulation (GDPR)
The GDPR sets strict rules on how businesses request and obtain consent. It strictly prohibits “implied” consent and “opt-out” models of consent: consent must be earned by a user’s specific, clear, affirmative action. If the website serves anyone in the EU, including the UK, then it is subject to the GDPR. Failing to comply with the GDPR can result in a potential fine of 20 million euros.
Below is a basic checklist for making a website GDPR compliant:
Cookie notification and opt-in
The notice should cover:
- A basic introduction to cookies
- How the website uses cookies, for example to keep a user signed in without re-entering their password each time they visit the site
- The types of cookies used on the site, whether they’re for advertising, analytics, or customer convenience
- Whether the cookie information is transferred to or used by third parties
- How users can control the cookies and their data
Enabling Secure Socket Layer (SSL)
SSL (today implemented as TLS, but still commonly called SSL) is essentially what gives the green padlock seen in browsers when we visit a website. SSL is good practice, and Google uses it as a factor in organic rankings. It encrypts the data that travels from the website to the end user’s computer and back again. Even if the website doesn’t take payments, it’s still best practice to have an SSL certificate.
Since the GDPR and ePrivacy Directive are quite strict, but also logical, when it comes to opt-in, a GDPR-compliant website is highly likely to comply with US/CA and other regulations as well.
Technical aspects of GDPR and ePrivacy Directive compliance
There are mainly 4 technical points when it comes to making a website GDPR compliant:
- Cookie consent banner
- Enabling Secure Socket Layer (SSL)
- Use of GDPR-compliant third-party libraries and tools
- Secure storage of data collected
As many websites are becoming GDPR compliant, there are many tools available online to help reduce the work.
Helpful online tools
There are many online services provided by companies such as Termly and TermsFeed which offer a complete solution for GDPR and ePrivacy Directive compliance.
These tools help in generating:
- Cookie consent banner
These tools scan the whole website for all cookies in use and generate an all-inclusive cookie consent banner. This covers essential cookies and third-party cookies. The user gets complete information about all the cookies used and can also control the non-essential cookies from this banner. The tools provide a script tag which can be added to the HTML page, and the consent banner then shows up automatically.
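Behind any such banner, the site itself must refuse to set non-essential cookies until the visitor has opted in. The following is an added example (not the post’s code and not any vendor’s banner script) of that gating logic as plain functions that run in Node without a browser; the cookie names, categories and the shape of the consent record are assumed for the example.

```javascript
// Added example (not the post's or any vendor's code): consent gating for
// non-essential cookies as plain functions that run in Node without a browser.

// Consent is valid only if it records an explicit, affirmative choice.
// A missing record, or one without affirmative === true, counts as no consent:
// neither "implied" nor "opt-out" consent is accepted, as the GDPR requires.
function isGranted(consent, category) {
  if (category === 'essential') return true; // strictly necessary, always allowed
  if (!consent || consent.affirmative !== true) return false;
  return Array.isArray(consent.granted) && consent.granted.includes(category);
}

// Build a Set-Cookie header value. Secure and SameSite are always added, which
// only works when the site is served over HTTPS (the SSL point above).
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${opts.path || '/'}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  parts.push('Secure', `SameSite=${opts.sameSite || 'Lax'}`);
  return parts.join('; ');
}

// Given the consent record and the cookies the site wants to set, return the
// Set-Cookie headers that may be emitted and the names that were blocked.
function gateCookies(consent, candidates) {
  const headers = [];
  const blocked = [];
  for (const c of candidates) {
    if (isGranted(consent, c.category)) {
      headers.push(buildSetCookie(c.name, c.value, c.opts));
    } else {
      blocked.push(c.name);
    }
  }
  return { headers, blocked };
}

// Constructed sample (names assumed): one essential session cookie plus an
// analytics id and an advertising id, the two non-essential categories above.
const SAMPLE_COOKIES = [
  { name: 'session', value: 'abc123', category: 'essential', opts: { httpOnly: true } },
  { name: '_analytics_id', value: 'u-42', category: 'analytics', opts: { maxAge: 86400 } },
  { name: '_ad_id', value: 'ad-7', category: 'advertising', opts: { maxAge: 86400 } },
];

// Before the visitor has interacted with the banner: only the session cookie.
const noConsent = gateCookies(null, SAMPLE_COOKIES);
// After the visitor ticked "analytics" but not "advertising".
const partial = gateCookies({ affirmative: true, granted: ['analytics'] }, SAMPLE_COOKIES);
```

With no consent record only `session` is set, and a record with `affirmative: false` is treated the same way even if it lists categories; with `granted: ['analytics']` the `_ad_id` cookie is still blocked.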