Cookies and GDPR

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Alexisbb, Feb 22, 2018.

  1. Alexisbb

    Alexisbb UKBF Newcomer Free Member

    2 0
    Hello,

    I have some questions around the new cookie setup with GDPR.

It is said that soft opt-in is not sufficient anymore (by browsing this website...). Users would have to accept cookies on purpose (by clicking a button to accept cookies).

    Cookiebot says they are compliant with this, but at the same time the cookie notification disappears (and cookies are set) as soon as users scroll or go to a new page. cookiebot dot com

    So what can we really do?

    What about third party cookies? let's say I'm showing the numbers of likes on my site via a facebook widget. Does it mean I'm not supposed to show the widget on my website, unless the users accepted it?

Are cookies from Google/Facebook for Single Sign On considered strictly necessary cookies?

Does it mean I can't show YouTube videos on my page because YouTube could create cookies from my embed?

    Thanks!
     
    Posted: Feb 22, 2018 By: Alexisbb Member since: Feb 22, 2018
    #1
  2. Cookiebot

    Cookiebot UKBF Newcomer Free Member

    3 0
    Hi there,

    I'm on the Cookiebot team and can hopefully help clarify :)

    Under the GDPR you need explicit consent ('Active Consent' in Cookiebot) if you process sensitive, personal data.

    If not, you can use soft opt-in ('Implied Consent' in Cookiebot), if you make sure to:
• Display an 'intrusive' consent banner that cannot be missed by the visitor.
    • Inform the visitor in the banner, that continued usage of your website constitutes consent (e.g. "You consent to our cookies if you continue to use this website.")
    • Hold back cookies and other trackers until the visitor consents by clicking 'OK' or starts to use your website by clicking a link or scrolling. This 'prior consent' is in all cases crucial for compliance, so make sure to check out step 3 in the Cookiebot Tutorial on how to mark up cookie-setting tags on your site.
    And of course provide detailed information about the tracking on your website.

If the visitor then ignores the banner and starts using your website, Cookiebot will automatically hide the banner, log the consent and fire all tags blocked by prior consent in conformity with the visitor's consent. This method ensures that you e.g. will be able to see referral information on the landing page in Google Analytics (for visitors accepting statistics cookies) and thereby still will be able to measure the effectiveness of your marketing.

    Implementing prior consent on existing tags will automatically hide widgets like your share-button, YouTube videos etc. until the consent is submitted. When the visitor consents, the widgets and videos are automatically and immediately displayed by Cookiebot.

The Cookiebot API makes it possible to easily display alternative content for visitors opting out of certain categories of cookies and to implement prior consent on iframes like YouTube.

    SSO-cookies set by third parties are not considered strictly necessary.

    Sorry that I am not able to include links in the post, but I hope you find this useful anyway.
     
    Posted: Mar 3, 2018 By: Cookiebot Member since: Mar 3, 2018
    #2
  3. Alan

    Alan UKBF Legend Full Member - Verified Business

    5,807 1,601
    Posted: Mar 3, 2018 By: Alan Member since: Aug 16, 2011
    #3
  4. fisicx

    fisicx It's Major Clanger! Staff Member

    28,547 8,436
    Who or what is Cookiebot?

You do not need consent if the cookie is necessary for processing (i.e. online shopping or a login) or the cookie doesn't process personal data. So for example, a non-persistent tracking cookie that records page views but not the person doesn't need consent.
     
    Posted: Mar 3, 2018 By: fisicx Member since: Sep 12, 2006
    #4
  5. Cookiebot

    Cookiebot UKBF Newcomer Free Member

    3 0
    Cookiebot is a Software-as-a-Service provided by Cybot to help websites comply with the GDPR and the ePrivacy Directive regarding online tracking.
     
    Posted: Mar 3, 2018 By: Cookiebot Member since: Mar 3, 2018
    #5
  6. fisicx

    fisicx It's Major Clanger! Staff Member

    28,547 8,436
    I'm not sure it really helps that much with compliance. Or if it does it's only a very, very small element - the intimation of your website is that cookie management is a major component, which I'm not sure it is.

PS: The WordPress plugin has poor usability (it relies on a shortcode rather than a theme hook).
     
    Posted: Mar 3, 2018 By: fisicx Member since: Sep 12, 2006
    #6
  7. Cookiebot

    Cookiebot UKBF Newcomer Free Member

    3 0
    Thank you for your feedback. Cookiebot covers one corner of the GDPR: online tracking. This includes automated scanning of a website to document and inform about trackers, collecting and documenting consents as well as controlling cookies in use in conformity with the visitor's consent.
    I will pass on your comment on the WordPress plugin to our developers, thanks.
     
    Posted: Mar 3, 2018 By: Cookiebot Member since: Mar 3, 2018
    #7
  8. fisicx

    fisicx It's Major Clanger! Staff Member

    28,547 8,436
    Yes I know, but your website doesn't make this clear. It says: "Is my website GDPR compliant?" and requires me to sign up for your newsletter - which is clearly not GDPR compliant! And your test will not be able to check if my website is GDPR compliant as you have no idea what data I collect and hold.
     
    Posted: Mar 3, 2018 By: fisicx Member since: Sep 12, 2006
    #8
  9. BigPhill

    BigPhill UKBF Newcomer Free Member

    28 9
    I'm unsure if this is entirely correct....

"Recital 30: Natural Persons may be associated with online identities…such as internet protocol addresses, cookie identifiers or other identifiers…This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

Some cookies can identify an individual via their device, so that may be "considered" personal data... I feel it's a massive grey area, no one seems to know.
     
    Posted: Mar 3, 2018 By: BigPhill Member since: Oct 13, 2017
    #9
  10. fisicx

    fisicx It's Major Clanger! Staff Member

    28,547 8,436
    Tracking cookies used for analytics can be considered legitimate interest as they are necessary to ensure the viability of the website. They are used purely to manage the business.

    Cookies that track a visitor across various websites (such as those used by social media or advertisers) are not legitimate interest.
     
    Posted: Mar 4, 2018 By: fisicx Member since: Sep 12, 2006
    #10
  11. fluffybunny

    fluffybunny UKBF Newcomer Free Member

    20 10
    A site that sets cookies for different purposes will also need to obtain consent for each separate purpose.

    To quote cookierot :- "Hold back cookies and other trackers until the visitor consents by clicking 'OK' or starts to use your website by clicking a link or scrolling. This 'prior consent' is in all cases crucial for compliance, so make sure to check out step 3 in the Cookiebot Tutorial on how to mark up cookie-setting tags on your site."

You can't use a one-size-fits-all OK. So cookierot is still not compliant.
     
    Posted: Mar 13, 2018 By: fluffybunny Member since: Feb 14, 2018
    #11
  12. Alexisbb

    Alexisbb UKBF Newcomer Free Member

    2 0
    Thanks for all the feedback.

    I have three more questions:

What are sensitive data? Race, gender...? Or things like IP address? Is there a proper definition from GDPR somewhere?

Also, if you have a website/business in the EU but you have visitors from Brazil, do you have to show the cookie options as well?

    Finally, what does it mean to log consent? Register IP address and what cookies were accepted/rejected along with timestamp?

    Thanks!!
     
    Posted: Mar 14, 2018 By: Alexisbb Member since: Feb 22, 2018
    #12
  13. NinoGdprHq

    NinoGdprHq UKBF Newcomer Free Member

    7 2
    Sensitive personal data are special categories of personal data (See Article 9).
    IP address is not sensitive personal data.

If you are from the EU, but the visitor is from Brazil - I believe that you will need to show the cookie option/consent, but it will not be required by the GDPR, it will be required by the so-called EU cookie law. However, if a visitor is from the EU, then GDPR applies because IP address is personal data.

    To log/record a consent:
    ☐ We keep a record of when and how we got consent from the individual.

    ☐ We keep a record of exactly what they were told at the time.

    (from the ICO, can't include link)

    You should be able to demonstrate that individual gave you consent for the processing of personal data.
     
    Posted: Mar 20, 2018 By: NinoGdprHq Member since: Mar 20, 2018
    #13
  14. SEOpie

    SEOpie UKBF Contributor Full Member

    96 35
    It's not "sensitive personal data", but it could be personal data.
    https://www.whitecase.com/publicati...rms-ip-addresses-are-personal-data-some-cases

    So we shouldn't collect personal data (IP Address) without consent, and if we do we must record consent using IP address, timestamp, and method of consent.

    This data must be kept in the case of a legal issue arising from a data request, and therefore we would be recording personal data.

    So this brings us to another problem - how long should we be recording consent? 1 year? 3 years? Is that reasonable? Court rulings can take years, so it would be prudent to keep them for 5+ years, right?

    Are there any plugins available for the popular CMS platforms for recording cookie consent?
     
    Posted: Mar 22, 2018 By: SEOpie Member since: Oct 16, 2014
    #14
  15. NinoGdprHq

    NinoGdprHq UKBF Newcomer Free Member

    7 2
Technically, you're right about the IP address - but - in practice, how will you distinguish whether it's possible to identify a visitor of your site based on the IP address or not? If you're not sure, you will have to assume that IP is personal data.

    Most often people think that consent is a magic wand when it comes to the GDPR; in reality, you should try to use consent as a last resort. For example, you may decide to document that a particular processing activity is a legal interest. Having done so, point out in your Privacy policy/notice how to object to that processing activity. In such a case, you don't need consent from an individual - instead, you're processing personal data, and an individual has a right to object.

Consents (or other processing activities) don't have "time limits." Depending on the purpose of the processing and the category of personal data, you can define the envisaged time limits for erasure of personal data. In practice, you can define and document for how long you will keep personal data in your databases for a particular purpose; e.g., "I will delete personal data related to a newsletter after six months." Note that you're still obligated to keep personal data if a lawful basis for processing is a legal obligation.
     
    Posted: Mar 22, 2018 By: NinoGdprHq Member since: Mar 20, 2018
    #15
  16. SEOpie

    SEOpie UKBF Contributor Full Member

    96 35
    So record personal data first, then tell users that they have a right to object? That doesn't sound right/fair/GDPR Compliant.

    I guess that depends on what you would decide a legal interest would be.

    So if we're monitoring server performance for errors and in doing so record the IP addresses of a bunch of users, we can justify that as long as we tell them and offer them an opt-out retrospectively.
    But even then we wouldn't be contacting them directly, so they might not even realise this is what we were doing. In effect, we would be taking their personal data without consent, based on our own decisions as to whether we think we have a legal right to use it or not!
     
    Posted: Mar 22, 2018 By: SEOpie Member since: Oct 16, 2014
    #16
  17. NinoGdprHq

    NinoGdprHq UKBF Newcomer Free Member

    7 2
    Yes - process personal data first, while informing an individual of his (GDPR) rights. Why not? If it's a legitimate interest of your business? If you have a contract? If it's a legal obligation? I can't insert URLs in my posts, search for "Lawful basis for processing" on ico org uk or read some other article on that subject.

    It indeed depends on the processing you're performing - however, it's not enough to say "it's my legitimate interest"; you must conduct a legitimate interests assessment (LIA) and purpose, necessity and balance tests. You must also document your decision and state info about it in the Privacy policy.
     
    Posted: Mar 22, 2018 By: NinoGdprHq Member since: Mar 20, 2018
    #17
  18. SEOpie

    SEOpie UKBF Contributor Full Member

    96 35
    Posted: Mar 22, 2018 By: SEOpie Member since: Oct 16, 2014
    #18
  19. NinoGdprHq

    NinoGdprHq UKBF Newcomer Free Member

    7 2
    That's the one ;)
     
    Posted: Mar 22, 2018 By: NinoGdprHq Member since: Mar 20, 2018
    #19