GDPR Learning Hub


Rules on cookies on a website under the GDPR

Rules on cookies on a website under the GDPR are based on the so-called ePrivacy Directive. Both the GDPR and the ePrivacy Directive contain many key EU rules on cookies. 

Use of Cookies

Most companies today have a website, and websites usually use cookies of different kinds and for different purposes. If the use of cookies also means that personal data is stored in the cookie, such as an individual’s IP address or email address, the GDPR also applies. Companies that use cookies therefore need to know the applicable rules on cookies on a website under the GDPR.

What are cookies?

Simply put, cookies are small text files containing a certain amount of information, which the website can save on the visitor’s device (e.g. computer, mobile or tablet). Cookies are a form of online identifier, which may constitute personal data according to Recital 30 of the GDPR. This is because cookies can leave traces that, in combination with other data received by the servers, can be used to create profiles of natural persons and identify them. 

An individual can be associated with online identifiers provided by their equipment, applications, tools and protocols, such as cookies. Cookies are thus a form of online identifier, and some of the information contained in cookies may constitute personal data, such as a user name, IP address or email address.

What is the purpose of cookies?

The use of cookies can be conducted by a company for several different purposes. For example, cookies may enable the company that operates the website to: 

  • Retrieve information that is already stored on the visitor’s device.
  • Store new information on the visitor’s device. The storage can take place both during a single visit (temporary cookie) and across several visits (permanent cookie).
  • See what the visitor has done on the website, by storing data about their activities and interactions on the website.
  • Ensure that the website’s critical functions are working as intended.
  • Transfer certain data between the website and the visitor’s device, or to a third party.
  • Store information on the visitor’s device, such as the user’s chosen language settings for the website.
  • Make it possible to carry out targeted marketing to the visitor the next time the visitor visits the website, based on the demonstrated interests and use of the website.

Is there a difference between permanent cookies and temporary cookies?

Yes, there are several differences between permanent cookies and temporary cookies. These are two different types of cookies, and below is a description of the main differences:


Temporary cookies

Temporary cookies (also known as session cookies) are stored in the device's memory and have no expiry date. They are active and stored only during the browser session in question, and are automatically deleted from the device when the browser is closed. In other words, temporary cookies are stored only while the visitor is browsing the website, until the visitor closes the browser. Temporary cookies are often used to enable certain functions on the website and to maintain a user session.


Permanent cookies

Permanent cookies (also known as persistent cookies) are instead stored on the device for a fixed period of time. The storage duration is shown in the cookie settings. Permanent cookies remain stored on the device even after the visitor has closed the browser, until their expiry date or until they are deleted manually. It is common for permanent cookies to be used to save user settings for future visits to the website, such as the language settings chosen by the user.

What is the difference between essential cookies and non-essential cookies?

Essential cookies and non-essential cookies are two different categories of cookies. These are also subject to different rules on cookies on a website under the GDPR and the ePrivacy Directive. Below you can read more about the difference between these cookie categories.

Essential cookies

There are cookies that must be used for a website to work properly, also known as strictly necessary cookies. This mainly refers to cookies that enable the functions of the website to work as intended and to deliver the online services requested by the visitor. No consent from the visitor is required in order to use essential cookies. This means that cookies categorised as “essential” will always be used. However, the company must be aware that essential cookies must serve basic functions and security features that are important to the visitor of the website. Whether a cookie is essential does not depend on what the company itself considers necessary.

Non-essential cookies

These cookies are not necessary or essential for the proper functioning of the website's basic functions. They are instead used for other purposes, such as for analysis of website traffic, improvement of user experience, statistical purposes, etc.

Specific requirements for the use of cookies and applicable rules on cookies on a website under the GDPR

Information requirements: The company must always inform visitors of the website about the use of cookies. This applies regardless of whether the company only uses essential cookies, or also non-essential cookies. The purpose is to give the visitor a clear picture of how cookies work in practice and help them make informed decisions about the use of cookies. The information should be provided by the company publishing a cookie notice, sometimes also called a cookie policy. This can usefully be published in the footer of the website for easy access, and should also be linked from the cookie banner where the visitor can manage their cookie settings (if applicable).

Consent: In order for a company to be able to use non-essential cookies, website visitors must actively give their consent to it. In addition, the visitor has the right to withdraw consent at any time, in which case the use of these non-essential cookies shall cease immediately. If the visitor does not give their consent, or has given an invalid consent, non-essential cookies may not be stored on the visitor’s device. 

Examples of what constitutes invalid consent:

  • When it is not possible to withdraw a given consent, or if it is too difficult to do so, the consent is invalid. One starting point is that it should be as easy to withdraw a consent as to give it.
  • The buttons in the cookie banner to “Accept” or “Deny” cookies must not be designed in a way that influences the visitor’s choice. For example, a banner where the “Accept” button is large and green while the “Deny” button is smaller and grey does not produce a valid consent.
  • Passive consent is not valid. In other words, it is not allowed to store non-essential cookies when a visitor has neither accepted nor denied the use of cookies.
  • A pre-ticked consent box does not constitute a valid consent, as the consent is not considered to be actively given by the visitor.

What needs to be stated in the cookie notice regarding the use of cookies

There are several things that should be clear when a company informs the data subjects about the use of cookies on the website. These include:

  • The company’s details, such as company name, company registration number and contact details.
  • A list of each individual cookie that the company intends to use. This list should be kept up to date on a regular basis, to reflect the current use of cookies. The list should contain at least the following information:
      o The name of each cookie.
      o Which category each cookie belongs to.
      o Which storage period applies to each cookie.
      o A description of the purpose of each cookie.
      o Whether the cookie is a third-party cookie or not. If it is a third-party cookie, or if the information is shared with a third party, this should be indicated.
  • How the visitor of the website can withdraw their consent.
  • How the visitor of the website can manage their settings regarding the storage of cookies.

How can a website visitor manage their settings regarding the storage of non-essential cookies?

The visitor of a website can control and manage how non-essential cookies can be stored on their device, through various methods. For example, the visitor should have the possibility to fully or partially enable or disable non-essential cookies. However, it is important to inform the visitor that disabling non-essential cookies, in whole or in part, may affect the functionality of the website and make certain functions not work as intended. 

Below you can read about different ways for the visitor to manage their cookie settings.

1. The website's installed cookie solution

If the website uses non-essential cookies and has an installed cookie solution enabled, for example via a cookie plugin, the visitor should at least be able to take the following actions through it: 

  •   Accept all cookies 
  •   Deny all non-essential cookies 
  •   Provide customised consent for different individual cookie categories

Please note that the company does not need to install a cookie solution when using only essential cookies. This is because the company may always use essential cookies, without the visitor’s consent. 

When should the cookie banner be displayed?

The cookie banner should be displayed when the visitor visits the website for the first time. It should also be displayed again when significant changes are made to the cookie notice, the cookies used or the categories of cookies used. This is necessary to ensure that the consent the visitor gives, or has previously given, meets the requirements for being considered valid.

How can the visitor withdraw their consent or change their choices?

In addition, the visitor of the website shall have the possibility to withdraw their consent at any time after giving it. This should be done by making it possible to re-open the cookie banner and change its settings. Often this is done through a small widget at the bottom of the website, or through a button or link to “manage cookie settings” in the footer of the website. The settings should be easy to find again. The purpose is to give the visitor the flexibility to customise their cookie settings for the website according to their preferences and needs.
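As an added example (not code from the GDPR Learning Hub page), the JavaScript below models the consent rules described in this section and under "Consent" above: essential cookies are always permitted, non-essential cookies are stored only after an active choice per category, no choice at all counts as no consent, and withdrawal removes the non-essential cookies already set; it also shows the temporary/permanent distinction from the earlier section via a missing or present Max-Age. The CookieJar class and the four category names are assumptions, standing in for a real browser's document.cookie and a site's own category scheme.

```javascript
// Added example (not from the GDPR Learning Hub page): a consent gate that writes
// non-essential cookies only after an active, recorded choice, treats "no choice
// yet" as refusal, and clears non-essential cookies on withdrawal. CookieJar is a
// constructed in-memory stand-in for document.cookie so the code runs offline.
const CATEGORIES = ["essential", "functional", "analytics", "marketing"];

class CookieJar {
  constructor() { this.store = new Map(); }
  // No maxAgeSeconds => session (temporary) cookie, dropped when the browser closes.
  set(name, value, maxAgeSeconds) {
    this.store.set(name, { value, persistent: maxAgeSeconds !== undefined });
  }
  delete(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
  closeBrowser() {
    for (const [name, c] of this.store) if (!c.persistent) this.store.delete(name);
  }
}

function createConsentGate(jar) {
  let consent = null;          // null: no active choice yet (passive = no consent)
  const registry = new Map();  // cookie name -> category, so withdrawal can clean up
  // Essential cookies never need consent; every other category needs an explicit true.
  const allowed = (cat) => cat === "essential" || (consent !== null && consent[cat] === true);

  function purgeDisallowed() {
    for (const [name, cat] of registry) {
      if (!allowed(cat)) { jar.delete(name); registry.delete(name); }
    }
  }
  // Returns false and stores nothing when the category has not been consented to.
  function setCookie(name, value, cat, maxAgeSeconds) {
    if (!CATEGORIES.includes(cat)) throw new Error("unknown cookie category: " + cat);
    if (!allowed(cat)) return false;
    jar.set(name, value, maxAgeSeconds);
    registry.set(name, cat);
    return true;
  }
  // Call only from an actual click on "Accept", "Deny" or a customised choice.
  // Categories not explicitly true default to false, so a pre-ticked box cannot count.
  function record(choices) {
    consent = {};
    for (const c of CATEGORIES) if (c !== "essential") consent[c] = choices[c] === true;
    purgeDisallowed();
  }
  const acceptAll = () => record({ functional: true, analytics: true, marketing: true });
  const denyAll = () => record({});
  const withdraw = () => { consent = null; purgeDisallowed(); };
  return { setCookie, record, acceptAll, denyAll, withdraw, allowed, current: () => consent };
}
```

The analytics or marketing script on a real site would call setCookie through the gate instead of writing document.cookie directly, so a refused write is simply not stored.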

2. The browser's settings

The visitor of a website can also limit the use of cookies by adjusting the settings in the browser. Many browsers allow the user to block non-essential cookies or require the user to actively accept each new cookie before it is stored on the device. 

The settings via the browser can also give the user the ability to block third-party cookies. In some cases, the user may also mark frequently visited websites as “trusted”, which means that cookies from such websites are always accepted. In addition, through the browser settings, the user can delete specific individual cookies that have been stored or clear all previous cookies. 

Where are these features in the browser?

These features are often found under the browser’s menu options “Settings”, “Help” or “Tools”. Please note that features may vary depending on which browser the visitor is using (e.g. Chrome, Firefox, Safari, Edge, Opera, etc.). If the visitor needs help configuring the browser’s settings, they should contact the browser’s publisher or visit its help pages for more information and support.

Do the cookie settings need to be customised on each browser and each device?

Yes, the cookie settings need to be customised on each browser and each device. The company should inform the website visitor about this, so that the visitor can ensure their preferences apply on every device and website they use.

Does adjusting the browser’s cookie settings meet the requirements of GDPR?

In order for the website’s visitors to be considered to have given a valid consent under the GDPR, it must be done through an active action. Therefore, it is important to keep in mind that adjusting the cookie settings via the browser is not always sufficient, if the website uses non-essential cookies that require prior active consent. Therefore, the company should recommend the website visitors to instead use the cookie settings on the company’s website, via the installed cookie solution, to manage their consent. 

‘I understand’ and ‘I agree’ mean two different things

It is important to enter the correct text on the buttons that the visitor can choose to click, in order to manage cookie settings, via the installed cookie solution or cookie banner on the website.

The button text ‘I understand’ does not mean that the visitor consents to the use of cookies. The button must indicate “I agree” or “Accept”. In addition, the user of the website must have the possibility to “Deny” cookies and to open the “Cookie Settings”. This also applies after consent has been given. The visitor must have the opportunity to withdraw consent in an equally simple way, or otherwise change the settings. This is one of the key rules on cookies on a website under the GDPR.

Is it allowed to have a cookie wall on the website?

No, it is forbidden to design the website’s cookie banner as a cookie wall. A cookie wall means that a wall of information about cookies takes up all or large parts of the website. Often, cookie walls are placed in the middle of the screen and take up a large surface area, which makes it impossible to read the text behind the cookie wall. 

In order for the visitor to access the information on the website, he or she needs to accept cookies. A cookie wall thus forces the visitor to accept cookies in order to use the website, and such consent cannot be regarded as freely given. Therefore, it is not allowed to have a cookie wall on the website.


Data Protection by Default and Privacy by Design

Companies that are data controllers must implement data protection by default and privacy by design, in accordance with Article 25 GDPR. Data protection by default means that companies that, for example, provide a digital service or similar should have data protection-friendly default settings, for example by implementing a feature that allows users to withdraw their consent. Companies that process personal data must also put in place adequate organisational and technical security measures to protect the personal data. Examples of technical security measures are virus protection, multi-factor authentication at login, backups and similar. Examples of organisational security measures include training staff in data protection and having clear instructions and procedures regarding the processing of personal data.
