Cookies and GDPR: how they work and why they are in conflict
The GDPR, the EU regulation that has applied since 25 May 2018, is designed to protect the personal data of website users. Cookies, small pieces of data that a website sets in the visitor's browser and that the browser sends back on later requests, so that the user can be recognised and profiled, are mentioned only once in the entire 88-page Regulation.
The few lines dedicated to cookies (Recital 30) are nonetheless significant. They state that online identifiers such as cookie identifiers, when combined with other information received by servers, can be used to create profiles of natural persons and to identify them. Such cookies are therefore personal data, and their processing falls squarely under the Regulation. Not every cookie is used to identify a user, but the vast majority are subject to the GDPR and will continue to be so.
What are the issues with cookies and how can a site be made to conform to the GDPR?
Cookies present two main problems. The first concerns privacy: which user actions are being recorded. The second concerns transparency: who is monitoring users' actions and why. Beyond these, a site owner must also answer how the data is managed and for how long it is retained.
Website owners must therefore adopt measures that bring the site into line with the rules on the handling of personal data. To be clear, 'personal data' covers, among other things, bank account details, email addresses, device IP addresses and medical records.
If this kind of information is processed, an adequate cookie policy and a consent mechanism covering the use of these files are essential.
On closer reading, the Regulation does in fact require that consent be obtained before information about the behaviour of website users is stored, and it defines consent as a freely given, specific, informed and unambiguous indication of the user's wishes (Article 4(11)); silence, pre-ticked boxes or mere inactivity do not count (Recital 32). The same rule applies to information gathered for targeted advertising.
Consent must also be a real choice: a user who declines cookies must still be able to visit the site and use its functions.
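The two requirements above (no storage before consent, and a site that keeps working when the user declines) translate into one enforcement point in the page's code: every non-essential cookie write goes through a gate whose default answer is "no". The following is an added illustration, not code from the original article; it models the browser's cookie jar as a small in-memory class so it runs in Node without a DOM, and the category names, the consent record format and the cookie names in the walk-through are assumptions made for this example.

```javascript
// Added example (not from the article): a minimal consent gate in front of a
// cookie jar. The CookieJar class stands in for document.cookie so the code
// runs in Node; the category names and the consent record are assumptions.

const STRICTLY_NECESSARY = "necessary"; // exempt from consent (session, CSRF token)
const ANALYTICS = "analytics";
const ADVERTISING = "advertising";

class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentGate {
  constructor(jar, now = () => new Date().toISOString()) {
    this.jar = jar;
    this.now = now;
    // Default deny: only strictly necessary cookies may be set before any choice.
    this.granted = new Set([STRICTLY_NECESSARY]);
    this.record = null;              // when consent was given and for what
    this.setByCategory = new Map();  // category -> names of cookies set under it
  }

  // Called only on an explicit user action (a click on "accept"), never on load.
  grant(categories) {
    for (const c of categories) this.granted.add(c);
    this.record = { at: this.now(), categories: [...this.granted] };
  }

  // Withdrawal must be as easy as granting: drop the category and expire
  // every cookie that was set under it. Strictly necessary cannot be withdrawn.
  withdraw(category) {
    if (category === STRICTLY_NECESSARY) return false;
    this.granted.delete(category);
    for (const name of this.setByCategory.get(category) || []) this.jar.delete(name);
    this.setByCategory.delete(category);
    this.record = { at: this.now(), categories: [...this.granted] };
    return true;
  }

  isAllowed(category) { return this.granted.has(category); }

  // The single path through which cookies are written. Returns false and
  // writes nothing when the category has not been consented to.
  setCookie(name, value, category) {
    if (!this.isAllowed(category)) return false;
    this.jar.set(name, value);
    if (!this.setByCategory.has(category)) this.setByCategory.set(category, new Set());
    this.setByCategory.get(category).add(name);
    return true;
  }
}

// Constructed walk-through: page load, attempted tracking before any choice,
// the user accepts advertising only, then withdraws it again.
function demo() {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar, () => "2018-05-25T00:00:00Z"); // fixed clock for the example
  const r = {};
  r.session = gate.setCookie("sessionid", "abc123", STRICTLY_NECESSARY); // site still works: true
  r.trackerBefore = gate.setCookie("analytics_id", "u-42", ANALYTICS);   // refused: false
  gate.grant([ADVERTISING]);
  r.adAfter = gate.setCookie("ad_id", "xyz", ADVERTISING);               // now allowed: true
  r.trackerStill = gate.setCookie("analytics_id", "u-42", ANALYTICS);    // not consented: false
  gate.withdraw(ADVERTISING);
  r.adGone = !jar.has("ad_id");                                          // expired on withdrawal: true
  r.jar = jar.names();                                                   // ["sessionid"]
  r.record = gate.record;                                                // { at, categories: ["necessary"] }
  return r;
}
```

The design point is that consent is enforced where the cookie is written rather than trusted to each script that wants to track; any third-party tag that bypasses `setCookie` (by writing `document.cookie` directly) defeats the gate, so such tags themselves must be loaded only after `isAllowed` returns true for their category.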
How have things changed since the GDPR has come into full effect?
Since the new rules on the processing of personal data came into effect, the conflict between the GDPR and cookies set without consent has led webmasters to cut down considerably on the use of such files without consent.
International analyses carried out between April and July 2018, around the time the Regulation became applicable, have shown that the use of third-party cookies (those that report on users' behaviour to social and e-commerce platforms) fell by approximately 20%, with an especially sharp decrease in cookies used for advertising and marketing purposes.
The same analyses show a fall in the number of sites displaying buttons for sharing content on social networks, since those buttons themselves load third-party code. This indicates that many web businesses responded immediately to the European rules on the protection of personal data by minimising tracking by third parties.
For Italian websites specifically, the number of third-party cookies fell by over 30%, more than the EU average. These figures relate, however, to smaller websites and not to the providers of services built around tracking users' activity: search engines, social networks and the e-commerce giants.
Translated by Joanne Beckwith
