Whenever we browse a website for the first time we may notice a pop-up on the screen telling us that this website uses cookies.
What are cookies?
A cookie, more technically called an HTTP cookie, is a small piece of data from a website that is stored on the user’s computer. This data is used for various functions such as tracking the user’s browsing activity and estimating the total number of users. We see this when we search for something on Amazon and then get those ads on Facebook. A cookie can store any information about the user, and only the website that created it can read or edit it.
Why are cookies used?
By collecting the user’s cookies, companies are able to provide targeted information such as ads or services which the user may like and end up buying.
Cookies also let website owners know how many unique visitors their website is getting: each cookie has a unique ID, so if a user visits the same website two or three times in a day the cookie allows this to be counted as one visitor, and website owners get more accurate data about their traffic.
Are cookies useful to the users?
Cookies can be useful to users because they can store recurring information such as login details, so that you can reopen the website without logging in again and again. Some applications can also only provide an optimal user experience if certain cookies are available.
What are third-party cookies?
Generally a cookie is specific to the website that set it, meaning it cannot track you on a totally different website. Sometimes, however, a website embeds another website’s (a third party’s) product or service, and that third-party website can store cookies on behalf of the main website. A simple example is a “Share on Facebook” button on a blog: Facebook (the third party) can now store cookies and track users through its own cookies on behalf of the blog website.
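The “only the website that created it can read it” rule and the third-party case above come down to how the browser matches stored cookies against each request. The following is an added example, not code from the original post: a small model of that matching, including the SameSite attribute that limits cross-site sending. Host names and the cookie jar are constructed, and the registrable-domain check is a simplification (last two labels) that ignores the public suffix list.

```javascript
// Added example, not from the original post: how a browser decides which stored
// cookies accompany a request, and when such a cookie counts as third-party.
// Host names and cookies are constructed sample data; the registrable-domain
// check is a simplification (last two labels) that ignores the public suffix list.

// Registrable domain, e.g. "www.blog.example" -> "blog.example" (simplified).
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// RFC 6265 domain matching: a cookie with Domain=social.example is sent to that
// host and its subdomains; a host-only cookie (no Domain attribute) only to its host.
function domainMatches(requestHost, cookie) {
  const h = requestHost.toLowerCase();
  if (cookie.hostOnly) return h === cookie.domain;
  return h === cookie.domain || h.endsWith('.' + cookie.domain);
}

// A request is cross-site when the page the user is viewing and the resource
// being fetched (e.g. a "Share" button) have different registrable domains.
function isCrossSite(topLevelHost, requestHost) {
  return registrableDomain(topLevelHost) !== registrableDomain(requestHost);
}

// Cookies the browser would attach to a subresource request for requestHost made
// from a page on topLevelHost, each tagged first-party or third-party. Secure
// cookies need https; SameSite=Strict/Lax (Lax is the modern default when the
// attribute is missing) are withheld cross-site; SameSite=None also needs Secure.
function cookiesSentFor(jar, topLevelHost, requestHost, https) {
  const crossSite = isCrossSite(topLevelHost, requestHost);
  return jar
    .filter((c) => domainMatches(requestHost, c))
    .filter((c) => !c.secure || https)
    .filter((c) => {
      const mode = (c.sameSite || 'Lax').toLowerCase();
      return mode === 'none' ? c.secure : !crossSite;
    })
    .map((c) => ({ name: c.name, party: crossSite ? 'third-party' : 'first-party' }));
}

// Constructed sample jar: the blog's own login cookie plus two cookies that the
// social site behind a "Share" button set during an earlier visit to that site.
const SAMPLE_JAR = [
  { name: 'session', domain: 'blog.example', hostOnly: true, secure: true, sameSite: 'Lax' },
  { name: 'tracker', domain: 'social.example', hostOnly: false, secure: true, sameSite: 'None' },
  { name: 'legacy', domain: 'social.example', hostOnly: false, secure: false, sameSite: 'Lax' },
];
```

Running `cookiesSentFor(SAMPLE_JAR, 'blog.example', 'social.example', true)` shows that only the `SameSite=None; Secure` tracker cookie reaches the social site from the blog page, which is exactly the cookie a third party needs for cross-site tracking and the one the SameSite defaults are designed to make explicit.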
User’s consent and legal obligations
As we saw, website owners use cookies to collect the user’s browsing pattern for better product endorsement, which is in a way helpful, but giving that information to the website owner should be the user’s choice. This is why we get that little pop-up whenever we visit a website.
In many countries/states the website owner is not legally obligated to ask for the user’s consent, but if the website owner targets an audience in other countries, those countries may have their own laws, and the owner is legally obligated to comply with all of their rules and regulations.
Some of the laws and regulations of different countries are:
- European Union (EU): the GDPR and the ePrivacy Directive apply to all website owners who collect data from users in the EU.
- North America:
  - Children’s Online Privacy Protection Act (COPPA). This law regulates the activity of websites and online services aimed at children under 13 years old.
  - California Online Privacy Protection Act (CalOPPA) requires operators of commercial websites and online services to create a Privacy Policy that discloses how they collect personal information.
- Japan: Act on the Protection of Personal Information (APPI)
Although many such laws and regulations exist in each country/state, not every country requires the website owner to ask for user consent. Many website owners nevertheless ask for consent and also explain how they use, store and protect the collected information on their cookie and privacy policy pages. Hence it is useful for companies to ask for consent to the data they collect, state how they store and use it, and have a workaround if a particular piece of data is not provided by the user.
General Data Protection Regulation (GDPR)
The GDPR sets strict rules on how businesses request and obtain consent. It strictly prohibits “implied” consent and “opt-out” models of consent: consent must be earned through the user’s specific, clear, affirmative action. If the website serves anyone in the EU, including the UK, then it is subject to the GDPR regulations. Failing to comply with the GDPR can result in a potential 20 million euro fine.
Below is a basic checklist for making the website GDPR compliant:
Cookie notification and opt-in
The cookie consent banner should have a link to the cookie policy and a button to opt in. Any new visitor to the website should have to click to opt in, so that they acknowledge that the website has a cookie policy.
Cookie policy on your website
The cookie policy page should specify what the website collects and why. If the website uses third-party applications such as Google Analytics, which has a cookie policy of its own, that should be mentioned in the cookie policy as well.
Privacy policy on your website
Have an up-to-date privacy policy page that expands on the cookie policy: it explains to people what the website does with data, how the website collects and stores it, and how someone can get in touch with the website owner.
Enabling Secure Sockets Layer (SSL)
Essentially, this is the green padlock that can be seen in the browser when we visit a website. Using SSL is good practice, and Google takes it into account for organic rankings. It secures and encrypts the data that goes from the website to the end user’s computer and back again. Even if the website doesn’t take payments, it’s still best practice to have an SSL certificate.
If the website has an inquiry or contact form, there are a few key points. SSL supports this, by the way, but don’t store the submitted data unless you really have to, and if you do store it, encrypt it. You also need to make sure your email service provider has a GDPR policy, and that again needs to be mentioned on the privacy policy page. If the website has any forms, there should be no pre-ticked boxes: for example, if there is a Terms and Conditions checkbox, don’t tick it automatically.
Payment gateways
If there is any kind of payment on the website, then the third party’s privacy policy, which covers GDPR, should be mentioned in the website’s privacy policy.
Chat systems often store data: people enter their name, email and phone number, and this data has to be protected. Hence the third party’s privacy policy, which covers GDPR, should also be mentioned in the website’s privacy policy.
Cookie Policy
To make the website fully GDPR compliant we have to include a Cookie Policy page that covers the different aspects of the user’s information.
The following are the essential sections to include on the Cookie Policy page:
- Basic introduction to cookies
- How the website uses the cookies, for example to keep a user signed in without re-entering their password each time they visit the site
- The types of cookies used on the site, whether they’re for advertising, analytics, or customer convenience
- Whether the cookie information is transferred to or used by third parties
- How users can control the cookies and the data
Since the GDPR and the ePrivacy Directive are quite strict, yet logical, when it comes to opt-in, a GDPR-compliant website is very likely also compliant with US/CA and other regulations.
Technical aspects of GDPR and ePrivacy Directive compliance
There are four main technical points when it comes to making the website GDPR compliant:
- Cookie consent banner
- Enabling Secure Sockets Layer (SSL)
- Use of GDPR-compliant third-party libraries and tools
- Secure storage of collected data
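The opt-in rules above (no implied consent, no pre-ticked boxes, third-party cookies only after an affirmative click) translate into a few lines of gating logic behind the consent banner. The following is an added example, not code from the original post or from any consent-tool vendor: it reads a stored consent record, decides whether a given cookie category may be used, and writes the record back with safe cookie attributes. The cookie name and category names are assumptions.

```javascript
// Added example, not from the original post or any consent-tool vendor: the logic
// behind an opt-in banner. Nothing non-essential is set or loaded until a stored
// record shows an affirmative choice. Cookie name and categories are assumptions.

const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['analytics', 'marketing']; // 'essential' needs no consent

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read the consent record. A missing, malformed or unversioned cookie means no
// decision: GDPR rules out implied consent, so absence is never treated as "yes".
function readConsent(cookieHeader) {
  const raw = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return { decided: false, allowed: new Set() };
  try {
    const rec = JSON.parse(raw);
    const allowed = CATEGORIES.filter((c) => rec[c] === true);
    return { decided: rec.v === 1, allowed: new Set(allowed) };
  } catch {
    return { decided: false, allowed: new Set() };
  }
}

// Gate checked before setting a cookie or injecting a third-party script tag.
function mayUse(category, consent) {
  if (category === 'essential') return true;
  return consent.decided && consent.allowed.has(category);
}

// Set-Cookie header for the user's explicit choices. The banner's checkboxes
// start unticked, so any `true` here came from an affirmative click. Secure and
// SameSite=Lax keep the record off plain HTTP and out of cross-site requests.
function consentSetCookie(choices, maxAgeDays = 180) {
  const rec = { v: 1 };
  for (const c of CATEGORIES) rec[c] = choices[c] === true;
  const value = encodeURIComponent(JSON.stringify(rec));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${maxAgeDays * 86400}; Secure; SameSite=Lax`;
}
```

On the server, call `mayUse('analytics', readConsent(req.headers.cookie))` before emitting the analytics script tag; on first visit this returns false, so the tag is simply not rendered until the banner has been submitted.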
As many websites are becoming GDPR compliant, there are many tools available online to help reduce the work.
Helpful online tools
There are many online services from companies such as Termly and TermsFeed that provide a complete solution for GDPR and ePrivacy Directive compliance.
These tools help in generating:
- Cookie consent banner
  These tools scan the whole website for all cookies used and generate an all-inclusive cookie consent banner, covering both essential and third-party cookies. The user gets complete information about all the cookies used and can also control the non-essential cookies from this banner. The tools provide a script tag that can be added to the HTML page, and the consent banner then shows up automatically.
- Cookie Policy template
- Privacy Policy template