Kent, UK - A session cookie is a tiny piece of data sent from a server to a computer which has connected to it. Session cookies are the most innocuous. These are temporary, do not collect any data, and help to keep a visitor’s computer, tablet or smartphone, and the website they are looking at, in sync when moving back and forth between pages. There is no requirement from GDPR to get informed consent from a visitor about session cookies. However somewhere on your website there should be a notice linked to, but not on, the home page, explaining that session cookies are used and why.
ICO: What are PECR Privacy and Electronic Communication Regulation
EU: GDPR General Data Protection Regulation
Persistent cookies have a longer active date, sometimes minutes, sometimes years, and are sent by the website's own server as well as third party servers sent for various reasons but most commonly to track visitors in order to glean statistics. Google Analytics harvests personal data of visitors which has value for marketing, and also sells that data to other marketers for targeting ads.
Third party cookies are believed to combine across all of an internet visitor’s devices - desktop, laptop, tablet or smartphone, and connected devices such as cars and houses - the so-called ‘Internet of Things’. The harvesters can also track text, speech, video, capturing moods using image recognition, and adding all this to its file about that visitor. The big players in the limelight for personal data harvesting are the search engines, although Duck Duck Go does not track, Facebook, Apple, Amazon and eBay. But there are many others.
It is fairly easy to prevent cookies being sent to devices by adjusting the browser’s privacy and security settings which can normally be accessed via the browser’s preference pages, and can limit or block individual website's cookies, or allow global settings which limit or block all websites. People do not often bother with these settings because they are complicated, and often affect normal browsing. Most modern browsers allow private or ‘incognito’ windows to open which can isolate the visitor from a website, although still storing the brower’s IP address. (See IP anonymisation below.)
The cookie consent banner is tedious, but on a smartphone showing a responsive website it can obstruct most of the screen. (See pic)
How can you avoid having an obtrusive cookie banner or dialog box? You know the thing. It appears when you first see a new website, something along the lines of - ‘by continuing to use this site you agree to the use of the cookies as they are currently set’ (which, by the way, is not a legally compliant message under the GDPR because no cookie should be set at this point). The ‘requirement’ under the General Data Protection Regulations seems onerous and unnecessary in some respects, so I read the GDPR and its older brother, the PECR or Privacy and Electronic Communications Regulations 2002, which also impacts on how websites gather personal data and which intertwines with the newer GDPR. Generally, the PECR has been changed to refer to the newer requirements of GDPR with respect to cookies.
Session cookies are innocuous and excluded by GDPR from requiring visitors’ explicit consent. If your website only sends session cookies you do not need the cookie notice requiring visitors’ consent on your home page, but you must include info about it somewhere on your website, preferable on a page linked to your home page, called ‘Privacy’ or similar. Persistent cookies sent by your own code for your own website’s use, and the reasons for needing them also need to be stated.
If your site uses tracking - such as Google analytics - to store visitors to your website you can add code which anonymises their IP address by removing its last three digits which at least removes their location. Google writes:
‘When a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically feasible at the earliest possible stage of the collection network. The IP anonymization feature in Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to the Analytics Collection Network. The full IP address is never written to disk in this case.’ [IP Anonymization in Analytics https://support.google.com/analytics/answer/2763052?hl=en]
If your site sends third party cookies from widgets, such as a Facebook ‘like’ button, or uses e-commerce plugins such as Shopify, or tracking software, or bug detection you will need to inform your visitors and will probably require the cookie consent banner on your home page, unless you can prove that third party or marketing cookies are not being sent.
To see the cookies sent to your computer from a website, open a browser such as Firefox, click on the menu icon (extreme top right) and choose ‘new private window’. In the window menu choose ‘tools’ > ‘web developer’ > ‘storage inspector’. Type in a URL. When the page has loaded go to the panel bottom left and click the URL below ‘cookies’ which will show all the cookies set. Look at the ‘expires on’ column in the table and it will show if the cookies are session cookies or are more persistent. The ‘domain’ column will show if the cookie is first party (ie same domain as the website you are looking at) or third party. Clicking on the cookie in a row will show more info. If in doubt simply ask your website designer, but legally you are responsible as the data controller, or joint controller alongside the advertising network, because even though the cookies are created by the third party site, the website operator has chosen to host these third party cookies on their website.
PLEASE NOTE: This issue is a moving target and is likely to change due to EU changing its mind. The article above was been written in good faith to help explain aspects of cookies, GDPR and whether your website needs a cookie consent banner on its home page. IT IS NOT LEGAL ADVICE, just my personal opinion. TK
Story Type: Opinion