Recital 30 of the legislation states:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
What does this mean for your website?
In summary a cookie that can uniquely identify a device or used with another combination of data should be treated as personal data, this supports recital 26:
“The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.....”
With this is mind we now need to treat cookies that can uniquely identify users (Google analytics, advertising, tracking, etc) as personal data and as such is subject to GDPR laws. To become compliant your website has 2 options:
1) Stop using these cookies.
2) Find a lawful way to gain cookie consent.
Due to the invaluable functionality these cookies give to your website option 1 is not viable for the majority.
How does a website lawfully gain cookie consent?
Traditionally websites relied on implied consent from users visiting the site however this is no longer valid and lawful. The reason being consent must be through an “affirmative action to signal their consent” such as a confirmation button.
Some sites use a single confirmation button, also this is not acceptable “If there is no genuine and free choice, then there is no valid consent”
Furthermore there must be an opt out option and changing your cookie preferences at a later date must be straightforward todo “Even after getting valid consent, there must be a route for people to change their mind.Again this comes down to the requirement that withdrawing consent must be as easy as giving it.”
GDPR Cookie Consent Viper module – become GDPR compliant in 3 easy steps
With the above in mind we have developed the GDPR cookie consent viper module. The module works by allowing you to categorize the types of cookies your website uses and then on a users first visit to your website all cookies except the “strictly necessary” ones are blocked and the user is presented a clear UI where they can view the different categories of cookies and confirm the ones they would like to enable.
Only once consent has been given will the cookies by loaded, the user then has the option to change their preferences at any time and the cookies are either loaded / unloaded based on their preferences.
The module comes with inbuilt layouts to meet the majority of needs, however it is built using Razor scripts so it can be extended to meet any requirements you require.