Where Does GDPR Mention Cookies?
GDPR almost gives a blink-and-miss mention to cookies. It is mentioned in Recital 30 of the GDPR document, which clearly states that data subjects may leave ‘online identifiers’ like cookies. Such identifiers, when seen in conjunction with other information collected by the servers, can identify the user. As the organization has information that can identify a person uniquely, the data collected by cookies is personal data and hence, it is protected by GDPR.
What Should Organisations Do?
They have to reassess their cookies and cookies policy. It is understandable that all the cookies used by an organization cannot be used for identifying the users. Cookies used for chats, surveys, advertising, which can uniquely identify users must follow the rules laid down under GDPR.
Cookie policies should be transparent and easy to read for the users. If an organization does not already have that in place, then they should. Here are a few questions their cookie policies should be able to answer.
Question 1: What type of cookies does the website use and how long they will exist on the data subject’s devices?
Question 2: What kind of data are they tracking and why?
Question 3: Who will have access to the data?
The policy should also elaborate on the third parties that will have access to the data and where it will be stored or processed.
Question 4: What can the user do?
It is imperative for the user to be in control of their data under GDPR. So, the policy should tell the user about rejecting the cookies or changing their tracking status.