GDPR and cookies: I was looking for best practice
(Post by Patrick Lee, 26 August 2018).
I was trying to answer questions from an acquaintance about cookie notices, and I went looking for examples of best practice. So I visited both the UK Information Commissioner’s Office (ICO) and the European Union (EU) websites. This is what I found.
The EU’s General Data Protection Regulation (GDPR) came into force across the whole of the EU just over 3 months ago, on 25 May 2018. As a result, many of you will have seen (indeed since before May) prominent cookie notices asking you to give explicit consent when visiting websites.
The ICO’s website: looks pretty good
This cookie notice is what you see, very prominently, when you visit the UK Information Commissioner’s Office (ICO) website for the first time (or after clearing cookies):
The reason for this is that cookies can be used to record personal information. Under GDPR (and this is from the ICO’s own guidance – the bold emphasis is mine):
Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent.
In other words, the ICO is implying that users need to knowingly perform an action to give consent to cookies. And that is precisely what the ICO’s own website does via its prominent cookie control notice.
To me (and I should make clear that I am not a lawyer) the ICO website does indeed appear to be very much in line with the letter and spirit of the GDPR.
The EU’s website: a very different story
What about the EU’s website, europa.eu? Remember that I visited in the expectation of seeing an example of good, or perhaps best practice.
At present, the EU’s website, http://europa.eu, doesn’t give visitors any notice or prominent indication that it is storing cookies on their device.
This is what you see the first time you go to http://europa.eu (or after clearing cookies). Notice, as well as the absence of any cookie notice, the “Not secure” warning from Google Chrome. This seems to be because, unlike the ICO, the EU website does not (initially at least) redirect users to the secure version of its website (https://europa.eu):
If you click on English as your desired language, you then see (notice that the site has now at least redirected me to its secure version):
The EU Cookies page says they “may” store cookies
By default, website visitors are tracked using the first-party persistent cookies from Europa. You may choose not to be tracked by Piwik (opt-out). If you change your mind, you can choose to be tracked again by Piwik (opt-in).
Notice again the PIWIK_SESSID cookie. That seems to be the tracking cookie the EU is referring to.
Let’s try opting out
The site now says that you have opted out, and has an extra cookie (piwik_ignore) to record that you have opted out:
The tracking cookie is still there …
But the Piwik cookie (PIWIK_SESSID) is still there!
Does it disappear when I go to another page on the site, e.g. the page on Personal Data Protection? No, the cookie is still there.
Perhaps it will go away if we close the browser completely and re-open it …
What if I close the browser completely and open it up again? Will the cookie have disappeared? Apparently not!
It’s not just Google Chrome: similar things happen if you open the site in a different browser, Microsoft Edge.
My conclusion? Again, I am not a lawyer, but I think it is not clear whether the EU website currently complies with the GDPR (its own regulation):
- there is no prominent cookie notice when you visit the site
- you have to explicitly opt out of being tracked
- even when you do opt out, contrary to what the site says, the same or a very similar cookie that is used for tracking is still there.
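The three checks above were done by hand in the browser's cookie viewer. As an added example (not part of the original post, and not code from the ICO, the EU or Piwik), here is a small Python script that performs the same audit offline over recorded HTTP responses: does a plain-http first visit redirect to https, which cookies are set before the visitor has acted, and is the tracking cookie still alive after the opt-out response? The responses, the host site.example and the expiry dates are constructed to mirror what the post describes; the cookie names PIWIK_SESSID and piwik_ignore are those the post reports.

```python
"""Offline cookie-consent audit over recorded HTTP responses.

Added example, not code from the original post or from any of the sites it
discusses. All responses below are constructed (placeholder host site.example).
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# The post's date, used as "now" when deciding whether an Expires value is in the past.
NOW = datetime(2018, 8, 26, tzinfo=timezone.utc)

# A recorded response is a dict: request URL, status code and a list of header pairs.
# Constructed to mirror the post's observations: cookie set on first contact, no
# https redirect, opt-out marker added but tracking cookie left in place.
OBSERVED_SESSION = [
    {"url": "http://site.example/", "status": 200, "headers": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "PIWIK_SESSID=abc123; Path=/; Expires=Sat, 24 Aug 2019 10:00:00 GMT"),
    ]},
    {"url": "https://site.example/cookies/", "status": 200, "headers": [
        ("Set-Cookie", "piwik_ignore=1; Path=/; Expires=Sat, 24 Aug 2019 10:00:00 GMT"),
        ("Set-Cookie", "PIWIK_SESSID=abc123; Path=/; Expires=Sat, 24 Aug 2019 10:00:00 GMT"),
    ]},
]

# Constructed "what good looks like": redirect to https, nothing set before consent,
# and the opt-out response explicitly clears the tracking cookie with Max-Age=0.
FIXED_SESSION = [
    {"url": "http://site.example/", "status": 301, "headers": [
        ("Location", "https://site.example/"),
    ]},
    {"url": "https://site.example/", "status": 200, "headers": [
        ("Content-Type", "text/html"),
    ]},
    {"url": "https://site.example/cookies/", "status": 200, "headers": [
        ("Set-Cookie", "piwik_ignore=1; Path=/; Max-Age=31536000"),
        ("Set-Cookie", "PIWIK_SESSID=; Path=/; Max-Age=0"),
    ]},
]


def parse_set_cookies(headers):
    """Parse each Set-Cookie header on its own: joining them with commas would
    break on the comma inside an Expires date."""
    jar = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)
        jar.update(cookie)
    return jar


def _expiry(morsel):
    """Expires attribute as an aware UTC datetime."""
    parsed = parsedate_to_datetime(morsel["expires"])
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def is_cleared(morsel, now=NOW):
    """A Set-Cookie with Max-Age<=0 or a past Expires deletes the cookie."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) <= 0
    if morsel["expires"]:
        return _expiry(morsel) <= now
    return False


def is_persistent(morsel, now=NOW):
    """Persistent cookies outlive the browser session (Max-Age>0 or a future Expires)."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) > 0
    if morsel["expires"]:
        return _expiry(morsel) > now
    return False


def redirects_to_https(response):
    """True if a plain-http request is answered by a redirect to https on the same host."""
    if response["status"] not in (301, 302, 307, 308):
        return False
    headers = {k.lower(): v for k, v in response["headers"]}
    target, origin = urlsplit(headers.get("location", "")), urlsplit(response["url"])
    return target.scheme == "https" and target.hostname == origin.hostname


def replay_jar(responses, now=NOW):
    """Simulate a browser jar: each Set-Cookie adds or replaces a cookie, a clearing
    one removes it. A cookie never mentioned again simply survives, which is the
    post's observation after opting out."""
    jar = {}
    for response in responses:
        for name, morsel in parse_set_cookies(response["headers"]).items():
            if is_cleared(morsel, now):
                jar.pop(name, None)
            else:
                jar[name] = morsel
    return jar


def audit(session, tracking_cookie="PIWIK_SESSID", opt_out_cookie="piwik_ignore"):
    """Run the three checks from the post; the last response is taken as the opt-out."""
    before_consent = replay_jar(session[:1])
    final_jar = replay_jar(session)
    return {
        "https_redirect": redirects_to_https(session[0]),
        "cookies_before_consent": {
            name: "persistent" if is_persistent(m) else "session"
            for name, m in before_consent.items()},
        "opt_out_recorded": opt_out_cookie in final_jar,
        "tracking_cookie_survives_opt_out": tracking_cookie in final_jar,
    }


if __name__ == "__main__":
    for label, session in (("observed", OBSERVED_SESSION), ("fixed", FIXED_SESSION)):
        print(label, audit(session))
```

The replay step matters: an opt-out page that merely adds piwik_ignore without sending a clearing Set-Cookie for PIWIK_SESSID leaves the tracking cookie in the jar, which is exactly the behaviour the post found in both Chrome and Edge.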
#GDPR #EU #Cookies #Privacy