This series on internet cookies is for people who seek clarification about them. Why they exist, where they came from, what they are used for, the different types of cookies and how cookies relate to the EU GDPR (European Union General Data Protection Regulation).

In part 1 of this series on internet cookies we will explore the history of internet cookies.
In Part 2 we will look at the types of cookies and similar technologies.
In Part 3 we will look at the legal side of internet cookies i.e. the so-called “Cookie-Law”.

In part 4 we will share the process of deleting cookies.

Internet Cookies: The Cookie Law (Part 3 of 4)

The so-called “EU Cookie Law” or “ePrivacy Directive” is actually called the EU Directive 2002/58/EC (Directive on privacy and electronic communications)It is not the same law as the GDPR. It was amended in 2009 to regulate, among other things, the use of cookies and similar technologies. The Cookie Law states that prior consent has to be collected before setting/storing cookies and similar technologies on a person’s device. A person must also have the right to withdraw their consent at any time. It also states that the user (person) can refuse cookies. If the website deems the setting of cookies as a legitimate interest, then the website may refuse access to the content of the website if the person does not accept the websites cookies.

In Recital 66 of the “cookie law” it states “…It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage [the storage of cookies] or gaining of access [to cookies which contain personal information]…The methods of providing information and offering the right to refuse should be as user-friendly as possibleThe enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

The latest version of the “cookie law” is currently being discussed in the EU. It should have been passed as a law at the same time as the GDPR (The GDPR came into effect on May 25th, 2018). Because of varying reasons, the draft for the new “cookie law” is still being put together. It is still unknown when the law will be passed.

The relationship between the Cookie Law and the GDPR:

The GDPR mentions cookies in Recital 30 as a “unique identifier“, which if combined with other data, can be used to identify a person and a profile of them can be created.

Recital 30 “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them”.

In recital 26 it states that “The principals of data protection shall apply to any information that can be used to identify a person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…“.

With additional information pseudonymised data can be used to identify a person. It is for this reason that cookies, even though they contain no identifiable information about the person (cookies are genereally pseudonymised data) they fall under the law of the GDPR.

Cookies in a nutshell

Internet Cookies are small pieces of information that send data to the website that sets them. They are saved in your browser. Some of them collect personal data others don’t.

If you own or manage a website that EU citizens visit, be sure to ask people if you can set cookies i.e. make sure you have the cookie notification and allow them to opt in/out.

Disclaimer: The views shared in this blog post are solely those of the author. The author is not a lawyer, and thus, this inforamtion is not legal advice. If you need legal advice on this topic, then please contact a lawyer in the country in which you reside, or do business in