This series on internet cookies is for people who seek clarification about them: why they exist, where they came from, what they are used for, the different types of cookies, and how cookies relate to the EU GDPR (European Union General Data Protection Regulation).
In Part 1 of this series on internet cookies we will explore the history of internet cookies.
In Part 2 we will look at the types of cookies and similar technologies.
In Part 3 we will look at the legal side of internet cookies i.e. the so-called “Cookie-Law”.
In Part 4 we will share the process of deleting cookies.
Internet Cookies: The Cookie Law (Part 3 of 4)
Recital 66 of the “cookie law” states: “…It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage [the storage of cookies] or gaining of access [to cookies which contain personal information]…The methods of providing information and offering the right to refuse should be as user-friendly as possible…The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.”
The latest version of the “cookie law” is currently being discussed in the EU. It should have been passed as a law at the same time as the GDPR (the GDPR came into effect on May 25th, 2018). For various reasons, the draft for the new “cookie law” is still being put together, and it is still unknown when the law will be passed.
The relationship between the Cookie Law and the GDPR:
The GDPR mentions cookies in Recital 30 as a “unique identifier”, which, if combined with other data, can be used to identify a person and create a profile of them.
Recital 30: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them”.
Recital 26 states that “The principles of data protection shall apply to any information that can be used to identify a person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…”.
With additional information, pseudonymised data can be used to identify a person. It is for this reason that cookies, even though they contain no identifiable information about the person (cookies are generally pseudonymised data), fall under the law of the GDPR.
Cookies in a nutshell
Internet cookies are small pieces of information that are saved in your browser and sent back to the website that set them. Some of them collect personal data; others don’t.
If you own or manage a website that EU citizens visit, be sure to ask people whether you may set cookies, i.e. make sure you show a cookie notification and allow visitors to opt in or out.
Disclaimer: The views shared in this blog post are solely those of the author. The author is not a lawyer, and thus this information is not legal advice. If you need legal advice on this topic, please contact a lawyer in the country in which you reside or do business.