It’s been almost two years since the GDPR came into effect and turned the online world on its head. Confusion around cookies, cookie consent and cookie compliance remains to this day. So we’d like to take this chance to talk more about the supposed “big bad” of this century.
Online cookies seem to have a bad reputation, but are they as bad as they seem?
To start, what are cookies on the internet?
An internet cookie, a.k.a. an HTTP cookie, is a small piece of data sent by a website and stored on your computer or mobile device when you visit that site.
Are all cookies bad?
No. Cookies themselves are usually harmless as they can’t infect computers with malware.
They can also be helpful, both for the websites that use them and for the individuals visiting those websites. For example, when online shopping, cookies on ecommerce sites keep track of what you’re shopping for. Without that tracking, your cart would be empty every time you navigated away from the site.
For businesses and websites, cookies can be used for authentication (logins) and for tracking the website user experience, for example recognising repeat visits to the same site in order to provide a better experience to returning customers.
The not-so-sweet types of cookies:
Cookies that contain personal data
They can be used by websites to learn about your visit and your activity across multiple websites. Cookies enter harmful territory when employed for “big brother” types of tracking, i.e. when they’re used to build a virtual fingerprint of an individual by tracking their activity from website to website. For example, most advertising networks create third-party cookies in your browser when you view an ad, which lets those advertisers track users across all the websites carrying their ads and lets companies buy more targeted ads.
Types of cookies Matomo uses:
- Matomo by default uses first-party cookies, set on the domain of your site.
- Cookies created by Matomo start with: _pk_ses. See a list of all Matomo cookies: https://matomo.org/faq/general/faq_146/
Cookie-less tracking - disable cookies and ensure cookie compliance:
If you disable cookies, Matomo tries to detect unique visitors using a fingerprint based on a few browser attributes: operating system, browser, browser plugins, IP address and browser language.
By disabling tracking cookies, you may also use Matomo without needing to display a cookie consent screen. If a visitor rejects cookie consent, you can also continue tracking them cookie-lessly by keeping cookies disabled.
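The following is an added illustration (not Matomo’s own code) of how a cookie-less visitor fingerprint of the kind described above can be built from the listed attributes. It assumes two design choices the post does not spell out: a salt that rotates daily, so a fingerprint cannot be linked across days, and IP anonymisation (zeroing the trailing bytes of the address) before hashing, so the fingerprint never contains the full IP.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BrowserAttributes:
    """The attributes the post lists as inputs to the cookie-less fingerprint."""
    operating_system: str
    browser: str
    plugins: tuple
    ip_address: str
    language: str


def anonymise_ip(ip: str, masked_bytes: int = 2) -> str:
    """Zero the trailing bytes of an address (IPv4 with 2 bytes: a.b.c.d -> a.b.0.0)."""
    packed = bytearray(ipaddress.ip_address(ip).packed)
    for i in range(1, masked_bytes + 1):
        packed[-i] = 0
    return str(ipaddress.ip_address(bytes(packed)))


def fingerprint(attrs: BrowserAttributes, daily_salt: str, anonymise: bool = True) -> str:
    """Hash the attribute set together with a per-day salt (assumed design, not Matomo's).

    Plugins are sorted so that their reporting order does not change the result.
    """
    ip = anonymise_ip(attrs.ip_address) if anonymise else attrs.ip_address
    material = "|".join([
        attrs.operating_system,
        attrs.browser,
        ",".join(sorted(attrs.plugins)),
        ip,
        attrs.language,
    ])
    digest = hashlib.sha256(f"{daily_salt}|{material}".encode("utf-8")).hexdigest()
    return digest[:16]


# Constructed sample visits (not real data).
VISIT_A = BrowserAttributes("Linux", "Firefox 75", ("pdf", "java"), "203.0.113.42", "en-GB")
VISIT_B = BrowserAttributes("Linux", "Firefox 75", ("java", "pdf"), "203.0.113.77", "en-GB")
VISIT_C = BrowserAttributes("Linux", "Firefox 75", ("pdf", "java"), "203.0.113.42", "de-DE")

if __name__ == "__main__":
    print(fingerprint(VISIT_A, "salt-2020-04-01"))
```

With IP anonymisation on, two visitors on the same network and browser set-up collapse into one fingerprint, which is the privacy trade-off of cookie-less counting: fewer personal data, less precise unique-visitor counts.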
Cookies and the GDPR
In some countries and according to the GDPR, websites need to provide a way for users to opt-out of all tracking, in particular tracking cookies.
Cookie compliance and the GDPR
To be GDPR compliant you must:
- Receive user consent before using any cookies (except strictly necessary cookies). Read more on cookies that are “clearly exempt from consent”.
- Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
- Document and store consent received from users.
- Allow users to access your service even if they refuse to allow the use of certain cookies.
- Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
When does GDPR require cookie consent?
The purpose of the GDPR is to give individuals control over their personal data. As such this regulation has provisions and requirements which regulate the processing of personal data to protect the privacy of individuals.
When does GDPR not require cookie consent?
There are many cookies that generally do NOT require consent (Source: https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies).
- user input cookies, for the duration of a session
- authentication cookies, for the duration of a session
- user-centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration
- multimedia content player session cookies, such as flash player cookies, for the duration of a session
- load balancing session cookies and other technical cookies, for the duration of a session
Tracking cookies and consent vs legitimate interest
User consent is not always required:
We understand that whenever you collect and process personal data, you need – almost always – to ask for the individual’s consent. However, there are instances where you may process data under “legitimate interests”. The GDPR states that processing of personal data is lawful “if processing is necessary for the purposes of the legitimate interests”. This means that if you have “legitimate interests” you can avoid asking for consent for collecting and processing personal information – but only if this processing is absolutely necessary. Learn more: https://cookieinformation.com/resources/blog/what-is-legitimate-interest-under-the-gdpr
A lawful basis for processing personal data (proceeding with caution):
We’ve also written about having a lawful basis for processing personal data under the GDPR with Matomo. The caveat here is that you need a strong argument for legitimate interests. If you are processing personal data which may represent a risk to the end user, then obtaining consent is, for us, still the right lawful basis. If you are not sure, at the time of writing the ICO provides a tool to help you make this decision.
How is Matomo Analytics GDPR compliant?
Matomo can be configured to automatically anonymise data so you don’t process any personal data. This allows you to completely avoid GDPR. If you decide to process personal data, Matomo provides you with 12 steps to easily comply with the GDPR guidelines.
New developments on cookies and the GDPR
In the early days of the GDPR, a spate of cookie management platforms (CMPs) popped up to help websites and people comply with GDPR rules around cookies.
These have become problematic in recent years. Europe’s highest court ruled that a pre-checked box in a cookie banner does not constitute valid consent.
As well as that, new research suggests most cookie consent pop-ups in the EU fall short of the GDPR. A new study, ‘Dark Patterns after the GDPR’, from MIT, UCL and Aarhus University found that the vast majority of websites aren’t following GDPR rules around cookies. The study found most cookie consent pop-ups in the EU to be undermining the GDPR by finding sneaky ways to convince website visitors to click ‘accept’.
We are not lawyers and don’t claim to be. The information provided here is an introduction to issues you may encounter when dealing with cookies. We encourage every business and website to take data privacy seriously and to discuss these issues with your lawyer if you have any concerns.