Your guide to cookies, web analytics, and GDPR compliance

It’s been almost two years since the GDPR came into effect and turned the online world on its head. Confusion around cookies, cookie consent and cookie compliance remains to this day. So we’d like to take this chance to talk more about the supposed “big bad” of this century.

Online cookies seem to have a bad reputation, but are they as bad as they seem?

To start, what are cookies on the internet?

An internet cookie, a.k.a. an HTTP cookie, is a small piece of data sent from a website and stored on your computer or mobile device when you visit that site.

Are all cookies bad?

No. Cookies themselves are usually harmless as they can’t infect computers with malware. 

They can also be helpful for both the websites that use them and the individuals visiting those websites. For example, when shopping online, cookies on ecommerce sites keep track of what you’re shopping for. If you didn’t have that tracking, your cart would be empty every time you moved away from that site.

For businesses/websites, cookies can be used for authentication (logins) and tracking website user experience. For example, tracking multiple visits to the same site in order to provide better experiences to customers visiting their website.

The not-so-sweet types of cookies:

Cookies that contain personal data

Another example of a bad cookie is when cookies contain personal data directly in the cookie itself. For example, when websites store demographics or your name in a cookie; or when a website stores survey results in a cookie. Use of cookies in these ways is considered bad practice nowadays.

Third-party cookies

They can be used by websites to learn about your visit and activity across multiple websites. Cookies can enter harmful territory when employed for “big brother” types of tracking, i.e. when they’re used to build a virtual fingerprint of individuals after their activity is tracked from website to website. For example, most advertising networks create third-party cookies in your browser when you view an ad, which lets these advertisers track users across these websites and lets companies buy more targeted ads.

Why does Matomo use cookies?

For accurate reporting of new and returning visitors. Matomo uses cookies to store some information about visitors between visits. We also use cookies to remember if someone gave consent to tracking, or opted out of tracking. 

Types of cookies Matomo uses:

  • Matomo by default uses first-party cookies, set on the domain of your site.
  • Cookies created by Matomo start with: _pk_ref, _pk_cvar, _pk_id, _pk_ses. See a list of all Matomo cookies: https://matomo.org/faq/general/faq_146/

Cookie-less tracking - disable cookies and ensure cookie compliance:

It’s possible to disable tracking cookies in Matomo by adding a line to the JavaScript tracking code. When cookies are disabled, Matomo data will become slightly less accurate. Also, when cookies are disabled, there may still be a few cookies created in specific cases.

If you disable cookies, Matomo tries to detect unique visitors by a fingerprint based on a few browser attributes: operating system, browser, browser plugins, IP address and browser language.

By disabling tracking cookies, you may also use Matomo without needing to display a cookie consent screen.
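One way to check the cookieless setup described above (an added example, not Matomo's own code): `disableCookies` is the tracker command that turns cookies off, while the function names, the sample cookie jar and the audit rule are assumptions made for illustration.

```javascript
// Prefixes this page lists for Matomo's first-party tracking cookies.
const MATOMO_PREFIXES = ['_pk_ref', '_pk_cvar', '_pk_id', '_pk_ses'];

// Tracker setup with cookies switched off. 'disableCookies' is queued before
// 'trackPageView' so the first tracking request is already cookieless.
// In a page, paq would be window._paq.
function cookielessSetup(paq) {
  paq.push(['disableCookies']);
  paq.push(['trackPageView']);
  return paq;
}

// Split a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split('=')[0]);
}

// Names of Matomo tracking cookies present in the string.
function findMatomoCookies(cookieString) {
  return cookieNames(cookieString).filter((name) =>
    MATOMO_PREFIXES.some((prefix) => name.startsWith(prefix)));
}

// Audit rule (hypothetical): tracking cookies are a finding when cookies are
// meant to be disabled, or when the visitor has not consented yet.
// Only the four prefixes above are checked; the other cookies this page says
// may still be created in specific cases are out of scope.
function auditTrackingCookies(cookieString, { cookiesDisabled, consentGiven }) {
  const found = findMatomoCookies(cookieString);
  return cookiesDisabled || !consentGiven ? found : [];
}

// Constructed sample: cookie jar of a first visit, before any consent click.
const SAMPLE_COOKIES =
  '_pk_id.1.1fff=0123456789abcdef.1700000000; _pk_ses.1.1fff=1; cart=3; PHPSESSID=k2j3';

console.log(cookielessSetup([]));
console.log(auditTrackingCookies(SAMPLE_COOKIES,
  { cookiesDisabled: true, consentGiven: false }));
```

In a browser, pass `document.cookie` as the cookie string after the page has loaded and before any consent control has been clicked.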

Cookies and the GDPR

In some countries and according to the GDPR, websites need to provide a way for users to opt out of all tracking, in particular tracking cookies.

The GDPR regulates the use of cookies when they compromise an individual’s privacy. When cookies can identify an individual, they are considered personal data.

Cookie compliance and the GDPR

To be GDPR compliant you must:

  • Receive user consent before using any cookies (except strictly necessary cookies). Read more on cookies that are “clearly exempt from consent”.
  • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
  • Document and store consent received from users.
  • Allow users to access your service even if they refuse to allow the use of certain cookies.
  • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

Source: https://gdpr.eu/cookies/

When does GDPR require cookie consent?

The purpose of the GDPR is to give individuals control over their personal data. As such this regulation has provisions and requirements which regulate the processing of personal data to protect the privacy of individuals. 

This means in order to use cookies, you will sometimes need explicit consent from those individuals.

When does GDPR not require cookie consent?

Then there are many cookies that generally do NOT require consent (Source: https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies). 

These are:

  • user input cookies, for the duration of a session
  • authentication cookies, for the duration of a session
  • user-centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration
  • multimedia content player session cookies, such as flash player cookies, for the duration of a session
  • load balancing session cookies and other technical cookies, for the duration of a session
  • user interface customisation cookies, for a browser session or a few hours, when additional information in a prominent location is provided (e.g. “uses cookies” written next to the customisation feature)

Tracking cookies and consent vs legitimate interest

User consent is not always required:

We understand that whenever you collect and process personal data, you need – almost always – to ask for their consent. However, there are instances where you have to process data under “legitimate interests”. The GDPR states that processing of personal data is lawful “if processing is necessary for the purposes of the legitimate interests”. This means if you have “legitimate interests” you can avoid asking for consent for collecting and processing personal information. Learn more: https://cookieinformation.com/resources/blog/what-is-legitimate-interest-under-the-gdpr  

A lawful basis for processing personal data (proceeding with caution):

We’ve also written about having a lawful basis for processing personal data under GDPR with Matomo. The caveat here is you need to have a strong argument for legitimate interests. If you are processing personal data which may represent a risk to the final user, then getting consent is, for us, still the right lawful basis. If you are not sure, at the time of writing ICO is providing a tool in order to help you make this decision.

How is Matomo Analytics GDPR compliant?

Matomo can be configured to automatically anonymise data so you don’t process any personal data. This allows you to completely avoid GDPR. If you decide to process personal data, Matomo provides you with 12 steps to easily comply with the GDPR guidelines.

New developments on cookies and the GDPR

In the early days of the GDPR, a spate of cookie management platforms (CMPs) popped up to help websites and people comply with GDPR rules around cookies.

These have become problematic in recent years. Europe’s highest court ruled that pre-checked boxes for cookies do not give enough consent.

In addition, new research suggests most cookie consent pop-ups in the EU fall short of the GDPR. A new study called ‘Dark Patterns after the GDPR’, from MIT, UCL and Aarhus University, found that a vast majority of websites aren’t following GDPR rules around cookies. The study found most cookie consent pop-ups in the EU to be undermining the GDPR by finding sneaky ways to convince website visitors to click ‘accept’.

Disclaimer

We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to issues you may encounter when dealing with cookies. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.
