If your ecommerce site uses Google Analytics or keeps track of the items in a shopping cart, your business is using HTTP cookies, and you may need to offer site visitors an option to opt out.
Cookies are small text files that can be used for session information (logins, shopping carts, and similar), personalization, or monitoring. When someone visits your business online, your website tells the visitor's web browser to store the cookie information and send that information back with each new request.
Some web cookies are only active while a person is on the website in question and others remain with a user's web browser for a sometime.
Many standard website features depend on this technology, which as been baked into the internet (pun intended) since 1994. Cookies really do improve the online experience in many ways.
Cookies are Personal Data
HTTP Cookies also make it possible to monitor user behavior. Google Analytics is, perhaps, one of the the best examples. Many businesses depend on Google Analytics or similar services to count visitors, monitor website conversions, or understand how customers flow through the company's website.
While the information in the cookie won't specifically identify a person by itself, it can be used in combination with other information to identify a specific individual. For this reason, cookies come under the purview of some privacy laws, including the European Union's recently enacted General Data Protection Regulation (GDPR).
Recital 30 of the GDPR says specifically, "natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers [emphasis added] or other identifiers... This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
Effectively, under the GDPR "personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data."
The key idea for HTTP cookies is that when they are "collected together" with other information they "constitute personal data."
This fact — that an HTTP cookie is personal data or can be personal data — is important because at the time of writing the GDPR is, perhaps, the most comprehensive privacy law in the world. The GDPR is also very strongly enforced, meaning that penalties for a data breach or for mishandling personal data are very high, perhaps even as much as 20 million EUR or 4 percent of a company's total annual revenue.
As a final point, the GDPR may even apply to businesses outside of the European Union which do business with E.U. citizens or have site traffic from the E.U.
GDPR Cookie Consent Requirements
Given the GDPR's scope and enforcement, smart businesses, including businesses outside of Europe, will want to make certain they comply.
So what does your company need to do to meet GDPR Cookie consent requirements?
You really want to do three things for your customers.
- Communicate clearly about cookies.
- Provide a way for visitors to stop cookies.
Communicate Clearly About Cookies
Your business should let new site visitors know that you are using cookies and why you are using them.
Here's an example of a general cookie notification.
MailChimp, like many businesses with good cookie policies, organizes its list of cookies into several categories, including:
- "Essential Website Cookies" which are "strictly necessary" to provide services,
- "Performance and Functionality Cookies" that "enhance the performance and functionality" of the MailChimp site,
- "Analytics and Customization Cookies" used to help MailChimp "understand" site traffic and marketing,
- "Advertising (Targeting) Cookies" associated with targeted advertising.
The GDPR requires active consent. For example, Recital 32 states that "consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data...this could include ticking a box when visiting an internet website."
As a result of this language, many websites require a visitor to click a button or an "x" to close a cookie notification banner.
It is also important to store this acknowledgement in the event of a GDPR audit.
Provide a Way for Visitors to Stop Cookies
The GDPR also requires websites to give users the opportunity to opt out of data collection, and by extension the ability to opt out of cookies at any time.
Some websites have created privacy centers that allow users to individually reject or remove cookies. MailChimp, as an example, offers a privacy center tool.
"You can control and/or delete cookies [emphasis in original] as you wish - for details, see aboutcookies.org. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work."
You'll want a similar message on your website, so that visitors understand how they can remove cookies.
Best Cookie Consent Notice Generators
Some free tools to create the cookie consent for your website and meet GDPR compliance are listed below.
- 3dcart Free Cookie Notice Generator
- TermsFeed Cookies Policy Generator
- Termly Cookie Consent Manager
Want to learn how to make your online store GDPR-compliant fast? Download our ebook below.