Cookies are small text files placed on a user’s device when they visit a website. They are used primarily to enable sites to function properly. Some cookies are used to collect data from users for purposes such as personalized, targeted ads and tracking user behaviour.
Are cookies personal data?
Recital 30 of the European Union’s General Data Protection Regulation (GDPR) states:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them”.
This supplements Recital 26, which states that any data that can be used to identify an individual, either directly or indirectly (on its own or in conjunction with other information), is personal data. Therefore, the principles of data protection stated in the GDPR apply to any such data concerning an identified or identifiable individual.
Under the California Consumer Protection Act (CCPA) personal information refers to any information that
“identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA defines a non-exhaustive list of data types that come under the scope of this definition. It includes unique personal identifiers, which are defined as:
“…a persistent identifier that can be used to recognize a consumer, a family, or a device…including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology…or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.”
In short, because cookies could potentially be used to identify users, they can be considered personal data.
Most likely, yes. It depends on your intended audience, i.e. where your website users are based. The EU and the US have slightly different regulations regarding cookies.
- Description of the types of cookies used by your site
- Explanation of any other tracking technologies used
- An explanation of why these cookies are used
- Details on how users can opt out or set their cookie preferences
Let’s take a look at examples of some good practices to follow.
On the mobile app, you should display your cookies policy in the menu, under the ‘About’ or ‘Legal’ sections.
Identify the cookies your website uses
Identify all the cookies your website uses and what each cookie does, including the different categories of cookies such as first-party cookies, third-party cookies, etc.
You must also look into the cookie policies of all third parties, such as advertisers and web analytics services, that are using cookies on your website.
In the manage preferences section, you can describe how users can opt out or manage cookies set by your website. You can customize the content of each of these sections to add more details.
You can add a ‘Revisit consent widget’ to your website, which will let users modify or change their consent at any time. This will help your website comply with the right to withdraw, a key requirement under the GDPR.
All you need to do is sign up on CookieYes!
Get compliant with the GDPR and CCPA
While opt-in consent is not mandated under the CCPA, the law requires that websites provide CCPA notices to users so that they can opt out of the sale of their personal information.
You can easily add a fully customizable cookie consent banner and CCPA notices, and make them available in 26 languages.
CookieYes will scan your website for cookies and add them to your site’s list of cookies. You can automatically block 20+ third-party cookies until you get user consent.