General Data Protection Regulation (GDPR) is a new set of rules issued by the European Union (EU) designed to give citizens more control over their personal data. From a web perspective, it requires Web sites that reach a European audience to actively inform site visitors of what data is being gathered by the site via cookies, and to offer those visitors the choice to opt in or out of having that data collected.

This mandate means that Web site owners must implement functionality to satisfy these laws, or face extremely punitive fines from the EU.

Chances are you’ve already encountered Web sites responding to these new laws. When arriving at such a site you typically see a message, usually at the bottom of the page, indicating that the site collects cookies. This message specifies some details about the cookies, and then gives you the option to opt in or out of the process.

Fortunately, you don’t need to implement this functionality on your own. There are assorted vendors offering SaaS (Software as a Service) solutions, and many Web development firms (including The Brick Factory) can help coordinate and implement the service. When choosing a service, and in thinking about your data policy in general, here are some important points to consider:

Essential vs Non-Essential Cookies. The GDPR policy does not address or affect “essential” cookies — which are those used by the site to perform needed site functionality, such as displaying information to the user. You still need to inform the user of these cookies (in general terms), but no other action is needed. Non-essential cookies are those used for analytics, data gathering for customization, advertising, recognizing repeat visitors, etc. These are the cookies that fall under the GDPR and require action.

Opt in or out. You must give the user the ability to both opt-in and opt-out of cookie usage. If the user initially opts in for cookie usage, that user must have the ability to later opt out instead; and this mechanism should work the same as the opt-in process did. The opposite holds true as well: users must be able to opt-in after previously having chosen to opt-out.

Different Types of Cookies. Within the “non-essential” cookie category are lots of different kinds of cookies, and it may be beneficial to let users know which cookies handle which data-gathering functions. Some cookies, for instance, handle only Web traffic analytics; others are used by third-party marketers, etc. Explaining this distinction to your visitors may help them make a more informed choice. Some of the SaaS services can automatically scan your site and determine what cookies are in play, and what their general function/category is.

Reporting. You’ll need to have the ability to provide, if requested by a governing body, a report detailing usage of your cookie authorization process. Most SaaS vendors provide a mechanism for storing the opt in/out settings made by users.

UI/UX. It’s important to consider any user experience implications of your cookie notification. It should be easily recognized and understood, with clear language, and a clear mechanism for opting in and out, with no ambiguity and no unnecessary hurdles.

Finally, remember that the SaaS vendors do not actually implement the functionality that enables or disables cookies based on the user’s decision. They simply provide a mechanism for the user to make that choice, and then most store a record of that choice. It’s up to you and your development team to make sure the site’s cookies are activated/de-activated based on user preferences. (Many of the services do offer Web “hooks” that can alert other parts of your code when the choices have been made. Qualified developers will know how to work with these hooks.)

More Information:

https://eugdprcompliant.com/cookies-consent-gdpr/

Some SaaS Vendors:

Civic Cookie Control:  https://www.civicuk.com/cookie-control/v8/download

One Trust: https://www.onetrust.com/products/cookies/

TrustArc Cookie Consent Manager: https://www.trustarc.com/products/consent-manager/