
GDPR Website Cookie Compliance

  • 02-06-2018 10:04pm
    #1
    Registered Users Posts: 63 ✭✭


    Wondering if someone can set me straight.

    Everything I read about the GDPR in relation to cookies states that no cookie - except 'essential' ones - is allowed to be delivered to a visitor's computer until they give explicit consent to cookies by specifically opting in; passive acceptance is no longer sufficient so having the typical statement "by continuing to use our site you accept cookies" is no longer acceptable. While a cookie itself might not be viewed as personally identifiable information (PII), because they have the potential to be combined and processed with other information you collect they are potentially PII and so are viewed as falling under the category of PII (as based on almost everything I'm reading).

    It seems the GDPR requires, amongst other things, three clear options in relation to cookies:
    1. The option to accept cookies and if not accepted (either by not clicking any button or by clicking the 'decline cookies' button) then cookies will not be deployed
    2. The option to decline cookies
    3. The option to change your mind about your decision to accept or decline cookies; so basically you have to have an option on your website to allow users to 'go back' and alter their first preference.
    (4.) Not an option but you're also supposed to make a record of the consent being given or not given (which seems contradictory if someone says no...how do you obtain information about someone who said they don't want you tracking them!?)

    On the GDPRandyou.ie website in relation to consent for data processing it states: "Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity."

    However on the data protection commissioner website (dataprotection.ie/docs/Cookies/1416.htm) it states: "For cookie usage, this Office would be satisfied with a prominent notice on the homepage informing users about the website's use of cookies with a link through to a Cookie Statement containing information sufficient to allow users to make informed choices and an option to manage and disable the cookies."

    Arguably the last part of that "an option to manage and disable the cookies" could be read differently; you could say informing users of how to disable cookies via the browser would suffice instead of having to have an inbuilt system on your website to do this.

    There are a number of websites that deploy analytics and advertising cookies without first asking for permission so I'm at a point of presuming that the view being taken is that passive consent is still ok. Take Boards.ie, as soon as you arrive on the website they deploy 25 cookies (of which they use google analytics and the doubleclick cookie which is an ad targeting cookie). RTE does the same. The Irish Times website deploys over 50 cookies without consent.

    It just seems strange that many US based websites have specifically put in place methods of allowing people to FIRST accept/decline cookies before they have been deployed on your computer but many websites within the EU, where this law originates, haven't bothered to do this...

    I run a website and have removed all scripts that deploy cookies and have been trying out lots of different methods to deploy cookie choice plugins/code etc to no avail so am at a point of giving up and just putting all the scripts back on since a whole bunch of Irish websites are doing the same. I'm small fry (tiny fry actually) in comparison to these bigger websites/companies so am thinking they'll get hit with non-compliance way before I would... I hope!
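
The opt-in behaviour listed in the post above (nothing non-essential loads before an explicit accept, a decline option, a way to change the decision, and a record of the decision), as an added JavaScript example that is not part of the original post or of any plugin it mentions. `createConsentGate`, `memoryStorage`, the `cookie_consent` key and the script names are hypothetical.

```javascript
// Added example: opt-in gate for non-essential scripts. All names are hypothetical.
const CONSENT_KEY = "cookie_consent"; // assumed storage key

function createConsentGate(storage, loadScript, now = () => new Date().toISOString()) {
  const pending = [];        // non-essential scripts waiting for opt-in
  const loaded = new Set();  // scripts already injected on this page

  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch { return null; } // corrupt record = no decision
  }

  function flush() {
    for (const src of pending.splice(0)) {
      if (!loaded.has(src)) { loaded.add(src); loadScript(src); }
    }
  }

  function record(decision) {
    // Only the choice and its time are stored; no visitor identifier.
    storage.setItem(CONSENT_KEY, JSON.stringify({ decision, at: now() }));
  }

  return {
    // Register a non-essential script; it loads only if opt-in is already recorded.
    register(src) {
      pending.push(src);
      const c = read();
      if (c && c.decision === "accepted") flush();
    },
    accept() { record("accepted"); flush(); },
    // Declining (or never answering) leaves every pending script unloaded.
    decline() {
      record("declined");
      // Scripts already running cannot be unloaded; signal that a reload is needed.
      return { reloadRequired: loaded.size > 0 };
    },
    status() { const c = read(); return c ? c.decision : "undecided"; },
    loadedScripts() { return [...loaded]; },
  };
}

// In-memory stand-in for window.localStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

In a browser, pass `window.localStorage` and a loader that appends a `<script>` element; cookies that were set before a later decline have to be deleted separately.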


Comments

  • Registered Users Posts: 6,150 ✭✭✭Talisman


    Google Analytics is GDPR compliant - if you are just tracking use of the website you are fine. If you are doing something else with the data, e.g. profiling the user to personalise the content they see then you need to inform the user and give them the opportunity to opt in/out.

    Cookies for session storage are fine - it just requires the regular cookie compliance information.

    Websites that display behavioural advertising should be GDPR compliant because the advertising scripts are in the business of profiling and sharing information. If you are worried take a look at Amazon's compliance page: Advertising and the EU General Data Protection Regulation.

    The other side of GDPR is ensuring that you keep data captured from users via forms etc as secure as possible. If your website is hacked and the user data is leaked then as the old man said in the Simpsons, "That'll be a Paddlin'".


