As you have probably already heard, the General Data Protection Regulation (“GDPR”) is right around the corner with enforcement beginning on May 25, 2018. GDPR is a new set of rules designed to give European Union (“EU”) citizens more control over their personal data. Anyone doing business in the EU is required to comply with these regulations. One part of the GDPR references how natural persons may be associated with online identifiers including but not limited to Internet protocol addresses and cookie identifiers. Essentially, when cookies can actually identify an individual through their respective device, it will be considered personal data and subject to GDPR. So what does that mean if you collect cookies?

First, if your company does in fact collect cookies, you will need a policy identifying your collection practices, explaining what data is gathered through the use of cookies and how that data is used. If your cookies are strictly required for website functionality and do not track user activity, then you likely do not need a policy or consent notice. On the other hand, if your website uses cookies to track user behavior, then you will be required to comply with GDPR. If your website is based in the EU, or if you target any EU citizens, and your site uses cookies to collect any personal data or is otherwise tied to users, then you will need to comply with GDPR’s notice and consent requirements. It’s important to note that compliance with GDPR and collection of personal data through cookies also extends to third parties that track users (i.e., advertising, analytics, or other plug-ins such as chat tools).

In order to be compliant, a company will either need to stop collecting cookies or otherwise seek consent prior to collecting data. However, consent has to be given through a clear affirmative action (such as an opt-in box). Implied consent is no longer sufficient under GDPR, so simply visiting a site will not count as consent. A common way to seek consent is by presenting an opt-in banner when a user enters the site. Companies will also need to take the additional step of offering users a way to adjust their cookie and collection preferences by providing a method to opt out of collection practices, whether through a preferences menu or other settings.

In short, if you are collecting personal data through means of cookies or otherwise, you need consent to be compliant with GDPR and should revisit your privacy policy to ensure it contains the required information based on your data collection practices.