As you have probably already heard, the General Data Protection Regulation (“GDPR”) is right around the corner with enforcement beginning on May 25, 2018. GDPR is a new set of rules designed to give European Union (“EU”) citizens more control over their personal data. Anyone doing business in the EU is required to comply with these regulations. One part of the GDPR references how natural persons may be associated with online identifiers including but not limited to Internet protocol addresses and cookie identifiers. Essentially, when cookies can actually identify an individual through their respective device, it will be considered personal data and subject to GDPR. So what does that mean if you collect cookies?
In order to be compliant, a company will either need to stop collecting cookies or otherwise seek consent prior to collecting data. However, consent has to be given through a clear affirmative action (such as an opt-in box). Implied consent is no longer sufficient under GDRP, so simply visiting a site will not count as consent. A common way to seek consent is by creating an opt-in banner once a user enters the site. Companies will also need to take the additional step to offer users a way to adjust their preferences to cookies and collection practices by providing a method to opt-out of collection practices, whether through preferences, menu or other settings.