The European Union (the “EU”) adopted the General Data Protection Regulation (the “GDPR”) in 2016 to protect individuals in the EU (not only EU citizens) from privacy violations and data breaches. The GDPR became enforceable on May 25, 2018, after a two-year transition period, but many US businesses that process the personal data of people in the EU have yet to update their privacy policies and internal procedures to reflect the required changes. A business found in breach of the GDPR can be fined up to 4% of its annual global turnover or €20 million, whichever is greater. A cookie policy is a crucial part of any company’s privacy policy, and this article provides an overview of the updates needed to protect your company from such fines.

If you’re reading this article, you’re likely already familiar with how cookies enhance a website for both the user and the company. A cookie can identify a particular computer, tablet, or mobile device (a “Device”) that accesses a company’s website. The information a cookie allows a site to collect about a Device includes, but is not limited to: the name of the provider the Device connects through; the location of the Device; the amount of time spent on a website or webpage; browsing history on a particular website; and the browser used to access the website. In the US there is no general federal definition of “personal data” that reaches this kind of device-level information, because on its own it does not name an individual user, so it has generally gone unprotected. (Some state laws have since started to treat such identifiers as personal information, so check the states you operate in.) The GDPR sets a different standard for any website that reaches people in the EU.

Under the GDPR, any information collected by a cookie that can be used to identify an individual, either directly or indirectly, is personal data; Recital 30 names cookie identifiers, IP addresses and similar online identifiers explicitly. Therefore, almost all information collected by cookie from users in the EU is protected. Note also that the GDPR’s territorial scope (Article 3(2)) reaches businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour, and tracking cookies are a form of monitoring. A company with foreseeable EU users must therefore update its cookie policy and procedures to reflect the different standard for protected information. Perhaps the simplest and most effective way to update your cookie policy is to draft a new section setting out the GDPR’s definition of personal data and listing which information collected through the website falls under that umbrella. Then review your privacy policy’s existing sections, and wherever there is a disconnect between what the US and the EU consider “personal data,” add a note in italics directing EU users to your GDPR section so they know what applies to them.

Updating your cookie policy is only the first step. You should also ensure that the other requirements of the GDPR are met, such as obtaining consent from EU users before collecting and using their information. Consent under the GDPR (Article 4(11) and Article 7) must be freely given, specific, informed and unambiguous: pre-ticked boxes or continued browsing do not count, the user must be able to withdraw consent as easily as it was given, and you must be able to demonstrate that consent was obtained. Bear in mind that the requirement to obtain consent before storing or reading non-essential cookies on a user’s Device comes from the separate EU ePrivacy Directive, which the GDPR’s consent standard now governs. Finally, you need to ensure that your procedures for collecting, storing, and using the information comply with both your policy and the GDPR’s requirements; a policy that describes practices your systems do not actually follow is itself a liability.