The way the cookie crumbles: tracking cookies under GDPR

GDPR is everywhere at the moment but we wanted to share an often forgotten area that will be heavily impacted – cookie tracking and online advertising.

Cookies allow businesses to track web visitors’ activities and movements and use this information to market directly to the individual.

However, cookies which can identify an individual or device are classified as personal data under GDPR and the ePrivacy Regulation, and from 25 May, companies will therefore need to have a legal basis for processing this data.

If consent is the legal basis for processing the data, you must obtain clear and voluntary consent for every activity (i.e. both tracking the individual and using the data). Crucially, soft opt-in consent (i.e. the ‘by using this site, you accept cookies’ messages that pop up on websites) is not sufficient, and users must be given the opportunity to withdraw their consent easily.

In a recent survey by PageFair, 81% of respondents confirmed that they would not consent to having their behaviour tracked by companies other than the website they are visiting. This will have the most impact on ad tech companies and advertisers who currently use third-party cookies and who will be most at risk if individuals consider that their consent should not be provided for these activities.

To become compliant companies have two choices – either stop gathering the relevant cookies, or find a lawful ground to collect and process that data. For most companies, that lawful ground will be the consent of the individual. With consent so much harder to get under GDPR, perhaps an alternative could be for software companies to devise progressive new software that will enable companies to continue to market to individuals, but without the need to collect the user data. It will certainly be interesting to keep an eye on how software develops in this area in the near future.