Tracking cookies
Cookies that can also be read when visiting another website are called tracking cookies. Organisations can use these cookies for tracking the browsing behaviour of individuals over time. Tracking cookies enable an organisation to draw up profiles of people (profiling) and treat them differently. Tracking cookies often involve the processing of personal data.
On this page
Personal interests may be derived from the information about websites visited. Organisations can use this information, for example, for showing targeted advertisements to their website visitors.
Complying with the GDPR with tracking cookies
Do you use tracking cookies for processing personal data of the visitors of your website? Then you must comply with the rules from the General Data Protection Regulation (GDPR).
The most important requirements are that you:
- have a legal basis for the data processing;
- inform visitors in a timely and proper manner;
- secure the data properly.
In order to obtain legally valid consent for placing tracking cookies, you must first inform your website visitors about:
- the types of personal data that you collect and process by means of the cookies;
- the purposes of the data processing;
- the categories of businesses or third parties to whom you provide the data;
- the retention period;
- as much further information as necessary for giving your visitors a fair view of the data processing.
Types of personal data
Provide information about the types of personal data that you collect and process using tracking cookies. This should in any case include:
- web pages visited;
- IP addresses;
- cookie content;
- referrer URL;
- any other data that you collect, such as data about the peripherals used and settings of the software on the device.
Purposes of the data processing
Let your visitors know for what purpose you collect and process their personal data. For example:
- displaying targeted advertisements (or having these displayed);
- the use of social media, website statistics;
- compiling interest profiles;
- displaying recommendations, market analysis, target group analysis;
- improving the navigation on your website.
Note: a general purpose such as 'improving the services' is not specific enough.
Third parties
Give your website visitors information about the type of third parties that you provide the personal data to. State the names of advertising networks, any social media and other parties that place tracking cookies through your website. Also state the names of the cookies and information about the purpose of the processing.
Retention period
Inform visitors about the retention period for each separate cookie. Check the service life of the tracking cookies that are placed through your website. Then assess whether the retention period is necessary for the purpose.
A retention period of six months or more will often be too long. This is also because the period is extended by another six months every time your website or another website that places this cookie is visited.
Social media only
Do you want to include only a few social media buttons on your website, to enable your visitors to share content? And do you not use any other tracking cookies? Then you can, for example, work with non-active social media buttons.
In that case, visitors will have to click consciously on these ‘grey’ buttons to give consent. By clicking the button, the users determine whether they want to activate the functionality of that button. And with it, whether they want to make use of the social media plug-in cookies. In this case too, you have to tell the visitors what they give consent for.
Legal basis: consent
The GDPR contains a number of possible legal bases for processing personal data. Do you process personal data using tracking cookies? Then you must be able to rely on a specific legal basis, namely unambiguous consent.
Asking for consent
This means that you must ask your website visitors for consent for placing tracking cookies. And that the visitors must have a clear choice to give or refuse such consent.
Under the GDPR, consent is only valid if it is given freely, specifically, and in a well-informed and unambiguous manner.
This means that:
- the visitors to your website must also be able to refuse consent (otherwise it is not a free choice);
- it must be clear for what exactly you ask consent;
- your visitors must be provided with sufficient information about what happens with their data when they give consent;
- you visitors must actually give consent by an affirmative action.
If you offer your visitors an information bar with a clear choice between ‘yes’ and ‘no’, you will at least meet the choice requirement for unambiguous consent. Provided that you do not place any cookies before the visitor has made a choice.
No valid consent
There is no valid consent in the following examples:
- A cookiewall that prevents your visitors from gaining access to your website if they refuse cookies.
- Omission of an act by your visitors. You cannot derive consent from such omission. For example, if visitors have not chosen through their browser to refuse tracking cookies. If you only refer to your privacy policy, this is also insufficient.
- Assuming that your visitors have given consent when they continue to use your site (continue scrolling or swiping) after an information bar has been displayed ((‘By making further use of the website you agree to placing tracking cookies’). These are not affirmative actions from which unambiguous consent is apparent.
- Standard settings in which all categories of cookies have already been ticked.
Note: you must be able to demonstrate that visitors have actually given consent for placing cookies.
Anonymising tracking cookies
Even if you do not have a name and address of your website visitors yourself, you will nevertheless often process their personal data using tracking cookies. When tracking cookies are placed and read, other data are always collected, such as IP addresses, data about websites visited at an earlier time, and sometimes data that enable unique identification of the peripheral on the Internet.
Indirectly traceable
These data are personal data, individually or combined with each other. Even if you, as a website owner, cannot link them to a name or an address yourself. The definition of personal data is not only about data that you can use yourself for identifying someone, but also about data that can be used by someone else for identifying someone. This is what we call indirect traceability.
Apart from this, the purpose of tracking cookies is actually to track the behaviour of a specific individual on the Internet. And based on this Internet behaviour, to treat this individual differently.
That you (or the advertising network that places tracking cookies through your website) do not know the name of the website visitor does not alter the fact that you (or the advertising network) can combine information about the surfing behaviour of one specific individual. And can approach this individual in a targeted manner through advertisements.
Still personal data
The anonynimisation of personal data is a form of personal data processing. When collecting these data you will have to ask for consent based on adequate information that you provide to the visitor, even if you do not anonymise the data immediately.
Truly irreversible anonymisation is not easy, by the way. In practice, this is often pseudonymisation. This may be a good measure for, for example, reducing security risks. But pseudonyms (encrypted data) also remain personal data, because they still can be traced back to individuals.
See for more information: Opinion of the European Article 29 Working Party on Anonymisation Techniques.