Overview

The GDPR’s goal is to allow the customers of an organization to have more control if and how their personal data is used. One of the control attributes is deciding whether to allow the website to use cookies (a small text file that is stored in computer or mobile device by a visited website), and to what extent.

Each organization is required to create and maintain a policy which outlines how the customers will be able to control which cookies they agree to.

 The Policy

The main objective of the cookie policy template is to outline to the IT department what their GDPR obligations are, and how to implement these obligations so that they comply with the organization’s policy.

Since cookies may be considered intrusive, the policy should also take into account the many positive aspects of cookie usage: Personalization, Tracking of the user’s history and session management.

Purpose

This document aims to explain the accepted policy of using cookies per the GDPR. Complying with this policy is a predecessor to receiving the certification and standards of the GDPR.

A cookie is a small text file stored on a computer or mobile device by a website you visit. The cookie may contain information such as a unique identifier, the site name, and some digits and numbers.

Scope

The following document explains to the IT department of the organization what a cookie is, the GDPR policy, and how to comply with it. Most cookies are harmless and are used to improve your browsing experience.However, some cookies may be used to track your browsing habits and may be considered intrusive.

The goals of cookies are:

1.Session management:

Whenever an end-user accesses a website for the first time, a cookie is used to remember the session identifier. This is so that the next time that the site is accessed, the cookie alerts the site that the end user has been authenticated and grants the end-user access to the site.

2.Personalization:

The cookies remember the content previously accessed by the end-user and use that information to give them information that is deemed to be relevant to them.

3.Tracking:

The habits of the end-users are tracked by the cookies, allowing the organization to learn the habits of its customers (which content was viewed, for how long and for which purpose). This is useful for continuous improvement and to be sold as databases.

 Uses of Cookie Policy

The use of cookies has come under scrutiny from privacy advocates and regulators.Cookies can be used for various purposes, including storing user preferences, tracking user behavior, and targeted advertising.

While cookies are generally considered harmless, some privacy concerns are associated with their use. Usually, these concerns can be addressed using a cookie policy.

A cookie policy can address some privacy concerns, including :

• Informing users about the types of cookies used on a website.
• Specifying the purposes for which cookies are used.
• Disclosing the third-party recipients of cookies.
• Specifying the duration for which cookies are stored.
• Offering users, the ability to opt out of the use of cookies.
• A cookie policy ensures that users are informed about the use. 

Required Fields in the Policy

The policy must include the following information :

1.General consent requirements:

How to obtain the users’ consent, its possibilities and the different devices that may be used.

2.Frontend requirements:

Translation, consent call-back and presenting the cookie policy.

3.Backend requirements:

Presenting the cookie table, blocking 3rd party cookies, consent forms log, auto-update of the cookies.

4.Data attributes:

Defines which types of personal data the cookies are allowed to collect.

Regulations For GDPR Cookie Policy

The following statutes must be followed for the organization to comply with the GDPR cookie policy :

• Any organization must comply with this policy if it collects data from end-users inside the EU, even if it’s outside of the EU.
• The end-users must give consent for their data to be collected and stored.
• The consent may be for only some of the data and can’t be an “all or nothing” consent.
• The consent can be rescinded at any given time.
• All the data which is collected must be stored according to the GDPR policy.
• The consent must be renewed once every year and in some cases, once every six months.

Glossary