That’s the Way the Cookie Crumbles, If You Want to Comply with European Union Regs.

The European Union (the “EU”) adopted the General Data Protection Regulations (the “GDPR”) in 2016 with the intention of protecting all EU citizens from privacy and data breaches. The GDPR officially went into effect on May 23, 2018, but many US businesses that process the personal data of EU citizens have yet to update their privacy policies and internal procedures to reflect the required changes. If a business is found in breach of the GDPR, it can be fined up to 4% of its annual global turnover or €20 million, whichever is greater. A cookie policy is a crucial aspect of any company’s privacy policy, and this article aims to provide an overview of the required updates necessary to protect your company from excessive fines.

If you’re reading this article, you’re likely already familiar with how cookies enhance a website for both the user and the company. If you aren’t, it might be helpful to watch the brief video below before reading any further.

Cookies can identify a particular computer, tablet, or mobile device (a “Device”) that accesses a company’s website. The information a cookie collects about a Device includes, but is not limited to:

• The name of the provider the Device operates through
• The location of the Device
• The amount of time spent on a website or webpage
• Browsing history on a particular website
• The browser used to access the website

In the US, none of this information is considered “personal data” because none of the information can personally identify an individual user. This means that none of the information collected by the cookie is protected. The GDPR sets a different standard for any website that reaches EU citizens.

Under the GDPR, any information collected by a cookie that can be used to identify an individual, either directly or indirectly, is considered personal data. Therefore, almost all information collected by cookies from EU users is protected. A company with foreseeable EU citizen users must update its cookie policy and procedures to reflect the different standards for protected information. Perhaps the simplest and most effective way to update your cookie policy is to draft a new section outlining the GDPR’s definition of personal data and what information collected through the website falls under that umbrella. Review your privacy policy’s existing sections, and wherever there’s a disconnect between what the US and the EU consider “personal data,” make a note in italics directing the EU user to your GDPR section so they know what applies to them.

Updating your cookie policy is the first step. You should also ensure that the other requirements of the GDPR are met, such as obtaining consent from EU users to collect and use the information collected. Then you need to ensure that your procedures for collecting, storing, and using the information complies with your policy and the GDPR requirements.

If you have any questions about the GDPR or updating your cookie policy, please do not hesitate to reach out to our firm. We at Sebaly Shillito + Dyer would be happy to help you with all your GDPR needs.