At the time of writing, cookies are mentioned just once in the entire GDPR, and only in relation to whether they count as ‘personal information’ (only when combined with other identifiers). Because so much of paid digital marketing relies on cookies – analytics, tracking, behavioural targeting, remarketing etc – you can see why the ICO’s vagueness in this area has left a lot of room for speculation and a fair amount of panic.
It's worth remembering that the e-Privacy cookie laws still exist after GDPR launches. These new regulations only apply in terms of explicit basis for lawful processing (Consent or Legitimate Interests).
- First party cookies are ‘owned’ by the domain you’re currently on, meaning a user will be recognised between sessions and pages (remember logins, passwords, sire settings, products added to cart etc).
- Third-party cookies are ‘owned’ by any other domain to the one you’re currently browsing and will track users across multiple sites to enable remarketing.
GDPR will probably have no impact on first party cookies, as they clearly improve users’ online experience. With third party cookies, it will depend on whether cookie data is viewed as ‘personally identifiable information’, which the ICO has not fully clarified.
The question on every digital marketer’s mind: are we about to see the rise of ‘not provided’ limiting our analytics potential? We think not.
The tracking for Google Analytics is done via a first party cookie, so it’s unlikely to be hit by some of the intricacies of the regulations. Secondly, we have good reason to believe that Analytics falls under legitimate interests as a basis for lawful processing. Read this statement from WP29:
“Controllers may have a legitimate interest in getting to know their customers’ preferences so as to enable them to better personalise their offers and ultimately, offer products and services that better meet the needs and desires of the customers.”
Working Party under Article 29, 2014
Translating that, if we’re using collective data (which is and always will be non-identifiable in GA), to make decisions that will ultimately lead to users enjoying better brand experiences on and offline, then we could argue it’s in everyone’s best interest.
The age of user-friendly cookie and privacy statements
The most noticeable impact of GDPR from the public’s view is going to be a shift towards actually-readable and comprehensive Privacy Statements.
Transparency is a key pillar of the regulations, meaning that the realms of legal waffle are about to be condensed into “concise, transparent, intelligible information, written in clear and plain language”.
We can’t wait.
Some larger companies have already rolled out new, user-friendly privacy policies. We’ve already sung our praises about Google’s, so here is another extract from AO that we’re particularly fond of:
ao.com On how Cookies are used for Functionality, Advertising and Analytics
Cookies are small text files used to transfer information. Site functionality cookies allow you to navigate the site and use our features. When you return to the site we’ll be able to remember the products you’ve compared or added to your basket.
Cookies also enable us to show adverts relevant to you when you’re browsing online, for example deals or products you’ve looked at.
Analytics cookies help us to learn where we’re going wrong, and which elements of the site you find easier to use. We’ll track the volume of people on our site, where they click, and where they exit the site.
As we see an increase in user-friendly, transparent and open explanations of tracking technologies, will the average user become more marketing savvy?
It’s already an attitude change we’re seeing with younger, technology-focused generations, and it will be an interesting one to watch over time. Will more transparent use of data lead to more or less uptake of adblockers, for example? Only time will tell.