Thanks for all the responses so far.

 

If you search for “GDPR and cookies”, a lot of the info out there is obviously cut from the same source. Core to the interpretation are GDPR Recitals 30 (when cookies can identify an individual via their device, it is considered personal data), 32 (consent requires a “clear affirmative act”) and 42 (if users do not consent to the use of their personal information for analytics, they should still be able to use your website).

 

From a brief look at some of the advice, it looks to me like:

 

 

There are loads of links out there but here’s a few of the links I’ve been looking at, for ref:

 

https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies/

https://www.cookielaw.org/blog/2016/5/13/the-gdpr,-cookie-consent-and-customer-centric-privacy/ (has a fairly beefy cookie notice)

https://www.preoday.com/blog/website-cookies-and-gdpr-compliance/

http://privacylawblog.fieldfisher.com/2018/gdpr-plus-e-privacy/

 

John Benfield

Product Experience Manager

Royal Shakespeare Company

01789 272351

07557 848414

www.rsc.org.uk

 

From: Museums Computer Group [mailto:[log in to unmask]] On Behalf Of Dee Ishani
Sent: Tuesday, April 3, 2018 6:21 PM
To: [log in to unmask]
Subject: Re: [MCG] GDPR and cookies

 

My understanding is that cookies (or any other tracking tools) are only covered under GDPR if they are collecting personal data. Otherwise they are covered by PECR which isn't changing at this time and I think this is why there's been no additional guidance issued. So unfortunately it very much depends on what cookies you're using and what they do.

 

Re persistent cookie notice - a large number of folk include a clear link to the detailed cookie advice in their footer so that it's always available - which I see RSC already does.

 

If your cookies are feeding back IP addresses to a tool you use, you'd likely need to combine it with other data in order to be able to take a guess at who the person is. IP addresses might be classified as pseudonymous if you have other data sources to combine them with in order to identify someone, but it totally depends what systems you're using and what else is being collected through that system.

 

On 3 April 2018 at 17:33, Tony Crockford <[log in to unmask]> wrote:

On 3 Apr 2018, at 11:56, John Benfield <[log in to unmask]> wrote:

 

You then have to allow users to change their mind at any point via a similar option, which sounds like a persistent cookie notice.

 

I'm still struggling with the concept that the use of cookies could accurately (beyond all reasonable doubt) identify an individual.

 

How does anyone know for certain that the person driving my computer is me?

 

In a shared computer household with multiple devices, does anyone really know that the site visit is by me and not by a family member, or family friend or indeed the family cat?

 

...and then there's the question of circumstances where IP addresses aren't fixed, how would an IP address recorded by a cookie one week identify an individual if a different household router were awarded the same IP address next week? 

 

How personal is that data now?

 

:(

 

 

 

 

 

**************************************************************** website: http://museumscomputergroup.org.uk/ Twitter: http://www.twitter.com/ukmcg Facebook: http://www.facebook.com/museumscomputergroup [un]subscribe: http://museumscomputergroup.org.uk/email-list/ ****************************************************************



 

--

Dee Ishani
07740 356873

 

twitter: stripysocksrock

skype: nadine.ishani

 
