1 August, 2024

Cookies and GDPR: how to ensure your website is compliant


What are cookies? For many internet users, this phrase may sound technical and confusing. In fact, cookies are simply small text files that are stored on a user’s computer or mobile device when they visit a website. They help websites “remember” users and their settings, which makes using the internet more convenient. GDPR is an acronym that is becoming increasingly well-known in Ukraine, because it refers to the European Union’s General Data Protection Regulation, which significantly affects how businesses handle personal data, including data collected through cookies. But ease of use should not be a reason to ignore the legislation. This article will help you understand how cookies and GDPR interact, and how to ensure your website is compliant with the legislation. You will learn about the importance of the GDPR, how cookies work and what steps you need to take to ensure your site is “clean” before the law and users.

Section 1: Understanding GDPR and cookies

Before diving into the details of ensuring your website is compliant, it’s important to understand the basics. What exactly does the Law on Personal Data Protection of Ukraine regulate and how does it relate to GDPR? What role do cookies play in this process, and why is it so important to understand the principles of their work? Let’s take a closer look at these questions.

1.1 GDPR in Ukraine: The legislative field and its impact on your business

In the digital age, when data has become the new gold, its protection is a priority, especially for business owners. In Ukraine, personal data protection issues are regulated by the Law on Personal Data Protection of Ukraine, which is closely aligned with the EU General Data Protection Regulation (GDPR). Although Ukraine is not a member of the EU, the GDPR has a direct impact on Ukrainian companies that:

  • Work with EU citizens.
  • Offer goods or services within the EU.
  • Process the personal data of EU citizens in any way.

What exactly does GDPR regulate? GDPR sets out strict rules for the collection, processing, storage and use of EU citizens’ personal data. Key GDPR principles that apply to websites include:

  1. Lawfulness, fairness and transparency: The processing of personal data must be lawful, fair and transparent to the data subject (user).
  2. Purpose limitation: Data may only be collected for clearly defined, explicit and legitimate purposes.
  3. Data minimization: The amount of data must be the minimum necessary to achieve the purpose of the processing.
  4. Accuracy: Data should be accurate and up-to-date.
  5. Retention limits: Data should not be kept for longer than is necessary to achieve the purpose of the processing.
  6. Integrity and confidentiality: Data must be processed in a way that ensures its security and confidentiality.
  7. Accountability: The data controller (website owner) is responsible for ensuring compliance with the above principles.

How does GDPR affect websites? GDPR affects any website that collects, processes or stores personal data of EU citizens, regardless of where the website’s server is located. This includes:

  • Collecting data through forms on the website (contact forms, registration forms, order forms).
  • Use of cookies to track user behavior on the site.
  • Use of analytical tools (e.g. Google Analytics).
  • Integrating with social media.
  • Sending emails for marketing purposes.

The Ukrainian Law on Personal Data Protection is harmonized with the GDPR, which means that it incorporates the basic principles and requirements of the GDPR. Websites that are GDPR compliant are therefore likely also compliant with Ukrainian law. GDPR is a complex document and its interpretation can be tricky. If you have any doubts about how GDPR affects your business, it is best to consult a lawyer specializing in data protection.

1.2 Cookies and their role: how they collect data and why this is important for your business

Imagine visiting a website where you have to enter your username and password each time, customize the language of the interface, or search for products you’ve previously viewed. That would be inconvenient, wouldn’t it? That’s where cookies come in. How do cookies work? When you visit a website, your browser (Chrome, Firefox, Safari, etc.) may store small text files – cookies – on your device. These cookies contain information about your activities on the site, settings and other data that the site may use to improve your user experience. What types of cookies are there? There are several types of cookies, each of which performs a different function:

  • Mandatory cookies: These cookies are necessary for the basic functions of the site, such as navigating pages, accessing secure areas of the site, or remembering items in your shopping cart. They do not collect information about you for marketing purposes and do not require your consent.
  • Performance cookies: These cookies collect information about how visitors use the website, such as which pages they visit most often, which links they click, whether they experience errors. This information helps to improve the website and make it more user-friendly.
  • Functional cookies: These cookies allow the website to remember your preferences, such as interface language, font size or region, to provide you with a more personalized experience.
  • Targeting cookies: These cookies are used to show you relevant ads based on your interests. They are also used to limit the number of times ads are shown and to measure the effectiveness of advertising campaigns.

Why is it important to understand the role of cookies? Cookies play an important role on today’s internet, but they can also pose some risks to user privacy. Because cookies can store personal data, their use is governed by GDPR and other data protection laws. As a website owner, it is your responsibility to ensure that the use of cookies on your website complies with legal requirements.

Section 2: Ensuring your website is compliant

Now that we’ve covered the basics of GDPR and cookies, it’s time to get practical. How do you make sure your website is compliant with the legislation on the use of cookies? What steps do you need to take to avoid penalties and maintain the trust of your users? In this section, we will provide you with a clear action plan and practical advice on how to make your website GDPR compliant.

2.1 GDPR cookie requirements: clear rules for your website

GDPR sets out clear rules on the use of cookies. Ignorance of these rules does not exempt you from liability, so it is important to understand exactly what the law requires and how to ensure website compliance with the GDPR in practice.

Obtaining consent for cookies. One of the key principles of the GDPR is the principle of explicit, informed and unambiguous consent to the processing of personal data. This means that you must obtain the user’s consent to use cookies before they are placed on their device.

But do all cookies require consent? No, not all cookies do. As we mentioned earlier, mandatory cookies, necessary for the basic functions of the site, do not require consent. However, you will need to obtain user consent to use performance, functional and targeting cookies.

How to obtain valid consent? GDPR requires that consent must be:

  • Voluntary: The user must be able to freely choose whether or not to consent to the use of cookies.
  • Specific: Consent must be given for each individual purpose of data processing.
  • Informed: The user must be informed about which cookies are used, what data they collect and for what purpose.
  • Unambiguous: Consent must be given by a clear action that indicates the user’s agreement (e.g. clicking the “Agree” button).

In practice, this means you need to:

  • Develop a clear and understandable cookie policy that details which cookies are used on your site, what data they collect and for what purpose.
  • Display a cookie banner the first time a user visits your site. The banner should contain brief information about the use of cookies and a link to your cookie policy. The user should be able to accept or reject the use of cookies.
  • Allow users to manage their cookie settings at any time. This can be done, for example, through a special section on your website or through browser settings.

GDPR cookie compliance is not just a formality. It is an important step towards protecting your users’ personal data and avoiding potential fines.

2.2 Practical steps for compliance: from theory to action

Understanding the GDPR requirements is only the first step. The next, equally important step is putting these requirements into practice. How exactly do you bring your website into compliance with GDPR? Let’s take a look at specific steps to help you do just that.

  1. Create a cookie policy:

Your cookie policy is your primary tool for informing users about how you use cookies. It must be:

  • Accessible: Place a link to the cookie policy in a prominent place on your website, such as the footer.
  • Clear: Use simple language that is easy to understand for the average user. Avoid legal terms and complex wording.
  • Informative: Specify which cookies are used on your site, what data they collect, for what purpose and how long they are stored.
  • Up-to-date: Review and update your cookie policy regularly to keep it up-to-date with current legal requirements and your current cookie practices.
  2. Implementing a cookie banner:

A cookie banner is a pop-up window that appears the first time a user visits your website. Its purpose is to notify the user of the use of cookies and to obtain the user’s consent to their use. Your cookie banner should:

  • Clearly communicate your use of cookies.
  • Include a link to your cookie policy.
  • Give the user the option to accept or reject the use of cookies.
  • Not interfere with the user’s ability to browse your site.
  3. Allow users to manage their cookie settings:

Users should be able to change their cookie settings at any time. You can provide them with this ability by giving them access to:

  • Cookie Control Panel: This is a special section on your website where users can view and change their cookie settings.
  • Browser settings: Inform users that they can manage cookies through their browser settings.
  4. Using tools to manage consent:

There are specific tools that help automate the process of obtaining and managing cookie consent. These tools can:

  • Display cookie banners.
  • Keep a record of user consent.
  • Block certain types of cookies before consent is obtained.

Remember: Implementing these steps will help you ensure your website is GDPR compliant and protect the privacy of your users.
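The four steps above (a documented cookie policy with categories, a banner that records the choice, a way to change or withdraw it, and a tool that blocks non-essential cookies until consent exists) can be expressed as a small consent gate in the browser. The code below is an added example and is not code from the article or from any consent-management product; the policy version string, the cookie names and the storage and cookie-writing adapters are assumptions, so that the logic runs offline under Node instead of against `localStorage` and `document.cookie`.

```javascript
// Added example (not from the article): a minimal cookie-consent gate.
// Assumptions: the `store` adapter wraps localStorage, `writeCookie` /
// `clearCookie` wrap document.cookie in a real page; here they are in-memory.

const CATEGORIES = ['necessary', 'performance', 'functional', 'targeting'];
const POLICY_VERSION = '2024-08-01'; // assumed: bump whenever the cookie policy changes

class ConsentManager {
  constructor({ store, writeCookie, clearCookie, now }) {
    this.store = store;            // { get(key), set(key, value), remove(key) }
    this.writeCookie = writeCookie;
    this.clearCookie = clearCookie;
    this.now = now || (() => new Date().toISOString());
    this.placed = new Map();       // cookie name -> category, needed for withdrawal
    this.blocked = [];             // cookies refused because no consent existed
  }

  // The stored consent record, or null if absent or given under an older policy.
  record() {
    const raw = this.store.get('cookie_consent');
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.version === POLICY_VERSION ? rec : null; // stale consent is not consent
  }

  // Persist the user's explicit choice per category; 'necessary' never needs consent.
  grant(categories) {
    const granted = categories.filter((c) => CATEGORIES.includes(c) && c !== 'necessary');
    this.store.set('cookie_consent',
      JSON.stringify({ version: POLICY_VERSION, granted, at: this.now() }));
    return granted;
  }

  // Withdraw consent and delete every cookie that depended on it.
  withdraw() {
    this.store.remove('cookie_consent');
    for (const [name, category] of this.placed) {
      if (category !== 'necessary') {
        this.clearCookie(name);
        this.placed.delete(name);
      }
    }
  }

  allows(category) {
    if (category === 'necessary') return true;
    const rec = this.record();
    return rec !== null && rec.granted.includes(category);
  }

  // The gate: a cookie is only written if its category has been consented to.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    if (!this.allows(category)) {
      this.blocked.push(name);
      return false;
    }
    this.writeCookie(name, value);
    this.placed.set(name, category);
    return true;
  }
}

// Constructed in-memory stand-ins for localStorage and document.cookie.
function makeFakeBrowser() {
  const storage = new Map();
  const jar = new Map();
  return {
    jar,
    adapters: {
      store: { get: (k) => storage.get(k) ?? null, set: (k, v) => storage.set(k, v), remove: (k) => storage.delete(k) },
      writeCookie: (n, v) => jar.set(n, v),
      clearCookie: (n) => jar.delete(n),
      now: () => '2024-08-01T00:00:00Z',
    },
  };
}

// Walk through one visit: first load, consent to performance cookies only, withdrawal.
function demo() {
  const { jar, adapters } = makeFakeBrowser();
  const cm = new ConsentManager(adapters);
  const firstLoad = [cm.setCookie('sid', 's1', 'necessary'), cm.setCookie('analytics_id', 'a1', 'performance')];
  cm.grant(['performance']);
  const afterConsent = [cm.setCookie('analytics_id', 'a1', 'performance'), cm.setCookie('ad_id', 'x', 'targeting')];
  const consentedTo = cm.record().granted;
  cm.withdraw();
  return { firstLoad, afterConsent, consentedTo, blocked: cm.blocked, remaining: [...jar.keys()] };
}
```

Two design points matter for compliance rather than convenience: the record stores the policy version and a timestamp, so consent given under an older policy is treated as absent and the banner is shown again, and withdrawal actively deletes the cookies that were set under the earlier consent instead of merely stopping new ones.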

Section 3: Consequences of non-compliance and additional measures

You already know how to make your website GDPR compliant, but what happens if you don’t? Is it worth the risk of ignoring the legal requirements? In this section, we look at the potential consequences of GDPR non-compliance and additional measures to help you strengthen data protection on your website.

3.1 Risks of non-compliance: the high cost of ignoring the rules

In a world where data protection is becoming increasingly important, ignoring GDPR can have serious consequences for your business. Don’t underestimate the importance of GDPR compliance, because the price for ignoring the rules can be very high. Financial penalties: GDPR provides for significant fines for data protection violations. The amount of the fine depends on the severity of the violation and can reach:

  • Up to €20 million or
  • 4% of the company’s total annual turnover (whichever is greater).

Reputational damage: A GDPR breach can seriously damage the reputation of your business. News of data leaks or negligent treatment of user privacy spreads quickly, which can lead to:

  • Loss of customer trust.
  • Decrease in sales.
  • Difficulties in attracting new customers and partners.

Lawsuits: Users whose rights have been violated have the right to sue for compensation. Litigation can be lengthy and expensive, even if you win your case. Other negative consequences: In addition to financial penalties and reputational losses, GDPR non-compliance can result in:

  • Suspension of your website.
  • Restriction of data processing.
  • Negative media coverage.

Is it worth the risk? As you can see, the consequences of GDPR non-compliance can be very serious. Even if your business is small, ignoring data protection regulations is a risk you shouldn’t take. Implementing the necessary measures to ensure GDPR compliance is an investment in the security of your business and the trust of your customers.

3.2 Additional steps to improve data protection: a holistic approach to security

GDPR compliance is an ongoing effort that requires a comprehensive approach. Beyond the basic steps, consider additional measures to strengthen data protection and build user trust.

  1. Audit your website for GDPR compliance:

A website audit for GDPR compliance is like a tech inspection for your website. It will help:

  • Identify weaknesses in the data protection system.
  • Evaluate the effectiveness of security measures already in place.
  • Create an action plan to correct the problems.
  2. Consultation with a legal professional:

Data protection legislation is constantly changing. Consulting with a lawyer who specializes in GDPR will help:

  • Develop a flawless privacy and cookie policy.
  • Avoid typical GDPR mistakes and problems.
  3. Implement advanced protection systems:

Consider implementing specialized data protection systems such as:

  • Access control systems (IAM).
  • Data leakage prevention systems (DLP).
  • Data encryption systems.
  4. Employee training:

It is important that all employees who handle personal data understand the GDPR requirements. Provide regular training and briefings.

  5. Data protection culture:

Data protection is not just a rule but a principle of operation. Create an atmosphere of respect for privacy and personal data protection in your company. Data security is an ongoing process. By implementing a comprehensive approach, you protect not only user data, but also the reputation of your business.

Conclusions

In a world where data has become more valuable than gold, following the rules of the game is the key to success. So what have we learned about cookies and GDPR, and how will this knowledge help your business? Firstly, we found out that the Law of Ukraine “On Protection of Personal Data”, closely related to GDPR, protects the data of EU citizens and has a direct impact on Ukrainian companies that work with the European market. Ignoring these requirements threatens serious fines and loss of reputation. Secondly, we realized that cookies are not just technical details, but a powerful tool that can both improve user experience and pose a privacy threat. The key to success is transparency and respect for user choice. A clear cookie policy, a clear banner and the ability to manage settings are your main tools. Finally, we realized that GDPR compliance is not a one-time action, but an ongoing process that requires a comprehensive approach. Regular audits, consultations with lawyers, implementation of modern data protection systems and employee training – this is what will help you stay one step ahead and guarantee the security of your clients’ data. This is where Polikarpov Law Firm comes in. We provide legal advice on GDPR and data protection issues, helping your business:

  • Conduct a GDPR compliance audit of your website.
  • Develop a clear and understandable privacy and cookie policy.
  • Implement the necessary technical and organizational security measures.
  • Train your employees in the rules of working with personal data.

Contact us and we will help you make your business safe and responsible in the eyes of the law and your customers.

Are there any exceptions when consent to cookies is not required under the GDPR, and how to apply them correctly?

Yes, the GDPR provides for exceptions to the mandatory consent to the use of cookies. However, these exceptions should be interpreted narrowly, and their application requires careful analysis and justification.

Main exception: The use of cookies without consent is permissible if they are strictly necessary to operate the website and provide the user with the service they have requested. This applies, for example, to cookies that:

  • Ensure security: protect against fraud, cyberattacks, remember your login for secure access.
  • Ensure technical operability: save the choice of interface language, shopping cart settings in the online store.
  • Temporarily store data entered by the user: for example, when filling out a multi-page form on the website.

The conditions for applying the exceptions are important:

  • Minimum necessary data: cookies must collect only the information that is strictly necessary for the realization of the above purposes and nothing more.
  • No alternatives: it must be impossible to provide the user with the service they have requested without the use of these cookies.

How to apply exceptions correctly:

  1. Conduct a thorough audit: determine which cookies your site uses and for what purpose.
  2. Clearly justify: for each cookie for which you plan to apply the exception, document a clear justification of why it is “strictly necessary”.
  3. Inform users: despite the fact that there is no obligation to obtain consent, it is important to inform users about the use of such cookies in the cookie policy on your website.

Important: Incorrect interpretation and application of the exceptions may result in a GDPR violation and fines. If in doubt, it is best to consult a lawyer who specializes in data protection.
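The audit in step 1 starts from what the server actually sets on a first, pre-consent response. The following is an added example, not code from the article, that parses raw `Set-Cookie` headers into an inventory, maps each cookie to the category documented in the cookie policy, and flags what a reviewer would need a justification for: non-necessary cookies set before consent, cookies missing from the policy, long retention, and missing `Secure` or `HttpOnly` attributes. The sample headers, the name-to-category registry and the retention threshold are constructed assumptions (the threshold is an internal policy value, not a figure taken from the regulation).

```javascript
// Added example (not from the article): inventory and audit of Set-Cookie
// headers captured from a first response, before any consent has been given.
// Sample headers, registry and RETENTION_LIMIT_SECONDS are constructed assumptions.

const RETENTION_LIMIT_SECONDS = 365 * 24 * 3600; // assumed internal policy limit

// Parse one Set-Cookie header value into name, value and the attributes an audit cares about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    secure: false, httpOnly: false, sameSite: null, maxAge: null, expires: null, domain: null, path: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val;
    else if (key === 'max-age') cookie.maxAge = Number.parseInt(val, 10);
    else if (key === 'expires') cookie.expires = val;
    else if (key === 'domain') cookie.domain = val;
    else if (key === 'path') cookie.path = val;
  }
  return cookie;
}

// Map a cookie name to the category the cookie policy documents for it.
function classify(name, registry) {
  return registry[name] || 'unclassified';
}

// Audit the cookies of a pre-consent response and return the inventory plus findings.
function auditHeaders(headers, registry) {
  const cookies = headers.map(parseSetCookie);
  const findings = [];
  for (const c of cookies) {
    c.category = classify(c.name, registry);
    if (c.category === 'unclassified') {
      findings.push({ cookie: c.name, code: 'UNCLASSIFIED' });      // not in the policy: needs a documented purpose
    } else if (c.category !== 'necessary') {
      findings.push({ cookie: c.name, code: 'CONSENT_REQUIRED' });  // set before consent, but not strictly necessary
    }
    if (c.maxAge !== null && c.maxAge > RETENTION_LIMIT_SECONDS) {
      findings.push({ cookie: c.name, code: 'LONG_RETENTION' });    // retention limit principle
    }
    if (!c.secure) findings.push({ cookie: c.name, code: 'NO_SECURE' });          // integrity and confidentiality
    if (c.category === 'necessary' && !c.httpOnly) {
      findings.push({ cookie: c.name, code: 'NO_HTTPONLY' });       // session-type cookies should not be script-readable
    }
  }
  return { cookies, findings };
}

// Constructed sample: four cookies as a server might set them on the first page load.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'lang=en; Path=/; Max-Age=31536000',
  'ad_tracker=xyz; Domain=.example.com; Max-Age=63072000',
  'ab_test=B; Path=/',
];
// Constructed registry: what the (hypothetical) cookie policy documents.
const SAMPLE_REGISTRY = { sid: 'necessary', lang: 'functional', ad_tracker: 'targeting' };

function runSampleAudit() {
  return auditHeaders(SAMPLE_HEADERS, SAMPLE_REGISTRY);
}
```

Running `runSampleAudit()` reports nothing for `sid`, flags `lang` and `ad_tracker` as set before consent (with `ad_tracker` also exceeding the retention limit), and flags `ab_test` as absent from the policy; the `NO_SECURE` findings are the security side of the audit, since a cookie sent over plain HTTP undermines the confidentiality principle regardless of consent. The same parser can be pointed at headers captured from a browser's developer tools or a proxy log for a real site.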

What evidence of the use of cookies without consent will be considered sufficient by the court to bring to justice?

Proving the use of cookies without the user’s consent can be difficult, but not impossible. EU case law is already shaping certain standards of proof, and here are some of them:

Direct evidence:

  • Screenshots/videos: capturing a screen showing a cookie banner on a website that does not comply with the GDPR (e.g., does not provide a clear choice or blocks access to the site until consent is obtained).
  • Saved copies of web pages: downloaded through web archives (for example, archive.org) or special software.
  • Server log files: Provided that they are properly stored and demonstrate that data was obtained through a cookie before consent was obtained.

Indirect evidence:

  • Witness statements: users who can confirm that they did not consent to cookies.
  • Expert opinions: cybersecurity or data protection specialists can analyze the website and determine if there are violations in the use of cookies.
  • Analytics data: Although not sufficient evidence on its own, analytics data (e.g., Google Analytics) can be used as an additional argument.

Additional aspects:

  • Preservation of evidence: it is important to record and store evidence in a timely manner, as cookie data can be lost due to user browser settings or actions of the website owner.
  • Protection against falsification: evidence must be reliable and protected from possible accusations of falsification. Using notarization of electronic documents, screenshots, or videos can increase their weight in court.

It is important to remember: Each case is individual. The court will take into account all the circumstances and evidence in the aggregate to make a decision.

If my website already blocks cookies before obtaining consent, can it be held liable for past violations before the GDPR?

Theoretically, yes, it is possible to be held liable for past GDPR violations when using cookies, even if the website already blocks cookies before obtaining consent at the time of the case.

Key points:

  • GDPR retrospective: the GDPR applies to all data collected after May 25, 2018, regardless of when the breach itself occurred.
  • The statute of limitations: The GDPR does not set a clear statute of limitations for prosecution. As a general rule, it is 3 years from the date when the aggrieved party learned or should have learned of the breach, but not more than 5 years from the date of the breach itself.

Practice of application:

Although it is theoretically possible to hold a company liable for past violations, in practice it is less likely if:

  • The violations were minor: these are cases of unintentional or insignificant violations of GDPR requirements.
  • The website owner remedied the violation in a timely manner: implemented cookie blocking before obtaining consent and took other necessary measures to bring the website into compliance.
  • No user complaints: Data protection authorities often initiate investigations based on complaints from affected parties.

Recommendations:

  • Don’t ignore past violations: Even if your site is already GDPR compliant, analyze your previous cookie practices and take steps to address any identified deficiencies.
  • Keep documentation: record all changes and improvements made to your website to ensure GDPR compliance. This will be an additional argument in case of claims from regulatory authorities or users.

Remember: Each situation is individual, and only a legal examination of a particular case can provide an exhaustive risk assessment and recommendations for protection.

What is the responsibility for violating the GDPR when using cookies if my website uses third-party services (analytics, advertising)?

The use of third-party services (analytics, advertising) does not relieve the website owner of responsibility for violations of the GDPR when using cookies. The GDPR provides for joint liability for both the data controller (website owner) and the data processor (third-party service).

Responsibility of the website owner:

  • Duty of due diligence: before connecting any third-party service that uses cookies, the website owner is obliged to carefully check it for compliance with the GDPR (availability of a privacy policy, technical and organizational security measures).
  • Conclusion of a contract with the data processor: the contract should clearly define the rights and obligations of the parties regarding the processing of personal data, including the terms of use of cookies, data transfer, security, etc.
  • Informing users: the website owner is obliged to inform users about the use of cookies by third-party services, obtain consent to their use (if necessary) and provide the opportunity to manage settings.

Responsibility of the third-party service:

  • Compliance with GDPR requirements: the data processor is also obliged to comply with all GDPR requirements regarding the processing of personal data, including the use of cookies, even if it is data received through another website.
  • Restrictions on data processing: the data processor has the right to process personal data only within the framework of a contract with the data controller and in accordance with its instructions.

Consequences of violations:

In case of violation of the GDPR requirements when cookies are used by third-party services, liability may be imposed on both the website owner and the third-party service, or both at the same time. The amount of the fine and other sanctions will depend on the severity of the violation and other circumstances of the case.

Important: The use of third-party services does not relieve the website owner of responsibility for the protection of users’ personal data. You should carefully choose the services and monitor their operation in terms of GDPR compliance.

Can a user claim compensation for violations of the GDPR when their data collected through cookies is used? If so, under what conditions?

Yes, the GDPR gives users the right to claim compensation for material and moral damages caused by a violation of their personal data protection rights, including the illegal use of cookies.

Conditions for compensation:

  1. Violation of the GDPR: it must be proven that the website owner has actually violated the GDPR when using cookies (for example, collected data without consent, failed to provide access to data or failed to ensure its security).
  2. Damage: the user must prove that he or she has suffered material (financial loss) or non-pecuniary (stress, loss of reputation) damage as a result of the violation.
  3. Causation: there must be a direct link between the GDPR violation and the damage caused to the user.

The procedure for claiming compensation:

  1. Pre-trial settlement: the user must first file a claim with the website owner for damages.
  2. Lodging a complaint with a data protection authority: if the pre-trial settlement fails, the user has the right to lodge a complaint with the relevant authority.
  3. Legal action: the user has the right to defend his or her rights in court if the previous steps are ineffective.

Court practice:

The number of cases regarding compensation for GDPR violations when using cookies is constantly growing. The courts consider each case individually and take into account all the circumstances of the case to make a decision.

Important: Do not underestimate the risk of claims for damages from users. Ensuring website compliance with the GDPR, including the use of cookies, is a reliable way to avoid financial and reputational losses.
