GDPR pain point 2 – Cookies

A flurry of GDPRings

Leading up to and following the recent introduction of comprehensive European Union data protection regulation, in the form of the GDPR, we’ve been prolifically posting about: how we initially achieved world class information security status in the form of our newly minted ISO 27001 accreditation; our broad position in relation to our own GDPR compliance requirements and the nuanced handling of our clients’ data subjects’ personal information; our comprehensive suite of GDPR documents and implementations; and a pain point we encountered on our GDPR journey involving third parties and third countries.

This is probably the last GDPR post in this round, dealing as it does with our final GDPR pain point, cookies.

What is a cookie?

A cookie, in this context, is

A small text file (up to 4KB) created by a website that is stored in the user’s computer either temporarily for that session only or permanently on the hard disk (persistent cookie). Cookies provide a way for the website to recognize you and keep track of your preferences.

~ PC Magazine Encyclopedia. (n.d.). Retrieved from

Cookies and GDPR

Interestingly the GDPR makes only one, albeit far reaching, mention of cookies in Recital 30, stating:

“Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Taken alongside Recital 26, the GDPR is clearly stipulating that if a cookie can identify an individual via their device, the information processed by that cookie must be considered personal data.

The arduous nature of compliant cookie handling under GDPR

Arguing for a lawful basis of cookie processing that isn’t “consent” is awkward to say the least. None of the other lawful bases the GDPR offers really fit the cookie use case. This is important because if consent is the lawful basis given for cookie processing, then website owners are in a situation where explicit opt-in for cookie processing is required. This gives rise to the need to block essentially all cookies from operating until an explicit opt-in is received from the visitor.

Technically speaking this is a very tricky problem to solve. Cookies come from a vast array of places, especially within a WordPress website where all sorts of plugins might be installed. What’s more, the code for many of the scripts operating those cookies is minified, which essentially makes them unreadable and, therefore, inaccessible to external control, meaning there is no obvious way a website can block the cookie before explicit consent is received.

As already stated: arduous.

A Pragmatic Solution

Mindful that the GDPR is very young legislation with no case history, we’re taking the view that producing the most robust and complete GDPR compliance we can right now will be enough for the ICO. Especially since we’re not just stopping there: we fully intend (some might say “rabidly intend”) to deliver the 100% compliant solution as soon as possible. In the meantime, though, a workable “best foot forward” is in order.

Our initial (Alpha) GDPR compliance release handled this pain point in a fairly simple way. We assert “legitimate interest” as the legal basis for our cookie processing, put a clear cookie banner on our site offering the visitor the opportunity to accept cookies, whilst pointing them to a privacy notice that tells them how to block all cookies (using their browser settings) if they wish. Aside from “legitimate interest” being a rather awkward legal basis for cookie processing, this is a watertight GDPR solution. Given that the fully compliant solution is just out of reach right now we’re confident the ICO will accept this as a temporary compliance measure.

We call this the Atlassian solution to GDPR cookie compliance because we first came across it on the Atlassian privacy policy. Since then we’ve noticed many of the world’s major technology providers adopting the same kind of solution.

The Bull by the Horns

As mentioned, we’re not stopping here. As of this writing our support and information security departments are grappling with an existing WordPress cookie solution that’s at least 85% of the way to a full-power, across-the-board GDPR cookie solution. We are in conversation with the plugin authors trying to figure out how to plug the remaining 15%.

Barring acts of God and truly impossible technical impasses, we are confident that we’ll have a 100% GDPR compliant cookie solution on our website and available for our customers in the not too distant future. For sure we’ll keep you posted.