The ePrivacy Directive requires website operators and other online providers that set cookies on their users' devices to provide visitors with clear and comprehensive information about the purposes for which the cookie is stored and accessed.
The GDPR specifically refers to cookies and states that:
“Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” (Recital 30)
In other words, where a cookie is used to uniquely identify a device, or in combination with other data, the individual associated with or using that device, then it should be treated as personal data. The use of pseudonymisation, for example, random strings of numbers or letters, which is what cookies typically contain to give them uniqueness, still makes them personal data.
As a result of this wide-reaching definition the GDPR and the ePrivacy Directive together are likely to cover nearly all forms of advertising/targeting cookies; web analytics; and functional services such as online chat or login credentials.
Because the GDPR moves away from implied consent and introduces the idea that consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of agreement to personal data processing then it should come as no surprise that cookies, which may capture personal data, will also require an opt-in style consent.
Falling back on a concept such as legitimate interest is also not recommended. Legitimate interest is not a “free pass” to get around consent and the first port of call should always be an attempt to get fully informed explicit consent in a recorded format. The GDPR sets out conditions for using legitimate interest, for example, considering whether the relationship between the organisation (as data controller) and the data subject is such that, on balance, the interests of the organisation out weight that of the data subject. In the context of a website and, in particular, where the organisation uses third-party cookies for profiling and analytics then it would be difficult to argue that the organisation has a legitimate interest that out weights the rights and freedoms of a data subject. If an organisation were to rely on legitimate interest for the purposes of placing cookies then this would not trump the right of the data subject to object to that processing taking place – so even if the organisation could rely on legitimate interest and set cookies without consent then it would still need to provide the data subject with the ability to opt-out at which point you may as well incorporate opt-in style consent.
It is important to keep in mind that the purpose of the GDPR is to give the data subject greater control over their personal data – the legislation is not drafted with the commercial interests of the organisation in mind. Rather than focusing on legitimate interest or other means that are less optimal, the organisation should focus on ensuring that the website has the requisite functionality and features to handle cookie compliance.
This is not new law and has been around, in some shape or form, since 2011.
How to use this policy
Last Updated: 13:06.2018
Thank you for visiting the Circulation Foundation
Please read the following carefully to understand our views and practices regarding cookies and how we use them when you visit our site.
For convenience, we have divided our data protection policies into three separate pages:
This policy explains more about how we may collect personal information about you via cookies (it also explains what cookies are).
3. Our Retention Policy
You can find out how long we may hold onto your personal information.
If you have any questions please do not hesitate to contact our appointed Data Privacy Officers, Fitwise Management Limited, at email@example.com or, if you prefer to call or write to us, then you can find our contact details at the bottom of this page.
WHO WE ARE
The Circulation Foundation is the charitable foundation of the Vascular Society. Charity Number: 1102769. We are the Vascular Society. We are registered in England as a limited liability company. Our registered number is 05060866 and our registered office is at 146 New London Road, Chelmsford, Essex, England, CM2 0AW.
WHAT IS A COOKIE
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your device. Cookies are widely used throughout the Internet in order to make sites or other online services work or to be better or more efficient. They can do this because sites and other online services can read and write to the cookies stored on your device, enabling them to recognise you and remember important information that will make your use of them more convenience, for example, by remembering your preferences, username, or showing you pages that you seemed to have a particular interest in.
If you consent to us storing cookies on your computer or other electronic device then you agree that we can store and access cookies as described in this policy.
HOW YOU CONSENT TO US PLACING COOKIES
If you do not click or select the “ok” button that appears in the overlay then we will not place cookies on your device.
The duration of each cookie that we may place on your computer can be found in our Retention Policy [HERE].
There four different categories of cookies that we may use on our site:
Analytical/performance cookies: Performance cookies allow us to recognise and count the number of visitors and to see how visitors move around our site when they are using it. This helps us to improve the way our site works, for example, by ensuring that users are finding what they are looking for easily. These cookies also allow us to see overall patterns of usage on our site and help us record any difficulties you may have with our site.
Functionality cookies: In some circumstances we may use functionality cookies. These are used to recognise you when you return to our site or provide enhanced and more personalised features, for example, to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
Targeting cookies: We and our service providers and partners may use targeting or advertising cookies to record your visit to our site, the pages you have visited and the links you have followed. For example, we may use targeting or advertising cookies to limit the number of times you see the same ad and to help measure the effectiveness of any campaigns. We may also use this information to make our site and any advertising (if applicable) displayed on it more relevant to your interests.
If you would like more information about cookies and how you can manage the settings on your computer, you can visit http://www.allaboutcookies.org/manage-cookies/.
COOKIES WE USE
You can find more information about the individual cookies we use on our site and the purposes for which we use them in the table below:
Purpose and Content
[Example Cookie 1]
Used to distinguish users and sessions when they connect to our site
Randomly generated number
[Example Cookie 2]
Used to determine new sessions/visits
Randomly generated number
The cookies used by Google Analytics are used to collect information about how you use our site. We use this information to compile reports and to help us improve our site. The cookie collects information in an anonymous form, including the number of visitors to our site, where visitors have come to the site from and the pages that they visited.
You can read more about Google’s overview of privacy and safeguarding your data at https://support.google.com/analytics/answer/6004245.
HOW DO I CONTROL COOKIES?
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site. You may also delete any cookies stored on your computer at any time.
You can find out more about changing cookie settings on your computer by visiting http://www.allaboutcookies.org/manage-cookies/.
HOW LONG IS COOKIE INFORMATION STORED?
Different cookies may be stored for different periods of time. In many cases these cookies are updated automatically each time you visit our site or may expire and be deleted by your computer automatically. It is important to understand that when a cookie is placed on your computer it will reside on your hard drive until it expires and is deleted or it may reside on your hard drive until you manually delete it – this entirely depends on your individual browser settings and we do not have control over this.
The duration of each cookie that we may place on your computer can be found in our Retention Policy.
Please remember that you can delete or change the way in which you store cookies on your computer at any time.
MORE ABOUT YOUR PRIVACY
Data Privacy Officers
Fitwise Management Limited
Telephone: +44 (0)1506 811077