Your guide to manage cookies on your website
Need a guide to understand the whys and the hows of using cookies on your website?
You have decided to dive into the management of cookies on your website, but you find it to be a real head-scratcher …
We prepared a guide to help you see things more clearly!
If your site is an e-commerce site or a school site, don’t hesitate to consult our specific articles.
What is a cookie?
A cookie is a small text file that will be placed on the terminal (computer, smartphone, tablet) or the browser used by the visitor of your website. This file will collect different information depending on the purpose of the cookie.
The purpose of the data collection will determine the category of the cookie and, along with other criteria, whether you need the visitor’s consent to place or read it (if already placed).
You should know that there are also other technologies that can be used nowadays in place of cookies, but these technologies are still subject to the consent rule (and its exceptions).
According to their retention period
It is stored in the browser used by your visitor to browse the site. When the browser is closed, it disappears.
It is stored on the device used to browse the site and has a lifetime defined in the cookie management policy.
According to who has access to the data collected by the cookie
Proprietary / “internal” cookie
The cookie is set by your domain (online location of your site, which is written in the browser’s address bar).
Third party cookie
The cookie is requested by your site but placed by domain other than yours.
e.g. : If your site uses elements from other sites (plugins, images, social network buttons, etc.)
According to their purpose of use
To enable the site to function or to allow the site visitor to use the features they have requested.
e.g.: site security, cookie consent management
To measure and analyze the audience of the site.
e.g.: number of visits to the site, identifying the most visited pages
To enable a user-friendly and personalized experience (improve navigation on the site).
e.g.: integration of content from a third party platform.
To present the visitor with advertisements targeted to their presumed interests or to try to understand their interests.
No official and universal catalog of cookies
These different categories do not correspond to categories defined by law.
You may therefore come across slightly different terminology and the same type of cookie may be listed under different categories from one site to another.
These categories are, above all, there to help the visitor of your website understand your objective (or that of the third party depositing cookies through your website) when you want to deposit a cookie on their computer, smartphone or tablet.
But depositing cookies can only be done under certain conditions, which are well defined by the law based on the European directive EPrivacy.
How to legally collect data via cookies ?
Your visitor must be informed of the fact that your site is going to place cookies on their terminal (PC, smartphone, tablet, etc.) or browser
You should always make sure that you inform the visitor of the presence of cookies (whether you need their consent or not).
In some cases, your visitor must have given his or her consent prior to depositing/reading of cookies.
When consent is NOT required
There are two situations (defined by the EPrivacy Directive) where cookies can be deposited and read without having to ask for your visitor’s consent:
1°/ The cookie is only used to enable or facilitate electronic communication.
This is the case if the cookie is used for one of these three technical aspects:
– routing information on the network, in particular by identifying the terminals targeted by the communication;- exchanging data elements in the intended order, including numbering data packets;
– detecting transmission errors or data loss.
2°/ The cookie is strictly necessary/essential to provide the online communication service requested by the site visitor.
This is the case if the following two conditions are met:
-The functionality does not work without the cookie;
– The functionality was explicitly requested by the visitor.
Examples of cookies that do not require consent :
– cookies that retain the visitor’s choice regarding the deposit of other categories of cookies
– cookies that retain the contents of a shopping cart for a certain period of time
– cookies that authenticate a user account
– security cookies that protect the visitor against malicious login to the user account
– plug-in cookies for sharing content on social networks, only if they are targeted at visitors who are members of the social network in question when they are logged in to that network at the time of browsing.
Additional elements to determine if a cookie can take advantage of one of the exemptions.
Just as there is no official cookie catalog, there is also no definitive list of which cookies can be deposited without your visitor’s consent.
Why is that?
Because the context of the cookie’s use (your specific use, how long it is kept, who will have access to the data) is just as important as the cookie itself.
There are, however, guidelines that we can use to provide additional guidance:
– If a cookie collects information that could be used for more than one purpose, each purpose should be evaluated to determine whether or not it requires the visitor’s consent.
– If the lifetime of the cookie is completely disproportionate to its purpose, it may require consent (whereas under the EPrivacy Directive criteria, it would be exempt).
When consent is required, it is not just any consent.
Indeed, it must meet four criteria defined by the GDPR to be valid.
It must be:
– Unambiguous (without ambiguity)
– Free (without constraint)
– Specific (one use of the data, one consent)
– Informed (having informed the visitor)
Your visitor will always have the right to change their mind and withdraw their consent. Withdrawing consent should be as easy as giving it.
Warning: Setting up a complex system to discourage your visitor from withdrawing consent amounts to using dark patterns and is illegal.
The issue of choosing your cookie management tool
The choice of your cookie management tool is important to guarantee sufficient information and valid consent.
Avoid tools that :
– deposit all cookies by default and delete those not selected by the visitor after they have made their choice;
– provide consent buttons that are pre-checked;
– give more prominence (color, size, location) to the “consent to all cookies” button over a “refuse non-essential cookies” button;
– include a variation of the traditional “if you continue to browse this site, we consider that you consent to the use of all cookies” in the text of their banner.
In fact, these practices do not comply with the legal obligations imposed by the EPrivacy Directive and the GDPR.
Can you use your “legitimate interest” to justify the deposit or reading of data collected via the cookie?
The EPrivacy Directive is very clear on this subject: either you have the consent of your visitor, or you are in a position to dispense with that consent. There are no other options.
However, we still regularly see banners that let the visitor accept or refuse the deposit of marketing cookies from third-party “partner” companies and that, if the visitor refuses, deposit the cookie anyway using the legitimate interest of this partner company as justification.
This very questionable practice should also be avoided, especially if you want to avoid problems.
We hope that you have a better understanding of which cookies to use on your website and how to integrate them in a compliant way.