Legal guidance for Cookies
We have collected legal information about cookies and consents that are important to understand when using CookieTractor.
As a CookieTractor user, you are the data controller for the cookies you place on your website. "Cookies" here refers to all cookies, trackers, pixels, and similar technologies. CookieTractor does not process any personal data to handle your consents.
As a personal data controller, you are required by GDPR to:
- Obtain consent when needed
- Manage obtained consents
- Ensure that there is a legal basis under GDPR for any processing done without consent
- Inform about the processing of visitors' personal data in accordance with pre-determined rules
CookieTractor helps you to obtain the necessary consent directly in the tool.
When do you need consent?
According to the E-Privacy Directive 2002/58/EC, consent is not required for cookies necessary to provide a service explicitly requested by the user. Such cookies may be used to:
- Enable an app, game, or other services to work
- Store a shopping cart until an e-commerce purchase is completed
- Remember that the visitor consented (to certain cookies)
- Save other information that the visitor has chosen to save
Visitor statistics and marketing
Consent is required by the E-Privacy Rules for activities such as:
- Other monitoring of user behavior
Consent as a legal basis for personal data processing under the Data Protection Regulation 2016/679/EU (GDPR) is almost always required for:
- Saved shopping carts
- Marketing to Custom Audiences and Lookalike Audiences
- Lead forms, lead ads
- Remarketing, retargeting
- Other collection of personal data for marketing purposes
This type of activity/cookie should always be defined as visitor statistics or marketing in the tool. If it does not end up there automatically, you need to go in and change the category of the cookie, which will move it to another category. You also need to customize your script integrations so that they respect the choices made in the consent box. Learn how to do this in the setup instructions.
For those cookies that require consent, certain rights are attached. This means that the visitor should be able to:
- Choose not to consent
- Withdraw their consent
- Block cookies
- Review which cookies may be placed
- Delete the placed cookies
CookieTractor helps with the processing of your consents in the following way:
Choose not to consent
Directly in the consent modal, the visitor can actively consent to both visitor statistics and marketing cookies, consent to only one of these categories, or opt out.
Withdraw their consent
You place a link to change the cookie settings on your website that enables the visitor to withdraw their consent through renewed settings directly in the consent box. Learn how to do this in the setup instructions.
By not actively selecting Visitor Statistics and/or Marketing, these cookies will be blocked for the visitor.
Review which cookies may be placed
By following the link "Read more about our cookies" in the consent modal, the visitor can review which cookies may be placed.
Please note that the information provided about each cookie is based on CookieTractor's standard texts of known cookies. You need to verify this information for each cookie. You may need to supplement with information if it is missing.
Delete the placed cookies
Cookies are a technology that can entail personal data processing, such as storing an IP address or information about user behavior that can be linked to an individual. For all personal data processing, explicit legal support is needed according to Article 6 GDPR, a so-called legal basis.
Consent as a legal basis
Consents that comply with the requirements set out in Article 7 GDPR constitute a legal basis for processing personal data. This means that the consent:
- Must be proven
- Must be voluntary
- Shall be specific, explicit and distinct, and separate from other consents or approvals
- Must be informed
- Can be revoked
You prove that consent has been given by storing the consents obtained in CookieTractor. Each consent receives a specific key that the visitor can see when they open the consent modal again. If the visitor has questions about what consent has been given, they can provide this key to you, after which you can verify the consent by searching for it in the tool.
The website must be functional without consent for visitor statistics and marketing cookies. These cookies may never be placed until consent has been obtained. CookieTractor will help you with that, but remember that you need to customize your script integrations to respect the choices made in the consent box. Learn how to do this in the setup instructions.
CookieTractor separates consents for cookies from other approvals that can be made on your website. The visitor chooses at category level which cookies to consent to, so that it is easy to understand what is being agreed to. We strive to use as simple language as possible in CookieTractor's standard texts; if you think something is unclear, you should correct it. The same requirements apply to the wording you add for cookies that do not have standard text.
See more under section 4 Information about personal data processing below.
It must be possible to revoke consent at any time, as simply as it was given. The visitor can do this by following the website's link to the consent box and renewing their choices. By not actively selecting Visitor Statistics and/or Marketing, these cookies will be deleted. Third-party cookies are deleted in the browser settings.
Balancing of interests as a legal basis
If you do not obtain consent for cookies that involve personal data processing, you will need a different legal basis under Article 6 GDPR. An example of this is legitimate interest, also known as the balancing of interests. A balancing of interests shall be documented and may, for example, be applied to provide certain services, such as functionality on a website.
Information about cookies
According to Chapter 6, Section 18 of the Electronic Information Act, a visitor receives information about which cookies are placed and the purposes of each cookie's processing. This information is provided directly in CookieTractor. If it is missing from our standard texts, you need to fill in the purposes for which you use the cookie.
Information about personal data processing under Articles 12-14 GDPR
According to GDPR, there are pre-determined rules about what information you as a data controller must provide when processing personal data. You can easily do this in a personal data policy or similar document available on your website.
Please note that the GDPR's information requirements apply in addition to the requirements of the Electronic Communications Act regarding the cookies that involve personal data processing (e.g., IP addresses or information about user behavior that can be linked to an individual). For example, under Articles 13 and 14 GDPR you must state, in addition to the purposes of the processing, what legal basis you have for the personal data processing, who besides you can access the data, and what rights the individual has under the data protection regulations.
Good to know
To be able to inform visitors, you need to know which cookies you use on the website. It is important to have an initial inventory and a routine for noticing when you start using new tracking. CookieTractor will automatically conduct a monthly search for cookies and update your cookie list with anything added or removed. You will receive an email after each search informing you of what changes have occurred. It is also good to review whether you actually use your cookies or whether some can be discontinued because they are not actively in use.
When you use third-party services, such as various plug-ins, like-buttons, and similar, there is a high risk that you are joint personal data controllers with the third party whose service you use. The requirements for joint data controllers can be found in Article 26 GDPR and mean that you need to develop a joint arrangement with the third party to determine your respective responsibilities according to the data protection regulations.
You also need to review your agreements with the third party to determine whether they comply with applicable laws and regulations concerning third-country transfers. You also need to keep track of how the agreements are updated and monitor the changes that are being made, which may impact your personal data responsibility and, for example, the information you should provide.
Third country transfers
With the Schrems II judgment (C-311/18), the legal situation for third-country transfers to the United States became unclear. Third-country transfer means that you (the cookie you are responsible for placing) distribute personal data (such as IP addresses or information about user behavior) to a party (a company or organization) that has its registered office in a country outside the EU/EEA. It does not matter if the party has its servers within the EU/EEA if someone in the company or organization has access to the personal data.
If you wish to use services that involve third-country transfers of personal data, you must ensure that you have special legal support for it under Chapter 5 of the GDPR.