The key legal instruments currently applicable to cookies are:
across the EU, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); and
The latter is the UK’s implementing legislation for the former. The consolidated version of the UK regulations is not available on the legislation.gov.uk website and the text of the relevant Regulation (No 6) has been updated since 2003 – so use with care.
New legislation on cookies is currently going through the EU legislative process, but this is not expected to become law until 2020 at the earliest.
After you have downloaded the policy, you will need to open it in your word processing software for editing.
With respect to each of your categories of personal data, you will need to determine the purposes for which the data is processed and – this is often the hard bit – the legal basis for processing. Possible legal bases are individual consent, the performance of a contract, and your legitimate interests.
You will also need to identify recipients or categories of recipients, as well as relevant data retention periods.
Guidance notes are included in the template to help with the editing process.
This policy is intended to be easy to use, but data protection law in general and the GDPR in particular are difficult to use.
Data protection law is necessarily built of abstractions, but some of the abstractions at the heart of the GDPR do not map easily onto the real world. The European Data Protection Board (EDPB) has produced voluminous guidance on the application of the GDPR, but the very existence of this guidance highlights the problem. If the law were clear, the guidance wouldn’t be needed. In many cases, the guidance either overreaches or dodges the difficult issues.