- GDPR cookie consent involves obtaining users’ consent to activate cookies to collect specific data on a website. Consent may be given for all cookies, for specific cookies, or for no cookies at all. Cookies are considered “online identifiers,” part of personal data.
Cloud-hosted companies that operate websites with global traffic must know about GDPR and cookies. In May 2020, the EU released an update to clarify their specific position around cookie usage.
Cookies give important insights to companies about the activity of their website visitors.
Cookies are small files sent by websites to the visitor’s device, which are used to monitor the visitor’s online behavior and remember information such as login information or cart contents. They’re intended to enhance the visitor’s online experience but concerns around accessing and reselling personal data have given rise to the legal requirement for cookie disclosures.
They store vast amounts of information that can potentially be used to identify you without your consent.
GDPR categorizes cookies as “online identifiers” that are part of personal data, hence they require consent.
Cookies embedded by services like Google Analytics, HubSpot, Shopify, and social media plugins are common ways in which personal data is collected. 80 percent of consumers around the world revealed that they would stop patronizing a brand if their data was used without their permission. Amid growing data privacy concerns, Google intends to stop using third-party cookies by the end of 2023.
EU’s data protection authorities levy fines for failure to implement GDPR cookie consent requirements. Notably, the data protection authority of Austria banned Google Analytics on European websites for violating GDPR rules.
When you comply with GDPR cookie requirements, you also conform to the ePrivacy Directive or Cookie Law (EU). Soon, it may be replaced by an even more specific law called the ePrivacy Regulation.
In this article, we will help you understand GDPR cookie consent and how you can implement it on your website.
What is Cookie Consent?
Cookie consent refers to getting users’ consent to activate cookies and trackers that collect specific data on a website. Cookie consent may be given to all cookies, some cookies based on category (like social media), or no cookies at all.
Global privacy laws like the GDPR, the ePrivacy directive or Cookie Law (EU), and the California Consumer Privacy Act (CCPA) mandate cookie consent.
How Does Cookie Consent Work?
GDPR cookie consent is specific, unambiguous, informed, and freely given consent to website visitors to accept, deny, or set their preferences for the use of all cookies or specific types of cookies on that website. When a visitor first lands on the website, cookie consent is given through banners, clickwraps, or site pop-ups.
Tracking cookies or “trackers” are small files placed on websites by third-party advertisers to monitor the user’s web browsing activity, location, purchase history, device information, search queries, and so on.
Cookie consent is important to prevent companies from violating your data privacy by tracking your personal information.
What is Data Privacy?
Also known as information privacy, data privacy is a branch of information security that is involved in the proper handling of sensitive data, especially personal data, to meet regulatory requirements and protect its confidentiality and integrity. It also involves handling other confidential data like intellectual property data and certain financial data.
Data privacy laws revolve around:
- If and in what manner data is shared with third parties
- How data is legally gathered and stored
- Regulatory limitations like the GDPR, CCPA, GLBA, or HIPAA.
“Privacy forms the basis of our freedom. You have to have moments of reserve, reflection, intimacy, and solitude,” says Dr. Ann Cavoukian, former Information & Privacy Commissioner of Ontario, Canada, and the creator of Privacy by Design (PbD).
GDPR Cookie Consent Requirements
As per GDPR cookie consent requirements, the basic guidelines for legally using cookies are:
- Be aware of what cookies your site uses and which cookie categories they belong to
- Use non-essential cookies only after users have consented to them.
- Allow users to change their cookie preferences at any time or to withdraw consent completely.
- Honor the preferences and consent of users.
- Maintain retrievable logs of users’ consent preferences.
A cookie consent banner is a cookie notice displayed on websites when a user first visits it. The notice informs users about the existence of cookies on the website and their rights with respect to it. It also requests users’ consent to deploy the cookies in the first place.
Cookie consent banners should be used by the following websites:
- Those that have EU-based users i.e that have cookies not actively blocking EU-based users
- Those belonging to an EU-based entity irrespective of whether their users are based in the EU
Cookie notice requirements are:
- Must briefly explain the purpose of the cookies installed by the website
- Should be adequately noticeable
- Must clearly mention whether accept and reject options will signify consent
- Should provide details of the type of cookies, purpose, use, and related third-party activity
Implementing GDPR Cookie Consent on Your Website
Follow these seven steps to get your website GDPR compliant with respect to cookies:
- Get the user’s permission before installing cookies
Before deploying cookies on the user’s device, you need to get prior consent. Cookies have to be classified, labeled, and set according to the consent preferences of the user. This task can be automated using a cookie management platform.
- Make sure checkboxes are not pre-checked
Cookies that handle personal data must be actively opted into by users. For consent to be valid, there should be an unambiguous indication of the user’s wishes in the form of a clear affirmative action or statement.
Essential cookies cannot be disabled because they are whitelisted and necessary for the website to function properly.
- Keep website accessible during the consent choices
Ensure that the user does not encounter a cookie wall that prevents entry to a website unless the user provides full consent to all cookies.
- Check that the consent given can be easily changed
Even after users have granted consent to cookies, enable them to change or withdraw consent at any time. Present this option in the footer, on the cookie declaration page, or as a widget.
Give your users confidence that they can manage their privacy settings on your website any time they want.
- Give an option to easily erase or delete data
Users should have the option to easily erase or delete their data from the website.
- Register given consent
The GDPR requires you to register all consent visitors have granted to place tracking cookies on their devices. The European Data Protection Board (EDPB) allows website owners to do this in any manner they want.
Logs should contain:
- Who? E.g. by logging the IP address
- When? E.g. by logging the date and time
- What? E.g. by logging consent granted along with the category of cookies
- Inform visitors about cookies set by your website
Publish a cookie declaration to ensure your visitors are aware of all the cookies on your website. Provide accurate and precise information about the cookies. List them along with their origin, length, and purpose.
Categorize your cookies (required/essential, analytics, preferences, and marketing) and provide a description of the purpose.
The cookie declaration displays the user’s current consent status and enables them to accept or reject their consent.
Various countries have taken steps to protect the personal data of their citizens, but data privacy law has not been taken seriously. This state of affairs is set to change with the GDPR. Cloud-hosted companies will now have to be extra careful about how they obtain consent and collect, store, and use personal data.
Cookie consent shows how challenging it can be to interpret the GDPR’s guidelines. Throughout its 88 pages, it mentions cookies only once (in Recital 30) and indirectly as “online identifiers.” Thus, cloud-hosted companies attempt to take shortcuts to compliance and consequently attract fines.
FAQ: GDPR Cookie Consent
- How to update the cookie list on GDPR cookie consent?
Different ways in which you can update your Cookie List:
- Add cookies directly from the Cookie Scanner after you scan your website
- Export the results from the scanner, if necessary edit the results, and use the Import from CSV option from the Cookie List to import the results.
- Manually input the cookie details into the Cookie List using the Add New option
- Create a CSV file manually and import it from the Cookie List using the Import from CSV option.
- What is GDPR cookie consent?
The GDPR has specific standards for valid consent when gathering personal data from users. With respect to cookies, these standards are called GDPR cookie consent requirements.
GDPR cookie consent has two main requirements:
- Article 4: defines consent as a clear affirmative action that should be freely given, unambiguous, specific, and informed.
- Article 7: mentions additional requirements for consent, such as providing proof of consent, drafting consent requests in clear, easily accessible, and plain language, and giving the ability to withdraw consent.
- How to comply with GDPR cookie consent?
The GDPR mentions cookies as “online identifiers,” which are a part of personal data. To gather information stored in cookies, companies have to first obtain the user’s consent. This means that websites must seek consent before storing cookies on a user’s browser. The GDPR, along with the ePrivacy directive, establishes cookie consent requirements in the EU.
Cookie consent has the following requirements:
- Consent should involve an affirmative act or positive action like clicking on an “Accept” button
- Consent should be freely given; no pre-checked boxes or notice-only GDPR cookie banners
- Consent should be specific and not bundled with other terms and requirements
- Consent should be informed so users know what they’re accepting or rejecting
- The consent banner should use easy-to-understand, plain language and offer transparent information
- Consent should be unambiguous i.e. there should be no doubt about the user’s intention in giving consent
- The consent banner should be easily accessible, should include necessary information in the first layer, and should not require users to navigate the website to accept or reject the consent
- Consent should be recorded to demonstrate that users have given consent, in case data protection authorities wish to check
- Consent should be revocable at any time the users wish and it has to be easy to revoke consent
- What happens if I don’t comply with the EU GDPR cookie consent WordPress plugin?
If your company does not comply with EU GDPR cookie consent requirements, you can get sanctioned up to 4% of your annual global turnover or fined up to €20 million (whichever is greater).
According to Article 83, there is a tiered approach to levying fines. E.g. you can be fined 2% for not having your records in place, not performing an impact assessment, or not informing the supervising authority and data subject about a data breach.
- How to list my cookies in the GDPR cookie consent plugin?
Follow these steps to activate your GDPR cookie consent plugin:
- Reach your WordPress admin dashboard by scrolling to Plugins -> Add New.
- Click the Install button to start installing Cookie Consent
- Click the Activate button to activate the GDPR Cookie Consent (CCPA) plugin.
The GDPR Cookie Consent (CCPA) plugin will now list your cookies.