GDPR Cookie Consent: Is it Required & How to Comply?

If your business falls under any major data privacy regulation, you’ll likely need to implement some form of cookie consent. Sites that fall under the GDPR must comply with GDPR cookie consent rules, which set one of the highest standards.

You may wonder if this applies to your business. And, if so, how can you implement GDPR cookie consent?

In this article, we’ll cover the nuances of GDPR cookie consent requirements and how they apply. We’ll also guide you through tips to implement a GDPR cookie consent notice for thorough compliance.

Let’s get into it!

Key Takeaways

  • If your site collects personal data on EU citizens or monitors EU citizens in any shape or form, you’ll need to comply with GDPR cookie consent.
  • GDPR cookie consent involves understanding what cookies your site uses, communicating it with site users, and requesting permission to deploy cookies.
  • To be compliant with the GDPR, your site’s cookie banner will need to be clear, accessible, and free of non-compliant practices like cookie walls.

Cookie Consent Explained

Cookies are essential for improving website convenience and can be useful for helping developers enhance certain aspects of a website. Some cookies are responsible for site security, while others can collect useful marketing data for businesses. 

Most websites will deploy some types of functional, performance, and marketing cookies, and all sites will deploy essential cookies at the very least.

However, sites that fall under most major data protection regulations are required to ask users for permission to deploy cookies. This is called “cookie consent.”

However, the process of asking for consent to deploy cookies differs across regulations. For example, GDPR cookie consent banners have different best practices from CCPA or LGPD cookie consent banners.

You’ve probably noticed that some websites will have pop-up cookie banners covering the content, while others may have a small cookie consent box on the page’s side. It all depends on who a site caters to and which regulations it falls under. 

Does GDPR Require Cookie Consent?

Rupert Brown, CTO and Founder of Evidology System, says:

"The regulations governing cookies are split between the GDPR and the ePrivacy Directive. GDPR typically expects more formal consent to any form of data retention and processing."

However, it is worth noting that there are certain exceptions, such as in the case of strictly necessary cookies. 

In Article 30, the GDPR mentions “cookie identifiers” that can be used to identify and associate with natural persons when “combined with unique identifiers and other information received by the servers.”

Essentially, what this means is that while cookies may not contain personal data directly, they can be used to “create profiles” and “identify” people. As such, you’ll need to obtain user consent for cookie collection under the GDPR principles.

The GDPR cookie consent regulations require businesses to get cookie consent before deploying them. The only exceptions are for strictly necessary cookies. These cookies aren’t used for marketing or to collect users’ data for identification, which makes them exempt from GDPR cookie consent.

Failure to get GDPR cookie consent can result in major fines. In many cases, a cookie consent violation will be regarded as a “less severe” violation, and the business may be fined 2% of its annual revenue or 10 million euros.

How to Comply with GDPR Cookie Consent

Since the GDPR and the ePrivacy Directive are among the strictest data privacy regulations to date, you’ll need to be thorough with your cookie compliance.

Here are some steps to help you comply with GDPR cookie consent:

1. Determine Whether the GDPR Applies to You

Before you go about ensuring GDPR cookie compliance, first determine whether your site falls under the GDPR.

Your website has to be compliant with cookie consent best practices if it processes EU citizens' data. Article 3 of the GDPR states that this is “regardless of whether the processing takes place in the Union or not.” In other words, the location of your business doesn’t matter. Only the location of the customer does.

You can always check where your site’s traffic is coming from, whether you’re targeting international consumers, and whether EU citizens can use your products or site.

If you have to comply with the GDPR, you’ll need to ensure your privacy policy is in line with GDPR principles. Unless you’re an expert, it’s best to do this with a personal data compliance solution.

2. Audit Your Cookies

If your website falls under the GDPR, you’ll need to know everything about the cookies your site sets. This includes:

  • The types of cookies your site sets.
  • Why your site sets these cookies.
  • Whether cookie data is shared with third parties.
  • Which cookies can be categorized as “strictly necessary.”

For this, you’ll need to audit your cookies and categorize them properly. You can use a cookie audit tool or check out our compliance services for a more comprehensive cookie audit. 

Auditing your cookies can help with designing a GDPR cookie consent banner. It also allows you to remove unnecessary cookies and identify personal data protection and GDPR compliance risks.

3. Create a Detailed Cookies Policy

Once you have a categorized list of cookies on your site, you’ll need to create a detailed cookies policy. Having a detailed cookie policy is part of the GDPR requirements for cookie consent.

A cookie policy informs users about the following: 

  • The type of cookies your site uses.
  • The purpose of collecting these cookies.
  • Whether cookies are shared with third parties.
  • How long the cookies will remain on the users’ devices.

Having a detailed cookie policy shows that your website is committed to transparency and helps consumers feel secure about their data.

4. Implement a Cookie Banner

Once you’ve made it past the hurdle of creating a detailed cookie policy, you can focus on implementation. When designing a GDPR cookie consent banner, remember to link to the cookie policy for more context.

Rupert Brown states that:

"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, by electronic means, or an oral statement."

Overall, the banner should also inform users of why cookies are collected, the type of cookies collected, and whether their data is shared with third parties.

It’s also helpful to allow users to select which cookies to consent to, although this doesn’t fall under the GDPR requirements.

5. Ensure Third-Party Cookie Compliance

If you use elements from other sites that deploy cookies, you’ll be responsible for any cookies that they deploy. These third-party cookies are difficult to regulate, and informing users that they are deployed on your site is crucial.

Since most third-party cookies aren’t essential for your site, and most are used to track user behavior for marketing purposes, they are strictly regulated under the GDPR.

If your site deploys third-party cookies and a user gives consent, you must implement a mechanism that allows them to revoke that consent. This keeps you compliant with the rights the GDPR grants to consumers, including the “right to be forgotten.”

6. Allow Users to Manage Their Preferences

You’ve probably visited sites that allow you to “manage cookie preferences.” This is a great strategy to get people to accept certain types of functional cookies instead of rejecting all cookies.

Allowing users to choose which cookies they prefer isn’t a part of GDPR cookie consent management requirements. If you simply offer an accept and reject option, it’s enough for compliance. However, giving users the option to manage cookie preferences can benefit your site.

It can make the user experience smoother and more pleasant by allowing people to decide what type of data is shared with your site. People may view this as an indication that you’re taking their privacy seriously, improving your site’s reputation.

Tip: The GDPR requires businesses to allow users to withdraw cookie consent. 

Tips to Ensure Compliance with GDPR Cookie Consent

If you fall under the GDPR, you’ll need to ensure that your cookie consent management falls in line with the regulation’s principles and GDPR cookie consent best practices.

Even a slight mistake in your cookie consent banner design or coding could result in hefty fines for non-compliance, and the EU is strict with enforcing data privacy regulations. 

Tony Foly, a consultant at Wolters Kluwer Legal & Regulatory U.S., says:

"In general, GDPR and the ePrivacy Directive require businesses to provide accurate information on the purposes of cookies before obtaining consent, retain documentation on consent, allow users to access a service even if consent is withheld, and make it as easy for users to withdraw consent as it was for them to give it."

With this in mind, let's expand on some tips to ensure compliance with GDPR cookie consent. ALL are important, so I strongly suggest you implement all of them for thorough corporate compliance:

Make the Cookie Banner Accessible

The GDPR has very strict regulations regarding the practice of “masking” personal information. Many sites try to get past cookie consent by placing their cookie banners at the corner or footer of the site.

This is one mistake that you shouldn’t make with the cookie banner design. Remember, under the GDPR, consent options must be clearly placed in front of the user. A cookie consent banner with hard-to-read text tucked into your site’s footer is not GDPR compliant.

The best designs for a GDPR-compliant cookie bar are large pop-ups that display when a user accesses your site for the first time. Make sure the text is large and easily readable. Also, the pop-up should not automatically fade away until the user makes a choice.

Add a Close Button to the Cookie Banner

According to the latest Italian guidelines on cookie consent, you’ll need to have a “reject” button as well as a close “X” button on your site’s cookie banner. You can use the word “close” or add an “x” on the close button, and it should clearly allow users to close the cookie consent box or pop-up.

The close button on your site’s cookie bar means that the user rejected cookies, so you’re not allowed to deploy cookies if they simply close the banner.

Ensure No Pre-Ticked Boxes

Unlike the CCPA, the GDPR requires businesses to have cookie consent banners without any pre-approval. The option to accept cookies cannot be a pre-ticked box, as this will imply consent when a user closes the box.

Instead of pre-ticked boxes, the cookie banner should contain an option to “accept” or “reject” - along with a preferences option to ensure optimal user experience.

This doesn’t mean you can’t use boxes; it’s just that they shouldn’t be pre-ticked. A pre-ticked box can be regarded as manipulation under the GDPR, and it’s not regarded as “positive consent.”

So, if your GDPR cookie consent banner uses boxes, make sure they’re empty.

Ensure No Cookie Walls

Like pre-ticked boxes, a cookie wall is seen as manipulation to get the user's consent. Cookie walls are consent forms designed so that users will have to accept cookies if they want to continue using a site. They are pop-ups without any “close” button and have wording like “accept cookies to continue.” 

However, the absence of a close button isn’t the only reason why cookie walls are non-compliant with the GDPR. The main problem with such practices is that they go against the definition of consent as outlined in Article 4(11) of the GDPR:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

This covers cookie walls, pre-ticked boxes, and other restrictive consent techniques.

Use Detailed But Simple Language

You’ll have to be extremely detailed when choosing text for GDPR cookie consent. This includes text used in cookie banners as well as in your site’s privacy policy and cookie policy.

The GDPR requires consent text to be simple and jargon-free as well. It should be easily understood by the average person.

Tip: Avoid giving detailed explanations of your cookies on the cookie banner. Rather, provide a link to a detailed cookie policy where users can check for detailed information if needed. 

Block Cookies Before Consent

A crucial part of the GDPR is that consent must be given beforehand. Unlike with the CCPA or other regulations, you’ll have to block cookies before consent. This prevents your site from collecting user data until the users agree to some or all cookies.

Strictly necessary cookies are an exception to this rule. These cookies aren’t meant for marketing purposes and help the site function properly.

Add an Opt-Out Option

The GDPR combines both an opt-in and an opt-out approach for cookie consent. Users have the right to opt in by giving consent and to opt out by withdrawing consent they previously gave. This allows them the most flexibility with their personal information.

You’ll have to add an opt-out button on the GDPR cookie consent banner. The opt-out requirements allow users to:

  • Opt out of data collection.
  • Opt out of data processing.
  • Request erasure of data.

It’s important to note that once a user decides to “reject” or opt out of cookie consent, you can’t request consent each time the user visits the site.
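The banner rules in the sections above (block non-essential cookies until an affirmative choice, treat closing the banner as a rejection, default every optional category to unticked, keep a record of the decision, and make withdrawal as easy as giving consent) can be enforced by a small “consent gate” that every script writes cookies through. The code below is an added example and is not code from the original article or from Captain Compliance; the category names, the function names, and the in-memory cookie store are all assumptions made so the logic runs outside a browser, where the store would be backed by document.cookie instead.

```javascript
// Added example (not from the original article): a minimal consent gate that
// enforces the banner rules described above. No non-essential cookie is set
// before an affirmative choice, closing the banner counts as rejection,
// optional categories default to unticked, each decision is stored with a
// timestamp and how it was made (so consent can be documented), and consent
// can be withdrawn, which purges the affected cookies. All names are assumed.

const NON_ESSENTIAL = ["functional", "performance", "marketing"];

// In-memory stand-in for the browser cookie store (assumed, for running in
// Node). Each entry remembers its category so a withdrawal can remove exactly
// the cookies that are no longer consented to.
function createMemoryJar() {
  const store = new Map();
  return {
    set(name, value, category) { store.set(name, { value, category }); },
    remove(name) { store.delete(name); },
    has(name) { return store.has(name); },
    namesIn(category) {
      return [...store].filter(([, c]) => c.category === category).map(([n]) => n);
    },
  };
}

function createConsentManager(jar, now = () => new Date().toISOString()) {
  let record = null; // null = the user has not made a decision yet

  // No pre-ticked boxes: every optional category starts as "not consented".
  function defaultPreferences() {
    return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  }

  // Strictly necessary cookies are exempt; anything else needs a recorded "true".
  function allowed(category) {
    if (category === "necessary") return true;
    return record !== null && record.choices[category] === true;
  }

  // Scripts call this instead of writing cookies directly; the gate decides.
  function setCookie(name, value, category) {
    if (!allowed(category)) return false; // blocked before or without consent
    jar.set(name, value, category);
    return true;
  }

  // Normalise the choices (only known categories, only an explicit true counts),
  // store when and how the decision was made, and purge every cookie in a
  // category the user has not (or no longer) consented to.
  function decide(choices, via) {
    const clean = defaultPreferences();
    for (const c of NON_ESSENTIAL) {
      if (choices[c] === true) clean[c] = true;
    }
    record = { choices: clean, timestamp: now(), via };
    for (const c of NON_ESSENTIAL) {
      if (!clean[c]) jar.namesIn(c).forEach((n) => jar.remove(n));
    }
    return record;
  }

  return {
    defaultPreferences,
    allowed,
    setCookie,
    accept: (choices) => decide(choices, "accept"),
    rejectAll: () => decide({}, "reject"),
    close: () => decide({}, "close"),         // the "X" is a rejection, not consent
    withdraw: () => decide({}, "withdraw"),   // one call, as easy as accepting
    shouldShowBanner: () => record === null,  // never re-prompt once a choice exists
    record: () => record,
  };
}
```

In a browser you would wire `accept`, `rejectAll` and `close` to the banner buttons, route every tag’s cookie writes through `setCookie`, and persist `record()` (for example in a strictly necessary cookie or server-side) so a stored rejection is honoured on the next visit instead of re-prompting the user. Because a withdrawal is handled by the same `decide` path as a rejection, the cookies that depended on the withdrawn consent are removed immediately rather than lingering until expiry.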

Frequently Asked Questions (FAQs)

Does GDPR Require Consent for Cookies?

The GDPR requires valid consent for all cookies that aren’t critical for website functionality. This includes cookies used for marketing, tracking, or analytics, as they can be used to identify “natural persons.”

Check out our guide on strictly essential cookies here.

What are GDPR Cookie Consent Management Best Practices?

GDPR cookie consent best practices include adding clear opt-in and opt-out options, blocking cookies before consent is given, using simple language, and avoiding pre-ticked boxes and cookie walls.

Learn more about cookie consent best practices.

What is the Purpose of Cookie Consent?

The purpose of cookie consent is to inform users of what data is collected and get their permission to process and store cookie data. It’s crucial for compliance with GDPR and other data protection regulations.

Get in touch with our GDPR compliance experts for cookie consent implementation.

Do I Have to Comply With GDPR Cookie Consent?

You must comply with the GDPR cookie consent laws if you collect data on EU citizens. This also applies to US-based businesses that don’t offer physical products or services in the EU.

Check out our ultimate guide on GDPR compliance requirements.

Is GDPR Cookie Consent Free?

GDPR consent is free, although you may need a paid tool to manage consent banners if your site receives a lot of traffic. You may also need a data privacy expert to help set up your site’s privacy and cookie policies.

Explore what a privacy consultant can do for your business.

How Can Captain Compliance Help You?

Cookie consent can be complex. However, even the smallest GDPR compliance mistakes can result in hefty fines for businesses.

At Captain Compliance, we can handle cookie consent for you, so GDPR compliance can become a breeze, and you won't ever have to worry about it again.

So, if remaining compliant with the GDPR is a hassle that you can’t afford, it’s time to outsource compliance to the experts. Get in touch with us now for a free consultation so you can learn what to do to meet all your compliance obligations!