Every law gives rise to some myths and misconceptions. People sometimes form their own theories about it, or are influenced by what their peers think or believe. Sometimes the legal statements are too convoluted to follow and result in misinterpretation. The GDPR and other laws like the ePrivacy Directive are no exception. There are many questions and much confusion related to GDPR cookie consent that need to be addressed.
The GDPR and ePrivacy Directive (also known as the EU cookie law) have laid out several requirements for obtaining consent from the users for using cookies on the website. Unfortunately, a few things have created confusion and caused unintentional (and some intentional) violations of the law.
In this post, we will look into some common misconceptions surrounding the GDPR cookie consent and also provide facts to counter them.
There have been many GDPR cookie consent myths, which have resulted in many violations. We look at seven myths here: implied cookie consent, loading cookies before receiving consent, non-EU websites refusing to ask for cookie consent, inadequate banner information, identifying cookies that require consent, and misinformation that cookie consent notices ruined the internet experience.
We refute each of the myths with facts.
7 Myths about GDPR cookie consent (and facts to bust them)
Here are seven common myths related to cookie consent under the GDPR and facts to bust all of them.
This is a very common belief among website owners. However, it is the wrong one.
A 2020 study about consent popups found that 32.5% of websites assume positive consent via implicit actions, such as scrolling through a web page (without noticing the consent banner) or closing the cookie banner.
The GDPR clearly states that one of the conditions for consent to be valid is that it must be unambiguous. The users have to express their consent via affirmative actions.
In the case of cookies, affirmative action could mean clicking an “accept” or “agree” button, or selectively opting in for cookies.
You can adopt the implied consent approach if your website uses only strictly necessary cookies. If the site uses non-necessary cookies, consent implied from non-affirmative actions is deemed invalid. Such action is a violation of the GDPR.
Myth #2 The website can load non-essential cookies as long as the users do not explicitly opt out of them.
It is quite similar to the first myth. Here, the website assumes that the user is okay with non-essential (tracking) cookies as long as they do not actively deny consent. However, that is not a lawful approach.
Pre-enabling or pre-loading such cookies before the users register their consent is an infringement of privacy.
The concept of affirmative action in the earlier case applies here as well. You can load the cookies only after the users have expressed their consent. Not opting out (yet) does not equal opting in. So, wait until the users opt in for cookies.
Myth #3 If the website is not based in the EU, then it does not require (GDPR) consent to use tracking cookies.
The GDPR clearly states that any organization that serves goods and services to people located within the EU and the EEA has to comply with the GDPR. The location of the organization does not matter.
It applies to websites as well.
Any website in the world that receives traffic from the EU and collects the EU visitors’ personal data via cookie identifiers is subject to GDPR compliance.
So, even if your website is not EU-based, you must comply with the GDPR.
Myth #4 The users can be denied access to a website if they decline all cookies.
To answer simply — no.
Denying full services to a user because they refused to consent is not allowed per the law.
This myth is usually associated with the use of cookie walls on websites. A cookie wall is a popup or banner that restricts access to the website unless the user accepts all cookies. They are also known as “tracking walls,” since they use tracking cookies.
The use of cookie walls has been criticized by many data protection authorities, including the EDPB (European Data Protection Board) in its guidelines for cookies and cookie consent. The EDPB clarifies that the consent obtained via such a method is invalid, considering how it violates the “freely given” condition necessary for GDPR consent. It states that access to websites and their “full” services must not be made conditional on the consent of a user.
Such a “take it or leave it” approach compels the users to accept all the cookies, including the non-essential ones. Hence, the website owners must leave the myth behind and give the website users a free choice.
This is only partially true.
However, if the site uses marketing or analytics cookies that collect user data or track them, the banner must provide more information and an opt-out option. The cookie banner must clarify the purpose of these cookies so that the users can make an informed consent choice.
Myth #6 Consent is required only for third-party cookies under the GDPR.
We often see the mention of “third-party” cookies when it comes to cookie consent. However, there is more to it. Not all third-party cookies require consent and not all first-party cookies are exempted from the requirement of consent.
Consent is required for any cookies that collect personal data and track the user movement on the website. As per Article 29 Working Party’s (WP29) opinion on cookie consent exemption, even some first-party cookies may require consent. E.g., if the users can still access the full services of a website even after they disable such cookies, then the site requires consent to use them.
According to the WP29, consent is not required when the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”. It means that if the cookies are necessary for a service that the user requested, they do not require consent to be loaded on the user device.
Myth #7 The cookie consent popups required for the GDPR ruined the user’s internet experience.
To understand this myth and its arguments, we need to see it from the users’ perspective.
To say that the cookie consent popups or banners have ruined the internet experience for users is debatable.
Are cookie banners a slight inconvenience? Maybe. Having to see a popup asking for consent when the users visit a website for the first time may seem quite frustrating. Are they useless? Absolutely not!
Imagine not getting followed by endless targeted advertisements about products the users were searching for just moments ago. Data is the oil of the 21st century. The users and even you do not know what the third parties are doing with the collected personal data. If the users spend a few seconds more to read the information on the cookie banner and make an informed decision, it may save their data from getting into the wrong hands. Even after they make an informed consent choice, the third parties may still violate their privacy. However, now these third parties are legally bound by privacy laws like the GDPR.
What is more important — a small popup on the website or the user data privacy?
Internet experience is not only about appearance or design; it also constitutes how safely one can share their data.
Besides, you can get a minimalist, simple, clutter-free cookie banner for your website. CookieYes can make it happen.
Using a simple script, you can install a CookieYes cookie banner on your website in less than 5 minutes. The banner is fully customizable, and you can decide the information it must provide.
CookieYes also scans your website for cookies and automatically blocks the third-party cookie scripts before the users register their consent. You can also set the cookie banner content in various languages.
It also logs the user consents for audit purposes and you can display the cookie banner based on the users’ location.
CookieYes’ features do not end there. Sign up today!
While trying to find the cookie consent solution for GDPR compliance, you will likely get carried away and believe in myths like these. This is why we recommend seeking legal advice, in case you have any doubts. Also, having a firm understanding of various privacy laws and looking for examples from your immediate environment will help a lot.
Remember — it is better to be safe than sorry.
There are many more cookie consent myths that may not be very common. However, they do exist. We will try to expand this list whenever we come across them.