Every law gives rise to some myths and misconceptions. People sometimes form their own theories about it, or are influenced by what their peers think or believe. Sometimes the legal statements are too convoluted to follow and are misinterpreted. The GDPR and other laws like the ePrivacy Directive are no exception. There are many questions and much confusion about GDPR cookie consent that need to be addressed.
The GDPR and ePrivacy Directive (or the EU cookie law) have laid out several requirements for obtaining consent from users for using cookies on a website. Unfortunately, a few things have created confusion and caused unintentional (and some intentional) violations of the law.
In this post, we will look into some common misconceptions surrounding the GDPR cookie consent and facts to counter them.
10 Myths about GDPR cookie consent (and facts to bust them)
Here are the most common misconceptions related to cookie consent under the GDPR and facts to bust all of them.
Myth 1: If users don’t interact with the cookie banner, they agree to cookies
This is a very common belief among website owners. However, this is wrong. A 2020 study about consent popups found that 32.5% of websites assume positive consent via implicit actions, such as scrolling through a web page (without noticing the consent banner) or closing the cookie banner.
The GDPR clearly states that one of the conditions for consent to be valid is that it must be unambiguous. The users have to express their consent via affirmative actions.
In the case of cookies, affirmative action could mean clicking an “accept” or “agree” button, or selectively opting in for cookies. You can adopt the implied consent approach if your website uses only strictly necessary cookies. If the site uses non-necessary cookies, consent implied from non-affirmative actions is deemed invalid. Such action is a violation of the GDPR.
Myth 2: Websites can load non-essential cookies if the user does not opt out
Websites often assume that the user is okay with non-essential (tracking) cookies as long as they do not actively deny consent or opt out of these cookies. However, that is not a lawful approach. Pre-enabling or pre-loading such cookies before the users register their consent is an infringement of privacy.
The concept of affirmative action in the earlier case applies here as well. You can load the cookies only after the users have expressed their consent. Not opting out does not equal opting in. So, wait until the users opt in for cookies.
Myth 3: Non-EU websites do not require cookie consent
The GDPR clearly states that any organization that serves goods and services to people located within the EU and the EEA has to comply with the GDPR. The location of the organization does not matter. It applies to websites as well.
Any website in the world that receives traffic from the EU and collects the EU visitors’ personal data via cookie identifiers is subject to GDPR compliance. So, even if your website is not EU-based, you must comply with the GDPR.
Myth 4: If users decline all cookies, they can be denied access to a website
To answer simply: no. Denying full services to a user because they refused to consent is not allowed per the law. This myth is usually associated with the use of cookie walls on websites. A cookie wall is a popup or banner that restricts access to the website unless the user accepts all cookies. They are also known as “tracking walls,” since they use tracking cookies.
The use of cookie walls has been criticized by many data protection authorities, including the EDPB (European Data Protection Board) in its guidelines for cookies and consent. The EDPB clarifies that the consent obtained via such a method is invalid, considering how it violates the “freely given” condition necessary for GDPR consent. It states that access to websites and their “full” services must not be made conditional on the consent of a user.
Such a “take it or leave it” approach compels the users to accept all the cookies, including the non-essential ones. Hence, the website owners must leave the myth behind and give the website users a free choice.
Myth 6: Only third-party cookies require consent
We often see the mention of “third-party” cookies when it comes to cookie consent. However, there is more to it. Not all third-party cookies require consent and not all first-party cookies are exempted from the requirement of consent.
Consent is required for any cookies that collect personal data and track user movement on the website. As per Article 29 Working Party’s (WP29) opinion on cookie consent exemption, even some first-party cookies may require consent. E.g., if the users can still access the full services of a website even after they disable such cookies, then the site requires consent to use them.
According to the WP29, consent is not required when the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”. It means that if the cookies are necessary for a service that the user requested, they do not require consent to be loaded on the user device.
Myth 7: Cookie notice ruins user experience
Are cookie banners a slight inconvenience? Maybe. Having to see a popup every time one visits a website may seem quite frustrating. Are they useless? Absolutely not! Here are 10 cookie consent examples that show how you can effectively implement cookie notices without disrupting the user experience and design.
Imagine not getting followed by endless targeted advertisements about products the users were searching for just moments ago. Data is the oil of the 21st century. The users and even you do not know what the third parties are doing with the collected personal data. If the users spend a few seconds more to read the information on the cookie banner and make an informed decision, it may save their data from getting into the wrong hands. Even after users make an informed consent choice, the third parties may still violate their privacy. However, now third parties are legally bound by privacy laws like the GDPR.
Myth 8: Analytic cookies don’t need consent
The French CNIL guidelines do extend consent exemptions to analytic cookies. The exemption applies only to analytics cookies that measure user data on behalf of the web publisher (first-party analytic cookies), and they must be used solely to produce anonymous statistics. The personal data collected through these cookies cannot be shared with third parties or used for any other purpose.
Myth 9: Cookie banners affect SEO
No. Cookie consent banners by themselves do not affect SEO. They have to be implemented correctly so that they are not intrusive. Google asks websites to avoid using intrusive interstitials, but they clarified that cookie consent notices will not negatively impact a site’s search performance.
GoogleBot will be able to crawl your website if you display your cookie banner where it does not obstruct the content on the page. It should also be optimized for different devices so that banners do not block content or take up space, for instance in mobile view.
Myth 10: Websites can use ‘legitimate interests’ to set cookies, so they don’t require consent
Cookies, in all likelihood, cannot come under the scope of legitimate interest. This means they cannot be processed by citing legitimate interest as a lawful basis as per the GDPR. Why? Remember that under the ePrivacy Directive, cookies require explicit consent to be set on users’ devices, after users are given clear and comprehensive information. The only exception to consent is cookies that are strictly necessary for the function of the website/application.
Also, in the GDPR, processing data under legitimate interest requires that processing is absolutely necessary and, even if it’s deemed necessary, it has to be weighed against the user’s fundamental rights and freedoms. Therefore, it is not advisable that a website use it for setting cookies without getting valid consent.
What is more important — a popup on the website or the user’s data privacy?
Internet experience is not only about appearance or design; it also constitutes how safely one can share their data. Besides, you can display a simple, clutter-free cookie banner for your website.
CookieYes can make it happen. Using a simple script, you can install a CookieYes cookie banner on your website in less than 5 minutes. The banner is fully customizable, and you can decide the content, layout, design, behaviour and branding.