Cookies are small text files that a website's server sends to the visitor's browser to collect their data or track them across the website. Cookies, in general, are harmless. However, their use can be intrusive if they are used for aggressive marketing or behavioral tracking. Over the last few years, such intrusive usage of cookies has come under the scrutiny of many privacy regulations, the EU cookie law (ePrivacy Directive) and GDPR being the two most prominent. This resulted in strict rules for cookie compliance in and outside the EU, wherever applicable.
Compliance is the act of complying with a command or law. Cookie compliance, then, is the act of complying with privacy laws on the usage of cookies on a website. The regulations lay out the best practices for deploying cookies that a website is obliged to adopt. They vary from law to law, but in a broad sense most laws require similar standards for cookie usage.
How to become cookie compliant?
Achieving cookie compliance follows an organized process. Let us go through it step by step.
#1 Identify cookies
You cannot expect to achieve cookie compliance without knowing what cookies your website sets on users’ devices. Therefore, the first step is to conduct a cookie audit to identify cookies, and there are several ways to do that.
You can check for cookies manually using your web browser settings.
However, the best and easiest way is to use an online cookie scanner. It’s fast and free. With a cookie scanner, you can do a deep scan of your web pages to identify all the cookies and categorize them based on their properties. You will get a detailed scan report.
#2 Get cookie consent
The next step after identifying cookies is to get consent for cookies that collect personal data, monitor user behavior, or are set by third-party websites and services.
The most common method of collecting cookie consent is a consent banner or popup. When users visit a website, it shows a banner that informs them about the cookies and asks for their consent.
To be valid, consent for cookies has to be obtained in line with legal practices. Here is a checklist for cookie consent compliance:
- Give adequate information about cookies and their purposes on the consent banner.
- Allow users to record their consent via an explicit method such as clicking a button.
- Allow users the right to accept and deny cookie consent.
- Let users decide which cookie type they want to consent to or not.
- Block cookies until the user consents to them.
- Keep a log of all consent recorded for proof of cookie compliance.
- Let users easily withdraw their consent at any time.
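The blocking, granular-choice, logging and withdrawal items of this checklist, expressed as gating logic in JavaScript. This is an added example, not code from the original page or from any consent tool; the category names, the tag list and all function names are assumptions.

```javascript
// Added example; category names, tag URLs and function names are assumptions.
const CATEGORIES = ["necessary", "analytics", "advertising"];

function createConsentManager(clock = () => new Date().toISOString()) {
  const log = [];   // append-only records kept as proof of consent
  let state = null; // null means the visitor has made no choice yet

  // Baseline used before consent, on reject and on withdraw.
  const denyAll = () =>
    Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));

  // Call only from an explicit click handler, never from scroll or a timer.
  function record(action, choices = {}) {
    if (!["accept", "reject", "withdraw"].includes(action)) {
      throw new Error(`unknown action: ${action}`);
    }
    const next = denyAll();
    if (action === "accept") {
      // Granular: a category is on only if the user set it to exactly true.
      for (const c of CATEGORIES) if (choices[c] === true) next[c] = true;
    }
    state = next;
    log.push(Object.freeze({ at: clock(), action, granted: { ...next } }));
    return next;
  }

  // Fails closed: no decision yet or an unlisted category means "blocked".
  function allowed(category) {
    if (category === "necessary") return true;
    return state !== null && state[category] === true;
  }

  const scriptsToLoad = (tags) =>
    tags.filter((t) => allowed(t.category)).map((t) => t.src);

  return { record, allowed, scriptsToLoad, getLog: () => log.slice() };
}

// Constructed sample tag inventory, e.g. the output of a cookie audit.
const SAMPLE_TAGS = [
  { src: "/js/session.js", category: "necessary" },
  { src: "https://analytics.example/t.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
  { src: "https://widget.example/embed.js", category: "uncategorised" },
];
```

A tag whose category is missing from the inventory stays blocked even after "accept", which is why the audit step has to categorise every script before the banner goes live.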
You must include details about all cookies and what they are used for. It is important that the users are aware of what accepting (or denying) cookies would mean. This is also the place to inform them how they can manage cookies, such as the browser settings to block or remove cookies.
All these details must be expressed in simple and plain language.
What is GDPR cookie compliance?
According to GDPR, cookies are subject to the law since they collect personal data and monitor user behavior and the cookie identifiers can be considered personal data.
The GDPR’s effect on website cookies has been massive. It turned the tide and made websites cautious about the intrusive usage of cookies. With the uncovering of so many cookie compliance violations (that led to huge fines), GDPR cookie compliance is a must-do task if your website falls within the scope of the GDPR.
Cookie compliance under GDPR (and ePrivacy Directive) mainly emphasizes transparency in informing about cookies and getting consent to use them. They together form a strong EU cookie compliance standard.
Article 4 of the GDPR gives four elements of valid consent: freely given, specific, informed, and unambiguous.
Article 7 gives additional conditions for valid consent, such as proof of consent and withdrawal of consent.
Let us look at them in detail.
Freely given consent
The data subjects should not feel compelled to give consent to process their personal data. It includes not being able to give consent because of non-negotiable terms and conditions. Any consent that prevents users from exercising their free will is invalid. For example, cookie walls (we will get into that later) ‘force’ users to accept cookies to access website content. It offers no free choice; hence it is not valid.
There are cases when the website asks for a single consent for cookies that have multiple purposes. The users may not want to agree to all of them but are forced to consent since it is bundled. It is also a violation. You also cannot force users to consent with the threat of negative consequences if they do not agree.
Valid consent is specific. It means there must be a specific reason(s) for asking for cookie consent. GDPR stresses making specific cookie consent granular. That means if the cookie has more than one purpose, users must have a choice for each of them. Also, the information about the cookie consent must be distinguishable from information about other matters.
GDPR states that consent must be informed. That is, you must provide users with the necessary information about cookies before obtaining their consent. It will help them to make an informed choice. Users should be aware of information such as what they are consenting to, the specific reason for using cookies, and how they can revoke their consent before giving their consent.
A website cannot ‘assume’ user consent if they keep browsing the page without taking action (accept or reject cookies). Such activity (or inactivity) does not indicate that the user has agreed to the use of website cookies. The website can only load cookies if the user has actively opted in for it.
Article 7(1) of the GDPR states that you must be able to prove that you have received valid consent. Obtaining consent for using cookies is not enough. You must record all of the user consents. Consent records will help to show proof of your transparency and cookie compliance. GDPR stresses that it is a data controller’s (website owner) obligation to show proof. You are free to use any method to log consent.
Withdrawal of consent
Article 7(3) of the GDPR says that withdrawal of consent must be made as easy as giving it. If a website has an easy method of asking for consent from users, it must also make it easy for them to withdraw it at any time. For instance, the cookie consent banner should be easily accessible at any time to withdraw the consent. The idea is to make the process of withdrawal as easy and simple as possible, preferably in one step. Once the users withdraw their consent, the website must stop using cookies immediately.
GDPR cookie consent is a legal requirement, and violating it will subject your website to huge fines.
EDPB guidelines on cookie compliance
On 4 May 2020, the European Data Protection Board (EDPB), an independent European body that ensures the GDPR implementation in the EU, revised the guidelines for cookies and consent. The document provided further clarifications regarding:
- The use of cookie walls
- The scrolling and swiping through a webpage
Consent via cookie walls is not valid.
A cookie wall is a popup about cookies on a website that restricts access to the website unless users accept the cookies. Cookie walls are also known as tracking walls since the cookies can track the user’s online activities for analytics and advertising purposes.
The users cannot “break the wall” unless they agree to the use of all cookies. The content of the website remains unavailable if they do not accept it. The only content they can see is the popup and information about the cookies.
The use of cookie walls attracted negative attention from consumers and data protection regulators since it forces users to give their consent. The EDPB has clarified that consent obtained from using cookie walls is invalid. It violates the “freely given” condition for valid consent. The EDPB states:
“In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)”
A website cannot restrict full access to its content to obtain the users’ consent to store cookies on their device. Such consent obtained via a cookie wall is invalid under GDPR since it does not give users a genuine choice.
Scrolling or swiping does not constitute consent.
The guideline further clarifies the nature of valid consent regarding scrolling or browsing a website without consenting or dismissing a cookie notice.
“Actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action”
It also violates the additional condition for consent: withdrawal of consent. The GDPR states that withdrawal of consent should be as easy as giving it. In this case, the users cannot withdraw their consent by a simple scroll or swipe, or any method since the users did not directly consent in the first place.
What is CCPA cookie compliance?
The US state-wide law, California Consumer Privacy Act (CCPA) classifies cookies as unique identifiers. Therefore, they are subject to the Act and are considered personal information.
What are the different types of cookie compliance banners?
We now know that using cookie banners or pop-ups is the most used method to collect consent for compliance. There are various types of cookie compliance banners depending on the type of cookies you use and the law applicable.
Let us look at the three common types of banners that websites use:
- Informational: This type of cookie banner only informs users about cookies and does not request consent.
They are most suitable when your website uses only strictly necessary cookies or cookies that are created by the website and they do not collect or track users’ information. If you use tracking cookies, such a banner is not recommended as it is a violation of GDPR and CCPA.
- Opt-in: This is the most accepted type of cookie consent banner when it comes to compliance. Here, the website offers its users an option to give consent accompanied by an option to decline it. If the user does not opt-in, the site must not load the cookie script.
The banner should also give the users the option to selectively consent to cookies by their category.
- Opt-out: This type of banner is mostly suitable for websites that are subject to CCPA as it requires them to let users opt-out of cookies.
For CCPA, you can place the “Do Not Sell My Personal Information” link instead of the opt-out button as it means the same thing.
What are the consequences of non-compliance?
The GDPR’s penalty for violation has two levels:
- Lower level that could go up to 10 million or 2% of the annual global turnover, whichever is higher.
- Upper level for severe violations, that could go up to 20 million or 4% of the annual global turnover, whichever is higher.
Cookie consent violations, such as failing to get consent or failing to inform users about cookie usage and how to opt out, could result in upper-level fines.
Therefore, cookie compliance is necessary if you use non-essential cookies and your website falls within the scope of GDPR.
Frequently asked questions
What is a GDPR compliant cookie message?
All the messages in the banner should convey the necessary information that a user needs to make an informed decision to consent to cookies or not.
What cookies are allowed under GDPR?
The GDPR allows all cookies but with the users’ consent. However, you do not require consent for cookies that do not collect personally identifiable information of the users or track their browsing activities. Unless the cookies are strictly necessary for the website to provide the basic services that the users expect it to, you need to get cookie consent to comply with GDPR.
Is there a cookie law in the US?
The US does not have a dedicated cookie law or any privacy law that has specific guidelines for cookies. However, the territorial scope of GDPR is not just limited to websites established in the EU. If your website, regardless of its origin, collects and processes the personal data of EU residents via cookies, then it will be subject to GDPR compliance.