The demand for data privacy by Internet users is at its peak, and it will continue to grow. Anything that does not give them enough control, especially when it comes to their data, will be frowned upon. And rightfully so. With evidence of data leaks and privacy violations surfacing far more frequently, users’ concern for their data privacy is not far-fetched. According to Pew Research Center, eight-in-ten or more Americans feel that they have very little or no control over the data that organizations collect about them. This includes the (in)famous website cookies. Cookie control is, in fact, one of the most vital parts of a website’s privacy compliance.

[Figure: data control survey by Pew Research Center. Source: Pew Research Center]

When data privacy seems elusive, people will naturally gravitate towards solutions that offer them more control over their personal data. Tools that complicate privacy compliance are more of a burden than a solution. In today’s digital age, automated systems are far superior.

CookieYes believes in simplifying cookie compliance and giving you the best and most affordable cookie control solution. And the cherry on top: it’s all automated!

But first, let us look at cookie control around the world and then at how CookieYes’ automatic cookie control works.

What is cookie control?

Cookie control is all about managing user consent for cookies and using cookies compliantly to protect the data and privacy of users. It has been a widely discussed and analyzed subject in the digital space since the enforcement of the EU’s General Data Protection Regulation (GDPR).

Cookie control involves obtaining and managing valid user consent to use cookies, and giving users more control over the data collected from them via cookies.

What are the rules on cookies?

Cookie control is enforced by many privacy regulations around the world. Among these, the EU’s GDPR and ePrivacy Directive and the US’ CCPA (California Consumer Privacy Act) have stricter rules and wider territorial reach. Both the EU and US laws give users the right to stop websites from using third-party cookies that sell or share their data with third parties.


Cookie consent isn’t exactly a walk in the park. There are some conditions that you need to fulfill for the consent you collect to be deemed valid. Let us take a quick look at how the EU and US laws regulate the use of cookies. We will also look at how the UK GDPR post-Brexit fares against them.

Cookie control in the EU

The EU has the most stringent rules for data protection in the world. Its laws are comprehensive and have a wider reach. Perhaps that is why they are the blueprint for many other data protection laws that have been implemented around the world. We can say that cookie control in the EU member countries sets a benchmark for other countries.

The ePrivacy Directive (EU Cookie Law) and the GDPR regulate the use of cookies in the EU. According to both laws, websites that collect and use the personal data of EU users to offer services and goods cannot use cookies without users’ consent. Cookies, here, are those that collect personal data and track user activity. The laws exempt strictly necessary cookies, i.e. those a website needs to function properly, from requiring consent.


To summarize, you must follow these best practices to make your website comply with the EU Cookie Law and GDPR:

  • Inform users about cookies, their purpose, and who sets them
  • Obtain consent to use non-essential cookies via an explicit mechanism such as a button, toggle, or checkbox
  • Do not use pre-ticked checkboxes for cookie opt-in
  • Block such cookies until the user gives consent
  • Allow users to opt out of cookies
  • Let users have granular consent control, i.e. selective consent to some cookies
  • Allow users to withdraw consent, and make withdrawing as easy as giving consent
  • Do not register consent via implicit methods such as scrolling or browsing through the web page or closing the cookie consent banner
  • Avoid using cookie walls that make full access to the website conditional on consent
[Figure: Cookie control banner on CookieYes, asking consent for cookies and giving users controlled consent]

You can provide detailed information about cookies on a cookie policy page (which can also be part of the privacy policy page).

Cookie control in the US

The US data protection laws may not be as stringent as the EU laws. However, they do regulate how websites must handle the personal data of users, including cookie identifiers. The most important and popular among them is the California Consumer Privacy Act (CCPA). It is the first robust data protection law in the country. The state-wide law applies to all businesses that deal with the personal data of California residents. After the CCPA, Virginia’s CDPA and the Colorado Privacy Act followed suit and strengthened the US data protection regime.

The CCPA does not require websites to obtain consent for using cookies. However, users must be able to opt out of cookies that sell their personal information. The same holds for the other two laws.

To comply with US privacy laws for cookies, you must follow these rules:

  • Inform users about the cookies via a notice before or at the time of collecting user information.
  • Disclose the type of cookies used, what data they collect and their purposes, and who set them.
  • Let users opt out of cookies that sell or share personal data with third parties.
  • The opt-out link/button, titled “Do Not Sell My Personal Information”, can be placed on the notice and on the homepage of the website.

As under the GDPR, you must disclose the cookie information and other details in the privacy or cookie notice, along with the link to opt out. The link to the cookie notice can be placed on the consent notice.


Cookie control in the UK

Following the UK’s exit from the EU (Brexit), the EU GDPR ceased to apply in the UK, unless the businesses in the country offer goods and services to EU customers. The Information Commissioner’s Office (ICO) became the primary data protection authority. Currently, the Data Protection Act 2018 and the UK-GDPR govern data protection in the UK. 

Cookie control in UK laws resembles EU laws. The ICO’s guidelines on cookies and similar technologies propose almost the same rules for cookies.

Therefore, a website that uses cookies to collect and process the personal data of UK users must adopt the same practices to comply with the DPA 2018 and UK GDPR.

Cookie control in Google Chrome and other web browsers

In January 2020, Google made a landmark decision to phase out support for third-party cookies in its web browser, Chrome, by 2023. This makes Chrome the third major browser to part with third-party cookies after Apple’s Safari and Mozilla Firefox. This decision is a result of its need to meet the increasing demand for “greater privacy–including transparency, choice and control over how (the users’) data is used”.

Google’s third-party cookie decision was followed by its introduction of an alternative: Federated Learning of Cohorts (FLoC). FLoC is a browser feature for interest-based advertising that does not disclose the user’s identity.

Many web browsers have included cookie blocking features to control the use of cookies. Blocking all cookies has its fair share of disadvantages, as it will adversely affect basic website functionality that relies on first-party cookies. There are options to block only third-party cookies as well.


Cookie control support by noyb

noyb, an Austria-based non-profit organization advocating for digital rights across Europe, was in the news recently. On May 31, 2021, noyb sent over 500 draft complaints to organizations for using unlawful cookie banners, the largest number since the implementation of the GDPR.

To curb confusing cookie consent banners and the dark patterns used to compel visitors to agree to the use of cookies, noyb developed GDPR software to detect unlawful banners and automatically generate complaints. It gave organizations a one-month transition period to rectify their banners and comply with EU laws before filing the complaints.

According to noyb, what started as a genuine intention to give people more control over their data and keep a check on data privacy has turned into websites tricking people into agreeing with their terms. As a result, people see the GDPR as a nuisance. The GDPR intends to make data privacy as simple as possible. However, the misuse of laws has made it all the more complicated. Complicated banner settings make people see GDPR cookie consent more as an inconvenience than an actual privacy solution. Some may interpret noyb’s effort as the end of cookie banners. However, it only elevates their significance and the need to use them legally.

As per the latest developments, noyb filed 422 complaints with ten data protection authorities against organizations (82%) that have not fully stopped violating the GDPR, even after the warning. Only 42% of all violations “were remedied within 30 days”.

[Figure: Most common cookie violations: remedied (green) vs. yet to be remedied (red), following noyb’s complaints. Source: noyb]

For the next phase, noyb will aim at 10,000 websites within one year.

“We expect the first decisions by the end of the year. By then we should see most other websites switch to simple ‘yes’ or ‘no’ options.” Max Schrems, Chairperson, noyb.

Threats via cookies may seem smaller compared to other data breaches, but attacks like cookie hijacking aren’t new and they still exist. Stringent laws are necessary to combat such potential threats to users’ data.

Automatic cookie control solution by CookieYes

CookieYes is a cloud-based tool to obtain consent for cookies and control scripts that set third-party cookies. You can add a cookie banner to ask consent from your website visitors and comply with laws like GDPR, CCPA, LGPD, ePrivacy Directive, and CNIL. The banner templates are designed to comply with the requirements of major privacy regulations, and you can fully customize the banner to suit your website’s design. There are opt-in and opt-out options for consent, and visitors can selectively enable or disable consent for the cookie categories (necessary, advertisements, functional, analytics, etc.) that CookieYes identifies from its scanning. You can display the list of cookies in the audit table too.

[Figure: Customize cookie banner and control its behavior using CookieYes web app]

CookieYes automatically blocks third-party cookies before receiving consent, but you can also manually add scripts that set such cookies. Not only that, if users want to withdraw their consent at any time, there is an option for that too. And, to demonstrate proof of consent, you can enable CookieYes to log the consents received (without storing any personal information of the users!). Users can view their consent status without worrying about the website storing their personal data.

Wait… that’s not all. There is more!

CookieYes cookie banners support geo-targeting, i.e. you can display them to visitors depending on their location (EU, UK, and US/California).

A website’s compliance is incomplete without disclosing its data collection and processing practices. For that, you need a privacy policy and/or a cookie policy. CookieYes has in-app privacy and cookie policy generators that will help you to create these pages quickly and without any additional cost.

You can implement cookie control on any content management system, such as WordPress, Wix, Shopify, and Squarespace.

All these features (and more) plus a simple and intuitive UI with affordable pricing — that’s CookieYes for you!


Frequently asked questions

Why are there cookie warnings?

Data regulation laws like GDPR, ePrivacy Directive, and CCPA require websites to inform users about cookies and details such as their purposes, source, type of data they collect, and how to control them. Cookie warnings are necessary to disclose the use of cookies and ask for users’ consent. Failing to implement them will result in huge fines.

Is cookie consent required in the US?

Cookie consent is not required in the US. However, the website must let users opt out of using cookies that sell or share their personal data. 

Should I accept cookies?

Accepting cookies is a choice. It depends on how you feel about them.
The underlying point here is that no matter what your choice is, the website should work just fine.
We’d recommend not accepting cookies on unencrypted websites, or third-party cookies that collect your personal data (declining these may break some parts of the website), especially where you have to share your private information, such as banking details or medical data.

Is a cookie policy required?

Yes, a cookie policy is necessary to comply with GDPR and CCPA. Your website must disclose cookie details such as type, data collected, who generates them, and their purposes. This will help users make an informed decision about whether to accept cookies. 

Does Google Analytics require cookie consent?

As long as Google Analytics uses cookies to track users, user consent is required. However, Chrome will phase out support for third-party cookies by 2023. Therefore, the new version of Analytics will use machine learning to adapt itself to work with or without cookies.
