Ever since the GDPR came into effect in 2018, GDPR cookie consent has become a buzzword. While cookie popups have become an unavoidable presence on the internet, there’s a long way to go in terms of compliance. Regulations, guidelines and legalese can be quite confusing, especially for small business owners and website publishers that lack dedicated legal teams.
The first section of this blog will show you the simplest way to set up a GDPR-compliant cookie consent banner for your website. The rest of the blog will detail the important concepts that you need to know about GDPR cookie consent.
How to comply with GDPR cookie consent?
The simplest way to implement GDPR cookie consent on your website is with the help of a trusted cookie consent management platform or CMP like CookieYes. You don’t need knowledge of coding or any time-consuming integrations. Add a cookie consent banner on your website in minutes!
Step 1. Sign up on CookieYes for FREE. 14-day free trial. Cancel anytime.
Step 2. Customize your cookie banner design or choose the default GDPR-compliant layout.
Step 3. Copy the banner code and paste it onto your website. You are done!
For global websites, the GDPR cookie consent template also helps you comply with laws like LGPD (Brazil) and POPIA (South Africa). If you cater to users in the US, including California, you can cover GDPR and CCPA together on CookieYes.
Using CookieYes CMP, you can tick off the GDPR cookie consent checklist below!
- Collect consent for using cookies on your website with a cookie banner or popup
- Give users full control to accept, decline or change cookie settings on the banner
- Customize the banner for desktop and mobile devices for accessibility
- Show the cookie list on the second layer for full disclosure of cookies
- Show an auto-translated banner to users according to their browser language
- Auto-block third-party cookies from loading until the user gives consent
- Record all user consents for proof of compliance
- Add a callback widget for the banner so users can revoke consent at any time
- Display an auto-updated cookie list and policy for continuous compliance
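The auto-blocking, recording and revocation items in the checklist above are what a CMP does for you. To make concrete what they involve, here is an added JavaScript example written for this page (it is not CookieYes code) of the core logic: nothing but 'necessary' runs before a decision exists, every decision is stored with the information Article 7 proof needs, withdrawal is one call, and blocked third-party tags are activated only for granted categories. The storage key, category names, policy-version identifier and the `type="text/plain"` / `data-consent` convention for shipping blocked tags are assumptions; the in-memory storage is a stand-in for `localStorage` so the walk-through runs outside a browser.

```javascript
// Added example: a minimal consent manager implementing the checklist above.
// Not CookieYes code; storage key, category names and record format are assumptions.

const CONSENT_KEY = 'cookie_consent_v1';          // assumed storage key
const POLICY_VERSION = '2024-01-cookie-policy';   // assumed identifier of the banner text shown
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

class ConsentManager {
  // `storage` needs getItem/setItem/removeItem: localStorage in a browser, a shim in tests.
  constructor(storage, now = () => new Date().toISOString()) {
    this.storage = storage;
    this.now = now;
  }

  // No record means no decision yet: the banner must be shown and only 'necessary' may run.
  current() {
    const raw = this.storage.getItem(CONSENT_KEY);
    return raw ? JSON.parse(raw) : null;
  }

  // Record a decision. Nothing is pre-ticked: categories absent from `granted` are denied.
  // The record keeps what proof of consent needs: when, how, and which policy text was shown.
  record(granted, method) {
    const decision = {};
    for (const c of CATEGORIES) decision[c] = c === 'necessary' || granted.includes(c);
    const rec = { decision, method, policyVersion: POLICY_VERSION, timestamp: this.now() };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }

  acceptAll() { return this.record(CATEGORIES, 'accept_all'); }
  rejectAll() { return this.record([], 'reject_all'); }
  withdraw() { return this.record([], 'withdraw'); }   // as easy as giving consent: one call

  // Gate: may a script in `category` run? Only 'necessary' runs before a decision exists.
  allows(category) {
    if (category === 'necessary') return true;
    const rec = this.current();
    return rec !== null && rec.decision[category] === true;
  }

  // Auto-blocking: third-party tags are shipped as
  //   <script type="text/plain" data-consent="analytics" src="..."></script>
  // so the browser never executes them; after consent, each allowed one is swapped for a real script.
  activateBlockedScripts(doc) {
    let activated = 0;
    for (const el of Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))) {
      if (!this.allows(el.dataset.consent)) continue;
      const s = doc.createElement('script');
      if (el.src) s.src = el.src; else s.textContent = el.textContent;
      el.replaceWith(s);
      activated++;
    }
    return activated;
  }
}

// In-memory storage shim (constructed for this example) so it runs outside a browser.
class MemoryStorage {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
  removeItem(k) { this.m.delete(k); }
}

// Walk-through: no decision -> analytics only -> withdrawal. Fixed clock for reproducibility.
function demo() {
  const cm = new ConsentManager(new MemoryStorage(), () => '2024-05-01T10:00:00Z');
  const before = cm.allows('analytics');                    // false: no decision yet
  const rec = cm.record(['analytics'], 'save_preferences');  // user ticked analytics only
  const after = [cm.allows('analytics'), cm.allows('marketing'), cm.allows('necessary')];
  cm.withdraw();
  return { before, rec, after, afterWithdraw: cm.allows('analytics') };
}

if (typeof module !== 'undefined' && module.exports) {
  module.exports = { ConsentManager, MemoryStorage, CONSENT_KEY, POLICY_VERSION, demo };
}
```

In a page, `new ConsentManager(window.localStorage)` backs it with browser storage; `activateBlockedScripts(document)` is called once on load, to honour an earlier decision, and again from the banner's Accept or Save handler, and `withdraw()` is what the footer 'cookie settings' link should call. A record that lives only in the user's browser is weak proof, since it disappears when the user clears storage, which is why a CMP also sends each record to a server-side log.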
From startups to large-scale businesses, over 1.4 million websites use the CookieYes cookie consent solution for GDPR compliance.
The GDPR counts cookie identifiers among the ‘online identifiers’ that can make data personal data (Article 4(1) and Recital 30), so processing the information held in cookies needs a legal basis. The rule that websites must obtain consent before storing cookies on, or reading them from, a user’s device comes from Article 5(3) of the ePrivacy Directive, and the GDPR sets the standard that this consent has to meet. Together, the GDPR and the ePrivacy Directive establish the cookie consent requirements in the EU.
What is GDPR cookie consent?
GDPR establishes certain standards for what constitutes valid consent when collecting personal data from consumers. With regard to cookies, it is often referred to as GDPR cookie consent requirements.
Two main consent requirements of GDPR are:
- Article 4(11) of the GDPR defines consent as a freely given, specific, informed and unambiguous indication of the data subject’s wishes, given by a statement or by a clear affirmative action.
- Article 7 adds the conditions for valid consent: the controller must be able to demonstrate that consent was given, a consent request must be clearly distinguishable from other matters, easily accessible and in clear and plain language, and consent must be as easy to withdraw as it was to give.
Consent should involve an affirmative act
Consent should be freely given
As stated above, users must have a free, genuine choice to accept or reject cookies. Pre-ticked boxes in a cookie banner do not represent a free choice. Similarly, notice-only cookie banners without ‘Accept’ and ‘Reject’ buttons offer no real choice to the user.
Consent should be specific
Users must be able to give specific consent. This means cookie consent cannot be bundled with other terms and conditions. For instance, if you want to drop cookies on a user’s browser, you should ask consent for that purpose only.
Consent should be informed
Consent should be unambiguous
Consent has to be unambiguous i.e. there should be no room for doubt regarding the user’s intention in giving their consent. For instance, actions like browsing a website, closing the cookie consent popup and continuing to use the site cannot be inferred as consent given by the user.
Consent banner should use plain language
Cookie consent banners should have easy-to-understand language and provide transparent information about cookie usage. It is also important that the banner is made available in a language that the user understands. An auto-translated banner that picks up the user’s browser language preferences can help in this regard.
Consent banner should be accessible
Consent notices should be easily accessible. They should include necessary information in the first layer and should not require a user to navigate the site to give or deny consent.
Consent should be recorded
Websites that collect consent should record it and demonstrate that users have given consent, in case of scrutiny by data protection authorities. Proof of consent should include how and when consent was obtained, and the information provided to the user at the time of collecting consent.
Consent should be revocable
Users should be able to revoke or withdraw their consent at any time after they have given consent. It has to be as easy for the user to withdraw consent as it was to give consent. This means it should be easily accessible on the site and the user must know how to access it. Check out more GDPR cookie consent examples on websites in the EU.
- Display your banner where it does not obstruct the content or design elements on your homepage. Optimize the cookie consent banner for mobile and tablet devices to improve accessibility.
- The ‘Accept’ and ‘Reject’ buttons on your cookie banner should have equal emphasis, and both should be on the first layer. Putting ‘Reject’ only on a second layer means rejecting takes more clicks than accepting, which supervisory authorities (the CNIL among them) treat as non-compliant.
- Add a close button on the banner so that users have the choice to dismiss the banner and continue browsing without cookies being set on their devices (as per Italy’s cookie guidelines).
- Keep the toggles for all cookies (except necessary cookies) switched off by default. Pre-ticked boxes or ‘on’ toggles/sliders are not compliant with GDPR.
- If you use Google Analytics, do not load it until analytics consent has been given, and configure it to minimise the personal data it collects. In Universal Analytics, enable IP anonymisation (`anonymize_ip`) so the visitor’s IP address is truncated before it is stored; Google Analytics 4 does not log or store IP addresses. IP anonymisation does not remove personal data that your own site places in URLs, form fields or query strings, so check separately that no such data is sent to the tag.
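As an added JavaScript example (not CookieYes code, and not Google’s snippet verbatim), here is how the Google Analytics advice above maps onto gtag.js commands: Consent Mode defaults that deny storage before the `config` call, an `update` call wired to the banner’s decision, and `anonymize_ip` on a Universal Analytics configuration. The measurement ID is a placeholder, and the `gtag` shim reproduces only what the official snippet does, queueing commands onto `dataLayer`, so the command order can be checked offline without loading gtag.js.

```javascript
// Added example: loading Google Analytics only with consent, with IP anonymisation.
// Not CookieYes code. The measurement ID is a placeholder; the gtag shim below is
// exactly what the official snippet defines: gtag() queues its arguments onto dataLayer.

const g = typeof window !== 'undefined' ? window : globalThis;
g.dataLayer = g.dataLayer || [];
function gtag() { g.dataLayer.push(arguments); }

const GA_MEASUREMENT_ID = 'UA-00000000-1'; // assumed placeholder, not a real property

// Must be queued BEFORE gtag('config', ...): Consent Mode defaults deny storage
// until the user has made a choice. wait_for_update gives the banner time to
// replay a stored decision before any tag fires.
function setConsentDefaults() {
  gtag('consent', 'default', {
    analytics_storage: 'denied',
    ad_storage: 'denied',
    wait_for_update: 500,
  });
}

// Called from the banner's Accept / Save handler (or on load, from a stored record).
function applyConsent(analyticsGranted, marketingGranted) {
  gtag('consent', 'update', {
    analytics_storage: analyticsGranted ? 'granted' : 'denied',
    ad_storage: marketingGranted ? 'granted' : 'denied',
  });
}

function configureAnalytics() {
  gtag('js', new Date());
  // anonymize_ip truncates the IP address (last octet for IPv4) before Universal
  // Analytics stores the hit. It does NOT scrub PII your site puts in URLs or fields.
  // GA4 properties do not store IP addresses and ignore this parameter.
  gtag('config', GA_MEASUREMENT_ID, { anonymize_ip: true });
}

// Check: the first 'consent' command (the default) must precede the 'config' command,
// otherwise the initial hits go out before storage is denied.
function consentDefaultPrecedesConfig(layer) {
  const idx = (cmd) => layer.findIndex((a) => a[0] === cmd);
  const d = idx('consent');
  const c = idx('config');
  return d !== -1 && c !== -1 && d < c;
}

// Walk-through: defaults, configuration, then the user grants analytics but not marketing.
function demoQueue() {
  g.dataLayer.length = 0;
  setConsentDefaults();
  configureAnalytics();
  applyConsent(true, false);
  return g.dataLayer.map((a) => Array.from(a));
}
```

The order matters: a `consent default` that is queued after `config` does not stop the first hits. Also note that with Consent Mode, gtag.js itself still loads and, in its advanced mode, sends cookieless pings while consent is denied; where a supervisory authority objects to that, the stricter option is to not load gtag.js at all until consent is given, which is what banner auto-blocking does.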
Not sure about the cookies used on your website? Scan your website for cookies and check why your website needs a GDPR cookie consent banner.
Country-wise GDPR cookie consent guidelines
National data protection authorities publish their own cookie guidance: the DSK for Germany (in German), the CNIL for France (in French) and the GPDP (Garante) for Italy (in Italian).
Further reading: 10 GDPR cookie consent myths busted
- A disclosure of cookies and other tracking technologies used
- What cookies are
- What is the purpose of each of the cookies
- Whether the data collected is shared with any third parties
- How users can change cookie settings or revoke consent
FAQ on GDPR cookie consent
Do you need consent for cookies?
Yes. Consent is a key requirement for using cookies in the EU and the UK: the ePrivacy Directive (the EU cookie law, implemented in the UK as PECR) requires websites to obtain consent before storing or accessing cookies on a user’s device, and the GDPR (in the UK, the UK GDPR) sets the standard that the consent has to meet.
Because cookie identifiers are online identifiers, several privacy laws outside the EU also treat them as personal data, for example LGPD (Brazil) and POPIA (South Africa), and cookie consent is a requirement under them too. The CCPA (California) works differently: it does not require prior consent for cookies but gives users the right to opt out of the sale or sharing of their personal information, which a banner must support with a ‘Do Not Sell or Share’ choice.
Does GDPR require consent for cookies?
Yes. GDPR requires websites to take consent before setting cookies on a user’s device. The consent should meet certain conditions set forth by the GDPR in Article 4(11) and Article 7.
Consent is defined in Article 4(11) as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Article 7 sets out further conditions for consent:
- Data controllers (website owners in this case) should be able to demonstrate proof of consent.
- Consent requests should be available in an intelligible and easily accessible form, using clear and plain language.
- Individuals (website’s users) should have the right to withdraw consent easily and at any time.
Is cookie consent required in the UK?
Yes, cookie consent is required in the UK. As per UK’s Information Commissioner’s Office (ICO), “you must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent”.
Do performance cookies require consent?
Yes, performance cookies require consent. They are not strictly necessary to provide the service the user asked for, so the ePrivacy exemption does not apply, and because they typically store a pseudonymous identifier (such as a client ID) that singles out a returning browser, they are not anonymous in the GDPR sense.
Performance cookies collect data on how visitors use a website, such as which pages are visited most, which is then used to improve how the website works. The cookies set by Google Analytics are a common example.
Why does GDPR require cookie consent?
GDPR requires any organisation processing personal data to have a valid legal basis for doing so. Processing covers any operation performed on personal data: collection, recording, storage, adaptation or alteration, restriction, erasure and so on. Consent is one of the six lawful bases, the one in which the individual agrees to the processing of their personal data.
Cookies can make data personal: Article 4(1) lists online identifiers among the things by which a person can be identified, and Recital 30 names cookie identifiers specifically, because they can be combined with other information to single out and profile an individual. Recital 26 adds that data counts as personal if the person is identifiable directly or indirectly by means reasonably likely to be used. Hence cookies that identify users require consent.
How do you set GDPR cookie consent?
You need to implement a cookie banner and obtain consent for cookie use to set GDPR cookie consent on your website. This involves collecting valid consent (freely given, specific, informed and unambiguous), recording proof of consent and providing the ability to withdraw consent. You can achieve all this with the CookieYes consent solution.
Do all cookies require consent in the EU?
Whether a cookie needs consent depends on its purpose, not on who sets it. First-party cookies (set by the domain you are visiting) are exempt only when they are strictly necessary, such as a session cookie that keeps you logged in or remembers your shopping cart; a first-party analytics cookie is not exempt and needs consent.
Third-party cookies are set by a different domain (Google Analytics, Facebook, LinkedIn, etc.). They are usually advertising or tracking cookies that follow your browsing history, online behaviour and spending habits to display targeted ads, and they require prior consent.
Broadly speaking, every cookie other than a strictly necessary one requires GDPR-standard consent. Article 5(3) of the ePrivacy Directive exempts two cases:
- Cookies whose sole purpose is to carry out the transmission of a communication over an electronic communications network, such as a load-balancing cookie.
- Cookies that are strictly necessary for a provider to deliver an information society service (a service delivered electronically, via a website or app) that the user has explicitly requested. Examples are authentication and session cookies, or a cookie that keeps the contents of a shopping cart.
What is the ePrivacy Directive or EU cookie law?
The ePrivacy Directive (Directive 2002/58/EC, amended in 2009 by Directive 2009/136/EC and often called the EU cookie law) regulates the confidentiality of electronic communications, including email marketing and the storing of information such as cookies on users’ devices. Since the 2009 amendment it requires websites to obtain the user’s consent before storing or accessing cookies, with an exception for cookies that are strictly necessary to provide a service the user has requested.
As a directive, it does not apply directly: each member state transposes it into national law, which is why national cookie rules and enforcement differ. It currently supplements the GDPR, and together they make up the EU cookie consent rules. A proposed ePrivacy Regulation is intended to replace the Directive and, as a regulation, apply directly in all EU member states, tightening the Directive’s provisions alongside the GDPR.
Read about the key differences between GDPR and ePrivacy Regulation.
Will GDPR cookie consent affect SEO?
Ever since GDPR came into effect, there have been concerns that cookie consent notices would hurt SEO and search rankings. Implemented correctly, a non-intrusive cookie banner does not affect SEO: Googlebot does not interact with the banner, and as long as the banner does not hide the page content from crawlers, the site is indexed as usual. While Google penalises intrusive interstitials, it has clarified that interstitials required by law, such as cookie consent notices, do not negatively affect a site’s search performance.
Is GDPR cookie consent applicable to US websites?
GDPR cookie consent can apply to websites outside the EU. Under Article 3(2), the GDPR reaches controllers outside the EU that offer goods or services to people in the EU or monitor their behaviour there, and tracking cookies are a form of monitoring. A US-based website that targets EU visitors, or that sets analytics and advertising cookies on them, should therefore implement a GDPR-compliant cookie consent banner. Merely being reachable from the EU, without targeting or tracking EU users, does not by itself bring a site into scope.