Cookie Banners in GDPR
Last updated on October 7th, 2019.
Cookie banners have become a norm on many of the websites. Almost all websites, as a consequence of GDPR, have put up a notification in the form of a banner, or popups, etc. to notify the users of their usage of cookies.
GDPR has not just affected the usage of cookies on a website. Websites are required to notify the users of any form of data collection to their users. But cookies are the most evident ones. The users are notified of the cookies on the first visit to the website.
The purpose of the cookie banners is not just informing the users of the usage of cookies. They are also used to take consent from the users to use the cookies on the website.
Types of Cookie Banners
There are a lot of examples for cookie banners and not all of them are the same. According to the way they inform and take consent from the users, we can classify cookie banners into three:
Informational: Informational cookie banners are only used for informing the visitors of the website about the usage of cookies. They usually do not take consent for using the cookies.
Implicit: Implicit banners are those that not only take consent from the users but also ask for consent before using them. They usually have a button on the banner for the user to register consent. Accepting the cookies will install all the cookies on the user's browser.
Explicit: This type of cookie banners takes a further step to install the cookies on the user's browser. The user will have to go and explicitly select the cookies that they would like the website to use and then click on the confirmation button. This will only install the cookies that the users have given consent to.
Why should you have a banner at all?
GDPR is major online privacy law. It also came in to effect at a time there are rising concerns about the privacy of users online. Even when we say that cookies are a small text file that the websites use to communicate with the servers, they are a cause of the privacy concerns among users.
Some third-party services that may be used on the websites install cookies that track user behavior online once it is set on their browser.
Cookies only store the data as the user interacts with the website and only will have the data as a result of the user's input on the website. But that said, most of the time users are not aware that their actions are in any way being stored.
So, the websites need to show cookie banner on their website as part of the full transparency regarding their data collection practices.
Information on the data collection should be provided where the data is being collected. Since the cookies are being set at the time of the site loads, the banner should be displayed at the time the website loads.
What are the GDPR Requirements for Cookies?
It is important to note that GDPR is not just for cookies. It regulates all the practices that collect data in any way.
Cookies and other tracking technologies like tracking pixels can also be used for collecting data. Data like IP addresses and cookie identifiers are considered as personally identifiable data, which are oftentimes collected by cookies. Which brings cookies and similar technologies under the regulation of GDPR.
The following are the requirements for obtaining consent for the usage of cookies.
- The consent should be informed - User should be provided with information like what data is collected, why they are collected, how they are processed, and how long they will be stored for.
- Consent should be freely given - The users should have a real choice to when it comes to giving consent. Which means, the users should be able to not only give consent with an "Accept" button, they should also have a "Reject" button.
- Given explicitly, with affirmative action - The consent should be recorded with an explicit action that can only be translated to as valid consent. For example, clicking on a button. Conditions like the continued use of a website do not count as valid consent.
- Reversible - Once the user has given consent to use the cookies, they should be able to reverse that consent at any point in time.
- Prior to the data collection - The consent should be taken before any of the data processing takes place.
- Granular - The users should be able to select which individual cookies or categories of cookies that they would like to be using on their browser.
Not all Cookies are the Same
The cookies that enable the proper functioning of the website are called necessary or essential cookies. They usually do not collect any personally identifiable data and do not come under the radar of GDPR. So you do not have to take consent for using these cookies.
But it is still a good practice to inform the users of the usage of such cookies and their purpose.
But when it comes to cookies that are used for tracking purposes, and any cookies that store any personally identifiable user data, and informed consent is mandatory.
A Banner is not Enough
That's right. displaying the banner and informing the users is only halfway there for compliance with the Cookie Law. For a legally valid consent, cookie banners are essentials but that is not adequate.
The next thing is to do to comply with GDPR for the usage of cookies is to block these cookies from setting on the browser until the visitor has given green signal to use them.
CookieYes helps your website display a cookie banner on the first load for a visitor and block the cookies until the user gives consent. It will also scan and categorize the cookies used on your website. All you need to do is register your website that you need to create the cookie banner on.
After registering in CookieYes, add the installation code to your site's source code. This will add the cookie banner on your website. Any future modification to the cookie banner will be reflected automatically on your website after adding the code.
Next, to block the cookies on your website, remove the cookie scripts from your website and add it to CookieYes. And that's it. The cookies will now only be added when the user has given consent.
Disclaimer: We make sure that all our articles are as informative and accurate as possible. But the article is not written by a lawyer and should not be treated as legal advice.