The cookie popups that you often stumble upon on the internet are the result of privacy regulations such as the EU cookie law and the GDPR. Data such as a user’s name, age, gender, location, email ID, IP address and telephone number can all be collected via cookies. Because cookies collect data that can be used to personally identify someone, their use on a website is strictly regulated in the EU.
This blog explains the important regulations that affect cookie usage and how to comply with them effectively.
ePrivacy Directive (ePD)
The ePrivacy Directive 2009/136/EC (also known as the EU cookie law), which came into effect in 2002 and was later amended in 2009, is an EU directive on data protection and privacy, including cookie usage.
Article 5(3) deals with information stored in the terminal equipment of a subscriber or user, and is read as applying to cookies.
- Websites should obtain a user’s consent before storing or retrieving information on a user’s device, except for strictly necessary cookies.
- The user must be provided with clear and comprehensive information about the purpose of processing the data.
- The exemptions to the consent requirement are:
  - cookies used for the sole purpose of carrying out or facilitating the transmission of a communication, or
  - cookies that are strictly necessary in order to provide a service explicitly requested by the user.
Regulation 66 of the ePrivacy Directive sets out the conditions for third parties who may wish to store or access information on a user’s device.
- Users should be provided with clear and comprehensive information if third-party cookies are used.
- The methods of providing information and offering the right to refuse should be as user-friendly as possible.
Privacy and Electronic Communications Regulation (PECR)
The PECR is the UK’s implementation of the ePrivacy Directive. The official text does not use the term ‘cookie’ anywhere, but its rules for an ‘electronic communications network’ are read as covering cookies. The PECR states the same provisions for consent as Article 5(3) of the ePrivacy Directive.
The General Data Protection Regulation (GDPR)
The arrival of the GDPR in 2018 cemented the ePrivacy Directive, or EU cookie law. Currently, the ePD and the GDPR work together as the laws that regulate cookie usage in the EU.
The GDPR primarily deals with the processing of personal data and the data privacy rights of EU residents. While the GDPR mentions cookies explicitly only once, cookies can collect personal data, so their use is subject to the GDPR.
Recital 30 of the GDPR states that online identifiers like cookies and IP addresses can be used directly or combined with other identifiers to create profiles about individuals and identify them. Hence, they can be considered personal data.
Article 6 of the GDPR establishes consent as one of the six lawful bases for processing personal data; where consent is the basis relied on, personal data can be processed only after it has been obtained from users. Article 4(11) defines consent as freely given, specific, informed and unambiguous, given by a clear affirmative action.
Article 7 adds further conditions for consent.
- The consent mechanism should be made available in an intelligible and easily accessible form, using clear and plain language.
- Users should be able to withdraw consent, and it should be as easy to withdraw consent as it was to give it.
Data Protection Act, UK
The UK Data Protection Act 2018, which updated the UK Data Protection Act 1998, is the UK’s implementation of the GDPR. Therefore, when it comes to cookie usage, the DPA mirrors the GDPR requirements.
Checklist to comply with EU cookie law
- Inform users, via a cookie banner, of the cookies you use and their purposes.
- Collect users’ active consent to cookies.
- Provide users the option to take affirmative action, such as clicking an accept or reject button.
- Give users the option to opt in to specific cookie categories.
- Cookie notices should not use pre-ticked boxes or ‘on’ sliders for cookies other than strictly necessary cookies.
- Block third-party cookies until the user gives explicit consent for their use.
- Store consents in case you are subject to regulatory scrutiny.
- Give users the option to revoke or withdraw consent.
- Cookie walls that prevent access to the website without cookie consent are not allowed.
- Scrolling or continuing to use a website does not indicate a user’s consent.
Comply with EU cookie law
Adhering to the EU cookie law and the GDPR may not be as easy as it sounds. The quick and efficient way is to implement a consent management solution. CookieYes is one such cookie consent solution, used by over 1 million websites for compliance with the GDPR and data privacy laws around the world.
Display a cookie banner and provide information about cookie use
As a rule of thumb, you should provide information about the types of cookies you use, their purpose, how long their data will be retained, and with whom the data will be shared.
Let users give consent by a clear, affirmative action
You should give users real choice and control over how you use their personal data. Your cookie consent banner must obtain consent only through a clear, affirmative action, for example opt-in boxes or toggle buttons that let users turn cookies on or off selectively.
CookieYes helps you implement a cookie banner that lets you receive freely given, informed and unambiguous consent from your site visitors. CookieYes also sets up consent banners with all non-essential cookie categories toggled off by default.
Allow refusal or withdrawal of consent anytime
Enabling users to change their cookie settings or preferences after they have given consent is another requirement. CookieYes lets you include a customizable Preferences button on your consent banner.
Keep a record of user consents
According to the GDPR, you are obliged to record and store the consents you obtain from your users. This matters if you later need to prove to regulatory authorities that consent was obtained. A record of user consent is also necessary to let users revoke their consent.
With CookieYes, the cookie consent management process is completely automated. You can easily maintain a consent log in which all your users’ consents are retained securely.
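The checklist above and the four steps in this section describe one mechanism: non-essential cookies default to off, third-party scripts stay blocked until an affirmative choice is made, the choice is recorded so it can later be proven, and it can be withdrawn as easily as it was given. The following is an added example of that mechanism in plain JavaScript; it is not CookieYes code or code from the original post. The category names, the `policyVersion` string and the in-memory `Map` standing in for the browser’s `localStorage` are all assumptions made for the example.

```javascript
// Added example, not CookieYes or original-post code: a minimal consent gate.
// Assumptions: three categories, a policy version string, and an injectable
// key/value store (a Map here; localStorage in a real page).

const CATEGORIES = ["necessary", "analytics", "marketing"];

class ConsentManager {
  constructor(store, policyVersion) {
    this.store = store;
    this.policyVersion = policyVersion;
    this.pending = { analytics: [], marketing: [] }; // script loaders waiting on consent
    this.log = []; // append-only record of every consent event, for later proof
  }

  // Default state: only strictly necessary cookies allowed; nothing is pre-ticked.
  defaults() {
    return Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
  }

  // Return the stored record, or null if none exists or it predates the current policy.
  current() {
    const raw = this.store.get("cookie_consent");
    if (!raw) return null;
    const rec = JSON.parse(raw);
    // Consent given under an older policy version is not consent for the new one.
    return rec.policyVersion === this.policyVersion ? rec : null;
  }

  isAllowed(category) {
    if (category === "necessary") return true;
    const rec = this.current();
    return rec ? rec.choices[category] === true : false;
  }

  // Called only from an explicit user action; scrolling or browsing never calls this.
  record(choices, action) {
    const rec = {
      choices: { ...this.defaults(), ...choices, necessary: true },
      action, // e.g. "accept_all", "reject_all", "save_preferences", "withdraw"
      policyVersion: this.policyVersion,
      timestamp: new Date().toISOString(),
    };
    this.store.set("cookie_consent", JSON.stringify(rec));
    this.log.push(rec);
    this.flush();
    return rec;
  }

  // Withdrawal is one call, as easy as giving consent: revert to the defaults.
  withdraw() {
    return this.record({}, "withdraw");
  }

  // Register a third-party script loader. Runs now if the category is already
  // allowed, otherwise stays queued until consent for it is recorded.
  gate(category, loader) {
    if (this.isAllowed(category)) {
      loader();
      return true;
    }
    this.pending[category].push(loader);
    return false;
  }

  // Release queued loaders for every category the current record allows.
  flush() {
    for (const category of Object.keys(this.pending)) {
      if (!this.isAllowed(category)) continue;
      const loaders = this.pending[category];
      this.pending[category] = [];
      loaders.forEach((fn) => fn());
    }
  }
}

// Walk through the scenario with a constructed in-memory store and return the observable state.
function demo() {
  const store = new Map();
  const cm = new ConsentManager(store, "2024-01");
  const loaded = [];
  // Page load: both third-party scripts are gated, nothing runs yet.
  cm.gate("analytics", () => loaded.push("analytics.js"));
  cm.gate("marketing", () => loaded.push("ads.js"));
  const beforeConsent = loaded.slice();
  // User clicks "Save preferences" with analytics on and marketing left off.
  cm.record({ analytics: true }, "save_preferences");
  const afterConsent = loaded.slice();
  const analyticsAllowed = cm.isAllowed("analytics");
  const marketingAllowed = cm.isAllowed("marketing");
  // A new policy version invalidates the stored record until the user is asked again.
  const staleOnNewPolicy = new ConsentManager(store, "2024-02").current() === null;
  // User later withdraws via the preferences button.
  cm.withdraw();
  const afterWithdraw = cm.isAllowed("analytics");
  return { beforeConsent, afterConsent, analyticsAllowed, marketingAllowed, staleOnNewPolicy, afterWithdraw, logLength: cm.log.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

Withdrawal stops future loads and is logged like any other choice, but a script that already ran may have set cookies of its own; those still have to be expired separately, and the timestamped log is what you would hand to a regulator asking for proof of consent.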
CookieYes also helps you to:
- Geo-target and auto-translate your cookie banner into 30+ languages.
- Auto-block 93+ third-party cookies until the user gives consent.
- Scan your website for cookies and auto-update the cookie list.
- Support browsers’ Do Not Track (DNT) settings.