GDPR Cookie Consent

GDPR Cookie Consent: How to Comply

Published on September 21, 2021

Ever since the GDPR came into effect in 2018, GDPR cookie consent has become a buzzword. While cookie popups have become an unavoidable presence on the internet, there’s a long way to go in terms of compliance. Regulations, guidelines and legalese can be quite confusing, especially for small business owners and website publishers that lack dedicated legal teams. 

The first section of this blog will show you the simplest way to set up a GDPR compliant cookie consent banner for your website. The rest of the blog will detail the important concepts that you need to know about GDPR cookie consent. 

How to comply with GDPR cookie consent?

The simplest way to implement GDPR cookie consent on your website is with the help of a cookie consent solution like CookieYes. You don’t need knowledge of coding or any time-consuming integrations. Add a cookie consent banner on your website in minutes!

Step 1. Sign up on CookieYes. It’s free and no credit card details are required.

Step 2. Customize your cookie banner design or choose the default (GDPR compliant) template

Step 3. Copy the banner code and paste it on your website. You are done!

After you have added a cookie banner to your website, you can enable the consent log in ‘Site Settings’  of CookieYes dashboard, so that all the user consents on your website are recorded. You are all done! Your website is now GDPR compliant with respect to cookies. 

You can also customize your cookie banner any time. CookieYes features 10+ customization options including language, content, layout, design, custom branding and advanced CSS. You can also control the banner behaviour by geo-targeting it for EU users only. 

For global websites, the GDPR cookie consent banner will also help you comply with laws like LGPD (Brazil) and POPIA (South Africa). If you cater to users from the US or California, you can comply with both GDPR and CCPA on CookieYes. 

GDPR cookie consent checklist for websites

Using CookieYes CMP, you can tick off the GDPR cookie consent checklist below!

  • Collect consent for using cookies on your website with a cookie banner or popup
  • Give users full control to accept, decline or change cookie settings on the banner
  • Customize the banner for desktop and mobile devices for accessibility
  • Show cookie table (with name, type, purpose and duration) on the second layer for full disclosure of cookies 
  • Show auto-translated banner to users as per their browser language
  • Auto-block third-party cookies from loading till the user gives consent
  • Record all user consents for proof of compliance
  • Add a callback widget for the banner so users can revoke consent at any time
  • Generate a cookie policy with detailed disclosure of cookie use and link it to your cookie banner
  • Scan your website for cookies to auto-update your cookie list and cookie policy 

Now, let’s take a closer look and understand what cookie consent means and how it affects your website.

What is cookie consent in the EU?

There are two laws that govern the use of cookies in the EU – the ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR). The ePrivacy Directive also called the EU cookie law, requires that websites get users’ prior consent before storing cookies on their devices except for strictly necessary cookies that are essential for the functioning of a website. 

The GDPR categorizes cookies as ‘online identifiers’, a part of personal data. Therefore to collect information stored in cookies, businesses have to get the user’s consent. Meaning, to store cookies on a user’s browser, websites must ask for their consent. The GDPR and the ePrivacy Directive work together to establish the cookie consent requirements in the EU. 

What is GDPR cookie consent? 

GDPR establishes certain standards for what constitutes valid consent when collecting personal data from consumers. With regard to cookies, it is often referred to as GDPR cookie consent requirements. 

Two main consent requirements of GDPR are:

  • Article 4 GDPR defines consent as a clear affirmative action that should be freely given, specific, informed and unambiguous. 
  • Article 7 states additional requirements for consent – proof of consent, ability to withdraw consent and that consent requests have to be easily accessible, use clear and plain language. 

Consent should involve an affirmative act 

Consent should be given through affirmative or positive action. This can involve an action like clicking on the ‘Accept’ button on a cookie popup. But it will only constitute valid consent if the user is presented with clear information about the use of cookies and also has an option to reject cookies via a ‘Reject’ button.

Consent should be freely given 

As stated above, users must have a free, genuine choice to accept or reject cookies. Pre-ticked boxes in a cookie banner do not represent a free choice. Similarly notice-only cookie banners without ‘Accept and ‘Reject’ buttons offer no real choice to the user.

Cookie walls like this obstruct the user from accessing the website and are not compliant with GDPR cookie consent.

Users must be able to give specific consent. This means cookie consent cannot be bundled with other terms and conditions. For instance, if you want to drop cookies on a user’s browser, you should ask consent for that purpose only. 

Consent should be informed 

Users must have clear information regarding what they are consenting to. The cookie banner should inform that a site uses cookies, the categories of cookies they use and their purposes. This way, the user can make an informed choice to either give or revoke consent.

A GDPR cookie consent banner from CookieYes with a preview of cookie categories.

A GDPR cookie consent banner from CookieYes with the ‘cookie settings’ tab.

Consent should be unambiguous 

Consent has to be unambiguous i.e. there should be no room for doubt regarding the user’s intention in giving their consent. For instance, actions like browsing a website, closing the cookie consent popup and continuing to use the site cannot be inferred as consent given by the user. 

Cookie consent banners should have easy to understand language and provide transparent information about cookie usage. It is also important that the banner is made available in a language that the user understands. An auto-translated banner that picks up the user’s browser language preferences can help in this regard.

Consent notices should be easily accessible. They should include necessary information in the first layer and should not require a user to navigate the site to give or deny consent.

A GDPR cookie consent banner from CookieYes in desktop view.
A GDPR cookie consent banner from CookieYes in mobile view.

Websites that collect consent should record it and demonstrate that users have given consent, in case of scrutiny by data protection authorities. Proof of consent should include how and when consent was obtained, and the information provided to the user at the time of collecting consent. 

Consent should be revocable 

Users should be able to revoke or withdraw their consent at any time after they have given consent. It has to be as easy for the user to withdraw consent as it was to give consent. This means, it should be easily accessible on the site and the user must know how to access it.

Check out effective GDPR cookie consent examples in the EU.

GDPR cookie consent: Things to remember

  • Display your banner where it does not obstruct the content or design elements on your homepage. Optimize the cookie consent banner for mobile and tablet devices to improve accessibility. 
  • The ‘Accept’ and ‘Reject’ buttons on your cookie banner should have equal emphasis. Don’t display the ‘Reject’ button on the second layer of the banner in which case it takes extra clicks for the user to reject cookies.
  • Keep the toggles for all cookies (except necessary cookies) switched off by default. Pre-ticked boxes or ‘on’ toggles/sliders are not compliant with GDPR.
  • Do not use cookie popups that obstruct users (cookie walls) from accessing your website. Cookie walls are not GDPR compliant. The user should be able to use your website even if they don’t consent to the use of cookies.
  • If you use Google Analytics on your website, implement IP anonymization to ensure that Google Analytics doesn’t capture data in URLs, forms or fields on your website that could help identify an individual user. Read how to do it here

Not sure about the cookies used on your website? Scan your website for cookies and check why your website needs a GDPR cookie consent banner.

What is a GDPR compliant cookie policy?

GDPR cookie consent requirements also include a cookie policy for your website because as per the GDPR and the ePrivacy Directive, users should be informed about how their data is processed. Therefore, a complaint cookie policy should include a detailed declaration about the cookies used on a website, their purposes, and how users can control the usage of cookies by a website. 

The cookie policy can be included within the privacy policy or as a separate cookie policy page. It should be linked in your cookie consent banner so users have easy access to detailed information about cookies. A cookie policy should include the following information:

  • A disclosure that cookies, other tracking technologies 
  • What cookies are
  • What is the purpose of each of the cookies
  • Is the data collected shared with any third-parties
  • How users can change cookie settings or revoke consent

On CookieYes, you can create a cookie policy with our cookie policy generator. Go to your CookieYes dashboard and click on Cookie Policy and generate a custom cookie policy for your website. 

FAQ on GDPR cookie consent

Why does GDPR require cookie consent?

GDPR mandates that any organization processing personal data need to have a valid legal basis for it. In GDPR, processing involves any operation which is performed on personal data such as collection, recording, storage, adaptation or alteration, restriction, erasure etc. Consent is one of the lawful bases for data processing where the individual gives explicit consent for processing their personal data.

Cookies are considered personal data, as Recital 26 of the GDPR states that any data that can be used to identify an individual directly or indirectly can be considered personal data. Online identifiers like cookies associated with an individual’s tools, applications, or devices like computers, smartphones can be used to identify them. Hence, cookies require consent. 

Do all cookies require consent in the EU?

Cookies other than strictly necessary ones fall under the scope of GDPR i.e. they require consent. These include first-party cookies set by the domain you are visiting. They are usually functional cookies that remember login details, your shopping cart, browser preferences etc. 

Third-party cookies set by a different domain, i.e. a third party, (Google Analytics, Facebook, LinkedIn, etc.) explicit user consent. They usually include advertising or tracking cookies that track your browsing history, online behaviour, spending habits to display targeted ads. 

Broadly speaking, all cookies except strictly necessary cookies are required to obtain GDPR cookie consent. The ePrivacy Directive details two cases for exemption from consent requirements. They are:

  • Cookies whose sole purpose is to carry out the transmission of a communication over a network such as a load balancing cookie.
  • Cookies intended for a legitimate purpose such as facilitating information society services (services that are delivered electronically through the internet via websites, apps, etc.). For example, authentication or session cookies.

What is the ePrivacy Directive or EU cookie law?

GDPR is not the only law that governs the use of cookies in the European Union. The ePrivacy Directive commonly referred to as the EU cookie law also regulates the use of cookies.

The ePrivacy Directive or the EU cookie law is a set of rules that regulate new digital technologies and the use of electronic communications such as emails and cookies. Passed in 2002 and amended in 2009, it requires websites to get user’s consent before storing cookies on their devices. The Directive makes an exception for cookies that are strictly necessary for the functioning of a website. 

While the ePrivacy Directive is not a law, it currently supplements the GDPR and together comprises the EU cookie consent rules. A proposed ePrivacy Regulation is set to replace the Directive and become a law that will apply directly in all EU member states. The upcoming Regulation will enhance the provisions of the Directive and the GDPR.

Read about the key differences between GDPR and ePrivacy Regulation.

Will GDPR cookie consent affect SEO?

Ever since GDPR came into effect, there have been concerns that cookie consent notices will hurt SEO and your website’s search engine ranks. If implemented correctly, and if they are not intrusive, cookie banners will not affect your SEO and GoogleBot will be able to crawl your website. While Google stresses avoiding intrusive interstitials, they clarified that important requests like cookie consent notices will not negatively impact a site’s search performance.

Is GDPR cookie consent applicable to US websites?

GDPR cookie consent applies to any website that has users from the EU. If a US-based website has visitors from the EU, then it should implement a GDPR compliant cookie consent banner. The extra-territorial scope of the GDPR requires that the personal data of EU users are protected as per GDPR rules. This means any website from around the world, that is accessed by users in the EU need to be GDPR compliant.

Start a 14-day free trial

Trials start with all our features enabled. Cancel anytime. No credit card required.