Cookies and the GDPR: What’s Really Required?
When you think about data protection laws and ePrivacy legislation, cookies easily come to mind, as they are directly related to both. This often leads to the common misconception that the Cookie Law (the ePrivacy Directive) has been repealed by the General Data Protection Regulation (GDPR), when in fact it has not. Instead, you can think of the ePrivacy Directive and the GDPR as complementing each other.
In summary:
- The Cookie Law was not replaced by the GDPR and it still applies.
- Cookie law requires users’ informed consent before storing cookies on a user’s device and/or tracking them.
- Consent to cookies must be informed and based on an affirmative action.
- Consent must be granular, meaning the ‘accept all’ or implied consent for all cookies is not allowed. The cookies must be categorised, for example, Marketing, Statistical, Preference and consent will be required for each category.
- The Cookie Law does not explicitly require that records of consent be kept, only proof of consent; however, many Data Protection Authorities across the EU have aligned their cookie rules with GDPR requirements. This means that, depending on the country relevant to you, you may be required to maintain records of cookie consent as required under the GDPR.
The ePrivacy Directive 2002/58/EC (or Cookie Law) was established to put guidelines and expectations in place for electronic privacy, including email marketing and cookie usage, and it still applies today. As mentioned above, you can think of the ePrivacy Directive as currently “complementing” the GDPR.
Generally, Directives set agreed-upon goals and guidelines, with Member States free to decide how to turn them into national legislation. Regulations, on the other hand, are legally binding across all Member States from the moment they come into effect, and they are enforced according to Union-wide rules.
With that said, the ePrivacy Directive is in fact going to be replaced by the ePrivacy Regulation, which is still in draft form and being debated by the various EU Member States.
What exactly does the Cookie Law require?
The Cookie Law requires users’ informed consent before storing cookies on a user’s device and/or tracking them.
This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must inform users about your data collection activities and give them the option to choose whether it’s allowed or not; you must obtain informed consent prior to the installation of those cookies on their device.
In practice, you’ll need to show a cookie pop-up on the user’s first visit to the site. It should show the visitor the categories of cookie used, list the cookies under each category with a description of purpose, type and expiry date, and provide a mechanism that allows the user to give consent, such as an on/off slider.
The only category of cookie for which consent is not required before the cookie is set on the user’s device is the strictly necessary category: cookies that are necessary for the smooth operation of the website and its functions.
How does CookieScan block cookies before consent?
CookieScan blocks cookies at the domain level: cookies from a domain are blocked before they are set on the user’s device, until consent is given. CookieScan can also integrate with a tag manager, which gives the website developer some control: CookieScan communicates with the tag manager, and the tag manager decides, depending on its settings, whether to block or allow cookies. Blocked cookies require consent before they are placed on the user’s device.
Consent to cookies
Consent to cookies must be informed and provided by a clear affirmative action. Therefore, mechanisms such as pre-checked boxes, a single “accept all” button, or a notice saying “by using this site your consent is implied” are not allowed. CookieScan uses on/off sliders so the user is clear about what they are giving consent to. The on/off sliders are green/red by default; the colours can be changed to match the colour theme of the website.
The European Data Protection Board (EDPB) has updated their guidelines on consent: Guidelines 05/2020 on consent under Regulation 2016/679.
This update is important as it aims to remove any ambiguity on the official position regarding several aspects of cookie usage. Perhaps most significantly, these latest guidelines clearly state that Cookie Walls are prohibited and that the EDPB does not consider consent via scrolling or continued browsing to be valid.
With regards to the refusal to consent or opting out after consent has been given, the law states that users must be “given the possibility” to refuse or withdraw their consent. The Working Party document further elaborates on this point by stating that, with regards to withdrawing or refusing consent, you must provide:
- Information on how users can withdraw consent and the action required to do so.
- A means by which the user can choose to accept or decline cookies.
CookieScan always displays a small grey box in the bottom left corner of the website that allows users to open the cookie preference pop-up and change their selected options, so withdrawing consent is as easy as giving it in the first place.
“Freely given” consent
The law mandates that the consent collected must be freely given by the user in order for it to be considered valid. Using coercive methods to obtain consent can make the consent collected invalid. The law does make some concessions (within reason) in cases where the actual ability to provide particular site services is directly affected by the consent or lack thereof.
The Working Party document states:
“Websites should not make conditional “general access” to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies.”
Therefore, while certain content (within legitimate reason) can be restricted based on cookie preferences, users’ ability to generally access your site must not be coerced or conditional upon their consent.
Exemptions to the consent requirement
Some cookies are exempt from the consent requirement and therefore are not subject to preventive blocking (though you are still required to inform users about your use of cookies). The exemptions are as follows:
- Technical cookies strictly necessary for the provision of the service.
- Statistical cookies managed directly by you (not third parties), provided that the data is not used for profiling.
- Anonymised statistical third-party cookies (e.g. Google Analytics).
  - This exemption may not be applicable in many regions and is therefore subject to specific local regulations. For example, it is not allowed under the UK ICO’s guidelines, and the French authority requires the analytics software provider to be appointed as a processor in order for these cookies to be exempt.
- This exemption mainly applies to Italy, may not be applicable for all regions and is therefore subject to specific local regulations.
Proof of consent vs Records of consent
While the Cookie Law indicates that proof of consent, rather than records of consent, be kept, many EU Member States and Data Protection Authorities now require that records of consent be kept, in alignment with the GDPR. If this applies to your particular situation, you will need to maintain valid records of consent.
Imagine a complaint from a user of your website who says they received unwanted marketing material and did not consent to the marketing cookie being placed on their device. Without proof of consent you have nothing with which to support your claim that the user actually provided consent.
CookieScan will always record the consent provided by the user. This record of consent will be available to the account holder upon request and without an additional fee.
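The blocking, granular sliders, withdrawal and record-keeping described above can be reduced to a small consent gate. The following is an added example written for this article, not CookieScan’s code; the category names, the cookie inventory and the function names are constructed for illustration.

```javascript
// Added example (not CookieScan's code): a minimal consent gate implementing
// the rules the article describes. Non-essential cookies start blocked,
// consent is granular per category, every decision is logged with a
// timestamp, and withdrawal is a single call. Inventory is constructed.

const NECESSARY = "necessary";
const CATEGORIES = [NECESSARY, "preference", "statistical", "marketing"];

// Constructed inventory in the shape a cookie pop-up lists: name, category,
// type, expiry and the domain that sets the cookie.
const INVENTORY = [
  { name: "session_id", category: NECESSARY, type: "HTTP", expiry: "session", domain: "shop.example" },
  { name: "lang", category: "preference", type: "HTTP", expiry: "1 year", domain: "shop.example" },
  { name: "_ga", category: "statistical", type: "HTTP", expiry: "2 years", domain: "analytics.example" },
  { name: "ad_px", category: "marketing", type: "Pixel", expiry: "90 days", domain: "ads.example" },
];

// State before any affirmative action: only strictly necessary is on.
function defaultConsent() {
  const state = {};
  for (const cat of CATEGORIES) state[cat] = cat === NECESSARY;
  return state;
}

// Split the inventory into cookies that may be set now and cookies that
// must stay blocked until the relevant category is switched on.
function gate(consent, inventory = INVENTORY) {
  const allowed = [], blocked = [];
  for (const c of inventory) {
    (c.category === NECESSARY || consent[c.category] === true ? allowed : blocked).push(c.name);
  }
  return { allowed, blocked };
}

// Record the user's explicit slider choices. Any category not set to exactly
// true stays off, so there is no implied or pre-checked consent.
function recordConsent(log, choices, now = () => new Date().toISOString()) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== NECESSARY && choices[cat] === true) consent[cat] = true;
  }
  log.push({ at: now(), action: "given", consent: { ...consent } });
  return consent;
}

// Withdrawal resets to the default state and is logged like giving consent.
function withdrawConsent(log, now = () => new Date().toISOString()) {
  const consent = defaultConsent();
  log.push({ at: now(), action: "withdrawn", consent: { ...consent } });
  return consent;
}
```

In a real deployment the log entries are what you would produce when a user disputes that consent was given, and `gate()` is what decides which scripts or tag-manager triggers may fire.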
CookieScan allows you to:
- easily inform users via our cookie pop-up which categories of cookie are used, with a simple, easy-to-understand description of each cookie
- provide an automatically generated Cookie Notice with a link placed on the cookie pop-up (you have the option to link to your own cookie notice if this is preferable)
- provide a link to your privacy notice; all you need to do is enter the URL of your privacy notice in your admin dashboard
- save cookie consent settings
- collect granular, per-category consent
- preventively block all cookies before consent is provided
- maintain records of consent (available to you on request; just contact our support team).
Our CookieScan pop-up informs the user of:
- the categories of cookies, their purpose and how they are used
- the cookie type: HTTP, HTML or Pixel
- how long the cookie will remain on their device
- who provided the cookie, or which domain it comes from.
It gives you further options to:
- choose the colour theme of the pop-up, buttons, text and on/off sliders to match the theme of your website.
- add your own cookie notice and privacy notice
- add an unlimited number of sub-domains (only available with the premium subscription)
- use CookieScan with any tag manager (only available with the premium subscription)
- manually scan your website.