Checklist to collect a valid cookie consent in the era of the GDPR

 

Learnings after collecting 4 billion consents

GDPR makes it clear that some cookies by their nature involve the processing of personal data. This applies to almost all marketing, targeting and web-analytics cookies, because they store an identifier for the visitor. Collecting a valid cookie consent is therefore essential to meet the requirements of the GDPR.

Here are 5 key learnings from processing 4 billion consents each year:  


1. Block cookies until the visitor has given consent, also on the landing page

Make sure that your website does not allow tags, plug-ins and scripts to set cookies before the visitor has consented to their storage. This applies on the landing page as much as anywhere else, since the first page view is where most tags fire. Choose a consent solution that controls the execution of the scripts that set cookies: a cookie is prevented by stopping the script that would set it, not by a notice about it.

 

2. Design the consent pop-up so that the visitor can object to cookies and control their privacy settings

Make it possible for the visitor to decline the storage of cookies on their device. Consent must be freely given, so a “Do not accept” or “Privacy settings” option must be available and visible alongside the accept option, and the settings it leads to must be organised by the purposes for which data is collected.

Use the consent pop-up to inform the visitor about the actual use of cookies and be specific about the different purposes. A website that uses cookies for different processing purposes needs a valid consent for each of them, which means granular privacy controls with separate consents for, for example, statistics and marketing. If the pop-up displays purpose-level opt-in/opt-out controls, none of them may be pre-selected: the visitor must actively opt in.

 

3. Respect and remember the choices your visitors make in the privacy settings

When implementing a consent pop-up, you should be certain that your website only sets the cookies the visitor has consented to in the privacy settings. The way to achieve this is to set cookies only after consent has been received, by controlling the scripts that set them and allowing a script to run only once consent for its purpose has been collected. Full control over which cookies the website sets is critical when choosing a consent solution; without it, the consent you collect would be invalid, because cookies would be set regardless of what the visitor chose. Choose a solution that supports easy implementation of privacy settings, gives the website full control over cookies, and lets you respect and remember the visitor’s choice on later visits.

 

4. Provide an easy way for the visitor to withdraw or change consent

It must be as easy for the visitor to withdraw or change a consent as it was to give it. Websites need always-available privacy settings: even after a valid consent has been obtained, there must be a way for the visitor to change their mind. If giving consent is as easy as clicking a button on the landing page, withdrawing it must be just as simple. Look for a consent solution that lets the visitor change the consent at any time, either through privacy settings embedded on a separate page or, if the settings are displayed in the consent pop-up, through a button or icon on every page that re-opens the pop-up.

 

5. Log and store each visitor’s consent, and be ready to document it if a Data Protection Authority inspects you

The website owner should be able to provide a detailed log of each visitor's consent on request from a Data Protection Authority. The consent solution provider should keep a consent log that demonstrates, for each visitor, what was consented to and when.
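As an added illustration of the five points above (example code written for this page, not Cookie Information's CMP), the following JavaScript holds back tags until their purpose is consented, starts from a no-consent default, remembers the choice across visits, treats withdrawal as just another decision, and appends every decision to a log. The purpose names, `POLICY_VERSION`, the `consent`/`consentLog` storage keys and the `data-consent` attribute convention are assumptions made for the example; the storage stub lets it run offline, and the DOM hook-up at the bottom only runs in a browser.

```javascript
// Added illustration of the five points above; not Cookie Information's CMP
// code. PURPOSES, POLICY_VERSION, the "consent"/"consentLog" storage keys and
// the data-consent attribute convention are assumptions made for this example.

const PURPOSES = ["statistics", "marketing"]; // optional purposes that need opt-in consent
const POLICY_VERSION = "v3";                  // hypothetical; bump when the cookie policy text changes

// Point 2: the starting state grants nothing, so opting in is an active choice.
function defaultConsent() {
  const granted = {};
  for (const p of PURPOSES) granted[p] = false;
  return { version: POLICY_VERSION, granted, decided: false };
}

// Map-backed stand-in for window.localStorage so the example runs offline under Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

class ConsentManager {
  constructor(storage, now = () => new Date().toISOString()) {
    this.storage = storage;
    this.now = now;
    this.pending = [];          // tags held back until their purpose is consented: { purpose, run }
    this.state = this.load();
  }

  // Point 3: remember the stored choice, but a consent given to an older policy
  // version does not carry over to the new text.
  load() {
    const raw = this.storage.getItem("consent");
    const saved = raw ? JSON.parse(raw) : null;
    return saved && saved.version === POLICY_VERSION ? saved : defaultConsent();
  }

  // Point 1: register a tag instead of executing it. A purpose the returning
  // visitor already consented to runs immediately; everything else waits.
  register(purpose, run) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (this.state.granted[purpose]) run();
    else this.pending.push({ purpose, run });
  }

  // Points 2 and 4: one entry point for accept-all, accept-selected, reject and
  // withdraw. `choices` maps purpose -> boolean; anything missing means "no".
  decide(action, choices = {}) {
    const granted = {};
    for (const p of PURPOSES) granted[p] = choices[p] === true;
    this.state = { version: POLICY_VERSION, granted, decided: true };
    this.storage.setItem("consent", JSON.stringify(this.state));
    this.appendLog(action);
    return this.release(); // purposes whose held tags were released by this decision
  }

  // Run held tags whose purpose is now allowed; keep the others held. A tag that
  // has already run cannot be un-run, so a withdrawal only stops future runs;
  // cookies it already set have to be expired separately.
  release() {
    const ran = [];
    this.pending = this.pending.filter(({ purpose, run }) => {
      if (!this.state.granted[purpose]) return true;
      run();
      ran.push(purpose);
      return false;
    });
    return ran;
  }

  // Point 5: append-only record of every decision (timestamp, action, policy
  // version, per-purpose outcome) so each consent can be documented later.
  appendLog(action) {
    const log = this.log();
    log.push({ at: this.now(), action, version: POLICY_VERSION, granted: { ...this.state.granted } });
    this.storage.setItem("consentLog", JSON.stringify(log));
  }

  log() { return JSON.parse(this.storage.getItem("consentLog") || "[]"); }
  isAllowed(purpose) { return this.state.granted[purpose] === true; }
}

// Browser hook-up for tags written as
//   <script type="text/plain" data-consent="marketing" src="https://vendor.example/tag.js"></script>
// type="text/plain" stops the browser executing the tag. Flipping `type` on an
// already-parsed element does not run it, so a fresh element is created instead.
function wireDom(manager, doc) {
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    manager.register(el.dataset.consent, () => {
      const s = doc.createElement("script");
      if (el.src) s.src = el.src; else s.textContent = el.textContent;
      el.replaceWith(s);
    });
  }
}

if (typeof document !== "undefined") wireDom(new ConsentManager(window.localStorage), document);
```

The pop-up's buttons map onto `decide`: accept-all is `decide("accept_all", { statistics: true, marketing: true })`, the reject and withdraw buttons are `decide("reject")` and `decide("withdraw")` with no choices, and a settings panel passes whatever the visitor ticked. Two caveats a practitioner will hit: withdrawal cannot undo a script that has already run, so first-party cookies it set must be expired separately, and cookies a vendor set on its own domain cannot be deleted from your page at all; the only control over those is never running the vendor's tag in the first place.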

Cookie Information is a privacy tech company helping owners of websites and mobile apps become GDPR and ePrivacy compliant. We provide a Consent Management Platform (CMP) and a Compliance Dashboard to manage cookies and privacy risks on websites. We serve more than 1,000 organizations and process more than 4 billion consents each year.


Consent: The legal basis for cookies

The ePrivacy Directive (2002/58/EC, amended in 2009) requires, in short, that any storing of information on, or retrieval of information from, an end user’s device be subject to consent, unless it is strictly necessary to provide a service the user has explicitly requested or to carry out the transmission of a communication. The large majority of websites use cookies that involve the processing of visitors’ personal data, such as a user ID, IP address or geolocation, so consent in the context of electronic communications has to meet the conditions of the GDPR. If the lawful basis for processing personal data is consent, or if you transfer personal data to third parties, for example through third-party vendors’ cookies, collecting consent to the storage of cookies and the processing of personal data is essential to stay compliant with the GDPR.