Checklist for GDPR cookie compliance

Looking for a comprehensive guide to GDPR cookie compliance? Use this checklist if you want your website or app to comply with privacy laws like the ePrivacy Directive and the GDPR.

GDPR cookie compliance – A checklist

Collecting consent to cookies can be difficult. You may ask:
  • What are the rules?
  • Do they apply to my website?
  • What do I have to do to comply with the GDPR?
So, here is the most comprehensive GDPR cookie compliance checklist you’ll ever need.
This checklist is for anyone who wants to make sure they comply with both national cookie laws and the GDPR.

GDPR cookie compliance checklist

10 simple steps

In this guide, we answer all questions about cookies & consent and how the GDPR affects your use of services like Google Analytics and Facebook.
If you are not sure whether your website uses cookies that collect personal data, you can check with a website scan – fast and free.

Why do you need to collect valid consent for cookies?

Cookies and other trackers are useful. They can give your website visitors a better experience by remembering language settings or shopping cart items. Cookies can also provide you with insights into the traffic on your site and track your customers at various stages of the buyer’s journey.
But when you use cookies on your website, whether your own cookies or third-party, you are obligated to collect consent. Why?
Because cookies most often collect your users’ personal data, which is processed for marketing purposes.

And according to the GDPR, you must collect your users’ consent to cookies in order to be GDPR compliant.

Here are 10 key learnings you can use to begin collecting valid consent to cookies and to meet the requirements for GDPR compliance.

Let’s go over the checklist in detail.

1. Inform your users of cookies

For consent to be valid under the GDPR, the user must be informed about cookies, data collection and data processing.
Make sure the information includes:
  • which cookies your website uses;
  • who owns the cookies (you or a third party, e.g. Google);
  • what data the cookies collect (IP address, geolocation etc.);
  • for which purpose the cookies collect data (statistics, marketing etc.);
  • for how long the cookies collect data (cookie expiration date).

All this information can be created automatically by professional Consent Management Platforms like Cookie Information.

We scan your website and display all of the above information in your cookie banner and in your cookie policy.
[Image: GDPR cookie compliance checklist – inform your users of cookies] Inform your users about cookies and data processing. Link to a cookie policy for further details.

2. Collect consent by cookie purpose (specific)

You don’t have to collect consent for every single cookie! And you don’t have to collect consent for every single data processor or partner.

But consent must be specific, according to the GDPR.

In terms of cookies, that means you must collect a specific consent to each cookie purpose (statistics, marketing, functional cookies etc.).

Solution: Use checkboxes or toggles in your cookie banner, so your users can specify which cookie categories they want to consent to.

[Image: GDPR cookie compliance checklist – collect specific consent for each cookie purpose using toggles or checkboxes] Specify consent with toggles or checkboxes to collect specific consent to cookies.

3. Allow users to reject cookies

Consent must be freely given, according to the GDPR. That means your user must be able to reject giving consent to cookies.

Most Data Protection Authorities also require that consent must be as easy to reject as it is to give.

Solution: Place a “reject” button in your cookie banner, so your users can easily choose to give or not to give consent. This feature is enabled by default in Cookie Information’s overlay banners.
[Image: GDPR cookie compliance checklist – insert a reject button in your cookie banner to comply with the GDPR] Make sure your users can reject cookies. Insert a reject or decline button in your banner’s first layer to comply with the rules of the GDPR.

4. Collect active consents (Scrolling/swiping is not considered consent)

Consent must be freely given and unambiguous, according to the GDPR.
  • Freely given means that the user is presented with a choice (yes/no).
  • Unambiguous means that the user knows exactly what he or she gives consent to by actively clicking a button or ticking a box.
In practice, that means the user clicks an “accept” or “ok” button to give consent (with the option to reject as well).

Scrolling a page, swiping on mobile or simply using the website is not considered valid consent under the GDPR.

Solution: Use a cookie banner to collect your users’ active consent to cookies.

Professional Consent Management Platforms like Cookie Information only collect consent where users have been properly informed and know what they give consent to.

5. Respect your users’ privacy choices

If your user rejects cookies, make sure no further personal data is collected or shared with third parties.
Solution: Cookie Information’s CMP ensures that your website respects privacy laws by being able to hold back cookies until you have obtained consent.

6. Pre-ticked boxes are not allowed (checkboxes must be opt-in)

Consent is something the user chooses, something your user actively gives. Consent may never be assumed, and it may never be something a user has to deselect in a cookie banner by unticking several boxes that were preselected for giving consent.

When you ask for consent for a specific purpose (statistics, marketing etc.) the checkboxes in your cookie banner must not be pre-ticked for consent.

The user must actively tick these to agree to the different purposes.
This was made clear by the European Court of Justice in 2019 in the ruling against German lottery website Planet49.
Solution: Make sure your CMP can distinguish between cookie purposes by default and that each purpose is set to opt-in.
[Image: GDPR cookie compliance checklist – collect specific consent for each cookie purpose using toggles or checkboxes] Toggles or checkboxes must be set to opt-in for specific consent. The user must actively choose to give consent.

7. Nudging for consent is not allowed

Consent must be as easy to reject as it is to give.

Using ‘dark patterns’ to nudge the user into giving consent does not produce valid consent under the GDPR.
It must also be easy for your users to distinguish between a ‘yes’ and a ‘no’ to cookies. Of course, you can use signal colors or your brand colors in your cookie banner to distinguish between buttons.
Solution: Cookie Information’s Consent Pop-up is fully customizable, so you can design how you collect consent. We guide you to best practices.
[Image: GDPR cookie compliance checklist – nudging is not allowed, but use colors in your cookie banner to differentiate between yes and no to cookies]

8. Make it easy to withdraw or change consent

Your users have the right to withdraw their consent at any time.

Make it easy for your users to modify their consent preferences. Simply deleting cookies in their browser is not an option.

Solution: Place a link on your website or in your cookie policy that reopens your cookie banner. Then you comply with Article 7(1) and Article 13(2)(c) of the GDPR.
[Image: GDPR cookie compliance checklist – it’s easy to withdraw consent to cookies with Cookie Information by clicking the small icon on your site] A small icon on your website (bottom left corner) reopens the cookie banner so the user can change or withdraw consent.

9. Collect consent before using cookies (prior consent)

This is one of the more important parts of the GDPR and the ePrivacy Directive.

As a website owner, you must obtain valid cookie consent from your visitor before you place or read any cookies on his or her computer/phone.

*Except for technically necessary cookies.

Solution: Use Cookie Information’s Cookie Control SDK to prevent cookies from being fired before consent is given (just as the law requires).

10. Store all user consents for 5 years

The GDPR requires all consents to be stored for 5 years, in case documentation is needed to prove consent.

You will also need those historic consents if the data protection authorities want to audit your website.
Solution: Cookie Information stores all your users’ consents for 5 years securely on Azure Servers within the EU/EEA.

GDPR compliance - Why do you need to collect valid consent for cookies?

Because of privacy laws like the ePrivacy Directive (the “European cookie law”) and the GDPR.

ePrivacy Directive & cookies

The ePrivacy Directive – and all the national cookie laws that followed it – is the reason cookie banners emerged from 2010 onwards.
The ePrivacy Directive (2002) states that you must:
  • Collect consent for storing or gaining access to information on a user’s terminal equipment (computer/phone/tablet).
  • Base that consent on clear and comprehensive information.

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC.

Consent according to the ePrivacy Directive is informed and freely given.

GDPR & cookies

The GDPR, on the other hand, is all about the processing of personal data. And it applies to much of the data cookies store and collect.
If you use cookies that collect your users’ personal data for further processing, the rules for consent under the GDPR apply.

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Consent according to GDPR Recital 32 is:

  • Freely given (yes or no to cookies).
  • Specific (consent for each purpose – marketing, statistics, functional cookies).
  • Informed (tell your visitors which cookies you use).
  • Unambiguous (it must be clear what the user gives consent to).
These requirements for consent are why we cannot simply collect cookie consent by saying “We use cookies” and then showing an OK button.
If you need to comply with the GDPR, follow the checklist in this guide.

GDPR cookie compliance – what is personal data?

Cookies and other tracking technologies collect a lot of data that the GDPR defines as personal data.
Personal data under the GDPR is data that can directly or indirectly identify an internet user, either on its own or combined with other data.

The GDPR’s Article 4(1) defines personal data as “any information relating to an identified or identifiable natural person”.

What is personal data according to GDPR?

Personal data includes (but is not limited to):
  • Name
  • Identification number
  • Location data/positioning data
  • Online identifiers
  • IP address
  • Cookie identifiers
  • Device ID
(According to GDPR Recital 30.)

Most of the services you (probably) use like Google Analytics, Facebook, TikTok, LinkedIn, Hotjar, Amazon, Snapchat etc. place and read cookies through your website.

And these cookies collect a lot of personal data about your visitors. This data is used for profiling and real-time bidding (RTB).

As the data controller (owner of the website), you are responsible for collecting your users’ GDPR consent.

But I don’t use cookies, you may say! Or do you?

GDPR compliance - What is a cookie?

All websites use cookies!
Some cookies are used to make the website work (and are defined as technically necessary cookies).
Others collect information for analytics and marketing.
A cookie is just a small text file that is stored in the visitor’s browser by your website.
These text files usually contain information about preferred language or shopping cart items. But they can also hold a range of information, including personal data.
When a visitor enters your website for the first time, cookies are placed in his or her browser (Chrome, Firefox, etc.).
The second time your user comes to your website, these cookies are read and updated.
If they collect personal data, this data is passed to the owner of the cookie to be processed and used primarily to:
  • identify the user (used for filling ad space across websites);
  • track the user’s behavior (for future ad space auctions).
Read more about what cookies are and how they work here:

But what about Google Analytics? Is it a necessary cookie?


Question is: can you use Google Analytics without collecting consent?

Short answer is no.
Google Analytics places numerous cookies through your website. These store and collect information about your visitors.
Most of this information is categorized as personal information:
user ID, cookie ID, device type, IP address, geolocation etc.

But we don’t collect any personal information, you may say.

No, but Google does.

And according to the GDPR, you are the data controller and therefore, responsible for collecting valid consent for the cookies that are used through your website.

Google Analytics can be tweaked to anonymize and pseudonymize IP addresses, but it still collects a lot of information about your visitors that is categorized as personal data under the GDPR.

That is also why the Austrian, Italian and French Data Protection Authorities have banned Google Analytics based on complaints by privacy organization NOYB.

But then how do I get traffic data to Google Analytics if visitors say no to cookies? Introducing Google Consent Mode!

GDPR compliance - Cookies and Google Consent Mode

Compliance and traffic data to Google Analytics? AND Google Ads!
It’s possible. Read on.

Cookie Information is one of the world’s few Google Consent Management Platform (CMP) partners.

That means Google points to Cookie Information as a trusted partner for collecting valid consent to cookies!

Therefore, we integrate Google’s Consent Mode in our Consent Solution as a default feature.

What exactly does Consent Mode do?

Google Consent Mode works with your CMP (Consent Management Platform). It offers websites and marketers more flexibility when using Google products together with cookie banners.
With Consent Mode you can recover important traffic and conversion data for Google Analytics and Google Ads even if your users reject cookies.
Consent Mode changes the behavior of Google tags depending on whether your visitor gives consent or not.
If your visitor gives consent, cookies work as usual. If your visitor rejects cookies, no cookies are fired; a cookieless ping is sent to Analytics or Ads instead.
You can therefore still see that a specific campaign converted or that a specific blog post was read. However, all data is aggregated and anonymous.
Google Consent Mode works with Google Analytics, Google Ads, Floodlight and other Google products.
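The following is an added example, not Cookie Information’s own code or SDK, showing how steps 5 and 9 of the checklist (hold non-necessary tags back until consent; push consent defaults before any Google tag loads) and the Consent Mode behaviour described above fit together in a page script. The purpose names (`necessary`, `statistics`, `marketing`), the `TagLoader` class and the shape of the consent record are assumptions made for the example; the `gtag('consent', 'default' | 'update', …)` call shape and the storage-type names (`analytics_storage`, `ad_storage`, `ad_user_data`, `ad_personalization`, `wait_for_update`) are Google’s Consent Mode API. The `gtag()` function here is a constructed stand-in that, like Google’s real bootstrap snippet, only pushes its arguments onto `dataLayer`, so the example runs offline in Node and you can inspect what the tags would have received.

```javascript
'use strict';

// Constructed stand-in for the gtag.js bootstrap: Google's own snippet defines
// gtag() as a function that pushes its arguments onto window.dataLayer.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Which Consent Mode storage types each banner purpose controls (assumption:
// the purpose names are ours, the storage-type names are Google's).
const PURPOSE_TO_CONSENT_TYPES = {
  statistics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Translate the banner's purpose toggles into a Consent Mode state object.
// Default-deny: any storage type whose purpose was not consented to is 'denied'.
function consentModeState(consents) {
  const state = {};
  for (const [purpose, types] of Object.entries(PURPOSE_TO_CONSENT_TYPES)) {
    const value = consents[purpose] === true ? 'granted' : 'denied';
    for (const type of types) state[type] = value;
  }
  return state;
}

// Step 9 (prior consent): the 'default' command must be pushed before any
// Google tag loads. wait_for_update asks tags to hold data for up to 500 ms
// while the CMP looks up a previously stored choice.
function setConsentDefault() {
  gtag('consent', 'default', { ...consentModeState({}), wait_for_update: 500 });
}

// Step 5 (respect choices): non-necessary tags are registered but not fired
// until the matching purpose has been consented to. (Hypothetical helper.)
class TagLoader {
  constructor() {
    this.pending = [];
    this.fired = [];
  }

  // tag = { name, purpose, activate }; activate() is where the real script
  // would be injected into the page.
  register(tag) {
    if (tag.purpose === 'necessary') {
      this.fire(tag); // strictly necessary: exempt from consent (ePrivacy art. 5(3))
    } else {
      this.pending.push(tag);
    }
  }

  fire(tag) {
    tag.activate();
    this.fired.push(tag.name);
  }

  // Called when the user submits the banner, or changes choices later.
  applyConsent(consents) {
    gtag('consent', 'update', consentModeState(consents));
    this.pending = this.pending.filter((tag) => {
      if (consents[tag.purpose] === true) {
        this.fire(tag);
        return false; // no longer pending
      }
      return true;    // stays blocked until consent changes
    });
    return this.fired.slice();
  }
}

// Step 10 (documentation): a consent record you could persist server-side.
// The 5-year retention period is the figure this page states; the record's
// shape is an assumption.
function consentRecord(consents, givenAt) {
  const retainUntil = new Date(givenAt);
  retainUntil.setUTCFullYear(retainUntil.getUTCFullYear() + 5);
  return {
    purposes: { ...consents },
    givenAt: givenAt.toISOString(),
    retainUntil: retainUntil.toISOString(),
    consentMode: consentModeState(consents),
  };
}

// One simulated visit: defaults first, tags registered, then the user's choice.
// The tag names are constructed sample values.
function demo(consents) {
  dataLayer.length = 0;
  setConsentDefault();
  const loader = new TagLoader();
  const injected = []; // scripts that actually reached the page
  const tag = (name, purpose) => ({ name, purpose, activate: () => injected.push(name) });
  loader.register(tag('session-cookie', 'necessary'));
  loader.register(tag('google-analytics', 'statistics'));
  loader.register(tag('ads-pixel', 'marketing'));
  loader.applyConsent(consents);
  const record = consentRecord(consents, new Date('2024-01-15T10:00:00Z'));
  return { injected, dataLayer: dataLayer.slice(), record };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo({ statistics: true, marketing: false }), null, 2));
}
```

Running the file shows that with statistics accepted and marketing rejected, only the session cookie and the analytics tag are injected, `dataLayer` holds a `default` entry with every storage type denied followed by an `update` granting only `analytics_storage`, and the record carries a `retainUntil` five years after the consent timestamp. The order matters: if a Google tag is loaded before the `default` command is pushed, it behaves as if consent had been granted.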
How do you get it?

Become GDPR compliant without losing your data

Cookie Information ensures your GDPR compliance.
  • We make sure your website or app collects valid GDPR consent to cookies.
  • We make sure all consents are securely stored for documentation.
  • You do not have to worry about GDPR cookie compliance again.
Sign up for a free trial here and discover how easily you can get data for your Google products and remain compliant with the GDPR.

FAQ:

We get a lot of questions about cookies and consent. Here is a list of the most frequent.
Yes – if you use cookies or other tracking technologies, you are required by the ePrivacy Directive and the GDPR to use a cookie banner on your website.

According to the ePrivacy Directive (“the European cookie law”), you need to collect an informed consent for placing cookies on your user’s computer/phone and/or gaining access to the information in these cookies.

According to the GDPR, you must collect GDPR consent if any of the cookies set through your website (including Google Analytics, Facebook Pixels, LinkedIn insight tags etc.) collect your users’ personal data.

LINK: https://cookieinformation.com/what-is-a-cookie-consent-under-the-gdpr/
A cookie policy is meant to give your users an overview of the cookies you use and what data they collect. This is the page where you can include all the required information about cookies:

What cookies does your website use?

Who owns the cookies?

What data do the cookies collect?

For how long do the cookies collect data?

A cookie policy is based on in-depth scans of your website and is updated after each scan.

LINK: https://cookieinformation.com/what-is-a-cookie-policy
Does GDPR apply to all cookies?
No. Only cookies that collect EU citizens’ personal data (for further processing). Personal data in the GDPR is defined as “any information relating to an identified or identifiable natural person”.

That is any data that can lead to the identification – directly or indirectly – of an EU citizen. That includes identifiers such as names, online identifiers, location and positioning data, IP addresses, device IDs etc.

It’s the ePrivacy Directive that defines the rules for how to collect consent for using cookies (and other tracking technology), but it’s the GDPR that sets the rules for how to obtain consent for collecting and processing personal data.

LINK: https://cookieinformation.com/what-is-the-gdpr/
Are all cookies personal data?
No. Some cookies contain no data considered to be personal. These can be cookies that just make your website work. Often these cookies are labelled “technically necessary cookies” and do not require your users’ consent.

These can be shopping cart cookies that remember items put in the basket. According to the ePrivacy Directive (art.5.3), some cookies are exempt from consent including cookies used solely for “carrying out the transmission of a communication over an electronic communications network or cookies strictly necessary to provide a service explicitly requested by the user”.

LINK: https://cookieinformation.com/what-is-the-gdpr/
If you use cookies or other tracking technology – YES. If you don’t use cookies on your site or these cookies are labelled strictly necessary cookies, then no.

Most websites use cookies or other forms of tracking technology (e.g., fingerprinting) and most websites use services like Google Analytics or have integrated a pixel from Facebook, a LinkedIn Insight Tag or other third-party scripts.

These services set cookies through your site. You are the data controller according to the GDPR and therefore responsible for collecting valid consent to cookies.

LINK: https://cookieinformation.com/what-is-a-cookie-consent-under-the-gdpr/