How to collect valid cookie consent – here’s a quick overview!
Collect valid cookie consent [checklist]
- Block cookies before you get consent
- Offer an easy way for your user to decline cookies
- Inform your users of cookies
- Respect their privacy choices
- Provide an easy way to change or withdraw consent
- Store their consents for 5 years
Why you need to collect valid consent to cookies
Cookies and other trackers are great. They can give your website visitor a better experience of your website by remembering language settings or shopping cart items. Cookies can also provide you with insights into the traffic on your site and track your customers at various stages of their buyer’s journey.
According to the GDPR, that requires you to collect your users’ consent to cookies.
Here are 6 key learnings you can use to begin collecting valid consent to cookies.
1. Block cookies until your user has given consent
Make sure your website doesn’t place any cookies or other tracking technologies before your user has given consent.
This part is essential for complying with both the ePrivacy Directive (the “cookie law”) and the GDPR.
Choose a Consent Management Platform (CMP) for your website which controls the execution of scripts that set cookies.
Only then are you in control of your cookies.
2. Provide your visitor with the option to decline cookies (and tracking)
Give your visitors an easy way to say no thanks to cookies.
Consent must be freely given, and that applies to cookies too.
In your cookie consent banner, make sure you have a “Do not accept” button. It doesn’t matter what you call it (e.g. decline, no thanks), as long as it’s clear that your website will not place any cookies if the user declines.
This can be overcome by informing your visitors well about your cookies’ purposes and by putting toggles in your consent pop-up, so users can select or deselect cookies by purpose.
This means you’ll collect consent at a granular level, which is required by the GDPR.
Important: If you choose a Consent Pop-up design that displays privacy controls that allow your visitors to opt in and opt out at purpose level, the settings must not be pre-selected to accept cookies (see EU case against Planet49).
The user must actively select cookies by purpose by selecting each check box.
3. Inform your users of cookies and tracking
Inform your users of what kind of cookies and trackers you are using on your site and what kind of data they are collecting.
Then they can give their consent on a valid basis.
You should, as a minimum, provide information about:
- Who owns the cookies (e.g. Google, Facebook, Amazon etc.)?
- What is the purpose of data collection (e.g. marketing, statistics etc.)?
- When does the cookie expire (how long is it stored in the visitor’s browser)?
4. Respect and remember your users’ privacy choices
When you implement your consent pop-up, make sure it only allows storing cookies that your user has consented to.
This is essential to maintaining trust with your users.
If your users decline cookies or only select functional cookies, respect this choice.
Choose a Consent Solution that supports easy implementation of privacy settings and which gives you full control over cookies.
This will allow you to respect and remember your visitors’ privacy choices and settings.
5. Provide an easy way to withdraw or change consent
It must be as easy for the visitor to withdraw or change consent as it was to give it.
Be prepared to let your visitor change or withdraw a consent.
Maybe your user has had a change of mind and no longer wants Google Analytics or Facebook pixel to track him or her on your site.
This of course should be respected.
Look for a Consent Solution which provides you and your user with an easy opt-out of cookies.
Upon clicking this feature, your consent pop-up should prompt the user on how to change or withdraw consent to cookies.
6. Log and store all your users’ consents
Store your users’ consents to cookies so you can easily retrieve them in case you are subject to an inspection from the Data Protection Authorities.
As the data controller, you are responsible for documenting consent to cookies set by your site.
This applies regardless of whether the cookies collecting and processing personal data are owned by Google, Facebook, Amazon or any other third-party provider.
Your Consent Solution should by default collect and store all your users’ consents, even for those who decline cookies.
Consents must be stored for 5 years in case the Data Protection Authorities request them.
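The blocking, purpose-level opt-in, withdrawal and logging rules above, as an added example (not code from this page or from any Consent Management Platform): scripts are registered under a purpose and run only once that purpose has been explicitly granted. All names (createConsentGate, register, decide, the purpose list) and the timestamps are hypothetical.

```javascript
// Added example; every name here is hypothetical, not a real CMP API.
const PURPOSES = ["functional", "statistics", "marketing"];

function createConsentGate() {
  // Every purpose starts false: nothing is pre-selected.
  const state = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  const pending = []; // loaders still blocked: { purpose, load }
  const log = [];     // one record per decision, declines included

  function register(purpose, load) {
    if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
    if (state[purpose]) load();
    else pending.push({ purpose, load });
  }

  function decide(choices, timestamp) {
    // Only an explicit `true` grants a purpose; anything else is a decline.
    for (const p of PURPOSES) state[p] = choices[p] === true;
    log.push({ timestamp, choices: { ...state } });
    // Release loaders whose purpose is now granted; re-queue the rest.
    for (const item of pending.splice(0)) {
      if (state[item.purpose]) item.load();
      else pending.push(item);
    }
  }

  return { register, decide, allowed: (p) => state[p] === true, log };
}

function demo() {
  const gate = createConsentGate();
  const loaded = [];
  gate.register("statistics", () => loaded.push("analytics"));
  gate.register("marketing", () => loaded.push("pixel"));
  const beforeConsent = loaded.slice();                       // nothing has run
  gate.decide({ statistics: true }, "2024-01-01T00:00:00Z");  // constructed timestamp
  const afterConsent = loaded.slice();                        // statistics only
  gate.decide({}, "2024-01-02T00:00:00Z");                    // consent withdrawn
  gate.register("statistics", () => loaded.push("analytics-again"));
  return { beforeConsent, afterConsent, final: loaded.slice(), log: gate.log,
           marketingAllowed: gate.allowed("marketing") };
}
```

Withdrawing consent here only stops further loaders from running; cookies that were already set still have to be deleted separately.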