GDPR cookie compliance – A checklist
- What are the rules?
- Do they apply to my website?
- What do I have to do to comply with the GDPR?
GDPR cookie compliance Checklist
10 simple steps
- Inform your users of cookies
- Collect consent by cookie purpose
- Allow users to reject cookies
- Collect active consent (no scrolling/swiping for consent)
- Respect your users’ privacy choices
- Pre-ticked boxes must be set to opt-out
- Nudging for consent is not allowed
- Make it easy to withdraw or change consent
- Collect consent before using cookies
- Store all user consents for 5 years
Are your cookies collecting personal data?
Why do you need to collect valid consent for cookies?
According to the GDPR, you must collect your users’ consent to cookies in order to be GDPR compliant.
Here are 10 key learnings you can use to begin collecting valid consent to cookies and to meet the requirements for GDPR compliance.
1. Inform your users of cookies
- which cookies your website uses.
- who owns the cookies (you or a third party, e.g. Google).
- what data the cookies collect (IP address, geolocation, etc.).
- for which purpose the cookies collect data (statistics, marketing, etc.).
- for how long the cookies collect data (cookie expiration date).
All this information can be created automatically by professional Consent Management Platforms like Cookie Information.
2. Collect consent by cookie purpose (specific)
Consent must be specific, according to the GDPR: a single “accept all” click does not tell you which purposes the user actually agreed to.
Solution: Use checkboxes or toggles in your cookie banner, so your users can specify which cookie categories they want to consent to.
3. Allow users to reject cookies
Most Data Protection Authorities also require that consent must be as easy to reject as it is to give.
4. Collect active consents (Scrolling/swiping is not considered consent)
- Freely given means that the user is presented with a choice (yes/no).
- Unambiguous means that the user knows exactly what he or she gives consent to by actively clicking a button or ticking a box.
Scrolling a page, swiping on mobile or simply using the website is not considered valid consent under the GDPR.
Professional Consent Management Platforms like Cookie Information only collect consent where users have been properly informed and know what they give consent to.
5. Respect your users’ privacy choices
6. Pre-ticked boxes must be set to opt-out
When you ask for consent for a specific purpose (statistics, marketing etc.) the checkboxes in your cookie banner must not be pre-ticked for consent.
7. Nudging for consent is not allowed
Consent must be as easy to reject as it is to give.
8. Make it easy to withdraw or change consent
Make it easy for your users to modify their consent preferences. Simply deleting cookies in their browser is not an option.
9. Collect consent before using cookies (prior consent)
As a website owner, you must obtain valid cookie consent from your visitor before you place or read any cookies on his or her computer/phone.
Solution: Use Cookie Information’s Cookie Control SDK to prevent cookies from being fired before consent is given (just as the law requires).
10. Store all user consents for 5 years
The GDPR requires all consents to be stored for 5 years, in case documentation is needed to prove that consent was given.
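The ten steps above describe one procedure: gate every non-necessary cookie behind an explicit, per-purpose, revocable and documented consent. The following consent gate, written for this checklist as an added example, shows the logic in plain JavaScript. It is not Cookie Information’s Cookie Control SDK and not code from the original page; the purpose names, the `createConsentManager` function, the injected `storage` object and `now` clock are assumptions chosen so that the logic can run outside a browser.

```javascript
// Added example: a minimal consent gate for the checklist steps above.
// Not Cookie Information's SDK; all names and the injected storage/clock are assumptions.

const PURPOSES = ["statistics", "marketing", "functional"];
const RETENTION_MS = 5 * 365 * 24 * 60 * 60 * 1000; // the page's 5-year record period

function createConsentManager({ storage = {}, now = () => Date.now() } = {}) {
  // No record means every purpose is opted out (step 6: nothing pre-ticked).
  // "necessary" cookies are exempt from consent and are never gated.
  const state = { record: null, pending: [] };

  function allows(purpose) {
    if (purpose === "necessary") return true;
    return !!(state.record && state.record.choices[purpose] === true);
  }

  // Step 9 (prior consent): a script that sets cookies is registered, not run.
  // It fires immediately only if consent for its purpose already exists,
  // otherwise it waits in the queue. Returns whether it ran now.
  function whenAllowed(purpose, loader) {
    if (purpose !== "necessary" && !PURPOSES.includes(purpose)) {
      throw new Error("unknown cookie purpose: " + purpose);
    }
    if (allows(purpose)) { loader(); return true; }
    state.pending.push({ purpose, loader });
    return false;
  }

  function flushPending() {
    const keep = [];
    for (const p of state.pending) {
      if (allows(p.purpose)) p.loader(); else keep.push(p);
    }
    state.pending = keep;
  }

  // Steps 2, 4 and 10: only an active click counts (scrolling is rejected),
  // each purpose is recorded separately, unmentioned purposes stay opted out,
  // and the record carries timestamp, banner version and a 5-year expiry.
  function recordConsent(choices, { version = "banner-v1", source = "button" } = {}) {
    if (source !== "button" && source !== "checkbox") {
      throw new Error("consent must be an active action, got: " + source);
    }
    const ts = now();
    const normalised = {};
    for (const p of PURPOSES) normalised[p] = choices[p] === true;
    state.record = { choices: normalised, version, givenAt: ts, expiresAt: ts + RETENTION_MS };
    storage.consentRecord = JSON.stringify(state.record); // constructed storage key
    flushPending();
    return state.record;
  }

  // Steps 3, 7 and 8: rejecting or withdrawing is one call, as cheap as accepting,
  // and it writes a new all-false record rather than silently deleting the old one.
  function withdraw(opts) { return recordConsent({}, opts); }

  // Restore an earlier choice on the next visit; an expired record is treated
  // as no consent, so the user must be asked again (step 10).
  function load() {
    if (!storage.consentRecord) return null;
    const rec = JSON.parse(storage.consentRecord);
    if (rec.expiresAt <= now()) return null;
    state.record = rec;
    flushPending();
    return rec;
  }

  return { allows, whenAllowed, recordConsent, rejectAll: withdraw, withdraw, load };
}

// Stand-alone demo with an in-memory storage object (constructed, not a browser).
const demoStorage = {};
const demo = createConsentManager({ storage: demoStorage });
demo.whenAllowed("statistics", () => console.log("analytics tag would load now"));
demo.recordConsent({ statistics: true }, { source: "button" }); // logs the line above
demo.withdraw();                                                  // statistics now blocked
console.log("statistics allowed after withdrawal:", demo.allows("statistics"));
```

The design point is that loaders for third-party tags are never executed on page load; they are handed to `whenAllowed` and only run after `recordConsent` stores an explicit choice for that purpose, which is what “prior consent” means in practice.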
GDPR compliance - Why do you need to collect valid consent for cookies?
ePrivacy Directive & cookies
- Collect consent for storing or gaining access to information on a user’s terminal equipment (computer/phone/tablet).
- That consent is based on clear and comprehensive information.
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC.
GDPR & cookies
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Consent according to the GDPR recital 32 is:
- Freely given (yes or no to cookies).
- Specific (consent for each purpose – marketing, statistics, functional cookies).
- Informed (tell your visitors which cookies you use).
- Unambiguous (it must be clear what the user gives consent to).
GDPR cookie compliance – what is personal data?
What is personal data according to GDPR?
- Identification number
- Location data/positioning data
- Online identifiers
- Cookie identifiers
- Device ID
Most of the services you (probably) use like Google Analytics, Facebook, TikTok, LinkedIn, Hotjar, Amazon, Snapchat etc. place and read cookies through your website.
As the data controller (owner of the website), you are responsible for collecting your users’ GDPR consent.
GDPR compliance - What is a cookie?
- identify the user (used for filling ad space across websites).
- track the user’s behavior (for future ad space auctions).
But what about Google Analytics? Is it a necessary cookie?
Question is: can you use Google Analytics without collecting consent?
But we don’t collect any personal information, you may say.
According to the GDPR, you are the data controller and therefore responsible for collecting valid consent for the cookies that are used through your website.
That is also why the Austrian, Italian and French Data Protection Authorities have banned Google Analytics based on complaints by privacy organization NOYB.
But then how do I get traffic data to Google Analytics if visitors say no to cookies? Introducing Google Consent Mode!
GDPR compliance - Cookies and Google Consent Mode
Cookie Information is one of the world’s few Google Consent Management Platform (CMP) partners.
What exactly does Consent Mode do?
Become GDPR compliant without losing your data
- We make sure your website or app collects valid GDPR consent to cookies.
- We make sure all consents are securely stored for documentation.
- You do not have to worry about GDPR cookie compliance again.
According to the ePrivacy Directive (“the European cookie law”), you need to collect an informed consent for placing cookies on your user’s computer/phone and/or gaining access to the information in these cookies.
According to the GDPR, you must collect GDPR consent if any of the cookies set through your website (including Google Analytics, Facebook Pixels, LinkedIn insight tags etc.) collect your users’ personal data.
What cookies does your website use?
Who owns the cookies?
What data do the cookies collect?
For how long do the cookies collect data?
No. Only cookies that collect EU citizens’ personal data (for further processing). Personal data in the GDPR is defined as “any information relating to an identified or identifiable natural person”.
That is any data that can lead to the identification, directly or indirectly, of an EU citizen. That includes identifiers such as names, online identifiers, location and positioning data, IP addresses, device IDs, etc.
It’s the ePrivacy Directive that defines the rules for how to collect consent for using cookies (and other tracking technology), but it’s the GDPR that sets the rules for how to obtain consent for collecting and processing personal data.
No. Some cookies contain no data considered to be personal. These can be cookies that just make your website work. Often these cookies are labelled “technically necessary cookies” and do not require your users’ consent.
These can be shopping cart cookies that remember items put in the basket. According to the ePrivacy Directive (art.5.3), some cookies are exempt from consent including cookies used solely for “carrying out the transmission of a communication over an electronic communications network or cookies strictly necessary to provide a service explicitly requested by the user”.
These services set cookies through your site. You are the data controller according to the GDPR and therefore responsible for collecting valid consent to cookies.