Checklist for GDPR cookie compliance

Collect valid cookie consent in the era of the GDPR! Here's what we have learned from collecting 41 billion consents to cookies a year.

How to collect valid cookie consents – here’s a quick overview!

Collect GDPR compliant cookie consent [checklist]

  • Block cookies before you get consent
  • Offer an easy way for your user to decline cookies
  • Inform your users of cookies
  • Respect their privacy choices
  • Provide an easy way to change or withdraw consent
  • Store their consents for 5 years

Why do you need to collect valid consent for cookies?

Cookies and other trackers are great. They can give your website visitors a better website experience by remembering language settings or shopping cart items. Cookies can also provide you with insights into the traffic on your site and track your customers at various stages of the buyers’ journey.
But when you use cookies on your website, whether your own cookies or third-party, you are obligated to collect consent. Why?
Because cookies most often collect your users’ personal data, which is processed for marketing purposes.

And according to the GDPR, you must collect your users’ consent to cookies in order to be GDPR compliant.

Here are 6 key learnings you can use to begin collecting valid consent to cookies and to meet the requirements for GDPR compliance.

1. Block cookies until your user has given consent

Ensure your website doesn’t place any cookies or other tracking technologies before your user has consented.

This part is essential for complying with the ePrivacy Directive (the “cookie law”) and the GDPR.

Choose a Consent Management Platform (CMP) for your website that controls the execution of scripts that set cookies.

Only then are you in control of your cookies.

2. Provide your visitor with the option to decline cookies (and tracking)

Give your visitors an easy way to say no thanks to cookies.
Consent must be freely given, and that applies to cookies too.
Make sure you have a “Do not accept” button in your cookie consent banner. It doesn’t matter what you call it (e.g., decline, no thanks), as long as it’s clear that your website will not place any cookies if the user declines.
As your website may use cookies for various purposes (e.g., marketing, statistics, functional), you need valid consent for each purpose.
You can meet this requirement by clearly informing your visitors of your cookies' purposes and putting toggles in your consent pop-up so that users can select or deselect cookies by purpose.
This means you'll collect consent at the granular level the GDPR requires.

Important: If you choose a consent pop-up design that displays privacy controls that allow your visitors to opt in and opt out at the purpose level, the settings must not be pre-selected to accept cookies (see EU case against Planet49).

The user must actively select cookies by purpose by selecting each check box.

3. Inform your users of cookies and tracking

Inform your users what kind of cookies and trackers you are using on your site and what data they are collecting.
Then they can give their consent on a valid basis.
You should, as a minimum, provide information about:
  • Who owns the cookies (e.g., Google, Facebook, Amazon, etc.)?
  • What is the purpose of data collection (e.g., marketing, statistics, etc.)?
  • When does the cookie expire (how long is it stored in the visitor’s browser)?

4. Respect and remember your users' privacy choices

When you implement your consent pop-up, be sure it only stores cookies the user has consented to.
This is essential to maintaining trust with your users.
If your users decline cookies or select only functional cookies, respect that choice.

Choose a consent solution that supports easy implementation of privacy settings and gives you full control over cookies.

This will allow you to respect and remember your visitors’ privacy choices and settings.

5. Provide an easy way to withdraw or change the consent

It must be as easy for the visitor to withdraw or change consent as it was to give it.
Be prepared to let your visitor change or withdraw consent.
Maybe your user has had a change of mind and no longer wants Google Analytics or Facebook pixel to track them on your site.
This, of course, should be respected.

Look for a consent solution that provides you and your user with an easy opt-out of cookies.

Your user should be able to quickly find a way to change or withdraw consent, either by clicking an icon present on your page or in the cookie policy.
Upon clicking this feature, your consent pop-up should prompt the user on how to change or withdraw consent to cookies.

6. Log and store all your users' consent

Store your users’ consent to cookies so you can easily retrieve them if you are subject to an inspection from the Data Protection Authorities.
As the data controller, you are responsible for documenting consent to cookies set by your site.
This applies even when the cookies are owned by Google, Facebook, Amazon, or any other third-party provider that collects and processes personal data.

Your consent solution should, by default, collect and store all your users’ consent, even for those who decline cookies.

Consent must be stored for 5 years so that you can provide it if the Data Protection Authorities request it.
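
The logic behind points 1, 2, 4, 5 and 6, as an added sketch that is not taken from this page or from any CMP product: nothing runs before a decision, every purpose toggle starts deselected, withdrawal is a single call, and every decision (including a decline) is logged with a 5-year retention date. The class, method names, script URLs and visitor IDs are hypothetical.

```javascript
// Added example: purpose-level consent gate. All names are hypothetical.
const PURPOSES = ["functional", "statistics", "marketing"];

// Constructed sample registry: the purpose each script on the site serves.
const SCRIPTS = [
  { src: "https://stats.example/analytics.js", purpose: "statistics" },
  { src: "https://ads.example/pixel.js", purpose: "marketing" },
  { src: "/js/language-picker.js", purpose: "functional" },
];

class ConsentGate {
  constructor(now = () => new Date()) {
    this.now = now;       // injectable clock so retention dates are testable
    this.log = [];        // append-only consent records (point 6)
    this.choices = null;  // null means the visitor has not decided yet
  }

  // Banner toggles: every purpose starts deselected, never pre-ticked.
  defaultToggles() {
    return Object.fromEntries(PURPOSES.map((p) => [p, false]));
  }

  // Record a decision. Only an explicit `true` counts as consent, so a
  // missing or malformed value for a purpose is stored as declined.
  record(visitorId, selected) {
    const choices = this.defaultToggles();
    for (const p of PURPOSES) choices[p] = selected[p] === true;
    const given = this.now();
    const retainUntil = new Date(given);
    retainUntil.setFullYear(given.getFullYear() + 5);
    this.choices = choices;
    this.log.push({ visitorId, choices: { ...choices }, given, retainUntil });
    return choices;
  }

  // Withdrawing is as easy as consenting: one call, and it is logged too.
  withdraw(visitorId) {
    return this.record(visitorId, {});
  }

  // Scripts allowed to execute right now; empty until a decision exists.
  allowedScripts() {
    if (this.choices === null) return [];
    return SCRIPTS.filter((s) => this.choices[s.purpose]).map((s) => s.src);
  }
}
```

In a browser, the list returned by `allowedScripts()` would decide which script tags the page injects; the earlier log entries stay untouched after a withdrawal, so the history of each visitor's choices is preserved.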
