Learnings after collecting 6 billion consents
GDPR makes it clear that some cookies will, by nature, involve the processing of personal data. This applies to almost all marketing, targeting and web-analytics cookies that store visitor identifiers. Therefore, collecting a valid cookie consent is essential to fulfill the requirements of the GDPR.
Here are 5 key learnings from processing 6 billion consents each year:
1. Block cookies until the user has given consent, including on the landing page
Make sure that your website does not allow tags, plug-ins and scripts to set cookies before the website visitor has consented to the storage of cookies. Choose a consent solution that controls the execution of the scripts that set cookies, so that you control which cookies are set.
2. Design the Consent Pop-Ups to enable the visitor’s right to object to and to control privacy settings
Make it possible for the website visitor to decline the storage of cookies on their device. The consent must be freely given. Therefore, the “Do not accept/Privacy settings” button must be available, visible and based on the purposes for data collection.
3. Respect and remember the choices in the privacy settings made by your visitors
When implementing a Consent Pop-up, make certain that your website only sets cookies that the visitor has consented to in the privacy settings. The way to achieve this is to set cookies only upon receiving consent from the visitor. This is done by controlling the scripts that set the cookies, and only allowing the scripts to run once consent has been collected. Remember that gaining full control over which cookies the website sets is critical when choosing a consent solution, as a consent would otherwise be considered invalid. Choose a consent solution that supports easy implementation of privacy settings that give the website full control over cookies and allow you to respect and remember the visitors’ choices.
4. Provide an easy way for the visitor to withdraw or change consent
It must be as easy for the visitor to withdraw or change a consent as it was for them to give it. Websites need always-available privacy settings, so even after getting a valid consent, there must be a way for the visitor to change their mind. If giving consent is as easy as clicking a button on the landing page, then withdrawal of consent must be just as simple. Look for a consent solution that provides functionality to change the consent at any time, either by embedding the privacy settings on a separate page or, if the privacy settings are displayed in the Consent Pop-up, by making it possible to re-open the Consent Pop-up with the click of a button or icon on any page.
5. Make sure you log and store each user’s consent and are ready to document each consent in case you are subjected to an inspection from the Data Protection Authorities.
The website owner should be able to provide a detailed log of each visitor's consent upon request of a Data Protection Authority. The consent solution provider should keep a consent log which demonstrates the specific consent collection for each visitor.
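The script control described in learnings 1, 3, 4 and 5 can be reduced to a default-deny gate, shown here as an added example that is not code from Cookie Information or any specific consent product. The purpose names, tag list, visitor ID and log fields are assumptions made for illustration.

```javascript
// Added example: purpose names, tags and log fields are assumptions.
const PURPOSES = ["necessary", "functional", "statistics", "marketing"];

// Constructed sample tags, each declaring the purpose of the cookies it sets.
const TAGS = [
  { src: "/js/session.js", purpose: "necessary" },
  { src: "/js/analytics.js", purpose: "statistics" },
  { src: "/js/ads.js", purpose: "marketing" },
  { src: "/js/unknown-widget.js" }, // no declared purpose: never runs
];

class ConsentGate {
  constructor() {
    this.log = []; // append-only record of every choice (learning 5)
    this.choices = this.defaults();
  }

  // Before any choice is made, only strictly necessary scripts may run.
  defaults() {
    return Object.fromEntries(PURPOSES.map((p) => [p, p === "necessary"]));
  }

  // Store a choice (grant, change or withdrawal) and log it with a timestamp.
  record(visitorId, selected, when = new Date()) {
    const next = this.defaults();
    for (const p of PURPOSES) {
      // Only an explicit boolean true counts as consent for a purpose.
      if (p !== "necessary" && selected[p] === true) next[p] = true;
    }
    this.choices = next;
    this.log.push({ visitorId, choices: { ...next }, timestamp: when.toISOString() });
    return next;
  }

  // A tag may run only if its purpose is known and has been consented to.
  mayRun(tag) {
    return PURPOSES.includes(tag.purpose) && this.choices[tag.purpose] === true;
  }

  // Sources of the tags that are currently allowed to execute.
  allowed(tags) {
    return tags.filter((t) => this.mayRun(t)).map((t) => t.src);
  }
}
```

In a browser, the page would inject a `<script>` element only for the sources returned by `allowed()`, and re-evaluate after every call to `record()` so that a withdrawal takes effect immediately.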
Cookie Information is a Privacy Tech Company helping owners of websites and mobile apps become GDPR & ePrivacy compliant. We provide a Consent Management Platform (CMP) and a Compliance Dashboard to manage cookies and privacy risks on websites. We service more than 1,000 organizations and process more than 6 billion consents each year.