What have we learned from collecting 15 billion consents? Here's a comprehensive checklist to collect valid consent to cookies in the era of the GDPR.
- Block cookies until you user has given consent
- Provide your visitors with the option to decline cookies (and tracking)
- Inform your users of cookies and tracking
- Respect and remember your user's privacy choices
- Provide an easy way for your user to withdraw or change consent
- Log and store all your users' consents
GDPR makes it clear that some cookies by nature will involve the processing of personal data.
This applies to almost all marketing, targeting and analytics cookies that store visitor identifiers.
When collecting and processing personal data, the ePrivacy Directive and the GDPR requires you to collect a valid consent.
Here are 6 key learnings from processing 15 billion consents each year and a comprehensive checklist to collecting valid consent.
1. Block cookies until your user has given consent.
This part is essential for complying with both the ePrivacy Directive (the "cookie law") and the GDPR.
Make sure your website does not allow tags, plug-ins and scripts to set cookies before your visitor has given consent to the storage of cookies in his or her browser.
Choose a consent solution for your website that controls the execution of scripts which set cookies.
Only then are you in control of your cookies.
2. Provide your visitors with the option to decline cookies (and tracking)
Make it possible for your visitor to decline the storage of cookies on their device.
Consent to cookies must be freely given.
Therefore the “Do not accept/Privacy settings” button must be available, visible and based on the purposes for data collection.
This means granular levels of privacy controls with the ability to collect separate consents for statistics and marketing purposes.
If you choose a Consent Pop-up design that displays privacy controls which allows your visitors to opt-in and opt-out on purpose level, the settings must not be pre-selected to accept cookies. The user must actively select cookies by purpose by selecting each check box.
3. Inform your users of cookies and tracking
Inform your users of what kind of data specific cookies are collecting, so they can base their choice of consent on a valid basis.
You. should as minimum provide information about:
Inform users' of cookies
- Who owns the cookies (e.g. Google, Facebook, Amazon etc.)?
- What is the purpose of data collection (e.g. marketing, statistics etc.)?
- When does the cookie expire (how long is it stored in the visitor's browser)?
4. Respect and remember your users' privacy choices
This is essential to maintain trust with your users.
If your users decline cookies or only selects functional cookies, respect their choice.
When you implement your consent pop-up be sure it only allows cookies to be store that your user has consented to.
This is achieved by having full control of which cookies are "fired" - or set - when the user enters your site.
Only then is your consent valid.
Choose a Consent Solution that supports easy implementation of privacy settings and which gives you full control over cookies. This will allow you to respect and remember your visitors’ privacy choices and settings.
5. Provide an easy way for your visitor to withdraw or change consent
It must be as easy for the visitor to withdraw or change consent as it was to give it.
Be prepared to let your visitor change or withdraw a consent. Maybe your user has had a change of mind and no longer wants Google Analytics or Facebook pixel to track his or her presence on your site.
This of course should be respected.
Look for at Consent Solution which provides you and your user for an easy opt-out of cookies.
Upon clicking this feature, your consent pop-up should prompt the user on how to change or withdraw consent to cookies.
6. Log and store all your users' consents
Make sure you log and store each user’s consent and is ready to document each consent in case you are subjected to an inspection from the Data Protection Authorities.
As the data controller, you are responsible for collecting valid consent to cookies!
This regardless of the cookies collecting and processing personal data are owned by Google, Facebook, Amazon or any other third-party provider.
Your Consent Solution should by default collect and store all your users' consent. Even for those who decline cookies.
Consent must be stored for 5 years in case the Data Protection Authorities request them.
Recap of the checklist in short
That was a lot of learning. Here we boil it down to these 6 bullets.
CHECKLIST for collecting valid consent
- Block cookies before you get consent
- Offer an easy way for your user to decline cookies
- Inform your users of cookies
- Respect their privacy choices
- Provide an easy way for change or withdraw consent
- Store their consents for 5 years
Is your current consent solution meeting these requirements?
Although these are quite strict restrictions of what data you can and cannot collect, it is current law (GDPR).
However, it is quite easy to meet all requirements and still run a proper online business with data.
Want to know more?
You can check if your website's consent solution meets these basic requirements.
Just fill the form and will carry out a manual assessment of your consent pop-up.
Check your website's compliance [free]
Cookie Information offers a GDPR valid consent solution for websites who desire to acquire a high level of GDPR compliance.