Since the GDPR came into effect in May 2018, there has been uncertainty among website owners about how the requirements for GDPR consent should be interpreted.
In practice, this results in many websites trying hard to comply with the GDPR when using cookies, but they miss the goal by miles.
Why? Because a lot of them only have cookie pop-up banners that inform users of cookies with no possibility to decline cookies; with no collection of actual consents; and with no respect of prior consent (holding back cookies until consent is given).
This means that the vast majority of website owners must review how their site relates to GDPR and whether there is a need to upgrade their consent-gathering solution, the Norwegian DPA (Datatilsynet) announces.
For you as a website owner or data protection officer of a company website, your cookie consent solution must:
- Document which cookies your site is using before any data collection and processing takes place.
- Collect a freely given consent (with a clear option to “say no” to cookies).
- Hold back cookies until consent is given (prior consent).
- Provide your users with choices regarding the types of cookies the users consent to when using your site (e.g. functional, statistical, marketing).
- Store users’ consent to cookies for up to 5 years (also if they decline).
- Offer the possibility to change or withdraw consent (as easy as it was to give).
No consent to cookies through browser settings
In mid-March 2019, a statement was issued by the European Data Protection Board (EDPB) which states that consent for cookies must be a GDPR valid consent. That is, consent is no longer given through the browser settings.
The recent statement by the EDPB confirms that the GDPR has raised the standard in the EEA countries for consent from the ePrivacy Directive.
Although the requirement for consent using cookies is stated in the ePrivacy Directive, the requirements for collecting a valid consent is written in the GDPR. And it is fairly clear on the aspect of a freely given consent, i.e. the user must be given a choice to reject cookies on a website.
Choosing the right cookie consent solution
This is not valid in respect to the GDPR!
To secure your visitors’ personal data from being processed by third-party vendors (oftentimes large AdTech companies) for marketing purposes, choose a solution which is ePrivacy and GDPR valid.
At Cookie Information we take privacy seriously. We make sure your website is completely ePrivacy and GDPR compliant with tailored solutions that fit your company’s needs.