Cookie consent must be GPDR valid

The Norwegian DPA announces: the majority of website owners must review their consent gathering solution. We’ve compiled a list of what your cookie consent solution must include.
Table of Contents
Since the GDPR came into effect in May 2018, there has been uncertainty among website owners about how the requirements for GDPR consent should be interpreted.
In practice, this results in many websites trying hard to comply with the GDPR when using cookies, but they miss the goal by miles.

Why? Because a lot of them only have cookie pop-up banners that inform users of cookies with no possibility to decline cookies with no collection of actual consents, and with no respect for prior consent (holding back cookies until consent is given).

This means that the vast majority of website owners must review how their site relates to GDPR and whether there is a need to upgrade their consent-gathering solution, the Norwegian DPA (Datatilsynet) announces.

For you, as a website owner or data protection officer of a company website, your cookie consent solution must:

  • The document which cookies your site is using before any data collection and processing takes place.
  • Collect a freely given consent (with a clear option to “say no” to cookies).
  • Hold back cookies until consent is given (prior consent).
  • Provide your users with choices regarding the types of cookies the users consent to when using your site (e.g., functional, statistical, marketing).
  • Store users’ consent to cookies for up to 5 years (also if they decline).
  • Offer the possibility to change or withdraw consent (as easy as it was to give).

No consent to cookies through browser settings

In mid-March 2019, a statement was issued by the European Data Protection Board (EDPB), which states that consent for cookies must be a GDPR valid consent. That is, consent is no longer given through the browser settings.
The recent statement by the EDPB confirms that the GDPR has raised the standard in the EEA countries for consent from the ePrivacy Directive.
Although the requirement for consent using cookies is stated in the ePrivacy Directive, the requirements for collecting valid consent are written in the GDPR. And it is fairly clear on the aspect of freely given consent, i.e., the user must be given a choice to reject cookies on a website.

Choosing the right cookie consent solution

There are many free cookie consent solutions on the market, many of which do nothing more than providing your website with a pop-up declaring that the website uses cookies.
This is not valid in respect to the GDPR!
To secure your visitors’ data from being processed by third-party vendors (often large AdTech companies) for marketing purposes, choose an ePrivacy and GDPR valid solution.
At Cookie Information, we take privacy seriously. We make sure your website is completely ePrivacy and GDPR compliant with tailored solutions that fit your company’s needs.