Cookie consent must be GDPR valid

The Norwegian DPA announces: the majority of website owners must review their consent gathering solution. We’ve compiled a list of what your cookie consent solution must include.

Since the GDPR came into effect in May 2018, there has been uncertainty among website owners about how the requirements for GDPR consent should be interpreted.

In practice, this results in many websites trying hard to comply with the GDPR when using cookies, but they miss the goal by miles.

Why? Because many of them only have cookie pop-up banners that inform users about cookies, with no possibility to decline cookies, no collection of actual consent, and no respect for prior consent (holding back cookies until consent is given).

This means that the vast majority of website owners must review how their site relates to GDPR and whether there is a need to upgrade their consent-gathering solution, the Norwegian DPA (Datatilsynet) announces.

Link: Is my website GDPR compliant? Get a professional assessment [free]

For you as a website owner or data protection officer of a company website, your cookie consent solution must:

  • Document which cookies your site is using before any data collection and processing takes place.
  • Collect a freely given consent (with a clear option to “say no” to cookies).
  • Hold back cookies until consent is given (prior consent).
  • Provide your users with choices regarding the types of cookies the users consent to when using your site (e.g. functional, statistical, marketing).
  • Store users’ consent to cookies for up to 5 years (also if they decline).
  • Offer the possibility to change or withdraw consent (as easy as it was to give).
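
The requirements above can be read as a deny-by-default gate in front of every cookie write. The sketch below is an added example, not code from Cookie Information or any consent product; `ConsentGate`, `SAMPLE_INVENTORY`, the cookie names and the in-memory `jar` (standing in for `document.cookie`) are hypothetical, and treating a stored decision as valid for five years before re-prompting is an assumption.

```javascript
// Categories named on this page; every cookie must be documented under one.
const CATEGORIES = ["functional", "statistical", "marketing"];
const FIVE_YEARS_MS = 5 * 365 * 24 * 60 * 60 * 1000;

// Constructed sample inventory: cookie name -> category.
const SAMPLE_INVENTORY = {
  ui_prefs: "functional",
  stats_id: "statistical",
  ad_track: "marketing",
};

class ConsentGate {
  constructor(inventory, now = () => Date.now()) {
    this.inventory = inventory;
    this.now = now;
    this.record = null;   // no decision yet is treated as "no"
    this.jar = new Map(); // stands in for document.cookie
  }
  // Store the decision with a timestamp, including a full decline.
  decide(choices) {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = choices[c] === true; // opt-in only
    this.record = { granted, givenAt: this.now() };
    // Withdrawal takes effect at once: drop cookies no longer covered.
    for (const name of [...this.jar.keys()]) {
      if (!this.allowed(name)) this.jar.delete(name);
    }
    return this.record;
  }
  // Ask again when there is no stored decision or it has aged out.
  needsPrompt() {
    return !this.record || this.now() - this.record.givenAt > FIVE_YEARS_MS;
  }
  allowed(name) {
    const category = this.inventory[name];
    if (!category) return false;          // undocumented cookie: never set
    if (this.needsPrompt()) return false; // prior consent: hold back
    return this.record.granted[category] === true;
  }
  // Every cookie write goes through the gate; returns whether it was set.
  setCookie(name, value) {
    if (!this.allowed(name)) return false;
    this.jar.set(name, value);
    return true;
  }
}
```

Third-party tags need the same treatment: a script that sets its own cookies has to be held back by the gate as well, since it never calls `setCookie`.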

No consent to cookies through browser settings

In mid-March 2019, a statement was issued by the European Data Protection Board (EDPB) which states that consent for cookies must be a GDPR valid consent. That is, consent is no longer given through the browser settings.

Link: Opinion – interplay between ePrivacy Directive and GDPR

The recent statement by the EDPB confirms that the GDPR has raised the standard in the EEA countries for the consent required by the ePrivacy Directive.

Although the requirement for consent when using cookies is stated in the ePrivacy Directive, the requirements for collecting a valid consent are written in the GDPR. And it is fairly clear on the aspect of a freely given consent, i.e. the user must be given a choice to reject cookies on a website.

Link: What is the GDPR – and how does it affect your website’s cookies?

Choosing the right cookie consent solution

There are many free cookie consent solutions on the market, many of which do nothing more than provide your website with a pop-up declaring that the website uses cookies.

Link: Most EU cookie ‘consent’ notices are meaningless or manipulative, study finds

This is not valid with respect to the GDPR!

To secure your visitors’ personal data from being processed by third-party vendors (oftentimes large AdTech companies) for marketing purposes, choose a solution which is ePrivacy and GDPR valid.

At Cookie Information we take privacy seriously. We make sure your website is completely ePrivacy and GDPR compliant with tailored solutions that fit your company’s needs.

