
How to Achieve GDPR Cookie Compliance in Minutes

It can be overwhelming for website owners and mobile application developers to stay up to date with constantly evolving privacy laws.

What was considered fair game a few years ago can land you in serious trouble today, as privacy becomes increasingly important in the eyes of legislators and individuals the world over.

A piece of legislation that has certainly rocked the boat over the past few years is the GDPR. Companies worldwide were given a deadline to comply, with the threat of serious penalties should they fail to do so in time.

But what does achieving GDPR cookie compliance actually mean for website owners and mobile application developers?

What is the GDPR and Who Does it Apply to?

The General Data Protection Regulation (GDPR) has applied since 25 May 2018, with the objective of regulating the collection, handling, and processing of personal data in the modern, online world.

It sets binding obligations for organisations that handle personal data and gives individuals significantly more control over their data, their personal information, and the traces they leave on the Internet. In short, it aims to make the whole process more transparent.

The GDPR has a broad scope of application. It is not limited to companies physically located in the European Union. Under Article 3(2), it also applies to any website or application that offers goods or services to people located in the European Union, or that monitors their behaviour, regardless of where the data processing itself takes place.

In other words, the GDPR applies to any business, website, or app that serves or tracks users in the EU, whether or not it has any presence there.

Cookies and the GDPR

The GDPR does not have a dedicated section for cookies nor does it go into detail in regards to regulating them. It does, however, address what can be considered personal data. Cookies fall under that definition as online identifiers, when the information that they collect could reasonably be used to identify individuals, either directly or when combined with other available data.

Article 4(1) of the GDPR defines "personal data" as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

Recital 30 of the GDPR specifically mentions cookies and assists in interpreting Article 4(1): "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

Article 6 of the GDPR lists several lawful bases for processing personal data. For cookies, the two that matter in practice are the "legitimate interest" of the controller and the prior consent of the individual.

Note that the use of cookies in the European Union is not only governed by the GDPR but also complemented by the Privacy and Electronic Communications Directive or ePrivacy Directive, best known as the EU Cookie Law.

The ePrivacy Directive is actually more specific than the GDPR when it comes to cookies: Article 5(3) and Recital 25 state that users must be given clear information and must give their consent before cookies (or any other data) are stored on or read from their device, except where a cookie is strictly necessary to provide a service the user has explicitly requested.

As mentioned above, in order to be legally allowed to process user data under the GDPR, a business must either obtain valid consent or be able to rely on a "legitimate interest". Because the ePrivacy Directive requires consent for non-essential cookies regardless, legitimate interest cannot be used to avoid asking for it.

Determining whether a company has a legitimate interest under Article 6(1)(f) of the GDPR is not as easy as it seems. It is a balancing test that weighs the purpose of the processing against the fundamental rights and freedoms of your users, and it should be documented.

When it comes to cookies, some do not require express consent from users. These are called strictly necessary cookies - those cookies are essential in order for the website or the application to be able to provide the service requested by a user.

Users however still need to be aware that those cookies are used, which further confirms the need for an easily-accessible cookie policy.

For all other cookies, valid consent is required. Under article 4(11) of the GDPR consent means “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

In short, consent is considered valid under the GDPR when it is clear, specific, informed, and voluntary.

Moreover, Recital 42 of the GDPR states that consent is not freely given if the user cannot refuse or withdraw it without detriment, and Article 7(3) gives users the right to withdraw consent at any time, as easily as they gave it. This means that users must still be able to use your service, website, or application even if they say no to non-necessary cookies, and must be able to change their mind later.

Under Article 7(1), the controller must be able to demonstrate that consent was given. You should therefore keep a record of each user's cookie preferences (what was chosen, when, and which version of your cookie policy was shown) in the event that your website is subject to investigation under EU privacy laws, and, of course, make sure that you actually respect those preferences.

Any website or application that uses cookies must have an easy-to-read and accessible cookie policy, which serves to warn and inform users that data is collected through the use of cookies.

Not everyone is familiar with cookies, so the goal is to avoid legalese and explain in plain language what can otherwise be a complicated concept.

At a minimum, a cookie policy should include:

  • A brief definition and explanation of cookies
  • The types of first-party and third-party cookies used (as well as any other tracking technologies, such as local storage or pixels)
  • What information these cookies store, for how long, and where the data is stored
  • The purpose of each category of cookie
  • How users can opt out of cookies, revoke consent, or manage their preferences

There should be a clear reference to cookies in your website’s privacy policy, as well as a link to the page where your cookie policy is hosted should your users want to read it in detail.

Read Cookie Policy: The Ultimate Guide to learn more about what a cookie policy should include as well as best practices, such as how and where to display your policy.

It is becoming increasingly clear that requesting active, affirmative consent from users before using non-essential cookies to process their personal data rather than relying on implied or passive consent is the way to go.

But how do you require active consent?

It is common practice to use a cookie consent banner that pops up as soon as a user first visits a website.

However, a pre-ticked consent box, or a banner that merely announces that the website uses cookies, is not enough. Users must take a clear, affirmative action, and they must be able to decline some or all non-essential cookies while still being able to use the website. Non-essential cookies must not be set until that action has been taken.

To create a GDPR-compliant cookie notice, a website must have a clearly visible cookie banner that informs users that cookies are used and offers an equally prominent option to accept or decline.

It should also link to the detailed cookie policy so that users can learn which information is tracked, how long the cookie will be active, who the data will be shared with, and where it will be stored.
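The consent-gating logic behind such a banner, and the record-keeping mentioned earlier, can be implemented in a few dozen lines. The following is an added example written for this article, not code from the original post or from any consent-management product. It assumes a three-category cookie taxonomy (necessary, analytics, marketing) and takes its storage and cookie writer as parameters, so it can be wired to localStorage and document.cookie in a browser or exercised headless with the in-memory stubs included here. The rules it enforces are the ones described above: nothing is pre-ticked, a non-necessary cookie is only written after an explicit opt-in for its category, a refused or omitted category stays blocked, consent can be withdrawn, and every decision is stored with a timestamp and the policy version it was given against.

```javascript
// Added example: minimal consent gating for non-essential cookies.
// Storage and cookie writer are injected; in a browser pass localStorage-like
// and document.cookie-backed objects, here we use in-memory stubs.

const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed taxonomy

function createConsentManager({ storage, cookieJar, now = () => Date.now(), policyVersion }) {
  const KEY = "cookie_consent_record";
  const pending = { analytics: [], marketing: [] }; // loaders waiting for consent

  function load() {
    const raw = storage.get(KEY);
    return raw ? JSON.parse(raw) : null;
  }

  function save(record) {
    storage.set(KEY, JSON.stringify(record));
    return record;
  }

  // Persist an explicit decision. A category that is missing from `choices`
  // is treated as refused, never as accepted, so dismissing the banner
  // without clicking grants nothing.
  function recordConsent(choices) {
    if (!choices || typeof choices !== "object") throw new TypeError("explicit choices required");
    const granted = { necessary: true };
    for (const c of CATEGORIES) {
      if (c !== "necessary") granted[c] = choices[c] === true;
    }
    const record = save({ granted, policyVersion, decidedAt: now(), withdrawn: false });
    // Run third-party loaders that were waiting on a now-allowed category.
    for (const c of Object.keys(pending)) {
      if (granted[c]) pending[c].splice(0).forEach(fn => fn());
    }
    return record;
  }

  // Withdrawal must be as easy as giving consent: one call resets every
  // non-necessary category and keeps the previous record for the audit trail.
  function withdrawConsent() {
    const previous = load();
    const granted = { necessary: true };
    for (const c of CATEGORIES) if (c !== "necessary") granted[c] = false;
    return save({ granted, policyVersion, decidedAt: now(), withdrawn: true, previous });
  }

  // Strictly necessary cookies need no consent; everything else needs an
  // affirmative decision given against the current policy version.
  function isAllowed(category) {
    if (category === "necessary") return true;
    const record = load();
    return !!(record && record.policyVersion === policyVersion && record.granted[category] === true);
  }

  // Cookie setter that refuses to write a cookie whose category is not
  // consented to, instead of silently setting it.
  function setCookie(name, value, category) {
    if (!isAllowed(category)) return false;
    cookieJar.set(name, value);
    return true;
  }

  // Defer a tag-manager or ad-pixel loader until its category is allowed.
  function whenAllowed(category, loader) {
    if (isAllowed(category)) loader(); else pending[category].push(loader);
  }

  return { recordConsent, withdrawConsent, isAllowed, setCookie, whenAllowed, load };
}

// Constructed in-memory stand-ins for localStorage and document.cookie.
function makeMemoryStores() {
  const store = new Map();
  const jar = new Map();
  return {
    storage: { get: k => (store.has(k) ? store.get(k) : null), set: (k, v) => store.set(k, v) },
    cookieJar: jar,
  };
}

// A constructed visitor session: before any click only the session cookie is
// written; opting in to analytics alone leaves marketing blocked; withdrawal
// blocks analytics again.
function demoSession() {
  const stores = makeMemoryStores();
  let clock = 1700000000000;
  const cm = createConsentManager({ ...stores, now: () => clock, policyVersion: "2024-01" });
  const log = [];
  cm.whenAllowed("analytics", () => log.push("analytics loaded"));
  log.push(cm.setCookie("session_id", "abc", "necessary"));
  log.push(cm.setCookie("_ga", "GA1.2", "analytics"));
  cm.recordConsent({ analytics: true }); // marketing omitted, therefore refused
  log.push(cm.setCookie("_ga", "GA1.2", "analytics"));
  log.push(cm.setCookie("_fbp", "fb.1", "marketing"));
  clock += 60000;
  cm.withdrawConsent();
  log.push(cm.setCookie("_ga", "GA1.2", "analytics"));
  return { log, cookies: [...stores.cookieJar.keys()], record: cm.load() };
}
```

Two design choices are worth noting. First, the policy version is part of the stored record and is checked on every read, so publishing a new cookie policy automatically invalidates old consent and triggers the banner again, which is the "request fresh consent as needed" step described later in this article. Second, the gate sits in front of the cookie writer and the script loaders rather than in the banner UI, so a mis-rendered or bypassed banner cannot cause a tracking cookie to be set.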

For some examples of cookie notices as well as a free template that can be customized for any website click here.

Privacy Protection in Europe

The GDPR is one of the most comprehensive privacy regulations in the world, and things are bound to evolve over the next few years as people become increasingly concerned about online privacy, especially in regards to targeted advertising.

A proposed ePrivacy Regulation, intended to replace the ePrivacy Directive with more detailed rules that apply directly in every member state, has been under negotiation for years. If adopted, it would further standardise how cookie consent mechanisms work across Europe.

It would therefore be wise for online players to ensure that they at least have a valid and detailed cookie policy in place, as well as a cookie notice that meets the current requirements under both the GDPR and the EU Cookie Law, while the rules continue to develop.

Drafting a GDPR-compliant cookie policy or creating a cookie notice doesn’t have to be complicated.

Our cookie consent banner generator takes into account the latest GDPR and EU cookie legislation, integrates seamlessly into your website, and links to your cookie policy, which you can create using our attorney-drafted cookie policy generator.

This will ensure that you are on top of the latest developments in privacy law and make it easy for you to update your policies and request fresh consent from your users as needed.