How to Achieve GDPR Cookie Compliance in Minutes
It can be overwhelming for website owners and mobile application developers to stay up to date with constantly evolving privacy laws.
What was considered fair game a few years ago could land you in serious trouble these days, as privacy becomes increasingly important in the eyes of legislators and individuals the world over.
A piece of legislation that has certainly rocked the boat over the past few years is the GDPR. Companies worldwide were given an ultimatum to comply with the threat of serious repercussions should they not do so in time.
But what does achieving GDPR cookie compliance actually mean for website owners and mobile application developers?
What is the GDPR and Who Does it Apply to?
The General Data Protection Regulation (GDPR) came into force in 2018, with the objective of regulating the gathering, handling, and processing of personal data in the modern, online world.
It sets guidelines for companies as well as gives significantly more power to individuals when it comes to the control that they have over their data and personal information as well as the traces that they leave on the Internet. In short, it aims to make the whole process more transparent.
The GDPR has a broad scope of application. It is not limited to companies that are physically located in the European Union but rather applies to any website or application that offers goods or services to, and thus processes the data of people that are physically located in the European Union or monitors their behavior, regardless of where the data processing happens.
In other words, the GDPR applies to any business or website that has or could have European customers or users.
Cookies and the GDPR
The GDPR does not have a dedicated section for cookies nor does it go into detail in regards to regulating them. It does, however, address what can be considered personal data. Cookies fall under that definition as online identifiers, when the information that they collect could reasonably be used to identify individuals, either directly or when combined with other available data.
Article 4(1) of the GDPR defines “personal data” as such:
Here is Recital 30 of the GDPR, which specifically mentions cookies and assists in interpreting article 4(1) of the GDPR:
From that perspective, the GDPR specifies that in order to process personal data, one must either have a “legitimate interest” to do so or first obtain consent from the individual.
The ePrivacy Directive is actually more specific than the GDPR when it comes to cookies, as it explicitly states in article 5(3) and recital 25 of the Preamble that information should be given and consent from users is required (except in the case of strictly necessary cookies) before cookies are stored on their device.
How to Achieve GDPR Cookie Compliance?
As mentioned above, in order to be legally allowed to process user data under the GDPR, businesses must either receive valid consent or have a “legitimate interest” to do so.
Determining if a company has a legitimate interest under article 6(f) of the GDPR in processing personal data is not as easy as it seems. It is a balancing act that involves taking into account the fundamental rights and freedoms of your users and the purpose of data processing.
When it comes to cookies, some do not require express consent from users. These are called strictly necessary cookies: cookies that are essential for the website or application to provide the service requested by the user.
Consent Under the GDPR
For all other cookies, valid consent is required. Under article 4(11) of the GDPR consent means “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
In short, consent is considered valid under the GDPR when it is clear, specific, informed, and voluntary.
Moreover, to be considered freely given under article 7(4) of the GDPR, a user must be able to refuse or withdraw consent without being prejudiced - this means that users should still be able to use your service, website, or application even if they say no to non-necessary cookies.
You should be keeping a record of users’ preferences when it comes to cookies in the event that your website is subject to investigation under EU privacy laws and, of course, make sure that you respect those preferences.
Not everyone is familiar with cookies, so the goal is to avoid legalese and explain in plain language what can otherwise be a complicated concept. The information given to users should cover:
- Brief definition and explanation of cookies
- Stating what type of first-party and third-party cookies are used (as well as any other tracking technologies)
- Explaining what information is stored by these cookies, for how long, and where the data is stored
- The purpose of having those cookies active
- The option to opt-out of cookies, revoke consent or manage preferences when it comes to cookies
Cookie Notice for GDPR
It is becoming increasingly clear that requesting active, affirmative consent from users before using non-essential cookies to process their personal data rather than relying on implied or passive consent is the way to go.
But how do you require active consent?
It is common practice to use a cookie consent banner that pops up as soon as a user visits a new website.
To create a GDPR-compliant cookie notice, a website must have an unmissable cookie banner informing users that cookies are used as well as the option to accept or decline.
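The consent rules described in the two sections above (no non-essential cookies before an affirmative choice, a record of what the user chose, and the ability to refuse or withdraw without losing access to the site) can be enforced in front-end code with a small consent gate. The following is an added example written for this article, not code from the article's author or from any consent-management product; the category names, the `cookie_consent` record key, the version number and the cookie-jar interface are assumptions chosen for the example. An in-memory jar lets the logic run outside a browser, and a `document.cookie`-backed jar shows the same interface in a page.

```javascript
// Added example (not from the article): a consent gate for non-essential cookies.
// Assumed names: category "necessary", record cookie "cookie_consent", version 1.

const STRICTLY_NECESSARY = "necessary";      // exempt from consent (ePrivacy art. 5(3))
const CONSENT_RECORD_KEY = "cookie_consent"; // first-party cookie holding the consent record
const CONSENT_VERSION = 1;                   // bump when the policy changes to force fresh consent

// In-memory cookie jar so the example runs outside a browser (e.g. under Node).
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

// Browser jar with the same interface, backed by document.cookie.
function documentJar() {
  const parse = () => Object.fromEntries(
    document.cookie.split("; ").filter(Boolean).map((c) => {
      const i = c.indexOf("=");
      return [decodeURIComponent(c.slice(0, i)), decodeURIComponent(c.slice(i + 1))];
    }),
  );
  return {
    get: (name) => parse()[name] ?? null,
    set: (name, value) => {
      document.cookie = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
    },
    remove: (name) => { document.cookie = `${encodeURIComponent(name)}=; Path=/; Max-Age=0`; },
    names: () => Object.keys(parse()),
  };
}

function createConsentManager(jar, now = () => new Date().toISOString()) {
  const registry = new Map(); // cookie name -> category, so withdrawal can clean up

  function readRecord() {
    const raw = jar.get(CONSENT_RECORD_KEY);
    if (raw === null) return null; // no record means no consent, never implied consent
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === CONSENT_VERSION ? rec : null; // stale policy: ask again
    } catch {
      return null;
    }
  }

  function isAllowed(category) {
    if (category === STRICTLY_NECESSARY) return true;
    const rec = readRecord();
    return rec !== null && rec.choices[category] === true; // explicit opt-in only
  }

  // Drop every registered cookie whose category is no longer consented to.
  function purgeDisallowed() {
    for (const [name, category] of registry) {
      if (!isAllowed(category)) jar.remove(name);
    }
  }

  // Persist the user's explicit choices (e.g. the banner's Accept/Decline buttons).
  function recordChoices(choices) {
    const record = { version: CONSENT_VERSION, at: now(), choices: { ...choices } };
    jar.set(CONSENT_RECORD_KEY, JSON.stringify(record));
    purgeDisallowed();
    return record;
  }

  // Withdrawal refuses every non-essential category; the site keeps working.
  function withdrawAll() {
    const refused = {};
    for (const category of new Set(registry.values())) {
      if (category !== STRICTLY_NECESSARY) refused[category] = false;
    }
    return recordChoices(refused);
  }

  // The only path application code should use to set a cookie: gated by category.
  function setCookie(name, value, category) {
    registry.set(name, category);
    if (!isAllowed(category)) return false; // skipped until consent exists
    jar.set(name, value);
    return true;
  }

  const needsBanner = () => readRecord() === null; // show the banner until a valid record exists

  return { isAllowed, recordChoices, withdrawAll, setCookie, needsBanner, readRecord };
}

// Walk-through on the in-memory jar with constructed cookie names and values.
function demo() {
  const jar = memoryJar();
  const consent = createConsentManager(jar, () => "2021-02-12T00:00:00Z");
  const beforeBanner = consent.setCookie("_analytics_id", "abc123", "analytics"); // refused
  consent.setCookie("session", "s1", STRICTLY_NECESSARY);                          // always allowed
  consent.recordChoices({ analytics: true, advertising: false });
  const afterConsent = consent.setCookie("_analytics_id", "abc123", "analytics");  // now allowed
  consent.withdrawAll();                                                            // analytics cookie removed
  return { beforeBanner, afterConsent, remaining: jar.names() };
}
```

In a page, `createConsentManager(documentJar())` replaces the in-memory jar, and `needsBanner()` decides whether to render the banner; the `version` field in the record is what lets you request fresh consent when the cookie policy changes, since an old version is treated as no consent at all.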
For some examples of cookie notices as well as a free template that can be customized for any website click here.
Privacy Protection in Europe
The GDPR is no doubt the most advanced privacy regulation in the world and things are bound to evolve over the next few years, as people become increasingly concerned about online privacy, especially in regards to targeted advertising.
The ePrivacy Directive is actually set to evolve and become an updated, more detailed, and legally-binding ePrivacy Regulation any day now - which shall further standardize the application of cookie consent mechanisms across Europe.
This will ensure that you are on top of the latest developments in privacy law and make it easy for you to update your policies and request fresh consent from your users as needed.
- Updated on February 12, 2021