As the General Data Protection Regulation (GDPR) came into effect, organisations needed to take steps to ensure they are compliant with the new regulation. One area of compliance that is often overlooked is cookie consent management.
Companies that collect or process the personal data of EU citizens must get explicit consent from individuals before doing so. This includes cookies. Getting cookie consent right is vital for companies to avoid heavy fines, but it can be a challenge. In this article, we’ll share some tips on how to get cookie consent right.
What are cookies and what is a cookie consent?
Cookies are small text files that websites you visit place on your computer. They are used to store information about your behaviour on the site, such as your preferred language and other settings, which can make your next visit faster and more convenient. Cookies can also be used to track your movements across different websites, allowing advertisers to target you with relevant ads.
Website visitors must consent before a company may place a cookie in their browser to gather specific information about them. Most of the types of data collected via cookies may only be lawfully collected with that consent.
Cookie Laws, the GDPR and ePrivacy
The GDPR and data protection authorities regulate cookie consent because cookies can store a wealth of data. In particular, this data could be used to identify users.
Cookies are one of the most common identifiers that advertisers and businesses use to track user behaviour online. As a result, advertisers can target their ads very specifically at each user. Because of the amount of data cookies can contain, in many cases they can personally identify individuals. Therefore, they are covered by the GDPR and data privacy law.
Before going into the specifics of the data protection rules, we should first discuss the types of cookies that need consent.
- Third-party cookies: rather than the website itself placing cookies on the user’s device, a third party places them. This could be an advertiser or an analytics tool.
- First-party cookies: a first-party cookie is placed on a user’s device by the website the user visits.
The cookie’s purpose
- Marketing cookies: advertisers use these to deliver specific ads, or to limit how many times a user sees them, depending on the user’s online activity. These are usually third-party cookies; they collect data for marketing purposes and usually share it with advertisers.
- Statistics cookies: sometimes called performance cookies, they gather data on how the user navigates a website. They exist solely to make the website work better.
- Preference cookies: sometimes called functionality cookies, they allow a website to remember and store a user’s choices, such as a language preference or the username and password used for automatic log-in.
- Strictly necessary cookies: as the name implies, these are necessary for the website and its features to work properly, for example by remembering shopping cart contents. Users do not always need to give their consent for these, but they should be informed that they exist.
The lifespan of each cookie
- A persistent cookie remains on the user’s computer until the user deletes it or the browser does. This is determined by the expiration date coded into the cookie. According to the ePrivacy Directive, these cookies should not last longer than a year, but they can if no action is taken.
- Session cookies are temporary and automatically expire when the browser is closed and the session ends.
Since the accessibility of third-party cookies is complex and potentially open to abuse, the ePrivacy Directive works alongside the GDPR, and in some cases overrides it, in terms of the confidentiality rules surrounding electronic communications and tracking.
In addition, there are a number of risks of not complying with the cookie rules, such as fines, bad PR, damaged reputation, and loss of access to your data.
How to get cookie consent right
There are a few different ways to get cookie consent, but the most important thing is to make sure that you are obtaining explicit consent from individuals. One way is a pop-up on your website that explains what cookies are and why you are collecting them, with a button individuals can click to give their consent. Another is a link on your website to a page where individuals can learn more about cookies and how you use them; that page should likewise include a button individuals can click to give their consent.
Tips for getting cookie consent right
Cookie compliance has many requirements. You must:
- Know what cookies you’re using and why.
- Display a cookie banner on your website.
- Be aware of the difference between necessary and non-necessary cookies, and ensure consent is obtained before tracking for non-necessary cookies.
- Before setting non-necessary cookies, obtain consent from visitors to your website.
- Ensure your users’ cookie settings are easy to change and your information is comprehensible.
- Make your cookies policy easily accessible on your website.
- Make sure you maintain an audit trail to document the cookie consents you received from users. In addition, you should also document the language used to obtain this consent in the cookie banner.
- Don’t forget to log and store cookie consents for as long as required by law, e.g., up to five years in some countries.
- Think about the purpose of the cookies you have obtained consent for – do they fit that purpose?
What should you include in your cookie consent widget?
You should provide your users with the following information in your cookie widget or banner:
- Provide granular options to accept or reject non-necessary cookies.
- Give information about your cookie providers.
- Each cookie’s duration (also known as its expiration date).
- Inform users which third parties you plan to share the information with.
As per a court decision, your widget must not include pre-ticked buttons or fields. Users must decide for themselves whether or not they want to accept non-necessary cookies.
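The tips and widget requirements above (consent before any non-necessary cookie is set, granular per-category choices, no pre-ticked options, and an audit trail that records the banner wording) can be enforced in code. The following is an added illustration, not code from the original article; the cookie inventory and category names are constructed for the example.

```javascript
// Consent gate modelling the banner rules described in the article.
// Non-necessary cookies are blocked until the visitor makes an explicit,
// per-category choice; nothing is pre-ticked; every decision is logged
// together with the banner text version for the audit trail.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Constructed cookie inventory (name -> category). A real site fills this
// from its own cookie audit ("know what cookies you're using and why").
const COOKIE_REGISTRY = {
  session_id: "necessary",
  cart: "necessary",
  lang: "preferences",
  _ga: "statistics",
  ad_id: "marketing",
};

// Fresh visitor state: no choice recorded, so nothing non-necessary may be
// stored. "necessary" is true for information only; it is not a consent.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false,
           marketing: false, decided: false };
}

// Record an explicit choice. Every non-necessary category must be answered
// with a boolean, so an unticked or missing box can never count as "yes".
function recordConsent(choices, bannerVersion, log, now = Date.now()) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES.slice(1)) {
    if (typeof choices[cat] !== "boolean") {
      throw new Error(`no explicit choice for category "${cat}"`);
    }
    consent[cat] = choices[cat];
  }
  consent.decided = true;
  // Audit trail entry: when, which banner wording, and what was chosen.
  log.push({ ts: now, bannerVersion, ...consent });
  return consent;
}

// Check to run before any Set-Cookie header or document.cookie write.
function mayStore(cookieName, consent) {
  const cat = COOKIE_REGISTRY[cookieName];
  if (cat === undefined) return false;   // unknown cookie: fail closed
  if (cat === "necessary") return true;  // allowed without consent
  return consent.decided === true && consent[cat] === true;
}
```

Wiring `mayStore` in front of every cookie write is what turns the banner from a notice into an actual consent gate; the log array stands in for whatever durable store holds consent records for the legally required period.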
Overall, getting cookie consent right is vital for organisations to avoid heavy fines. While it can be a challenge, there are a few things you can do to ensure you get it right. First, make sure you are getting explicit consent from individuals. Second, use a pop-up or link to a page that explains what cookies are and why you are collecting them. Finally, include a button on the pop-up or page that individuals can click to give their consent. Following these tips will help you stay compliant with the GDPR and avoid any penalties.