The General Data Protection Regulation (GDPR) changed the way businesses around the world handle personal data. As website owners and operators continue to navigate GDPR compliance, many are wondering what role cookies and cookie consent have to play.
Let’s dive into what the GDPR means for cookies, what GDPR cookie consent entails, and how you can make your cookies compliant with the GDPR.
1. GDPR and Cookies
Business owners and digital operators want to know how the GDPR and cookies intersect. While cookie compliance is often brought up in conversations about the GDPR, the official text of the law only mentions cookies once.
GDPR Recital 30 states:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers […] when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
In short, cookies that can be used (on their own or in combination with other data) to identify an individual are considered means of personal data collection under the GDPR.
Furthermore, the GDPR works alongside the ePrivacy Directive (Directive 2002/58/EC, also known as the Cookie Law), which specifically governs storing information on, or reading information from, a user's device. To comply with GDPR cookie requirements, you also need to bear the Cookie Law's requirements in mind.
GDPR: Cookies & Personal Data
To understand the relationship between the GDPR and cookies, we need to understand the GDPR’s rules on collecting and processing personal data.
The GDPR's core rules for personal data (a lawful basis for processing, purpose limitation, data minimization, and appropriate security) will largely be met when you implement broad GDPR compliance measures, such as data mapping or bolstered security systems.
GDPR Cookie Requirements
- Know what cookies your site uses and which cookie category they fall under.
- Make users aware of your privacy and cookie policies.
- Allow users to give clear and explicit consent to your cookie use.
- Only deploy non-essential cookies after each user has consented to those cookies.
- Give users a means of changing their cookie preferences at any time, or withdrawing their cookie consent entirely.
- Honor users’ preferences and consents.
- Keep recoverable logs of the consent preferences of your users.
2. GDPR-Compliant Cookie Consent
Cookie consent is a key part of your GDPR compliance plan, but what exactly is it? GDPR cookie consent is a freely given, specific, informed, and unambiguous indication of the user's wishes (an affirmative action, not a pre-ticked box or continued browsing) to accept all cookies, or specific categories of cookies.
This consent relies on two fundamental components:
- Users' awareness of your cookie use (including cookie categories and purposes)
- A means for users to set their consent preferences, which requires a cookie banner (or a comparable method of displaying cookie options, such as a popup)
Let’s dive into how you can create and maintain each of these elements for GDPR compliance.
Use of First- and Third-Party Cookies Under the GDPR
Cookies created by your own domain are called first-party cookies. These are commonly used to store information like website settings and user-input data (e.g., items in a shopping cart).
Third-party cookies are cookies set by a domain other than your own through resources your website loads (analytics scripts, embedded players, ad pixels). They are typically used to monitor the user across sites, not just their interactions on your site.
When it comes to GDPR cookie compliance, it’s important to know which of your cookies are third-party and which are first-party. You’re responsible for understanding how your third-party cookie vendors treat data collected from your users — and ensuring that that treatment is GDPR compliant.
3. GDPR Cookie Categories
Because GDPR cookie consent must be specific and granular, users need to know what purposes different cookies serve, and have the ability to consent to or deny those cookies accordingly.
For example, if a user consents to the use of functionality cookies that allow video playback, that doesn’t mean they consent to social networking cookies that collect data on behalf of, say, Facebook.
4. GDPR Cookie Banner
Your cookie banner should include the following elements:
- An opt-in mechanism (like a button) that allows users to consent to cookies
- A method of letting users set specific cookie preferences (i.e., a way for users to toggle which cookie categories they consent to)
Here’s an example of a GDPR cookie banner:
By presenting users with a button they need to click to provide consent to all cookies, this banner satisfies the GDPR requirement that consent must be actively and freely given. Supervisory authorities increasingly expect a reject option that is as easy to use as the accept option, so do not hide it behind extra clicks.
If a user does not wish to consent to all cookies, they can click the “Cookie Preferences” button, which will lead them to the following screen:
You'll notice that the categories of cookies are listed and unchecked (save for essential cookies, which cannot be opted out of). Allowing users to actively select the cookie categories to which they consent satisfies GDPR rules regarding personal data; pre-ticked boxes do not count as valid consent.
5. Managing GDPR Cookie Compliance
Understanding GDPR cookie consent rules isn’t enough — you need to put them into practice to make your cookie use GDPR-compliant.
Follow these steps to optimize your GDPR cookie compliance.
Step 1: Understand What Cookies You Use
The easiest way to discover your cookies is by using a dedicated cookie scanner. Take Termly’s Cookie Consent Manager as an example:
We first scan your domain for cookies in order to locate and categorize the first- and third-party cookies you use.
Bear in mind that if you aren’t using cookie-finding software with built-in categorization like the example above, you need to sort every cookie into a category based on the purpose it fulfills, so you can obtain granular cookie consent.
Furthermore, you need to assess your cookie use and determine whether every cookie you currently deploy is necessary. Recall the GDPR rules for personal data processing mentioned above: data minimization (only collecting what you need for designated purposes) is an important component of GDPR compliance. So, evaluate your cookie use and stop setting cookies that no longer serve your site.
Notice in the example above how the cookie category is listed, followed by the cookies that are classified under that category. Furthermore, each cookie description links out to any corresponding policies to which users should be given access.
Step 3: Configure and Activate Your Cookie Consent Banner
Banners come in different forms, depending on your own business needs and preferences. For example, banners created through Termly’s Cookie Consent Manager can come in three distinct forms:
Once you’ve finalized your banner’s design and features, it’s time to implement the banner on your site. Your consent mechanism (whether it’s a cookie banner, pop-up modal, or tool-tip) should be set to appear when users first access your site.
To comply with the GDPR, you also need to block non-essential cookies, and the scripts that set them, from running until users have consented to their deployment or set their cookie preferences through your banner. A tracking cookie that is already set when the banner first appears is a compliance failure, no matter how well the banner is designed.
Step 4: Track and Record Cookie Consents
With your cookie consent banner and cookie notice in place, you need to begin collecting and recording consents.
Keep your consent logs and user preferences in an accessible location, so you can retrieve proof of GDPR compliance in the event of a complaint or a regulatory inquiry. Record at least who consented, when, to which categories, and under which version of your cookie policy, so that a policy change can trigger a fresh consent request.
Don’t forget to honor user preferences and consents (or lack thereof) as you receive them.
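The requirement list in section 1 and Steps 1 through 4 above describe one mechanism: an inventory of cookies with categories, a deny-by-default consent state, gating of non-essential scripts on that state, a versioned consent log, and enforcement when consent is withdrawn. The following JavaScript is an added example of that mechanism written for this page; it is not Termly's code, and the cookie names, categories, policy version strings and the `jar` object standing in for `document.cookie` are constructed for illustration.

```javascript
// Added example: a minimal consent-gating model. Cookie names and categories
// below are assumptions for illustration, not a published specification.

// Step 1: the cookie inventory, each entry classified by purpose (constructed data).
const COOKIE_INVENTORY = {
  session_id: { category: "essential",   firstParty: true,  purpose: "Keeps the user logged in" },
  cart:       { category: "essential",   firstParty: true,  purpose: "Shopping cart contents" },
  yt_player:  { category: "functional",  firstParty: false, purpose: "Embedded video playback settings" },
  _ga:        { category: "analytics",   firstParty: false, purpose: "Usage statistics" },
  fbp:        { category: "advertising", firstParty: false, purpose: "Ad attribution" },
};

// Deny by default: before the banner is answered, only essential cookies run.
function defaultConsent() {
  return { essential: true, functional: false, analytics: false, advertising: false };
}

// Step 4: append a consent record to the log. Essential cannot be refused, and the
// policy version is stored so a later policy change invalidates old consents.
function recordConsent(log, choices, { policyVersion, userId = "anon", now = Date.now() } = {}) {
  const entry = {
    userId,
    timestamp: new Date(now).toISOString(),
    policyVersion,
    choices: { ...defaultConsent(), ...choices, essential: true },
  };
  log.push(entry);
  return entry;
}

// The effective consent is the user's latest record for the current policy
// version; a record for an older version counts as "not asked yet" (deny).
function effectiveConsent(log, policyVersion, userId = "anon") {
  for (let i = log.length - 1; i >= 0; i--) {
    const e = log[i];
    if (e.userId === userId) {
      return e.policyVersion === policyVersion ? e.choices : defaultConsent();
    }
  }
  return defaultConsent();
}

// Gate: may this cookie be set under the given consent? A cookie that is not in
// the inventory is refused outright (data minimization: unknown means unneeded).
function mayDeploy(cookieName, consent) {
  const meta = COOKIE_INVENTORY[cookieName];
  if (!meta) return false;
  return consent[meta.category] === true;
}

// Step 3: third-party scripts are registered with the category they need and are
// only handed to the loader once that category is consented to.
// `scripts` is [{ name, category }], `load` is the callback that injects the tag.
function loadPermitted(scripts, consent, load) {
  const loaded = [];
  for (const s of scripts) {
    if (consent[s.category] === true) {
      load(s);
      loaded.push(s.name);
    }
  }
  return loaded;
}

// Withdrawal (Step 4, "honor preferences"): remove every cookie the current
// consent no longer permits. `jar` is a plain object standing in for the
// browser cookie jar so the logic can run outside a browser.
function enforce(jar, consent) {
  const removed = [];
  for (const name of Object.keys(jar)) {
    if (!mayDeploy(name, consent)) {
      delete jar[name];
      removed.push(name);
    }
  }
  return removed;
}

// Step 1 check: cookies observed in the jar that the inventory does not know
// about must be classified (or removed) before granular consent is possible.
function uninventoried(jar) {
  return Object.keys(jar).filter((name) => !(name in COOKIE_INVENTORY));
}
```

In a real deployment `enforce` would delete cookies by writing an expired `Set-Cookie`/`document.cookie` for each name (and, for third-party cookies you cannot delete directly, by not loading the script that refreshes them), and `recordConsent` would also write the record server-side; the point of the model is that every script and cookie decision goes through `effectiveConsent`, which denies by default and resets when the policy version changes.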
6. Implement GDPR Cookie Consent Today
Luckily, there are tools online that can help you tackle and maintain cookie compliance. Start today with Termly’s Cookie Consent Manager.