The General Data Protection Regulation (GDPR) changed the way businesses around the world handle personal data. As website owners and operators continue to navigate GDPR compliance, many are wondering what role cookies and cookie consent have to play.
Let’s dive into what the GDPR means for cookies, what GDPR cookie consent entails, and how you can make your cookies compliant with the GDPR.
1. GDPR and Cookies
Business owners and digital operators want to know how the GDPR and cookies intersect. While cookie compliance is often brought up in conversations about the GDPR, the official text of the law only mentions cookies once.
GDPR Recital 30 states:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers […] when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
In short, cookies that can be used (on their own or in combination with other data) to identify an individual are considered means of personal data collection under the GDPR.
Furthermore, the GDPR serves as a complement to the ePrivacy Directive (also known as the Cookie Law). To comply with GDPR cookie requirements, you need to also bear Cookie Law requirements in mind.
GDPR: Cookies & Personal Data
To understand the relationship between the GDPR and cookies, we need to understand the GDPR’s rules on collecting and processing personal data.
- Personal data must be processed lawfully, fairly, and transparently.
- Personal data must be collected and processed only for specific and legitimate purposes.
- Data collection should be minimized (only collect what is necessary for your stated purposes).
- Accuracy of personal data should be ensured, and timely efforts should be made to rectify incorrect data (or to comply with other data management requests).
- Data should only be stored as long as necessary to fulfill its designated purpose.
- Appropriate security measures need to be in place when processing data.
Most of these guidelines will be met when you implement broad GDPR compliance measures, such as data mapping or bolstered security systems.
GDPR Cookie Requirements
- Know what cookies your site uses and which cookie category they fall under.
- Make users aware of your privacy and cookie policies.
- Allow users to give clear and explicit consent to your cookie use.
- Only deploy non-essential cookies after each user has consented to those cookies.
- Give users a means of changing their cookie preferences at any time, or withdrawing their cookie consent entirely.
- Honor users’ preferences and consents.
- Keep recoverable logs of the consent preferences of your users.
2. GDPR-Compliant Cookie Consent
Cookie consent is a key part of your GDPR compliance plan, but what exactly is it? GDPR cookie consent is clear, specific, and freely given consent to all cookies, or to specific categories of cookies.
This consent relies on two fundamental components:
- Users’ awareness of your cookie use (including cookie categories and purposes)
- Users’ ability to set their own consent preferences
To allow users to set their consent preferences, you need a cookie banner (or a comparable method of displaying cookie options, such as a popup).
Let’s dive into how you can create and maintain each of these elements for GDPR compliance.
- What cookies your site uses
- Which category each cookie falls under
- Why you use those cookies
- What other tracking technologies you use (such as web beacons or pixel tags)
- How users can control their cookie preferences
Use of First- and Third-Party Cookies Under the GDPR
Cookies created by your own domain are called first-party cookies. These are commonly used to store information like website settings and user-input data (e.g., items in a shopping cart).
Third-party cookies are any cookies created by a domain other than your own that are deployed by your website and used to monitor the user themselves — not just their interactions on your site.
When it comes to GDPR cookie compliance, it’s important to know which of your cookies are third-party and which are first-party. You’re responsible for understanding how your third-party cookie vendors treat data collected from your users — and ensuring that that treatment is GDPR compliant.
GDPR Cookie Categories
Because GDPR cookie consent must be specific and granular, users need to know what purposes different cookies serve, and have the ability to consent to or deny those cookies accordingly.
For example, if a user consents to the use of functionality cookies that allow video playback, that doesn’t mean they consent to social networking cookies that collect data on behalf of, say, Facebook.
- Essential — Essential cookies are those necessary for the basic functionality of your website. An essential cookie remembers a given user as they browse your site. For example, essential cookies keep track of what page a user is on, or from what account a user is accessing your site. Under the Cookie Law and the GDPR, essential cookies and strictly necessary cookies are the same, and these necessary trackers don’t require user consent.
- Performance and functionality — Unlike essential cookies, these cookies are used to supplement your site’s functionality, but aren’t necessary. For example, performance and functionality cookies can help play videos on your site.
- Analytics and customization — When it comes to the GDPR and tracking cookies, analytics cookies are often at the forefront of the conversation. As the majority of online businesses use analytics cookies in some capacity to track and analyze user behavior, site owners and operators are understandably concerned about disabling these cookies in the absence of lawful GDPR cookie consent.
- Advertising — Advertising cookies are a common form of third-party cookie. If you display ads on your site, those third-party ad owners are tracking your users through cookies attached to their advertisements. Like any third-party cookies, exercise caution when using advertising cookies, as GDPR compliance lapses on your ad vendor’s end could become your own GDPR liability.
- Social networking — If you have any like, share, or subscribe functions on your site that connect with a social media platform, you use social networking cookies. By nature, these cookies are third-party for most sites.
4. GDPR Cookie Banner
Your cookie banner should include the following elements:
- An opt-in mechanism (like a button) that allows users to consent to cookies
- A method of letting users set specific cookie preferences (i.e., a way for users to toggle which cookie categories they consent to)
Here’s a GDPR cookie consent example:
By presenting users with a button they need to click to provide consent to all cookies, this banner satisfies the GDPR requirement that consent must be actively and freely given.
If a user does not wish to consent to all cookies, they can click the “Cookie Preferences” button, which will lead them to the following screen:
You’ll notice that the categories of cookies are listed and unchecked (save for essential cookies, which cannot be opted out of). Once again, allowing users to actively select the cookie categories to which they consent satisfies GDPR rules regarding personal data.
5. Managing GDPR Cookie Compliance
Understanding GDPR cookie consent rules isn’t enough — you need to put them into practice to make your cookie use GDPR-compliant.
Follow these steps to optimize your GDPR cookie compliance.
Step 1: Understand What Cookies You Use
The easiest way to discover your cookies is by using a dedicated cookie scanner. Take Termly’s Cookie Consent Manager as an example:
We first scan your domain for cookies in order to locate and categorize the first- and third-party cookies you use.
Bear in mind that if you aren’t using cookie-finding software with built-in categorization like the example above, you need to sort every cookie into a category based on the purpose it fulfills, so you can obtain granular cookie consent.
Furthermore, you need to assess your cookie use and determine if every cookie you currently deploy is necessary. Recall the GDPR guidelines for personal data processing mentioned above — data minimization (only collecting what you need for designated purposes) is an important component of GDPR compliance. So, you need to evaluate your cookie use and stop using cookies that no longer serve your site.
Notice in the example above how the cookie category is listed, followed by the cookies that are classified under that category. Furthermore, each cookie description links out to any corresponding policies to which users should be given access.
Step 3: Configure and Activate Your Cookie Consent Banner
Banners come in different forms, depending on your own business needs and preferences. For example, banners created through Termly’s Cookie Consent Manager can come in three distinct forms:
Once you’ve finalized your banner’s design and features, it’s time to implement the banner on your site. Your consent mechanism (whether it’s a cookie banner, pop-up modal, or tool-tip) should be set to appear when users first access your site.
To comply with the GDPR, you also need to block non-essential cookies from running before users have consented to their deployment, or set their cookie preferences, through your banner.
Step 4: Track and Record Cookie Consents
With your cookie consent banner and cookie notice in place, you need to begin collecting and recording consents.
Keep your consent logs and user preferences in an accessible location, so you can retrieve proof of GDPR compliance in the event of a claim.
Don’t forget to honor user preferences and consents (or lack thereof) as you receive them.
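Steps 3 and 4 above describe two mechanical requirements: non-essential scripts must not run until their category has been consented to, and every consent decision must be logged in a retrievable form. The following is an added example (not Termly’s code and not part of the original article) of a minimal consent gate that does both. It assumes an in-memory `store` object standing in for whatever persistent storage (localStorage, a server-side database) a real site would use, and category names taken from the article’s list.

```javascript
// Consent gate: runs a category's loader only once that category is consented to,
// and records every decision with a timestamp and the policy version it was made under.
// `store` is a constructed stand-in for persistent storage (assumption).
const CATEGORIES = ["essential", "performance", "analytics", "advertising", "social"];

function createConsentManager(store = { log: [] }, now = () => new Date().toISOString()) {
  const pending = [];   // loaders registered before their category was allowed
  const executed = [];  // categories whose loaders have actually run

  function current() {  // most recent recorded decision, or null if none yet
    return store.log.length ? store.log[store.log.length - 1].choices : null;
  }
  function allowed(category) {  // essential cookies never require consent
    if (category === "essential") return true;
    const c = current();
    return Boolean(c && c[category] === true);
  }
  function register(category, load) {  // a script/tag that sets cookies of this category
    if (!CATEGORIES.includes(category)) throw new Error("unknown cookie category: " + category);
    if (allowed(category)) { load(); executed.push(category); }
    else pending.push({ category, load });  // stays blocked until consent arrives
  }
  function record(choices, policyVersion) {  // user clicked the banner / preferences screen
    const normalized = {};
    for (const cat of CATEGORIES) normalized[cat] = cat === "essential" ? true : choices[cat] === true;
    store.log.push({ at: now(), policyVersion, choices: normalized });  // recoverable proof of consent
    for (const p of pending.splice(0)) {   // release loaders whose category is now allowed
      if (allowed(p.category)) { p.load(); executed.push(p.category); }
      else pending.push(p);
    }
  }
  function withdraw(policyVersion) {  // withdrawal = a new record with all non-essential off;
    record({}, policyVersion);        // cookies already set must be expired separately
  }
  return { allowed, register, record, withdraw, current,
           log: () => store.log.slice(), executed: () => executed.slice() };
}
```

Because the log keeps one entry per decision rather than overwriting, both the original consent and any later withdrawal remain retrievable, which is what Step 4’s “recoverable logs” requires.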
6. Implement GDPR Cookie Consent Today
Luckily, there are tools online that can help you tackle and maintain cookie compliance. Start today with Termly’s Cookie Consent Manager.