The General Data Protection Regulation (GDPR) changed the way businesses around the world handle personal data. As website owners and operators continue to navigate GDPR compliance, many are wondering what role cookies and cookie consent have to play.
Let’s dive into what the GDPR means for cookies, what GDPR cookie consent entails, and how you can make your cookies compliant with the GDPR.
1. GDPR and Cookies
Business owners and digital operators want to know how the GDPR and cookies intersect. While cookie compliance is often brought up in conversations about the GDPR, the official text of the law only mentions cookies once.
GDPR Recital 30 states:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers […] when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
In short, cookies that can be used (on their own or in combination with other data) to identify an individual are considered means of personal data collection under the GDPR.
So while the GDPR doesn’t specify how to lawfully deploy and use cookies, the law’s text does make it clear that cookies are subject to the legislation.
Furthermore, the GDPR serves as a complement to the ePrivacy Directive (also known as the Cookie Law). To comply with GDPR cookie requirements, you need to also bear Cookie Law requirements in mind.
We’ll delve into how you need to establish your cookie consent and cookie policy in a way that meets the requirements of both the GDPR and the ePrivacy Directive.
GDPR: Cookies & Personal Data
To understand the relationship between the GDPR and cookies, we need to understand the GDPR’s rules on collecting and processing personal data.
Because cookies can be used to identify an individual, they are subject to the six principles of processing personal data outlined in the GDPR:
- Personal data must be processed lawfully, fairly, and transparently.
- Personal data must be collected and processed only for specific and legitimate purposes.
- Data collection should be minimized (only collect what is necessary for your stated purposes).
- Accuracy of personal data should be ensured, and timely efforts should be made to rectify incorrect data (or to comply with other data management requests).
- Data should only be stored as long as necessary to fulfill its designated purpose.
- Appropriate security measures need to be in place when processing data.
Most of these guidelines will be met when you implement broad GDPR compliance measures, such as data mapping or bolstered security systems.
The first principle — lawful, fair, and transparent data processing — is the most applicable to your use of cookies, and the broadest mandate. We’ll focus on how you can ensure your use of cookies meets this critical GDPR requirement.
GDPR Cookie Requirements
With the GDPR guidelines for personal data collection in mind, there are requirements you need to meet when using cookies to track your users. We’ll expand upon each of these steps in the coming sections, but here are the basic guidelines you need to follow to lawfully use cookies under the GDPR:
- Know what cookies your site uses and which cookie category they fall under.
- Clearly outline your cookie use in your privacy policy and cookie policy.
- Make users aware of your privacy and cookie policies.
- Allow users to give clear and explicit consent to your cookie use.
- Only deploy non-essential cookies after each user has consented to those cookies.
- Give users a means of changing their cookie preferences at any time, or withdrawing their cookie consent entirely.
- Honor users’ preferences and consents.
- Keep recoverable logs of the consent preferences of your users.
The main features of your GDPR cookie compliance plan will be your cookie policy, your cookie consent banner, and your cookie consent management plan.
2. GDPR-Compliant Cookie Consent
Cookie consent is a key part of your GDPR compliance plan, but what exactly is it? GDPR cookie consent is clear, specific, and freely given consent to all cookies, or to specific categories of cookies.
This consent relies on two fundamental components:
- Users’ awareness of your cookie use (including cookie categories and purposes)
- Users’ ability to consent to, deny, or set preferences for your use of cookies
To make users aware of your cookie use, you need a comprehensive cookie policy.
To allow users to set their consent preferences, you need a cookie banner (or comparable method displaying cookie options — like a popup).
Finally, you need a method of maintaining both your cookie policy and your consent banner (as well as the user preferences gathered through your banner).
Let’s dive into how you can create and maintain each of these elements for GDPR compliance.
3. GDPR Cookie Policy
A GDPR cookie policy (also referred to as a cookies policy) outlines what cookies your site uses and why those cookies are being used.
A standard cookie policy includes the following information:
- What cookies your site uses
- Which category each cookie falls under
- Why you use those cookies
- What other tracking technologies you use (such as web beacons or pixel tags)
- How users can control their cookie preferences
Keep in mind that a cookie policy supplements your privacy policy, but doesn’t replace it. Make sure you also have a GDPR privacy policy that discusses your use of cookies and links to your cookies policy.
Use of First- and Third-Party Cookies Under the GDPR
The GDPR applies to both first- and third-party cookies. Understanding what cookies you use is the first step to creating a comprehensive cookie policy for GDPR compliance.
Cookies created by your own domain are called first-party cookies. These are commonly used to store information like website settings and user-input data (e.g., items in a shopping cart).
Third-party cookies are any cookies created by a domain other than your own that are deployed by your website and used to monitor the user themselves — not just their interactions on your site.
When it comes to GDPR cookie compliance, it’s important to know which of your cookies are third-party and which are first-party. You’re responsible for understanding how your third-party cookie vendors treat data collected from your users — and ensuring that that treatment is GDPR compliant.
GDPR Cookie Categories
Under the GDPR, cookies need to be sorted into specific categories in your cookie policy.
Because GDPR cookie consent must be specific and granular, users need to know what purposes different cookies serve, and have the ability to consent to or deny those cookies accordingly.
For example, if a user consents to the use of functionality cookies that allow video playback, that doesn’t mean they consent to social networking cookies that collect data on behalf of, say, Facebook.
To get valid consent to cookies by category, your users need to be informed of your cookie categories through your cookie policy. Here are the categories we recommend sorting your cookies into when writing your GDPR cookie policy:
- Essential — Essential cookies are those necessary for the basic functionality of your website. An essential cookie remembers a given user as they browse your site. For example, essential cookies keep track of what page a user is on, or from what account a user is accessing your site. Under the Cookie Law and the GDPR, essential cookies and strictly necessary cookies are the same, and these necessary trackers don’t require user consent.
- Performance and functionality — Unlike essential cookies, these cookies are used to supplement your site’s functionality, but aren’t necessary. For example, performance and functionality cookies can help play videos on your site.
- Analytics and customization — When it comes to the GDPR and tracking cookies, analytics cookies are often at the forefront of the conversation. As the majority of online businesses use analytics cookies in some capacity to track and analyze user behavior, site owners and operators are understandably concerned about disabling these cookies in the absence of lawful GDPR cookie consent.
- Advertising — Advertising cookies are a common form of third-party cookie. If you display ads on your site, those third-party ad owners are tracking your users through cookies attached to their advertisements. Like any third-party cookies, exercise caution when using advertising cookies, as GDPR compliance lapses on your ad vendor’s end could become your own GDPR liability.
- Social networking — If you have any like, share, or subscribe functions on your site that connect with a social media platform, you use social networking cookies. By nature, these cookies are third-party for most sites.
Understanding the categories of cookies you use is the foundation of your cookie policy as well as your cookie consent banner.
4. GDPR Cookie Banner
Cookie consent can be obtained through a GDPR-compliant cookie banner. This banner appears when a user visits your site for the first time, and requests that users consent to your use of cookies or set their cookie preferences.
Your cookie banner should include the following elements:
- A link to your cookie policy
- An opt-in mechanism (like a button) that allows users to consent to cookies
- A method of letting users set specific cookie preferences (i.e., a way for users to toggle which cookie categories they consent to)
Here’s a GDPR cookie consent example:
By presenting users with a button they need to click to provide consent to all cookies, this banner satisfies the GDPR requirement that consent must be actively and freely given.
If a user does not wish to consent to all cookies, they can click the “Cookie Preferences” button, which will lead them to the following screen:
You’ll notice that the categories of cookies are listed and unchecked (save for essential cookies, which cannot be opted out of). Once again, allowing users to actively select the cookie categories to which they consent satisfies GDPR rules regarding personal data.
5. Managing GDPR Cookie Compliance
Understanding GDPR cookie consent rules isn’t enough — you need to put them into practice to make your cookie use GDPR-compliant.
Follow these steps to optimize your GDPR cookie compliance.
Step 1: Understand What Cookies You Use
To categorize your cookies and detail them in your cookie policy, you need to actually know which cookies you use. This is easier said than done, as many sites inadvertently deploy more cookies than they realize.
The easiest way to discover your cookies is by using a dedicated cookie scanner. Take Termly’s Cookie Consent Manager as an example:
We first scan your domain for cookies to locate and categorize the first- and third-party cookies you use.
Bear in mind that if you aren’t using cookie-finding software with built-in categorization like the example above, you need to sort every cookie into a category based on the purpose it fulfills, so you can obtain granular cookie consent.
Furthermore, you need to assess your cookie use and determine if every cookie you currently deploy is necessary. Recall the GDPR guidelines for personal data processing mentioned above — data minimization (only collecting what you need for designated purposes) is an important component of GDPR compliance. So, you need to evaluate your cookie use and stop using cookies that no longer serve your site.
Step 2: Create and Display Your GDPR Cookie Policy
Once you know what cookies you use and which categories they belong to, you need to create a GDPR-compliant cookie policy.
You can generate a cookie policy through a service, hire a lawyer to draft one for you, or create your own from scratch. Whichever option you choose, ensure your cookie policy meets GDPR transparency standards — namely, being comprehensive, clear, and accessible to users.
Notice in the example above how the cookie category is listed, followed by the cookies that are classified under that category. Furthermore, each cookie description links out to any corresponding policies to which users should be given access.
Lastly, note the brief description of the cookie category. While this isn’t a distinct GDPR requirement, you should strive to make your cookie policy as user-friendly and comprehensible as possible.
Step 3: Configure and Activate Your Cookie Consent Banner
Once you’ve categorized your cookies and created your cookie policy, you need to compile that information into a GDPR-compliant cookie consent banner.
Banners come in different forms, depending on your own business needs and preferences. For example, banners created through Termly’s Cookie Consent Manager can come in three distinct forms:
Once you’ve finalized your banner’s design and features, it’s time to implement the banner on your site. Your consent mechanism (whether it’s a cookie banner, pop-up modal, or tool-tip) should be set to appear when users first access your site.
To comply with the GDPR, you also need to block non-essential cookies from running before users have consented to their deployment, or set their cookie preferences, through your banner.
Step 4: Track and Record Cookie Consents
With your cookie consent banner and cookie notice in place, you need to begin collecting and recording consents.
Keep your consent logs and user preferences in an accessible location, so you can retrieve proof of GDPR compliance in the event of a claim.
Don’t forget to honor user preferences and consents (or lack thereof) as you receive them.
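The banner defaults described in section 4 (every category unchecked except essential) together with the blocking and consent logging of Steps 3 and 4, as an added example that is not Termly’s code or product: a small consent gate that decides which tagged scripts may load and keeps an append-only consent log. The category names follow the list above; the policy version string, the script list, and the function names are assumptions.

```javascript
"use strict";

// Added example (not Termly's code). Storage and DOM wiring are out of scope;
// the latest record would normally be persisted in a first-party cookie or localStorage.
const CATEGORIES = ["essential", "performance", "analytics", "advertising", "social"];
const POLICY_VERSION = "2024-01"; // hypothetical cookie-policy version the consent refers to

// Constructed sample: scripts on a page, tagged with the category of cookies they set.
const SAMPLE_SCRIPTS = [
  { src: "/js/session.js", category: "essential" },
  { src: "/js/video-player.js", category: "performance" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];

// Banner default state: everything unchecked except essential, which cannot be opted out of.
function defaultChoices() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = c === "essential";
  return choices;
}

// Build a consent record from the banner choices. Essential is always granted,
// unknown categories are rejected, and the record carries a timestamp and the
// policy version so it can later be produced as proof of consent.
function recordConsent(log, choices, now = Date.now()) {
  const record = { choices: defaultChoices(), policyVersion: POLICY_VERSION, at: now };
  for (const [category, granted] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category !== "essential") record.choices[category] = granted === true;
  }
  log.push(record); // append-only: earlier records stay as history
  return record;
}

// Withdrawal is a new record with every non-essential category denied.
function withdrawConsent(log, now = Date.now()) {
  return recordConsent(log, defaultChoices(), now);
}

// Latest record wins; with no record at all, only essential cookies may run.
function isAllowed(log, category) {
  if (category === "essential") return true;
  const latest = log[log.length - 1];
  return latest !== undefined && latest.choices[category] === true;
}

// Return the scripts that may be loaded right now; non-essential ones stay blocked until consent.
function scriptsToLoad(log, scripts) {
  return scripts.filter((s) => isAllowed(log, s.category)).map((s) => s.src);
}
```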
6. Implement GDPR Cookie Consent Today
GDPR cookie consent is an ongoing process for businesses all around the globe. If you use cookies and are subject to the GDPR or the Cookie Law, you need to assess your tracking technologies and put compliance measures in place now.
Luckily, there are tools online that can help you tackle and maintain cookie compliance. Start today with Termly’s Cookie Consent Manager.