The General Data Protection Regulation (GDPR) has changed how organizations worldwide handle personal data. Website owners and operators continue to work to navigate GDPR compliance, and many continue to wonder how the GDPR, cookies, and consent interact.
Let’s dive into how the GDPR and cookies intersect, what GDPR cookie consent entails, and how to make your cookies compliant with the GDPR.
1. GDPR and Cookies
Everyone operating a website with international traffic needs to know how the GDPR and cookies are connected. The GDPR is often mentioned in conversations about cookies, but the official text of the law only mentions cookies once.
GDPR Recital 30 states:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers […] when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Cookies are considered unique identifiers since they can be used independently or combined with other data to identify an individual. As a result, they’re considered a means of personal data collection under the GDPR.
The GDPR isn’t static, however. In May 2020, the European Union (EU) released an update to remove ambiguity regarding their official position on aspects of cookie usage, along with several other clarifications. This update specifically names cookies as a form of unique identifier instead of implying that they are. The update also gives specific rules for how cookie consent may not be acquired.
Furthermore, the GDPR is intended to interact with the ePrivacy Directive (also known as the Cookie Law). Complying with GDPR cookie requirements means you must also comply with the Cookie Law.
However, the ePrivacy Directive may soon be replaced with an alternative known as the ePrivacy Regulation, an even more specific law.
We’ll delve into how you need to establish your cookie consent and cookie policy in a way that meets the requirements of both the GDPR and the ePrivacy Directive or Regulation.
GDPR: Cookies & Personal Data
The relationship between the GDPR and cookies is dependent on the GDPR’s rules surrounding the collection and use of personal data.
Because cookies can be used to identify an individual, they are subject to the seven principles of processing personal data outlined in the GDPR:
- Personal data must be processed lawfully, fairly, and transparently.
- Personal data must be collected and processed only for specific and legitimate purposes.
- Data collection should be minimized (only collect what is necessary for your stated purposes).
- Accuracy of personal data should be ensured, and timely efforts should be made to rectify incorrect data (or comply with other data management requests).
- Data should only be stored as long as necessary to fulfill its designated purpose.
- Appropriate security measures need to be in place when processing data.
- Organizations must take responsibility and be accountable for the data they collect by maintaining records of consent.
If you implement broad GDPR compliance measures like data mapping or bolstered security systems, you’ll meet most of these requirements without further effort.
The first principle — lawful, fair, and transparent data processing — is the most applicable to your use of cookies and the broadest mandate. We’ll focus on how you can ensure your use of cookies meets this critical GDPR requirement.
GDPR Cookie Requirements
Under the GDPR guidelines for personal data collection, there are several requirements for GDPR cookies used for tracking users. Later, we’ll go into depth on each of these requirements, but the basic guidelines for lawfully using cookies under the GDPR are as follows
- Know what cookies your site uses and which cookie category they fall under.
- Clearly outline your cookie use in your privacy policy and cookie policy.
- Make users aware of your privacy and cookie policies with clear GDPR cookie consent language.
- Allow users to give clear and explicit consent to your cookie use.
- Only deploy non-essential cookies after each user has consented to those cookies.
- Give users a means of changing their cookie preferences at any time or withdrawing their cookie consent entirely.
- Honor users’ preferences and consents.
- Keep recoverable logs of the consent preferences of your users.
The main features of your GDPR cookie compliance plan will be your cookie policy, your cookie consent banner, and your cookie consent management plan.
2. GDPR-Compliant Cookie Consent
So, GDPR cookie consent is fundamental to your GDPR compliance plan. But what is cookie consent? It’s defined as clear, specific, and freely given consent to all cookies or to specific categories of cookies.
This consent relies on two fundamental components:
- Users’ awareness of your cookie use (including cookie categories and purposes)
- Users’ ability to consent to, deny, or set preferences for your use of cookies
To make users aware of your cookie use, you need a comprehensive cookie policy that they can easily access and that is prominently displayed on your site.
The simplest way to let users set their consent preferences is to institute a cookie banner or a comparable method like a popup.
Lastly, you need to maintain your cookie policy and consent banner while collecting the user preferences you gather.
Let’s dive into how you can create and maintain each of these elements for GDPR compliance.
3. GDPR Cookie Policy
A GDPR cookie policy (also referred to as a cookies policy) outlines what cookies your site uses and why those cookies are being used.
A standard cookie policy includes the following information:
- What cookies your site uses
- Which category each cookie falls under
- Why you use those cookies
- What other tracking technologies you use (such as web beacons or pixel tags)
- How users can control their cookie preferences
- What cookies your site uses
- Which category each cookie falls under
- Why you use those cookies
- What other tracking technologies you use (such as web beacons or pixel tags)
- How users can control their cookie preferences
Cookie policies should supplement your privacy policy, not replace it. You should also have a GDPR privacy policy covering your cookie use and links to your specific cookie policy.
Use of First- and Third-Party Cookies Under the GDPR
The GDPR applies to all cookies, third- and first-party alike. To create a comprehensive cookie policy and maintain GDPR compliance, you need to understand the cookies you’re using.
Cookies created by your own domain are called first-party cookies. These are commonly used to store information like website settings and user-input data (e.g., currency preferences or items in a shopping cart).
Third-party cookies are any cookies created by a domain other than your own deployed by your website and used to monitor the user — not just their interactions on your site.
When it comes to GDPR cookie compliance, it’s essential to know which of your cookies are third-party and which are first-party. You’re responsible for understanding how your third-party cookie vendors treat data collected from your users. More importantly, you’re responsible for ensuring that that treatment is GDPR compliant.
GDPR Cookie Categories
Under the GDPR, cookies need to be sorted into specific categories in your cookie policy.
Because GDPR cookie consent must be specific and granular, you need to tell users the different purposes your cookies serve and give them the ability to accept or deny those cookies accordingly.
For example, just because users consent to functionality cookies that allow video playback, they may not consent to social networking cookies that collect data for Facebook.
To get valid consent to cookies by category, you must give your users information about your cookie categories through your cookie policy. We recommend sorting your cookies into the following five categories when you request GDPR cookie consent.
- Essential — Essential cookies are necessary for the basic functionality of your website. An essential cookie remembers a given user as they browse your site. For example, essential cookies keep track of what page a user is on or from what account a user is accessing your site. Under the Cookie Law and the GDPR, essential cookies and strictly necessary cookies are the same, and these necessary trackers don’t require user consent.
- Performance and functionality — Unlike essential cookies, these cookies are used to supplement your site’s functionality but aren’t necessary. For example, performance and functionality cookies can help play videos on your site.
- Analytics and customization — When it comes to the GDPR and tracking cookies, analytics cookies are often at the forefront of the conversation. As most online businesses use analytics cookies in some capacity to track and analyze user behavior, site owners and operators are understandably concerned about disabling these cookies in the absence of lawful GDPR cookie consent.
- Advertising — Advertising cookies are a common form of third-party cookie. If you display ads on your site, those third-party ad owners are tracking your users through cookies attached to their advertisements. Like any third-party cookies, exercise caution when using advertising cookies, as GDPR compliance lapses on your ad vendor’s end could become your own GDPR liability.
- Social networking — If you have any like, share, or subscribe functions on your site that connect with a social media platform, you use social networking cookies. By nature, these cookies are third-party for most sites.
Understanding your cookie categories is the foundation of your cookie and your cookie consent banner.
4. GDPR Cookie Banner
Cookie consent can be obtained through a GDPR-compliant cookie banner. You must display this banner when a user visits your site for the first time to request that users consent to your use of cookies or set their cookie preferences.
Your cookie banner should include the following elements:
- A link to your cookie policy
- An opt-in mechanism (like a button) that allows users to consent to cookies
- A method of letting users set specific cookie preferences (i.e., a way for users to toggle which cookie categories they consent to)
Here’s a GDPR cookie consent example:
By presenting users with a button they need to click to provide consent to all cookies, this banner satisfies the GDPR requirement that consent must be actively and freely given.
If a user doesn’t want all cookies, they can click the “Cookie Preferences” button, which will lead them to the following screen:
You’ll notice that the categories of cookies are listed and unchecked (save for essential cookies, which cannot be opted out of). Once again, allowing users to actively select the cookie categories to which they consent satisfies GDPR rules regarding personal data. Checking all non-essential cookie categories requires users to opt out of cookies, which is not considered active consent.
GDPR Cookie Consent Language
The language in which you write your cookie collection policy is just as important as the rest of the policy. You need to write your policies in clear, understandable language. The policy should also be provided in every language your site is available in. Your GDPR cookie consent language should be accessible to all site visitors and cover all the necessary details.
Here’s a GDPR cookie consent language example:
Essentially, your cookie consent language shouldn’t be confusing. Unnecessarily complicated wording can obscure the point of your cookie consent banner, which may be interpreted as impairing your visitors’ ability to actively consent.
5. GDPR Updates
As mentioned earlier, the GDPR hasn’t remained static. The update in May 2020 has added some critical context to the GDPR. Meanwhile, the EU Parliament is preparing to vote on an update to the ePrivacy Directive. These updates primarily add restrictions to specific methods of consent collection and cookie deployment. Here’s how these updates have altered the GDPR.
Banned GDPR Cookie Consent Methods
The GDPR update was put in place after several years of observing how companies interpreted the Regulation’s original text. The update clarifies several items to end situations where companies had been following the text and not the law’s intention.
Regarding cookies, the update specifically bars three types of consent collection: cookie walls, consent by scrolling, and consent by continuing to browse. Here’s what that means for your site.
Cookie Walls: A cookie wall is a script or popup screen that bars users from seeing a site’s content unless they consent to cookies. The wall may show the GDPR cookie information, but that is not a necessary element of a cookie wall.
The fundamental element of a cookie wall is that it blocks the visitor from accessing content unless they click the “Accept cookies” button on the popup.
Here’s an example of a cookie wall. Notice that there’s only one button and no way for users to opt out of cookies.
The EU has determined that this is not lawful, since it does not give the user a genuine choice. Cookie popups cannot bar the user from visiting the site as a whole based on cookie acceptance. Sites may limit access to certain content, but the user must be able to achieve “general access” without consenting to cookies.
Basically, you must let users visit the general portion of your site without consenting to cookies in any way. Still, you can require them to consent to cookies to access limited information.
GDPR Cookie Consent by Scrolling: Sites who claimed to obtain “consent by scrolling” would place a narrow banner at the top of the screen with their GDPR consent information and state that “by continuing to scroll, you provide consent to the use of cookies.”
However, the update makes it clear that the EU doesn’t consider this full consent. The act of scrolling to consent cannot be clearly distinguished from scrolling to read the rest of the webpage. Therefore, the EU has banned consent by scrolling and requires more purposeful consent collection.
Consent by Continuing to Browse: Like consent by scrolling, consent by continuing to browse sites offer a small banner informing the user that should they continue to browse, they are consenting to the use of cookies. However, the EU has determined that “continuing to browse” isn’t a clear and affirmative action. The site must require the user to take a purposeful action to consent to cookie collection.
Updates to the Cookie Law
The ePrivacy Directive was passed in 2002, making it relatively old by technological standards. As of February 2021, the EU Council has finalized a draft regulation known as the ePrivacy Regulation, which is intended to replace the ePrivacy Directive. While this bill has not been finalized, it would expand the types of communications covered by the law. Changes include:
- Defining location data
- Broadening the scope of the regulation to include businesses processing electronic communications data outside the European Economic Area
- Requiring companies to share anonymized statistical personal data from electronic communications to conduct Data Protection Impact Assessments
- Requiring companies to inform users about their intended data processing activities
Currently, the ePrivacy Regulation is not yet in effect. It will go into effect two years after it is passed into law. Should the EU Parliament choose to approve the law, it may come into effect as soon as 2023.
It will not replace the GDPR; the draft makes it clear that the Regulation is intended to complement this law. While you are not yet required to follow the law, you should prepare for this law or one very similar to go into effect in the next several years.
6. Managing GDPR Cookie Compliance
Understanding GDPR cookie consent rules and the updates to the law aren’t enough. You need to put these rules into practice to make your cookie use GDPR-compliant.
Follow these steps to optimize your GDPR cookie consent compliance.
Step 1: Understand What Cookies You Use
To categorize your cookies and detail them in your cookie policy, you need to actually know which cookies you use. This is easier said than done, as many sites inadvertently deploy more cookies than they realize.
The easiest way to discover your cookies is by using a dedicated cookie scanner. Take Termly’s Cookie Consent Manager as an example:
We first scan your domain for cookies to locate and categorize the first- and third-party cookies you use.
Bear in mind that if you aren’t using cookie-finding software with built-in categorization like the example above, you need to sort every cookie into a category based on the purpose it fulfills, so you can obtain granular cookie consent.
Furthermore, you need to assess your cookie use and determine if every cookie you currently deploy is necessary. Recall the GDPR guidelines for personal data processing mentioned above — data minimization (only collecting what you need for designated purposes) is a critical component of GDPR compliance. So, you need to evaluate your cookie use and stop using cookies that no longer serve your site.
Step 2: Create and Display Your GDPR Cookie Policy
Once you know what cookies you use and which categories they belong to, you need to create a GDPR-compliant cookie policy.
You can generate a cookie policy through a service, hire a lawyer to draft one for you, or create your own from scratch. Whichever option you choose, ensure your cookie policy meets GDPR transparency standards — namely, being comprehensive, clear, and accessible to users.
Notice in the example above how the cookie category is listed, followed by the cookies that are classified under that category. Each cookie description links out to any related policies to which users should be given access.
Note the brief description of the cookie category and the understandable GDPR cookie consent language. While this isn’t a distinct GDPR requirement, you should strive to make your cookie policy as user-friendly and understandable as possible.
Step 3: Configure and Activate Your Cookie Consent Banner
Once you’ve categorized your cookies and created your cookie policy, you need to compile that information into a GDPR-compliant cookie consent banner.
Banners come in different forms, depending on your own business needs and preferences. For example, banners created through Termly’s Cookie Consent Manager can come in three distinct forms:
Once you’ve finalized your banner’s design and features, it’s time to implement the banner on your site. Your consent mechanism (whether it’s a cookie banner, pop-up, or tool-tip) should be set to appear when users first access your site. Make sure that the user can still access your site around the banner or without consenting to cookies so your banner doesn’t become a cookie wall.
To comply with the GDPR, you also need to block non-essential cookies from running before users have consented to their deployment or set their cookie preferences through your banner.
Step 4: Track and Record Cookie Consents
With your cookie consent banner and cookie notice in place, you need to collect and record consents. Keep your consent logs and user preferences in an accessible location, so you can retrieve proof of GDPR compliance in the event of a claim.
Don’t forget to honor user preferences and consents (or lack thereof) as you receive them.
7. Implement GDPR Cookie Consent Today
GDPR cookie consent is an ongoing process for businesses around the globe. If you use cookies and are subject to compliance with the GDPR or the Cookie Law, you need to assess your tracking technologies and put compliance measures in place now.
Luckily, there are tools online that can help you tackle and maintain cookie compliance. Start today with Termly’s Cookie Consent Manager.
