How to have a GDPR-compliant cookie banner
Ensure that the cookie banner complies with recent CNIL instructions on cookies and trackers. Learn more about it here!
Following the CNIL's publication of its guidelines on cookies and trackers, a number of criteria must be met for a cookie banner to be compliant.
What is a cookie or tracker?
While you browse the web, various actors track your reading, purchasing, location and navigation habits, largely for commercial purposes. By placing cookies on your device, they can serve so-called "targeted" advertising or other personalised services based on your behaviour. All of this collected data is valuable, and it is subject to several pieces of legislation.
However, some cookies are exempt from consent because they are considered "essential" or "technical": they are necessary for the website to function properly. A general-purpose analytics cookie, by contrast, cannot be treated as essential; the only audience-measurement trackers the CNIL exempts are those that meet its strict conditions (limited to producing statistics for the site itself, with no cross-site tracking).
Who is responsible?
It is mandatory to collect consent and to inform users about the purposes of the data collected, and this is done through a GDPR-compliant cookie banner. The following actors are responsible:
- Publishers of websites and mobile applications
- Advertising agencies
- Social networks
What does the law say?
When users visit a website, they must be informed and must give their consent before any cookies or other trackers are stored on or read from their device (unless these are exempt from consent). In practice this is done with a cookie banner, which must comply with the GDPR and with the CNIL's recommendations.
Users must be clearly and fully informed about the purpose of the information stored on their device, and they must be able to object to it in a simple way. In practice, this means a "refuse all" option presented in the same way as the "accept all" option on the banner. A frequently observed error is the absence of this button; it is mandatory, so a banner without it is useless and not GDPR compliant.
Collecting valid consent with your cookie banner means meeting a number of requirements:
- The end user must first be clearly informed: the purposes of the trackers must be presented at the moment the user makes their choice.
- Simple and understandable wording must be used.
- The visitor must be given the opportunity to consent by a "clear positive act". The CNIL also recommends against "misleading design practices" (dark patterns), for example a highly visible "Accept All" button alongside a hidden "Decline All" button tucked into the top right corner: not recommended and not GDPR compliant.
- Allow choice by purpose. It is recommended to obtain specific consent for each purpose, as offered for example by the SP cookie banner and its preference centre.
- Exercising these choices must be just as simple as giving consent. The visitor's choice must "in principle" be recorded so that they are not asked again. The SP consent management tool records each consent independently and in compliance with the GDPR.
- The user must also be able to reverse their decision at any time. Here the CNIL recommends, for example, a link at the bottom of the page or a cookie management button available at all times on the page, as SP offers with its Trust Badge.
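To make the requirements above concrete, here is an added example (not code from the original article, nor from the SP product it mentions) of a small per-purpose consent gate in plain JavaScript. It assumes three hypothetical purposes (analytics, ads, social), a localStorage-like store, one loader function per purpose that injects the corresponding tracker, and an assumed six-month validity for a recorded choice. Nothing non-essential runs until a choice is recorded, a "refuse all" is stored exactly like an "accept all" so the banner is not shown again, the choice can be withdrawn at any time, and a helper audits a cookie string for cookies that are not on the essential allow-list, which is the check to run before any consent has been given.

```javascript
// Added example, not code from the article or from any consent-management vendor.
// Purpose names, the storage key and the six-month validity are assumptions.

const PURPOSES = ["analytics", "ads", "social"];
const STORAGE_KEY = "cookie_consent_v1";            // assumed key name
const MAX_AGE_MS = 6 * 30 * 24 * 60 * 60 * 1000;     // assumed validity of a stored choice

class ConsentGate {
  // storage: localStorage-like object with getItem/setItem/removeItem
  // loaders: { purpose: function } that injects the tracker for that purpose
  // now: clock, injectable so expiry can be exercised in tests
  constructor(storage, loaders, now = () => Date.now()) {
    this.storage = storage;
    this.loaders = loaders;
    this.now = now;
    this.loaded = new Set();
  }

  // The recorded decision, or null if none exists, it is malformed, or it has expired.
  // null means the banner must be shown and no non-essential tracker may run.
  decision() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { return null; }
    if (!rec || typeof rec.choices !== "object" || typeof rec.at !== "number") return null;
    if (this.now() - rec.at > MAX_AGE_MS) { this.storage.removeItem(STORAGE_KEY); return null; }
    return rec;
  }

  needsBanner() { return this.decision() === null; }

  // Persist an explicit choice per purpose; anything not explicitly true is refused.
  // A refusal is stored exactly like an acceptance so the user is not asked again.
  record(choices) {
    const normalized = {};
    for (const p of PURPOSES) normalized[p] = choices[p] === true;
    this.storage.setItem(STORAGE_KEY, JSON.stringify({ choices: normalized, at: this.now() }));
    return this.apply();
  }

  acceptAll() { return this.record(Object.fromEntries(PURPOSES.map((p) => [p, true]))); }
  refuseAll() { return this.record({}); }

  // Withdrawal: forget the choice; the banner reappears and no loader runs on the next visit.
  withdraw() { this.storage.removeItem(STORAGE_KEY); }

  // Run the loader of every consented purpose exactly once; returns what was loaded now.
  apply() {
    const rec = this.decision();
    const ran = [];
    if (!rec) return ran;
    for (const p of PURPOSES) {
      if (rec.choices[p] === true && !this.loaded.has(p) && typeof this.loaders[p] === "function") {
        this.loaders[p]();
        this.loaded.add(p);
        ran.push(p);
      }
    }
    return ran;
  }
}

// Pre-consent check: given a document.cookie / Cookie header string and the allow-list of
// essential cookie names, return the names that should not exist before a choice was made.
function nonEssentialCookies(cookieString, essentialNames) {
  return cookieString
    .split(";")
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((s) => s.split("=")[0].trim())
    .filter((name) => !essentialNames.has(name));
}

// In-memory stand-in for localStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Walk through a visit: undecided, then analytics only, then withdrawal.
function demo() {
  const events = [];
  const loaders = Object.fromEntries(PURPOSES.map((p) => [p, () => events.push(p)]));
  const gate = new ConsentGate(new MemoryStorage(), loaders);
  const before = gate.apply();                      // nothing runs before a choice
  const chosen = gate.record({ analytics: true });  // only the consented purpose loads
  const again = gate.apply();                       // already loaded, nothing new
  gate.withdraw();
  return { before, chosen, again, bannerAfterWithdraw: gate.needsBanner(), events };
}

// Constructed cookie string: session and csrf are essential, _ga is an analytics-style name.
const SAMPLE_COOKIES = "session=abc123; _ga=GA1.2.111; csrf=tok";
const ESSENTIAL = new Set(["session", "csrf"]);

console.log(demo());
console.log("non-essential before consent:", nonEssentialCookies(SAMPLE_COOKIES, ESSENTIAL));
```

In a real page the loaders would inject the third-party script tags, and the banner's "Accept all", "Refuse all" and "Save my choices" buttons would call acceptAll, refuseAll and record respectively; the footer link recommended by the CNIL calls withdraw and reopens the banner. The cookie audit is worth running in an automated check against a fresh session, because any name it returns is a tracker set before consent.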
All these recommendations rest on a clearly defined legal framework:
- Article 5(3) of Directive 2002/58/EC (the ePrivacy Directive), as amended in 2009, lays down the principle
- Article 82 of the French Data Protection Act (loi Informatique et Libertés) transposes these provisions into French law
- Article 29 of Ordinance No. 2018-1125 of December 12, 2018
- GDPR Articles 4(11) and 7
- The CNIL guidelines of 17 September 2020
In 2021, the CNIL checked compliance with these points more than ever before, and it sanctioned companies that failed to comply. More than 14,000 complaints have been filed, and that number keeps rising.
It is essential to act sparingly and cautiously when processing personal data. Some companies take the initiative by adopting "Privacy by Design" approaches. All of this helps build trust and transparency with visitors. Beyond the legal aspect, it is a matter of respect for the people whose data you handle.