January 8, 2021

Greek DPA Cookie Consent Guidelines: 8 Compliance Tips

In this guide, we explore the Greek DPA Cookie Consent Guidelines published on Feb. 25, 2020.


What is HDPA?

The Hellenic Data Protection Authority (HDPA) is an independent public authority in Greece and has its seat in Athens. The HDPA is responsible for supervising the implementation of the General Data Protection Regulation (GDPR), the national data protection act, and other regulations concerning the protection of the individual from the processing of personal data, as well as the exercise of the duties assigned to it each time.

What are the Greek DPA cookie guidelines?

The Greek DPA Cookie Consent Guidelines, meant to help businesses meet GDPR compliance requirements, were published on February 25, 2020. The Guidelines were adopted following the completion of an audit carried out by the HDPA of the use of cookies by the most famous Greek websites, in which the HDPA found that most of the audited websites were non-compliant with the GDPR.

The Hellenic DPA’s cookie consent guidelines seek to streamline how businesses operating in Greece comply with both the ePrivacy Directive and the GDPR’s user consent requirements concerning the use of cookies and other tracking technologies on websites.

In this guide, we explore:

  • What are website cookies? 
  • What are the cookie consent requirements under the ePrivacy Directive? 
  • What are the cookie consent requirements under the GDPR?
  • What types of cookies and trackers require prior consent under the Greek DPA cookie consent guidelines?
  • What are the Greek DPA’s requirements for a compliant cookie notice? 
  • How do I obtain valid cookie consent under the Greek DPA cookie consent guidelines? 
  • How do I comply with the Greek DPA cookie consent guidelines with Secure Privacy? 

What are Website Cookies? 

Cookies are small files containing data that are stored on a user's device via the browser when the user visits a website.

Usually, cookies are used to store different kinds of user data, which is essential to achieving the desired functionality of your website. Some of the different types of personal data that cookies collect include:

  • How a visitor accessed your website
  • The location of the user
  • Users’ online activity for relevant ad targeting and better user experiences

Recently, especially after the European Union adopted its General Data Protection Regulation (GDPR) on May 25, 2018, website cookies have come under increased scrutiny due to the new law’s focus on giving EU residents increased control over how data controllers use their personal information collected online.

What are the Cookie Consent Requirements under the ePrivacy Directive? 

The ePrivacy Directive, commonly known as EU Cookie Law, directs that if you want to collect the personal information of your website users using cookies injected into their device, you need to obtain consent from them first. 

For the consent you collect from your users through your cookie banner to be considered compliant with the ePrivacy Directive’s cookie consent requirements, it must be:

  • Freely given
  • Specific
  • Offer a clear indication of your user’s wishes.

It is important to remember that the ePrivacy Directive reinforces the General Data Protection Regulation. 

However, in some cases, it overrides the GDPR and extends its scope to oversee the privacy of electronic communications and the tracking of internet users in a broader spectrum.

What are GDPR Cookie Consent Requirements? 

The GDPR’s position on how website owners and data controllers, in general, should use cookies is made clear from its 6 principles of personal data processing.

To comply with the GDPR’s personal data processing requirements, you must:

  • Process personal information in a legitimate, fair, and transparent way
  • Collect and process personal data only for specific and legitimate purposes
  • Minimize the collection of personal data to only what is necessary for your stated purposes
  • Ensure that the personal information you collect is accurate and implement reliable measures to rectify inaccurate personal data
  • Store user information for as long as it is necessary to satisfy your stated purpose only
  • Employ relevant security measures to prevent data breaches when processing the information you collect from your users.

Under the GDPR, cookie consent refers to a situation where a user who accesses your website allows you to store cookies in their browser to collect specific categories of information about them. 

According to the EDPB cookie consent guidelines published in May 2020, cookie consent is considered valid under the GDPR only if it is:

  • Informed 
  • Freely given
  • Specific 
  • Unambiguous 
  • Easily withdrawn

What Types of Cookies and Trackers Require Prior Consent under the Greek DPA Cookie Consent Guidelines?

According to the Greek DPA cookie consent guidelines: 

  1. Before you place cookies or similar tracking technology, you must receive prior consent from the user first, regardless of whether you process their personal data or not. 
  2. You must receive prior consent from your website visitors before deploying cookies that collect user data for advertising purposes. 
  3. You also need to obtain valid consent from users before deploying third-party cookies and trackers such as Google Analytics that are used for web analytics purposes. 
  4. Only cookies and trackers deemed necessary for either the normal functioning of your website or for the delivery of service clearly requested by the user are exempt from the prior consent requirement. 

Examples of necessary cookies exempt from the prior consent obligation under the Greek DPA cookie consent guidelines include:

  • The cookies you use to connect your user to services that need verification
  • The cookies you deploy to help pinpoint, save the entire browsing session, or keep the content uploaded by the user during a specific session on your website, such as items added to a shopping cart
  • Those used to guarantee the safety of the user during their session on your website 
  • Those you employ to store your visitor’s preferences, such as their language choices or storing their search history.

Non-Compliant Practices:

  1. Deploying necessary cookies for the normal functioning of your website without giving the required information to your users about their use in your cookie notice
  2. Using third-party cookies and trackers such as Google Analytics for web analytics reasons without either giving users an easy way to opt out of their use or providing sufficient information about such use.

What are the Greek DPA’s Requirements for a Compliant Cookie Notice?

The Hellenic DPA’s cookie consent guidelines require you to give users information about cookies and why it is important for them to provide prior consent through relevant mechanisms such as cookie banners or pop-up windows. 

The good news is that you can make this information available in several layers, so long as you receive prior consent from your users after you have clearly informed them about, at least, the types of cookies you have on your website.

To ensure your cookie notice is compliant with the Greek DPA cookie consent guidelines, you need to ensure that:

  • The cookie policy in your cookie banner gives users clear, specific information about the purposes of each cookie category. 
  • For every type of cookie you have on your website, you indicate the expiry date of every tracker that gathers personal information, the identity of the data controller, and the parties with whom your visitors’ personal data is shared.
  • The information you provide in your cookie notice is easy to read on any device on which it is displayed.

Non-Compliant Practices:

  1. Having a generic privacy policy with generic information about the use of cookies on your website 
  2. Having a generic first layer notice in your cookie banner with general references to the use of cookies and other similar technologies using terms such as “cookie use for better experience” etc.
  3. Providing difficult to read text in your cookie notice because it cannot be properly shown across different devices. 

How do I Obtain Valid Cookie Consent under the Greek DPA Cookie Consent Guidelines? 

As a data controller, to comply with the Greek DPA cookie consent guidelines, you must ensure that:

  1. The prior consent you receive is given through affirmative action from the user. Using pre-checked consent boxes or relying on a user's scrolling action is not considered a valid way to obtain consent.
  2. Your users can withdraw their consent as easily as they gave it.
  3. Your users can still access the content on your website even if they refuse to let you deploy cookies or other similar tracking technologies on their devices.
  4. You allow users to accept or reject the use of non-essential trackers through the same number of actions (e.g., clicks).
  5. Your cookie banner design does not influence the user’s cookie consent choice, e.g., through having a design that emphasizes the ‘ACCEPT’ button over the ‘REJECT’ one. The Hellenic DPA recommends that the design of your cookie banner has the same font size and color emphasis for all buttons and is easy to read.
  6. You re-obtain your user’s cookie consent preferences periodically by showing them the cookie banner again after the specified duration of the cookies expires, regardless of whether consent was given or denied initially. 
  7. You do not deploy cookies and trackers because the user’s browser settings allow for automatic use of cookies, as this is not considered a valid way of obtaining GDPR cookie consent.
  8. If you do not give users a choice to accept or reject cookies, you do not place cookies or similar tracking technologies in their devices. 

Non-Compliant Practices:

  1. Using ‘cookie walls’ that deny users free choice over whether to accept or reject cookies, and give them options such as ‘ACCEPT ALL COOKIES’ or ‘OK, I AGREE’ only.
  2. Denying users an easy way to withdraw their consent by requiring extra actions such as clicking on a ‘more information’ or ‘settings’ hyperlink
  3. Assuming a user’s inaction, scrolling, or closing the cookie banner as an indication of their consent to the deployment of non-essential cookies. 
  4. Emphasizing the ‘ACCEPT COOKIES’ button by either having a different font size, color, or italics. 
  5. Denying users an easy way to change their preference settings 
  6. Constantly imploring the user to make a new choice with periodic pop up of the cookie banner in case cookie consent was denied at the first point of asking, whereas the same does not apply when the user consents to the deployment of cookies

Cookie Banner examples that are compliant with the Greek DPA Cookie Consent Guidelines

[Image: cookie banner]

(source: www.nbg.gr)

The cookie banner is likely compliant with the Greek DPA Cookie Consent Guidelines as:

- The first layer notice provides relevant information about the use of cookies (i.e. analytics, advertisement), and not just generic information;

- It offers both accept and reject options for the use of cookies;

- The two buttons are of the same size, color and emphasis.

[Image: cookie banner]

(source: www.pirauesbank.gr)

The cookie banner is likely compliant with the Greek DPA Cookie Consent Guidelines because:

- The first layer notice provides relevant information about the use of cookies, and not just generic information;

- It offers both accept and reject options for the use of cookies;

- The two buttons are of the same size and emphasis (even though the Guidelines recommend using the two buttons of the same color, it is not a requirement, and the two buttons are of the same prominence).

[Image: cookie banner]

(Hypothetical example)

This cookie banner is likely not compliant with the Greek DPA Cookie Consent Guidelines as:

- It does not allow accept and reject options

- Continued browsing of the website is considered as consent

[Image: cookie banner]

(Hypothetical example)

This cookie banner is likely not compliant with the Greek DPA Cookie Consent Guidelines as:

- The first layer notice only provides generic information such as “cookies for better experience, better presentation”

Checklist for Compliance with the Greek DPA Cookie Consent Guidelines

In order to be compliant with the Greek DPA cookie consent guidelines, make sure you comply with the following checklist:

▢  Before setting any cookies, ensure that you provide information about cookies (i.e., for each cookie of a category of cookies, the purpose, duration, controller, and recipient or category of the recipient must be indicated) on your website through appropriate mechanisms, such as pop-up windows and cookie banners.

▢  Obtain users’ consent before placing cookies and other trackers on their devices, irrespective of whether or not personal data processing occurs.

▢  Do not place any cookies, including advertising and analytics cookies on users’ devices before obtaining prior user consent, except for strictly necessary cookies.

▢  Do not rely on pre-ticked boxes.

▢  Users must be able to accept or reject the placement of cookies with the same number of actions (i.e., clicks).

▢  Make sure the accept and reject options (buttons) are presented at the same level. For example, Accept and Reject buttons must be of the same size, emphasis, and color.

▢  Do not provide generic information on the first layer such as “cookies for better experience, better presentation”

▢  Do not use cookie walls.

▢  Do not rely on continued browsing or scrolling as an indication of affirmative consent.

▢  Do not rely on browser settings allowing the use of cookies as an indication of consent.

How do I Comply with the Greek DPA Cookie Consent Guidelines with Secure Privacy?

Secure Privacy offers powerful, highly customizable, and GDPR compliant cookie banners that help you meet the Greek DPA cookie consent requirements by enabling you to:

  • Give users a choice to accept or reject the placement of non-essential cookies with a unique preference center.
  • Generate compliant cookie notices with clear information about the cookies you have on your website, including information about the necessary cookies and their purpose in an easy, customizable, and automated way with our powerful privacy policy generator.
    Adding a privacy policy to your website with Secure Privacy is a breeze (adding a WordPress Privacy Policy). And if you use Magento and need Magento cookie compliance with a privacy policy, or you use Hubspot, we’ve got you covered.
  • Have a link for your users’ access to your cookie notice 
  • Inform your users about third-party services installed on your website that collect user data for web analytics purposes with the help of cookies, such as Google Analytics, WordPress, and Hubspot
  • Obtain user consent in a single step if you have multiple domains with our industry-leading cross-domain consent feature. 
  • Show your cookie banner to specific users, e.g., EU residents with the geolocation capability.
  • Customize your cookie banners in the language of your users since Secure Privacy’s cookie banners support 70+ languages, including English, French, Spanish, Portuguese, German, Russian, Danish, Swedish, Turkish, Irish, etc.
  • Secure Privacy’s GDPR compliance tool also integrates seamlessly with WordPress, Squarespace, Shopify, Magento, Google Consent Mode, Google Tag Manager, and Hubspot.

Get a free assessment of your website and have all your questions or concerns answered by a data privacy expert by booking a 30-min call here.

Here are the GDPR Cookie Consent Guidelines from the other EU Data Protection Authorities that you also need to comply with: