GDPR Cookie Consent Compliance with Secure Privacy


Cookie consent on websites has gained increased focus since the adoption of the General Data Protection Regulation (GDPR) in the EU. 

It is important to note that the ePrivacy Directive, also referred to as the EU Cookie Law, which was introduced in 2002, and is likely to be replaced by the ePrivacy Regulation in the near future,  set the precedent for the obligation of websites to display cookie banners that alert users about the use of cookies. 

Primarily, the ePrivacy Directive mandated that websites that have users from the European Union should seek prior consent from users before storing cookies in their devices.

Types of Cookies

Overall, the classification of cookies falls is based on three crucial principles; 

  • Purpose
  • Duration 
  • Provenance

Purpose

Strictly necessary cookies – also known as essential cookies, this category of cookies is important since it facilitates your browsing of a website and making use of its features such as accessing the safe sections of the page.

 For example, the cookies that make it possible for e-commerce stores to keep items in your cart while shopping online fall under this subcategory.

Although both the GDPR and the ePrivacy Directive do not require websites to seek consent for strictly necessary cookies, what they do and their importance should be made clear to users.  

Preference Cookies – The cookies under this subcategory make it possible for a website to recall the choices you have made previously, such as language preference, the region for which you would like to receive reports from, or your login details to allow you to sign in automatically. Preference cookies are also referred to as functionality cookies.

Statistics cookies – These cookies gather information about your activities on a website such as the kind of pages you accessed and the kind of links you clicked on. 

A key aspect to take into consideration in this context is the fact that this data cannot be used to identify you. This is because the information is aggregated, which simply means it is anonymized. 

For this reason, statistics cookies are focused on enhancing website functions. In the event that these cookies are from third-party analytics service providers, the objective of their use remains the same so long as the information they collect is used exclusively by the website owner. 

Marketing Cookies – Lastly, promotional cookies capture your online activity to assist advertisers in delivering more relevant advertising or to limit the number of times you see an ad. 

Marketing cookies can share personal data with third-parties or adtech agencies for the purpose of digital marketing.

 It is essential to know that this type of cookies are persistent and are predominantly of third-party provenance.  

Duration 

Session Cookies –  temporary cookies that expire the moment you close the browser. 

Persistent cookies – refers to the cookies that are stored in your device until you either delete them or your browser erases them depending on their date of expiration. 

Essentially, all persistent cookies have an expiry date written into their code, although this duration may vary. 

Provenance 

First-party cookies – Primarily, these cookies are stored on your device or computer directly by the website you access. 

Third-party cookies – refer to cookies placed in your gadget by a third-party such as an advertiser or an analytic system. In most cases, they are not stored in your devices by the website you are visiting. 

Nonetheless, it is essential to note that some cookies may not fit neatly into these categories while others may qualify for multiple categories.

The ePrivacy Directive and Cookie Consent 

The EU ePrivacy Directive was adopted in 2002 and amended in 2009. 

This data privacy directive is referred to as the EU Cookie Law since its most notable impact was the introduction of cookie consent banners after its implementation. 

On the one hand, the ePrivacy Directive reinforces the General Data Protection Regulation. 

However, in some cases, it overrides the GDPR and focuses on crucial aspects of the privacy of electronic communications and the tracking of internet users in a broader scope. 

The GDPR and Cookie Consent

This EU data privacy law was adopted in May 2018 with the objective of overseeing the collection and processing of personal information from residents of the region. 

For this reason, the GDPR requires website owners and businesses in general, to take the legal responsibility of ensuring the personal data of EU users is both collected and processed in a manner that does not infringe on the privacy rights of consumers.

This requirement applies to businesses that are located outside the European Union, but collect or process personal data from the region’s residents. 

While this data protection regulation mentions cookies once, cookie consent still remains important for compliance with this cookie law for businesses that process data from EU residents. 

The focus on cookie consent comes from the fact that cookies are one of the widely used ways of collecting consumer information online. 

Elements of GDPR Compliant Cookie Consent 

There are specific requirements for how to obtain valid consent when it comes to GDPR and cookies. Primarily,  valid cookie consent under the GDPR must be; 

  •  Informed
  • unambiguous
  • freely given
  • Specific 
  • Easily withdrawn 

How to Obtain Valid Cookie Consent under the GDPR

 The EU’s data protection regulation explicitly states that some cookies involve the processing of personal information. 

This point applies to all marketing, targeting, and analytics cookies that collect a consumer’s identifiers. 

To obtain GDPR compliant cookie consent, website owners must;

  • Block all cookies except the necessary ones until the user has given consent 
  • Provide visitors with the option to decline cookies and tracking
  • Inform your users of cookies and tracking on your website in the webpage’s cookies policy
  • Respect and remember your user’s privacy choices
  • Offer a simple way for consumers to withdraw or change the consent
  • Log and store all your visitor’s consents

EDPB Guidelines on the Use of ‘Cookie Walls’ and Scrolling to Obtain Cookie Consent 

On 5th May 2020, the European Data Protection Board (EDPB) published new guidelines that classified the use of `cookie walls` as a GDPR violation. 

According to the EDPB, the presence of a built-in cookie walls does not offer users genuine choice according to GDPR compliance requirements. 

Essentially,  a ‘cookie wall’ refers to when a website denies users access to content unless they agree to the storage of all cookies and trackers without giving them the option to reject the storage of all or specific types of cookies. 

The difference between a ‘cookie wall’ and a ‘cookie consent banner’ is that a cookie banner allows users to check or uncheck specific types of cookies such as marketing cookies that have several private data trackers that collect personal information for use by businesses in the adtech industry. 

Another important difference is that cookie walls do not allow access to content on websites while a cookie banner allows it.

Apart from the invalidation of cookie walls, the fresh guidelines published by the EDPB also direct that scrolling or interacting with a website can no longer be considered as an indicator of valid GDPR cookie consent.

Since websites do not have a way of differentiating between these intentions, using scrolling or swiping as an indicator of valid user consent does not meet the GDPR’s requirement of an unambiguous indication of the data subject’s wishes.

How To Comply with GDPR Cookie Consent Requirements with Secure Privacy’s ‘Prior Consent’

 GDPR compliance as well as meeting the European ePrivacy Directive requirements calls for obtaining explicit consent before using cookies other than those necessary for the website to work properly. 

That means when a visitor comes to your website, you have to hold all your cookies until they agree to get them. You’ll show them the cookie banner and if they opt-in, you send the cookies. If they remain passive or if they don’t agree, you have to keep blocking the cookies from getting into their computers.

There are many websites with a cookie banner, but without prior consent installed. They are not ePrivacy and GDPR compliant, and thus risk fines. These banners will send tracking cookies as soon as the visitor lands on the website. They ask for consent, but since there is no blocking mechanism in place, they insert cookies even when visitors are passive or decline the consent request. Law-wise, these banners serve no purpose.

Our GDPR cookie consent plugin referred to as the ‘Prior consent’ tool allows you to meet GDPR compliance requirements by making it possible to block all the cookies other than those that must be injected straight into your visitor’s computer until they agree on that. With Secure Privacy, you can easily set it up and manage it through the admin dashboard.

For a personalized demo of our solution, schedule a call with us today and speak with a data privacy expert.

Alternatively, you can activate your free trial of our complete GDPR compliance solution.

Additional Resources;

Learn more about how you can meet GDPR cookie consent requirements with our comprehensive GDPR compliance guide.