In line with other EU Data Protection Authorities (DPAs), the Greek (Hellenic) DPA released its cookie consent guidelines for businesses on Feb. 25, 2020.
In this guide, we explore:
- What are website cookies?
- What are the cookie consent requirements under the ePrivacy Directive?
- What are the cookie consent requirements under the GDPR?
- What types of cookies and trackers require prior consent under the Greek DPA’s cookie consent guidelines?
- What are the Greek DPA’s requirements for a compliant cookie notice?
- How do I obtain valid cookie consent under the Greek DPA’s cookie consent guidelines?
- How do I comply with the Greek DPA’s cookie consent guidelines with Secure Privacy?
What are Website Cookies?
Cookies are small files containing data that are stored on a user's device via the browser when the user visits a website.
Usually, cookies are used to store different kinds of user data, which is essential to achieving the desired functionality of your website. Some of the different types of personal data that cookies collect include:
- How a visitor accessed your website
- The location of the user
- Users’ online activity for relevant ad targeting and better user experiences
In recent times, especially after the European Union adopted its General Data Protection Regulation (GDPR) on May 25, 2018, website cookies have come under increased scrutiny due to the new law’s focus on giving EU residents increased control over how data controllers use their personal information collected online.
What are the Cookie Consent Requirements under the ePrivacy Directive?
The ePrivacy Directive, commonly known as the EU Cookie Law, directs that if you want to collect the personal information of your website users using cookies placed on their devices, you need to obtain their consent first.
For the consent you collect from your users through your cookie banner to be considered compliant with the ePrivacy Directive’s cookie consent requirements, it must be:
- Freely given
- A clear indication of your user’s wishes.
It is important to remember that the ePrivacy Directive reinforces the General Data Protection Regulation.
However, in some cases, it overrides the GDPR and extends its scope to oversee the privacy of electronic communications and the tracking of internet users in a broader spectrum.
What are GDPR Cookie Consent Requirements?
To comply with the GDPR’s personal data processing requirements, you must:
- Process personal information in a legitimate, fair, and transparent way
- Collect and process personal data only for specific and legitimate purposes
- Minimize the collection of personal data to only what is necessary for your stated purposes
- Ensure that the personal information you collect is accurate and implement reliable measures to rectify inaccurate personal data
- Store user information only for as long as it is necessary to satisfy your stated purpose
- Employ relevant security measures to prevent data breaches when processing the information you collect from your users.
Under the GDPR, cookie consent refers to a situation where a user who accesses your website allows you to store cookies in their browser to collect specific categories of information about them.
According to the EDPB cookie consent guidelines published in May 2020, cookie consent is considered valid under the GDPR only if it is:
- Freely given
- Easily withdrawn
What Types of Cookies and Trackers Require Prior Consent under the Greek DPA’s Cookie Consent Guidelines?
According to the Greek DPA cookie consent guidelines:
- Before you place cookies or similar tracking technology, you must receive prior consent from the user, regardless of whether you process their personal data or not.
- You must receive prior consent from your website visitors before you deploy cookies that collect user data for advertising purposes.
- You also need to obtain valid consent from users before deploying third-party cookies and trackers such as Google Analytics that are used for web analytics purposes.
- Only cookies and trackers deemed necessary for either the normal functioning of your website or for the delivery of a service clearly requested by the user are exempt from the prior consent requirement.
Examples of necessary cookies exempt from the prior consent obligation under the Greek DPA’s cookie consent guidelines include:
- The cookies you use to connect your user to services that need verification
- The cookies you deploy to help pinpoint, save the entire browsing session, or keep the content uploaded by the user during a specific session on your website such as items added to a shopping cart
- Those used to guarantee the safety of the user during their session on your website
- Those you employ to store your visitor’s preferences such as their language choices or storing their search history.
Practices that do not meet these requirements include:
- Deploying necessary cookies for the normal functioning of your website without giving the required information to your users about their use in your cookie notice
- Using third-party cookies and trackers such as Google Analytics for web analytics reasons without either giving users an easy way to opt out of their use or providing sufficient information about such use.
What are the Greek DPA’s Requirements for a Compliant Cookie Notice?
The Hellenic DPA’s cookie consent guidelines require you to give users information about cookies and why it is important for them to provide prior consent through relevant mechanisms such as cookie banners or pop-up windows.
The good news is that you can make this information available in a variety of layers, as long as you receive prior consent from your users after you have clearly informed them about, at least, the types of cookies you have on your website.
To ensure your cookie notice is compliant with the Greek DPA cookie consent guidelines, you need to ensure that:
- For every type of cookie you have on your website, you indicate the expiry date of every tracker that gathers personal information, the identity of the data controller, and the parties with whom your visitors’ personal data.
- The information you provide in your cookie notice is easy to read on any device on which it is displayed.
Practices that do not meet these requirements include:
- Providing difficult-to-read text in your cookie notice because it cannot be properly shown across different devices.
How do I Obtain Valid Cookie Consent under the Greek DPA’s Cookie Consent Guidelines?
As a data controller, to comply with the Greek DPA’s cookie consent guidelines, you must ensure that:
- The prior consent you receive is given through affirmative action from the user. Using pre-checked consent boxes or relying on a user’s scrolling action is not considered a valid way to obtain consent.
- Your users can withdraw their consent as easily as they gave it
- Your users can still access the content on your website even if they deny you consent to deploy cookies or other similar tracking technologies
- You allow users to accept or reject the use of non-essential trackers through the same number of actions, e.g., clicks
- Your cookie banner design does not influence the user’s cookie consent choice, e.g., through a design that emphasizes the ‘ACCEPT’ button over the ‘REJECT’ one. The Hellenic DPA recommends that the design of your cookie banner has the same font size and color emphasis for all buttons, and is easy to read.
- You re-obtain your user’s cookie consent preferences periodically by showing them the cookie banner again after the specified duration of the cookies expires, regardless of whether consent was given or denied initially.
- If you do not give users a choice to accept or reject cookies, you do not place cookies or similar tracking technologies on their devices.
Practices that do not meet these requirements include:
- Using ‘cookie walls’ that deny users free choice over whether to accept or reject cookies, and give them options such as ‘ACCEPT ALL COOKIES’ or ‘OK, I AGREE’ only.
- Denying users an easy way to withdraw their consent by requiring extra actions such as clicking on a ‘more information’ or ‘settings’ hyperlink
- Treating a user’s inaction, scrolling, or closing of the cookie banner as an indication of their consent to the deployment of non-essential cookies.
- Emphasizing the ‘ACCEPT COOKIES’ button by giving it a different font size, color, or italics.
- Denying users an easy way to change their preference settings
- Constantly imploring the user to make a new choice through periodic pop-ups of the cookie banner when cookie consent was denied at the first point of asking, whereas the same does not apply when the user consents to the deployment of cookies
How do I Comply with the Greek DPA’s Cookie Consent Guidelines with Secure Privacy?
Secure Privacy offers powerful, highly customizable, and GDPR-compliant cookie banners that help you meet the Greek DPA’s cookie consent requirements by enabling you to:
- Give users a choice to accept or reject the placement of non-essential cookies with a unique preference center
- Provide a link that gives your users access to your cookie notice
- Inform your users about third-party services installed on your website that collect user data for web analytics purposes with the help of cookies such as Google Analytics, WordPress, and Hubspot
- Obtain user consent in a single step if you have multiple domains with our industry-leading cross-domain consent feature.
- Show your cookie banner to specific users, e.g., EU residents, with the geolocation capability
- Customize your cookie banners in the language of your users, since Secure Privacy’s cookie banners support 70+ languages including English, French, Spanish, Portuguese, German, Russian, Danish, Swedish, Turkish, Irish, etc.
- Secure Privacy’s GDPR compliance tool also integrates seamlessly with WordPress, Squarespace, Shopify, Magento, Google Consent Mode, Google Tag Manager, and Hubspot.
Here are the GDPR Cookie Consent Guidelines from the other EU Data Protection Authorities that you also need to comply with:
- French CNIL Cookie Consent Guidelines
- Irish Data Protection Commission Cookie Consent Guidance
- Belgian DPA’s Cookie Consent Guidance
- German DSK’s Cookie Consent Guidelines
- The Spanish AEPD Cookie Consent Guidelines
- The Swedish Datainspektionen’s Cookie Consent Guidelines
- UK ICO’s Cookie Consent Guidance
- Dutch DPA Cookie Consent Guidelines