While most businesses know they need banners to comply with the GDPR’s rules on cookies, too many are still making key mistakes. In many cases that’s because they haven’t kept up with regulator and court rulings that have clarified and strengthened how the rules work in practice. Making these mistakes runs the risk of penalties including hefty fines and restrictions on data processing, not to mention public embarrassment.
1. Not Understanding the Basics
Businesses often get the details of the rules wrong because they don’t appreciate the basic broad principles. Put simply:
- The GDPR applies if the controller or processor is established in the EU, or if the data subjects (the people the data is about) are in the EU and the processing relates to offering them goods or services or to monitoring their behaviour, such as tracking them across a website.
- Cookies come under the GDPR whenever they contain information that, either by itself or combined with other data, can identify an individual. A cookie holding a unique identifier qualifies even if it never stores a name.
- Consent is the most common lawful basis for tracking cookies and the processing they enable. Under the GDPR’s definition, that consent must be freely given, specific, informed, and unambiguous, and expressed through a clear affirmative action.
- The “legitimate interests” option is not a way round this for non-essential cookies. In practice the only cookies you can set without consent are those strictly necessary to deliver a service the user has asked for. Cookies that are merely useful, for example, to analyze user activity, still need consent: regulators have not accepted that a site’s interest in analytics outweighs the user’s rights under the GDPR.
2. Using Cookie Walls
A “cookie wall”, where you simply offer users a straight choice between accepting cookies or not accessing the site, is no longer acceptable. Any serious dispute over that point ended in 2020 when the European Data Protection Board revised its consent guidelines (Guidelines 05/2020) to say so explicitly, following the position already taken by the Dutch data protection regulator.
The legal logic behind this guidance is that the all-or-nothing approach means users don’t have a free and meaningful choice about accepting the cookies. In turn, the consent is not valid. The key point to remember is that you can only make a service conditional on consent to data processing where that processing is genuinely necessary to provide the service.
3. Using Opt-Out Consent (Prechecked Boxes)
You cannot rely on consent gathered through pre-checked boxes. This also applies to similar measures such as toggles set to “Consent” or “Accept” by default. This issue went all the way to the Court of Justice of the European Union, which issued a clear decision against pre-ticked boxes in the 2019 Planet49 judgment.
In this scenario, the problem is that such measures don’t meet the GDPR’s demand that consent be unambiguous. There’s too high a risk that the user doesn’t notice that the box is ticked or that the toggle is set to accept, or that they click an “Accept” button by mistake before they have had a chance to change the settings.
4. Using Implied Consent
Implied consent covers any method of gathering consent other than the GDPR’s required active, informed, unambiguous signal. The easiest way to understand whether something counts as implied consent is to ask yourself how you know the user has consented to cookies. If the answer is anything along the lines of:
- “They’ve chosen to use the site.”
- “They carried on using the site after we told them about the cookies.”
- “They accepted cookies on a similar site.”
then it’s implied consent. The only acceptable answer is:
“They took a positive action that they clearly understood was a signal of consent, having been given the necessary information to make a meaningful choice.”
5. Using Notice Only Consent
This covers cases such as sites showing a banner reading “by continuing to use this site you consent to cookies.” This isn’t acceptable because:
- The user might not see the banner or could click away from it by accident.
- The user might only be prepared to accept some kinds of cookies but not others.
Most importantly, however, the fact that the user continues to browse your website is not specific and unambiguous enough to count as valid consent. The GDPR requires positive action, and continuing to use the site isn’t one.
Another problem is that such an approach creates a similar effect to a cookie wall: the user doesn’t have a meaningful choice because you are forcing them to “accept” cookies to continue using the site.
6. Tracking Prior to Consent
The GDPR is clear that consent is required before any processing that relies on it starts. This includes collecting the data in the first place, so a tracking cookie must not be set, and must not be read, until consent has been given. Article 6 of the GDPR specifically says processing based on consent is only lawful where the person “has given consent” – note the past tense.
Note also that consent does not apply retrospectively. You cannot carry out data processing, then ask for consent and consider that data processing to now be lawful because you got the consent. “It’s better to ask forgiveness than permission” is not a motto that works with the GDPR.
7. No Ability to Withdraw or Change Consent
Article 7 of the GDPR states that “The data subject shall have the right to withdraw his or her consent at any time.” This doesn’t stop previous processing being lawful. However, it does immediately mean any further processing is unlawful.
The way the GDPR works means you can’t fall back on an alternative lawful basis such as legitimate interests or legal obligation once consent is withdrawn. You must stop the processing immediately. With cookies, this will usually mean immediately ceasing to set or read the cookie and, where you can, deleting the copies already stored in the user’s browser.
The GDPR’s consent rules also say any consent must cover data processing for a specific purpose. The best way to comply with this is to ask for specific consent for different types of cookies, for example, “analytics”, “marketing” and “social media tracking.” That way a user can withdraw consent for one type of cookie and you can still lawfully process data and use other types of cookie to which they consented.
8. No Consent Logs
There’s no benefit of the doubt with the GDPR. It’s your responsibility to prove you have consent. To quote Article 7: “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
You might be forgiven for thinking you can treat this as a logical exercise and simply argue that your site is set up so that it’s impossible to issue cookies without the user giving consent. That’s a risky proposition, particularly as you aren’t giving any context on how the user made the choice to give consent, what information they had, and whether there’s any risk they accidentally or intentionally bypassed your consent collection process.
Instead, the safest option is to log every consent interaction, including refusals and withdrawals as well as acceptances, so that you can prove when and how somebody consented and that they did so based on valid and accurate information. At a minimum that means recording a timestamp, which categories were granted and which refused, the action the user took and where (banner, settings page), and the version of the notice text they were shown at the time.
9. Poor Consent Preference Enforcement
Unlike with some data protection laws around the world, there’s no waiting period or deadline when users give or withdraw consent under the GDPR: a choice takes effect the moment it is made. One reason for this principle is the law’s insistence, in Article 7(3), that “It shall be as easy to withdraw as to give consent.”
If you rely on consent as a lawful basis and then process data before somebody has given the relevant consent or after they have withdrawn it, that processing is immediately unlawful and breaches the GDPR.
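The enforcement logic that points 6 to 9 (and point 3) describe can be sketched in a few dozen lines. The following is an added example, not code from this article or from Ensighten’s product: a consent gate that starts with every non-essential category refused, parks tag loaders until their category is consented to, applies a withdrawal immediately by deleting the affected cookies, and appends each decision to an audit log with the timestamp, the action taken, the interface used and the notice version shown. The category names, cookie names, `NOTICE_VERSION` and the in-memory cookie jar are assumptions standing in for a real site’s tags and `document.cookie`, so the block runs under Node without a browser.

```javascript
// Added example (not Ensighten's or the article's code): a minimal consent
// gate. Categories, cookie names and NOTICE_VERSION are assumed for the demo.

const NOTICE_VERSION = "2024-03-01"; // assumed version of the banner text shown

// Purpose registry (assumed). "essential" is strictly necessary and needs no
// consent; every other category defaults to refused, never pre-ticked.
const CATEGORIES = {
  essential: { requiresConsent: false, cookies: ["session_id"] },
  analytics: { requiresConsent: true, cookies: ["_ga", "_gid"] },
  marketing: { requiresConsent: true, cookies: ["_fbp", "ads_id"] },
};

// In-memory stand-in for document.cookie so the example runs under Node.
class MemoryCookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value) { this.cookies.set(name, value); }
  delete(name) { this.cookies.delete(name); }
  names() { return [...this.cookies.keys()].sort(); }
}

class ConsentManager {
  constructor({ cookieJar, now = () => new Date().toISOString() }) {
    this.jar = cookieJar;
    this.now = now;
    this.granted = new Set();  // categories with live consent
    this.pending = new Map();  // category -> loaders waiting for consent
    this.log = [];             // append-only evidence for Article 7(1)
  }

  // Register a tag loader. It runs at once only if its category needs no
  // consent or already has it; otherwise it is parked. Returns whether it ran.
  gate(category, loader) {
    const def = CATEGORIES[category];
    if (!def) throw new Error(`unknown cookie category: ${category}`);
    if (!def.requiresConsent || this.granted.has(category)) {
      loader();
      return true;
    }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(loader);
    return false;
  }

  // Record a positive user action. `categories` is exactly what the user
  // selected; anything not listed is treated as refused (or withdrawn).
  record({ action, categories, ui }) {
    const consentable = Object.keys(CATEGORIES).filter((c) => CATEGORIES[c].requiresConsent);
    const selected = new Set(categories.filter((c) => consentable.includes(c)));
    const entry = {
      ts: this.now(),
      action,                       // e.g. "save_preferences", "withdraw"
      ui,                           // which banner or settings surface was used
      noticeVersion: NOTICE_VERSION,
      granted: consentable.filter((c) => selected.has(c)),
      refused: consentable.filter((c) => !selected.has(c)),
    };
    this.log.push(entry);
    // Withdrawals take effect immediately: no grace period, no fallback basis.
    for (const c of [...this.granted]) if (!selected.has(c)) this.revoke(c);
    for (const c of selected) if (!this.granted.has(c)) this.grant(c);
    return entry;
  }

  withdrawAll(ui) { return this.record({ action: "withdraw", categories: [], ui }); }

  grant(category) {
    this.granted.add(category);
    const loaders = this.pending.get(category) || [];
    this.pending.set(category, []);
    loaders.forEach((fn) => fn());   // release the parked tags
  }

  revoke(category) {
    this.granted.delete(category);
    for (const name of CATEGORIES[category].cookies) this.jar.delete(name);
  }
}

// Lifecycle walkthrough: page load, a partial acceptance, then withdrawal.
// Returns the observable state at each step so it can be checked.
function demo() {
  const jar = new MemoryCookieJar();
  let tick = 0;
  const cm = new ConsentManager({
    cookieJar: jar,
    now: () => `2024-03-05T10:00:0${tick++}Z`, // deterministic timestamps for the demo
  });
  // Loaders stand in for the vendor tag scripts; each sets its cookies when run.
  cm.gate("essential", () => jar.set("session_id", "s1"));
  const analyticsRanEarly = cm.gate("analytics", () => { jar.set("_ga", "GA1.1"); jar.set("_gid", "GA1.2"); });
  const marketingRanEarly = cm.gate("marketing", () => jar.set("_fbp", "fb.1"));
  const beforeConsent = jar.names();
  cm.record({ action: "save_preferences", categories: ["analytics"], ui: "banner" });
  const afterAnalytics = jar.names();
  cm.withdrawAll("privacy-settings");
  const afterWithdraw = jar.names();
  return { analyticsRanEarly, marketingRanEarly, beforeConsent, afterAnalytics, afterWithdraw, log: cm.log };
}
```

Calling `demo()` walks the lifecycle: on load only `session_id` exists, the analytics cookies appear only after the explicit `save_preferences` action, and the withdrawal removes them at once while the essential cookie survives. In a real deployment the loaders would inject the vendor script tags, the jar would wrap `document.cookie` (expiring cookies on the same domain and path they were set with), and each log entry would be persisted server-side together with a copy or hash of the notice text for that `noticeVersion`, since that is what you will be asked to produce under Article 7(1).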
Enable GDPR Compliance with Ensighten CMP+
A truly compliant Consent Management solution should work autonomously, with no dependencies on other systems, to enforce the privacy choices of users.
Ensighten’s CMP+ takes control of a website, app, or digital asset and fundamentally changes how the page is rendered based on the user's preferences—so you don’t have to rely on third-party analytics platforms to uphold your GDPR compliance.
With CMP+ you can set up customizable banners and give your visitors a clear-cut choice on whether and how their data is collected and used. You can quickly add Ensighten CMP+ to every iteration of your website with a single line of code, audit your website to understand which cookies are in use and where, and identify potential security or compliance issues.
To see how and learn more about GDPR cookie compliance, contact us to request a demo.
Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.