Website cookies can present a big challenge for online businesses. Marketing teams want to capture and track as much visitor information as they can, but many privacy regulations require them to obtain consent for any cookies they want to place on visitor devices.
When building a cookie compliance program, it’s important to have a strong understanding of the global regulatory landscape—not only to avoid potential fines but to avoid compromising user trust. One regulation that gives you a solid starting point in taking on this challenge is the EU’s General Data Protection Regulation (GDPR). The GDPR contains some of the strictest cookie requirements in the world. If you can comply with GDPR, you’ll likely meet the requirements of other privacy regulations.
Why Regulate Tracking? Cookies as Personal Data
When the GDPR first came into effect in 2018, it set a new standard as the world’s strictest regulation on cookies and other technologies that track user behavior online. That’s because the GDPR considers this information personal data, no different from a home address, social security number, or phone number.
To paraphrase Recital 30 of the GDPR, people may be associated with cookie identifiers provided by devices, applications, tools, and protocols. Those identifiers may leave traces, which when combined with unique identifiers and other information received by website servers, could be used to create profiles of the people and to identify them.
That means is cookies used to identify users qualify as personal data and are therefore subject to the GDPR. So, as with other personal data, companies must secure valid consent to process tracking data, unless they can prove a legitimate interest—which pertains to processing personal data that’s necessary to carry out tasks related to business activities.
Valid Consent is Not Optional
When gaining permission from website visitors to opt-in for cookies, the GDPR differentiates between valid consent, which is necessary for data processing, and implicit consent, which is considered illegitimate. Valid consent must be informed, unambiguous, and given freely. Website visitors must know exactly what they are consenting to, and you need to present a clear choice to opt-in or opt-out of cookie tracking.
Implicit consent, which uses coercion or assumption to gain consent, is illegal. An example of implicit consent is forcing website visitors to accept cookies to access content. Another is applying cookies to visitors who navigate away from a consent banner without accepting or denying cookies. And as emphasized by CNIL, France’s data protection authority, organizations must also provide proof of the valid collection of visitors giving consent to accept cookies.
How to Make Cookie Consent GDPR Compliant
Give Users a Clear Choice
When creating a GDPR-compliant cookie banner, it is paramount to give users a clear-cut choice between opting-in or out of tracking. Users can only give valid consent to tracking through a clear positive act (such as clicking on "I accept" in a cookie banner), and refusing all cookies (except those strictly necessary to the function of a website) must be as easy as accepting them. The best practice is to provide an <Accept All> alongside a <Refuse All> button in a prominently displayed cookie banner that the user will see when they first encounter the website.
Make Your Consent Banner Stand Out
Your consent banner must be clearly distinguishable on your website. That means it needs to stand out! The best practice is to use bright colors, or plant it firmly in the middle of the page so that users must interact before moving on.
Inform Users of Cookies’ Use and Purpose
Make Opt-Out the Default
Do not, I repeat, do not, set opt-in as the default for any cookies that are not essential to the operation of your website or service. According to the letter of the law, and multiple recommendations and enforcement actions, tracking cookies must be opted out upon loading the page and may only be fired with the express consent of the user. If your website fires tracking cookies before a user consent to tracking, you are in direct violation of the GDPR. Opt-out must be the default setting for all cookies that are not strictly necessary, i.e. cookies necessary to browse the website and use its features. If you cannot control which cookies fire on your website and when, then a consent banner is merely window dressing, not a measure of compliance.
Give Users an Easy Option to Withdraw Consent
Under the GDPR, visitors who previously consented must be allowed to withdraw their consent at any time—with no consequences. To facilitate this, websites must make a link readily available for visitors to access their cookie settings so they can change the settings or withdraw consent at any time.
Don’t assume all visitors will either accept or decline all of your cookies. In some cases, you might find visitors who reject cookies for targeted advertising but accept them for website analytics.
Do Not Repeatedly Seek an Opt-in
A user’s decision to opt-out must be duly-recorded and enforced, and an opt-in may not be repeatedly solicited. Site owners may not resubmit a consent banner to users who denied it at each new access to the website.
Be Ready to Provide Proof of Consent
The GDPR mandates that businesses must be able to demonstrate proof of consent if the need arises. That means you need to record evidence of consent and prove that users made an informed, affirmative choice in providing valid consent. Businesses should be able to provide regulators with information on when and how they obtained consent, who gave consent, and what, specifically, they consented to.
Compliance Doesn’t Stop at Consent: Preference Enforcement is Necessary
Consent is a crucial piece of global privacy laws like the GDPR, but compliance doesn’t end with consent. In order to maintain compliance, user preferences must be upheld and enforced. That means if a user opts out of tracking, no tracking cookies may be fired, whether first or third-party. Nor can tracking occur prior to opt-in. Essentially, if you don’t control which cookies fire on your website and when, a consent banner is just window dressing, not a measure of compliance.
To address this, most commercial Consent Management Platforms employ a series of APIs that rely on the orchestrated cooperation of third parties to ensure that a user’s privacy selections are respected. Unfortunately, this solution falls short of true GDPR compliance. The nature of relying on third parties for preference enforcement means that real-time enforcement is not possible, and the timeline for enforcement is murky at best. But, per article 18 of the GDPR, any data processing related to marketing must cease immediately when a user objects or opts out. Any lag between opt-out and the cessation of tracking is non-compliant with the law.
Enable GDPR Compliance with Ensighten CMP+
A truly compliant Consent Management solution should work autonomously, with no dependencies on other systems, to enforce the privacy choices of users.
Ensighten’s CMP+ takes control of a website, app, or digital asset and fundamentally changes how the page is rendered based on the user's preferences—so you don’t have to rely on third-party analytics platforms to uphold your GDPR compliance.
With CMP+ you can set up customizable banners and give your visitors a clear-cut choice on if and how their data is collected and used. You can quickly add Ensighten CMP+ to every iteration of your website with a simple line of code, audit your website to understand which cookies are in use and where, and identify potential security or compliance issues.
To see how and learn more about GDPR cookie compliance, contact us to request a demo.