GDPR Cookie Compliance 101: How to Manage EU Users’ Consent

November 2, 2021 - Jeff Edwards

Website cookies can present a big challenge for online businesses. Marketing teams want to capture and track as much visitor information as they can, but many privacy regulations require them to obtain consent for any cookies they want to place on visitor devices.

When building a cookie compliance program, it’s important to have a strong understanding of the global regulatory landscape—not only to avoid potential fines but to avoid compromising user trust. One regulation that gives you a solid starting point in taking on this challenge is the EU’s General Data Protection Regulation (GDPR). The GDPR contains some of the strictest cookie requirements in the world. If you can comply with GDPR, you’ll likely meet the requirements of other privacy regulations.

But first, you need to understand how the GDPR views cookies and consent, and the steps organizations must take to comply with the law.

Why Regulate Tracking? Cookies as Personal Data

When the GDPR first came into effect in 2018, it set a new standard as the world’s strictest regulation on cookies and other technologies that track user behavior online. That’s because the GDPR considers this information personal data, no different from a home address, social security number, or phone number.

To paraphrase Recital 30 of the GDPR, people may be associated with cookie identifiers provided by devices, applications, tools, and protocols. Those identifiers may leave traces, which when combined with unique identifiers and other information received by website servers, could be used to create profiles of the people and to identify them.

That means cookies used to identify users qualify as personal data and are therefore subject to the GDPR. So, as with other personal data, companies must secure valid consent to process tracking data, unless they can prove a legitimate interest, which pertains to processing personal data that is necessary to carry out tasks related to business activities.

Valid Consent is Not Optional

When gaining permission from website visitors to opt-in for cookies, the GDPR differentiates between valid consent, which is necessary for data processing, and implicit consent, which is considered illegitimate. Valid consent must be informed, unambiguous, and given freely. Website visitors must know exactly what they are consenting to, and you need to present a clear choice to opt-in or opt-out of cookie tracking.

Implicit consent, which uses coercion or assumption to gain consent, is illegal. An example of implicit consent is forcing website visitors to accept cookies to access content. Another is applying cookies to visitors who navigate away from a consent banner without accepting or denying cookies. And as emphasized by CNIL, France’s data protection authority, organizations must also be able to prove that each visitor’s consent to cookies was validly collected.


How to Make Cookie Consent GDPR Compliant

Give Users a Clear Choice

When creating a GDPR-compliant cookie banner, it is paramount to give users a clear-cut choice between opting in or out of tracking. Users can only give valid consent to tracking through a clear positive act (such as clicking "I accept" in a cookie banner), and refusing all cookies (except those strictly necessary to the function of a website) must be as easy as accepting them. The best practice is to provide an "Accept All" button alongside a "Refuse All" button in a prominently displayed cookie banner that the user will see when they first encounter the website.

Make Your Consent Banner Stand Out

Your consent banner must be clearly distinguishable on your website. That means it needs to stand out! The best practice is to use bright colors, or plant it firmly in the middle of the page so that users must interact before moving on.

But that doesn’t mean you can use the consent banner to gate your site and tie access to an “opt-in.” The GDPR explicitly forbids cookie walls, i.e., consent banners that deny users access to a webpage if they don’t consent to cookies and trackers. Exceptions to this rule are few and far between and are decided on a case-by-case basis, primarily where the owner of the site offers access to equivalent content or services without requesting consent for the use of cookies or other trackers.

Inform Users of Cookies’ Use and Purpose

Under the GDPR, users have the right to know what information is collected about them, how it is processed, and who is collecting and/or processing it. That means, to give informed consent, the user must have access to this information before opting into tracking. Your consent banner should give the user access to a cookie policy that clearly states which cookies you use and why (analytics, advertising, functional, social media, etc.) before visitors consent, and that informs them of the consequences of accepting or declining cookies. You should also communicate the identity of anyone who will use cookie tracking, such as third-party advertising or analytics partners, and any vendors you share cookie data with.

Make Opt-Out the Default

Do not, I repeat, do not, set opt-in as the default for any cookies that are not essential to the operation of your website or service. According to the letter of the law, and multiple recommendations and enforcement actions, tracking cookies must be off when the page loads and may only be fired with the express consent of the user. If your website fires tracking cookies before a user consents to tracking, you are in direct violation of the GDPR. Opt-out must be the default setting for all cookies that are not strictly necessary, i.e. cookies needed to browse the website and use its features. If you cannot control which cookies fire on your website and when, then a consent banner is merely window dressing, not a measure of compliance.

Give Users an Easy Option to Withdraw Consent

Under the GDPR, visitors who previously consented must be allowed to withdraw their consent at any time—with no consequences. To facilitate this, websites must make a link readily available for visitors to access their cookie settings so they can change the settings or withdraw consent at any time.

Don’t assume all visitors will either accept or decline all of your cookies. In some cases, you might find visitors who reject cookies for targeted advertising but accept them for website analytics.

Do Not Repeatedly Seek an Opt-in

A user’s decision to opt out must be duly recorded and enforced, and an opt-in may not be repeatedly solicited. Site owners may not re-present the consent banner on every new visit to users who have already declined it.

Be Ready to Provide Proof of Consent

The GDPR mandates that businesses must be able to demonstrate proof of consent if the need arises. That means you need to record evidence of consent and prove that users made an informed, affirmative choice in providing valid consent. Businesses should be able to provide regulators with information on when and how they obtained consent, who gave consent, and what, specifically, they consented to.

Compliance Doesn’t Stop at Consent: Preference Enforcement is Necessary

Consent is a crucial piece of global privacy laws like the GDPR, but compliance doesn’t end with consent. In order to maintain compliance, user preferences must be upheld and enforced. That means if a user opts out of tracking, no tracking cookies may be fired, whether first- or third-party. Nor can tracking occur prior to opt-in. Essentially, if you don’t control which cookies fire on your website and when, a consent banner is just window dressing, not a measure of compliance.
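The requirements above (opt-out by default, per-category choice, easy withdrawal, no re-prompting after a decision, and a retrievable record of consent) can be expressed as one small consent gate. The following is an added example written for this article, not code from the original post or from Ensighten's product; the tracker names, cookie names and policy identifier are constructed, and script loading and cookie deletion are injected so the logic can run outside a browser.

```javascript
// Added example (not Ensighten's code): a minimal consent gate for non-essential trackers.
// Every category starts opted OUT, scripts load only after a positive act,
// revoked categories are torn down, and each decision is logged as evidence.

const POLICY_VERSION = "cookie-policy-v3"; // assumed: identifies the policy text the user saw

function createConsentManager({ trackers, loadTracker, clearCookie, now = () => new Date() }) {
  // Default state: no non-essential category is allowed until the user acts.
  const state = Object.fromEntries(Object.keys(trackers).map((c) => [c, false]));
  const active = new Set(); // categories whose scripts are currently loaded
  const log = [];           // proof of consent: when, how (source), what (granted)

  function record(action, source) {
    log.push({ ts: now().toISOString(), action, source, policy: POLICY_VERSION, granted: { ...state } });
  }

  // Apply the current state: load newly granted trackers, remove cookies of revoked ones.
  function enforce() {
    for (const [cat, tracker] of Object.entries(trackers)) {
      if (state[cat] && !active.has(cat)) { loadTracker(cat); active.add(cat); }
      if (!state[cat] && active.has(cat)) { tracker.cookies.forEach(clearCookie); active.delete(cat); }
    }
  }

  return {
    // Only an explicit action (banner button, settings page) can grant; unknown categories are ignored.
    grant(categories, source) {
      for (const c of categories) if (c in state) state[c] = true;
      record("grant", source); enforce();
    },
    // Withdrawal (or "Refuse All") is also a recorded decision, so the banner is not shown again.
    withdraw(categories, source) {
      for (const c of categories) if (c in state) state[c] = false;
      record("withdraw", source); enforce();
    },
    isAllowed(cat) { return state[cat] === true; },
    activeCategories() { return [...active].sort(); },
    hasDecided() { return log.length > 0; },
    evidence() { return log.map((e) => ({ ...e, granted: { ...e.granted } })); },
  };
}

// Constructed tracker registry for demonstration; a real site lists its own scripts and cookie names.
const DEMO_TRACKERS = {
  analytics:   { cookies: ["_analytics_demo"] },
  advertising: { cookies: ["_ads_demo"] },
};
```

Wiring the banner buttons to `grant`/`withdraw` and the settings link to `withdraw` keeps the banner, the enforcement and the evidence log in one place, so a category can never fire while `isAllowed` is false.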

To address this, most commercial Consent Management Platforms employ a series of APIs that rely on the orchestrated cooperation of third parties to ensure that a user’s privacy selections are respected. Unfortunately, this solution falls short of true GDPR compliance. The nature of relying on third parties for preference enforcement means that real-time enforcement is not possible, and the timeline for enforcement is murky at best. But, per article 18 of the GDPR, any data processing related to marketing must cease immediately when a user objects or opts out. Any lag between opt-out and the cessation of tracking is non-compliant with the law.

Enable GDPR Compliance with Ensighten CMP+

A truly compliant Consent Management solution should work autonomously, with no dependencies on other systems, to enforce the privacy choices of users.

Ensighten’s CMP+ takes control of a website, app, or digital asset and fundamentally changes how the page is rendered based on the user's preferences—so you don’t have to rely on third-party analytics platforms to uphold your GDPR compliance.

With CMP+ you can set up customizable banners and give your visitors a clear-cut choice on if and how their data is collected and used. You can quickly add Ensighten CMP+ to every iteration of your website with a simple line of code, audit your website to understand which cookies are in use and where, and identify potential security or compliance issues.

To see how and learn more about GDPR cookie compliance, contact us to request a demo.

Jeff Edwards

Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.
