All Blog Posts

GDPR Compliance Checklist

The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how you as a website owner may use cookies and online tracking of visitors from the EU.

Updated November 9, 2020.

In May 2018, a uniform data law took effect across all 27 EU member states that protects the privacy of its citizens on the world’s digital infrastructures.

It’s called the General Data Protection Regulation (GDPR).

In this article, we’ll map out the topic of GDPR compliance, provide you with several GDPR checklists and discuss the requirements for GDPR cookie compliance.

European Flag with how to achieve GDPR in the middle - Cookiebot

1. GDPR compliance – what is the GDPR?

The General Data Protection Regulation, or GDPR, is the now well-known EU law that came into effect in May 2018 with the purpose to create a uniform standard of data protection law in the European Union – and beyond.

It lays down the rules for the protection of natural persons and their right to privacy with regard to the processing and free movement of personal data.

In other words, it rules how companies and organizations are allowed to process the personal data of European citizens.

In a sense, the GDPR is the first uniform, legal step towards shaping an understanding of what data really is – and how we should think about it. Data is not just exhaust that giant ad tech companies can suck up for free, as has been the dominant practice for a decade on the Internet.

Long exposure of traffic on a road at night - Cookiebot
GDPR compliance regulates the flow of EU data on the Internet.

On the contrary, the GDPR lays the foundation for a new way of thinking about the data we generate with our online behavior: it ultimately belongs to the user and it is therefore the user who must consent to any collection and processing of it.

GDPR compliance entails respecting user privacy and anonymity.

Even though it is a European law, its purpose is data protection and the protection of the right to privacy for all EU citizens, and so any website in the world who services Europeans and process their personal data is required to achieve GDPR compliance.

In total, the GDPR empowers EU citizens with eight individual rights, including the right not to have one’s personal data collected and processed without prior consent.

In doubt whether your website is GDPR-compliant? Test with the free compliance test from Cookiebot consent management platform (CMP).

On May 4, 2020, the European Data Protection Board (EDPB) adopted guidelines that clarify what constitutes valid consent for processing of personal data in the EU.

The EDPB guidelines make it clear that scrolling or continued browsing on a website (“implied consent”) is not valid consent, and that cookie banners are not allowed to have pre-ticked checkboxes.

Cookie walls (forced consent) are also being ruled a non-compliant way of obtaining user consent for processing of personal data.

The EDPB is the highest supervisory body with the responsibility of ensuring the coherent interpretation, application and enforcement of the GDPR across the European Union.

EDPB is made up of representatives from the data protection authorities of each EU country, and their guidelines and decisions form the basis of GDPR enforcement across Europe.

Learn more about the EDPB guidelines on valid consent.

Cookieboot Pop Up Banner - Cookiebot
A GDPR-compliant consent banner from Cookiebot CMP.

If your website uses any Google-services (such as Google Analytics or Google Ads), becoming GDPR-compliant while not losing valuable analytics and marketing has become a lot easier with Google Consent Mode.

Google Consent Mode lets you run all your website’s Google-services based on the consent state of your end-users.

Get valuable aggregate and non-identifying analytics about your website and conversion measurement, if users opt out of statistics cookies.

Display contextual ads rather than targeted, personalized ads to users who opt out of marketing cookies.

Cookiebot CMP and Google Consent Mode integrate seamlessly.

Using our CMP to ask for and obtain the prior consent for processing personal data from users, your website can use this consent state to let the Google Consent Mode run all your website’s preferred Google-services in a simple, streamlined way.

Get started with Google Consent Mode

GDPR checklists

We realize that you can get drowned in information as a website owner looking for a consent solution, and that some simple GDPR checklists are a much easier way to get ahead on your GDPR compliance.

In the following part, we will present you with some GDPR checklists for cookie compliance on your website.

In this GDPR compliance checklist, we give an overview of what constitutes valid consent according to the GDPR:

  • Prior to processing 
    The consent must be given before the initial data processing takes place. In the case of cookies, this means that they have to already be paused when a user lands on your website and stay that way until proper consent has been obtained.
  • Transparent and legible
    Users must give their consent in response to accurate and specific information about how, why and where the data processing is taking place. This information must be intelligible and accessible using plain language.
  • Freely given
    Users must give their consent freely. True consent can never be as a condition for the use of a service or the fulfilment of a contract (for which the processed data is not necessary for the performance of that specific service or contract).
  • Documented
    Every given consent shall be kept and securely stored as proof that the consent was received in the case of a control.
  • Reversible
    Users must be able to withdraw their consent at any time and as easily as it was given.
  • Renewed
    Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.

You find more about consent in Article 7 of the GDPR.

Spiral of books - Cookiebot
GDPR compliance also means storing securely the consent of all users to a website.

In this checklist, we look at what you need to have on your website in order to achieve GDPR compliance when it comes to cookies and tracking:

  • A compliant cookie consent banner.
  • An updated and specific cookie declaration.
  • Secure storage of all given consents.
  • Enabled withdrawal of consent.

GDPR cookie compliance is best secured through a ready-at-hand consent and compliance solution like Cookiebot CMP. We empower your website with all of the above requirements for GDPR compliance.

GDPR checklist on how to handle personal data

In this GDPR checklist, we list the requirements for handling of personal data.

The data must be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (also known as data minimization)
  4. accurate and, where necessary, kept up to date
  5. kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are collected
  6. processed in a manner that ensures appropriate security of the personal data

You can find more on how to handle personal data in Article 5 of the GDPR.

Another useful GDPR requirements’ checklist is one that presents you with the legal bases for data processing.

For most websites, it is the legal basis of consent that is relevant, but it might be useful for you to know what other bases exist for data processing in the European Union.

In this GDPR checklist, you find the legal bases for processing of data as required by the GDPR:

  • Consent: the data subject gives their unambiguous and free consent to process their data.
  • Contractual: data processing is necessary to execute or to prepare to enter into a contract that the data subject is a part of.
  • Legal obligation: data processing is necessary in order to comply with a legal obligation.
  • To save somebody’s life: when the processing of data is necessary to prevent death.
  • Legitimate interest: arguably the most flexible of the bases, learn more here.

When processing personal data of EU citizens, one of the above legal bases must be presented. If this is not possible, you are not allowed to process personal data.

You find more on the legal bases for data processing in Article 6 of the GDPR.

Try a free GDPR compliance check.

2. GDPR compliance – what are the rules for cookies?

If your website processes any information of EU citizens, you must obtain the consent of your users prior to the activation and setting of such cookies, the GDPR rules.

This is the very crux of what the GDPR dictates on the use of cookies for companies, organizations and websites in general.

Reminder – what are “cookies”?

Cookies are text files that are set on a user’s browser by websites with the intention to track and monitor their behavior.

That’s why the use of cookies and similar tracking technologies are subject to the rules and regulations protecting personal data and privacy stipulated by the GDPR.

Keyboard with finger print on the enter key - Cookiebot
GDPR compliance for websites means obtaining consent before any cookie activation.

Many website owners themselves don’t have the complete picture of what cookies are in operation on their website. This is due to the nature of cookies – they can be of first- or third-party provenance, be temporary or permanent, and serve a vast number of different purposes.

In other words, website cookies are numerous and inconsistent, and getting an insight once and for all won’t do, as they tend to change often.

So, what are “compliant cookies”?

Well, in reality, cookies in and of themselves cannot be compliant. It’s what you do with the cookie that matters. Cookie compliance according to the GDPR really has nothing to do the technology of the cookies themselves. Cookies are not illegal by their own nature.

No, GDPR cookie compliance has all to do with what you do with cookies – how you use them and for what purpose.

For your website to achieve GDPR cookie compliance, it must abide by the specific rules that the regulation has set down for the use of cookies and similar tracking technology. Even though the word cookie is only mentioned once in the official GDPR law text, it does specify very clearly how a website has to handle user data and the personal information of their visitors.

The core of GDPR cookie compliance for websites can be summed up in this mantra:

You must obtain and store securely the freely given consent of your users before any processing of their data can take place on your website.

Website tracking, such as analytics programs and marketing schemes, need to abide by the GDPR requirements – such as not having pre-ticked marketing cookies as a default.

Check your GDPR compliance for free.

So, if you have a website, by now you’re probably convinced that you need to achieve GDPR compliance.

Cookiebot CMP is the leading GDPR-compliant consent management solution in the world. Our scanning technology finds all cookies and similar tracking on your website, then it automatically blocks it until your users have given their consent.

Cookiebot CMP features the following functions:

  1. Monthly website scan with complete cookie and tracking detection.
  2. Cookie report with full disclosure of all cookies and tracking that can be used as a GDPR-compliant cookie policy.
  3. Automatically updated cookie declaration for your website’s privacy policy.
  4. Customizable cookie consent banner displaying all cookies grouped in four comprehensive categories that the user can opt in and out of directly in the banner.
  5. Secure storage of all given consents.
  6. Annual renewal of consent upon the user’s first revisit to the website.
  7. Enabled withdrawal (or change of consent state) for users directly in the cookie declaration.

Our solution is simple and fast to use, implemented from the cloud into your website’s source code. We enable one hundred percent GDPR compliance when it comes to cookies and tracking. Try our consent and compliance bot for free today.

Is your website GDPR-compliant?

A GDPR-compliant cookie message gives full transparency and disclosure about the cookies in operation on the website, without overwhelming the user (an actual requirement in the GDPR).

A compliant consent banner informs the user about what cookies are in operation, for what purpose, their duration and their provenance, along with the possibility to prevent them from being launched.​

A compliant consent banner also has no pre-ticked checkboxes on any categories of cookies except for those strictly necessary for the basic function of the website. Users must also be able to easily revoke their consent if they change their minds.

Find out what to write in your cookie consent banner.

The cookie compliance message displays on the website upon the user’s first visit to the site, and then again, if the user has consented to cookies, upon the user’s first renewed visit once every 12 months.

Cookieboot Pop Up Banner - Cookiebot
A GDPR-compliant Cookiebot CMP consent banner seen on the web.

Your users can opt in and out of the different categories of cookies directly in the banner. Detailed information about all of the cookies folds out directly from the banner.

Screenshot of the Cookiebot GDPR cookie consent solution - Cookiebot
A GDPR-compliant Cookiebot CMP consent banner with unfolded details.

Cookiebot CMP empowers your users with real consent and enables total GDPR compliance for you and your domains.

4. GDPR compliance – what are the consequences of non-compliance?

The consequences of not being GDPR-compliant… well, they can be grave. And not only for your users and their privacy, which might well be infringed and violated by third parties and their data harvesters, but for you and your website or company as well.

GDPR fines

The GDPR has a pretty hefty enforcement power – with fines of up to 4% of a company’s annual global turnover or €20 million – whichever is highest.

“Whichever is highest” is a crucial provision in the GDPR, because this can in fact turn out to be quite a lot!

The largest GDPR fines to have been handed out since the GDPR’s enforcement date in May 2018 are €50.000.000 against Google in France, €35.258.708 against H&M in Germany, €27.800.000 against TIM in Italy and €22.046.000 against British Airways in the UK.

But these largest GDPR fines might end up giving smaller businesses and websites a false sense of security, thinking that the data protection authorities are only looking to catch the biggest fish in the data ocean.

In fact, GDPR fines are levied across the EU on an almost daily basis, and the majority of GDPR fines are not large sums against large companies, but sums between €4.000 and €50.000 against smaller businesses, city municipals, web shops and more.

Getting your personal data processing in order for full GDPR compliance is important, no matter the size of your website or company.

Your use of cookies and trackers must be with the consent of your users – for their privacy and for your compliance.

Check all latest GDPR fines on GDPR Enforcement Tracker

Person with their hood up holding an ace of hearts card up to the camera - Cookiebot
The GDPR protects the anonymity of EU citizens – violations are being heavily fined.

All of the biggest GDPR fines that have been issued from the various data protection authorities in the respective countries center on the parties’ insufficient legal bases for data processing or, as was the case with British Airways, insufficient technical or organizational measures to ensure information security.

GDPR fines, in other words, can be caused by everything from gross negligence to general lack of oversight of how your website or company is processing data, particularly personal data, on its users and customers.

Avoid GDPR fines, check if your website is GDPR-compliant with our free compliance test.

Summary

With the GDPR, the EU and the world reached a new threshold for privacy protection.

GDPR compliance for a website means rethinking what data is – respecting users and their private lives, asking for their consent to use any details of them and their lives before collection and processing takes place.

Using a consent solution like Cookiebot CMP is the balanced way of respecting your users’ private, anonymous lives, while not breaking your statistics and online marketing revenue.

If you’re in doubt as to whether your website complies with EU’s data protection requirements, you can check your GDPR compliance for free.

GDPR compliance does not mean the end of your online business model – try Cookiebot CMP and see for yourself.

FAQ

What is GDPR?

The General Data Protection Regulation (GDPR) is a data privacy law that governs the processing on personal data of individuals inside the EU. Websites that have users from inside the EU must comply with the GDPR. The GDPR requires websites to secure the consent of users before activating cookies and trackers on their domain that process personal data.

Learn more about GDPR and cookies

What is GDPR compliance for websites?

If your website uses cookies and third-party trackers that process personal data (such as IP addresses, unique IDs, search and browser history), you are legally obligated under the GDPR to ask for and obtain the prior and explicit consent from users to do so. Cookies (except strictly necessary ones) must be deactivated by default and only activated for personal data processing upon a user’s given consent.

Learn more about GDPR and cookie consent

What is valid consent under GDPR?

Under the GDPR, it is the responsibility of the website owner or operator to make sure that valid user consent has been obtained. A valid consent is a clear and affirmative action from the user that unambiguously accepts processing and thus activated your website’s cookies and trackers. User must be able to revoke their consent as easily as they gave it.

Learn more about EDPB guidelines on valid consent in EU

What is a compliant consent banner under GDPR?

A consent banner on your website must have easy-to-understand information on your website’s cookie setup and personal data processing practices. A valid cookie banner is not allowed to have any pre-ticked checkboxes (default activated cookies), is not allowed to nudge or force consent from users (cookie walls) and is not allowed to interpret user activity such as scrolling or continued browsing on the domain as consent.

Try Cookiebot CMP free for full GDPR compliance

Resources

Try the free Cookiebot CMP GDPR compliance test

The GDPR (official law text)

The ePrivacy Directive (official law text)

CJEU and the Planet49 ruling on valid consent in the EU

ICO has updated their guidelines on what constitutes valid consent in the UK

CNIL has updated their guidelines on what constitutes valid consent in France

GDPR

World map of data protection laws by DLA Piper

Lawfulness of processing (Article 6 GDPR)

Conditions for consent (Article 7 GDPR)

    Stay informed

    Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox.

    By clicking on “Subscribe” I confirm that I want to subscribe to the Cookiebot™ newsletter. I can easily cancel my Cookiebot™ newsletter subscription and revoke consent to use my data by clicking the unsubscribe link or I can write to [email protected] to make the request. Privacy policy.

    Make your website’s use of cookies and online tracking compliant today

    TRY FOR FREE