Is your website compliant with the laws concerning personal data and privacy? What about the cookies? How can you check your website, and how can you meet the requirements? What are the risks if you don’t comply?
What are the rules and regulations for the use of internet cookies?
Internet cookies are set on users’ browsers by websites, and from there, they can track and monitor the users.
What laws your website must obey depends on a variety of factors, such as the type and purpose of your website, what sector it belongs to, your location, and where your users come from.
On 25 May 2018, the EU began enforcing the strictest and most encompassing data protection regulation ever formulated: the General Data Protection Regulation (GDPR). It affects all types of websites and blogs that have users from the EU.
This means that even if your website is based in, e.g., the US or Asia, the regulation applies to you if you have EU citizens amongst your users.
Next in line from the EU is the ePrivacy Directive, which is in the process of becoming an actual regulation.
See the world map of data protection laws by the law firm DLA Piper for a visual overview of protection laws defined by geography.
Checklist for compliant cookie consent (GDPR and ePrivacy)
Personal data in the GDPR is any information relating to a person, directly or indirectly, including data regarding their “physical, physiological, genetic, mental, economic, cultural or social identity” (Article 4 in the law text).
Within this broad definition, cookies that track users’ location or IP address, hold contact information or invoicing details, or that process data about their habits, interests and online behaviour, are all subject to the GDPR.
If you have any such cookies in operation on your website, you need your users’ consent prior to the setting of the cookies.
For the cookie consent to be compliant, it has to meet the following GDPR and ePrivacy requirements:
- Prior to the processing: The consent must be given before the initial data processing. For cookies, this means that they have to be paused until proper consent is obtained.
- Transparent and legible: The consent must be given in response to accurate and specific information about how, why and where the data is processed, in an intelligible and accessible form, using plain language.
- Freely given: The consent must be freely given, and must never be made a condition for the use of a service or the fulfilment of a contract when the processing is not necessary for that specific service or contract.
- Stored as proof: Every given consent shall be kept and securely stored as proof that the consent was received, in case of an inspection.
- Easy to withdraw: The user must be able to withdraw their consent at any time, as easily as it was given.
- Regularly renewed: The consent must be regularly renewed, e.g. every 12 months.
See Article 7, Conditions for consent, for the original phrasing in the GDPR.
How do I get compliant cookies?
In reality, cookies in and of themselves cannot be compliant. It is what you do with the cookies that matters: e.g. that they are paused until proper consent has been obtained for their operation, that the data they collect is only sent to countries with adequate data protection, etc.
To meet the requirements and obtain full cookie compliance on your website, you need to implement the following on your website:
- A compliant cookie consent banner
- An updated and specific cookie declaration
- Secure storage of all given consents
- Enabled withdrawal of consent
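The consent checklist above and the four elements just listed are easiest to reason about as a small state machine: no tracker runs until a valid consent record exists, the record carries a timestamp so the banner reappears after 12 months, and withdrawal is a single call. The following is an added example written for this page, not Cookiebot's own code or SDK. The storage key, the category names and the renewal period of 365 days are assumptions; in a browser you would pass `window.localStorage` as the storage object, and a copy of each record would still have to be sent to a server-side log to serve as proof of consent (that part is not shown).

```javascript
// Added example (not Cookiebot's code): a minimal consent record that keeps
// tracking cookies paused until consent exists, times consent out after
// 12 months, and lets the user withdraw. Key and category names are assumed.

const CONSENT_KEY = 'cookie_consent_v1';        // assumed storage key
const RENEWAL_MS = 365 * 24 * 60 * 60 * 1000;   // renew at least every 12 months
// Example categories (constructed). Strictly necessary cookies need no
// consent and are therefore deliberately not in this list.
const CATEGORIES = ['preferences', 'statistics', 'marketing'];

class ConsentStore {
  // storage: anything with getItem/setItem/removeItem (window.localStorage
  // in a browser, a Map-backed shim below). now: clock in ms since epoch,
  // injectable so renewal can be tested without waiting a year.
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
  }

  // Record an explicit choice for every category. Unlisted categories
  // default to false, so a missing key can never be read as consent.
  record(choices) {
    const normalised = {};
    for (const c of CATEGORIES) normalised[c] = choices[c] === true;
    const entry = { choices: normalised, givenAt: this.now(), withdrawnAt: null };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(entry));
    return entry;
  }

  // Parse the stored record, treating anything malformed as "no record".
  load() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (_) { return null; }
  }

  // Current valid consent, or null if none was given, it was withdrawn,
  // or the 12-month renewal period has elapsed.
  current() {
    const entry = this.load();
    if (!entry || typeof entry.givenAt !== 'number' || entry.withdrawnAt) return null;
    if (this.now() - entry.givenAt >= RENEWAL_MS) return null; // ask again
    return entry;
  }

  // True on the first visit, after withdrawal, and once a year has passed.
  needsPrompt() { return this.current() === null; }

  isGranted(category) {
    const entry = this.current();
    return entry !== null && entry.choices[category] === true;
  }

  // Withdrawal keeps the record (with a timestamp) rather than deleting it,
  // so the decision history survives for audit, but it grants nothing.
  withdraw() {
    const entry = this.load() || { choices: {}, givenAt: null };
    entry.withdrawnAt = this.now();
    this.storage.setItem(CONSENT_KEY, JSON.stringify(entry));
  }
}

// Run a tracker loader only if its category is granted. Returns whether it
// ran, so the caller can keep a list of loaders to retry once consent arrives.
function gate(store, category, loadTracker) {
  if (!store.isGranted(category)) return false;
  loadTracker();
  return true;
}

// Map-backed stand-in for window.localStorage so the example runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Walk-through of the checklist with a fake clock (constructed scenario).
function demo() {
  let clock = 1700000000000;                           // fixed start time
  const store = new ConsentStore(memoryStorage(), () => clock);
  const loaded = [];
  const steps = {};
  steps.beforeConsent = gate(store, 'statistics', () => loaded.push('stats')); // paused
  store.record({ statistics: true });                  // others default to false
  steps.afterConsent = gate(store, 'statistics', () => loaded.push('stats'));  // runs
  steps.marketingDenied = gate(store, 'marketing', () => loaded.push('ads'));  // paused
  clock += RENEWAL_MS;                                 // 12 months later
  steps.afterYear = store.needsPrompt();               // banner must reappear
  store.record({ statistics: true, marketing: true });
  store.withdraw();                                    // one call, as easy as giving it
  steps.afterWithdraw = store.isGranted('marketing');
  steps.loaded = loaded;
  return steps;
}
```

In a real page the tracker `<script>` tags would be emitted with a non-executable `type` attribute and only activated by the `gate` callback, so nothing is set before the user decides; the banner itself is shown whenever `needsPrompt()` is true, which covers the first visit, the first visit after withdrawal, and the first visit after the renewal period.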
You can develop and maintain these elements yourself, or you can subscribe to a consent management tool that takes care of these processes for you.
Cookiebot is a fully compliant consent management solution for your website featuring the following functions:
- monthly website scan and complete cookie detection
- email cookie report with full disclosure of cookies and tracking on your website
- customizable cookie consent banner displaying all cookies grouped in four comprehensive categories that the user can opt in and out of directly in the banner
- secure storage of all given consents
- annual renewal of consent upon the user’s first revisit to the website
- enabled withdrawal (or change of consent state) for users directly in the cookie declaration
Read more about the functions on Cookiebot’s functions page.
Cookie checker: Does my website set cookies?
Many website owners themselves don’t have the complete picture of what cookies are in operation on their own website.
This is due to the nature of cookies: They can be of first or third party provenance, be temporary or permanent, and serve a vast number of different purposes.
In other words, website cookies are numerous and varied, and a one-off inventory won't do, as they tend to change often.
Try our website scan, if you are in doubt about the cookies on your website.
The free version audits up to five pages of your website and sends you a complete report about the cookies and known tracking technologies in use on these pages, including information about their provenance, duration and purpose.
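The two properties the paragraphs above single out, provenance (first or third party) and duration (temporary or permanent), can both be read directly from the `Set-Cookie` headers a page's responses carry, which is the raw material any cookie scan works from. The block below is an added example written for this page, not Cookiebot's scanner; the observed responses are constructed, and the "same site" comparison is simplified to the last two host labels (a real inventory would use the Public Suffix List). Purpose cannot be derived from the header and still has to be assigned by hand.

```javascript
// Added example (not Cookiebot's scanner): classify Set-Cookie headers seen
// while loading a page by provenance and duration. Sample data is constructed.

// Simplified registrable-domain comparison (assumption: last two labels).
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value. responseHost is the host that sent it,
// which is the cookie's domain unless a Domain attribute says otherwise.
function parseSetCookie(header, responseHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const cookie = { name, domain: responseHost.toLowerCase(), maxAge: null,
                   expires: null, secure: false, httpOnly: false, sameSite: null };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : a.slice(i + 1);
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'max-age') cookie.maxAge = parseInt(val, 10);
    else if (key === 'expires') cookie.expires = new Date(val);
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val;
  }
  return cookie;
}

// Provenance: compared against the page the user is on, not the response
// host. Duration: Max-Age wins over Expires (RFC 6265); neither = session.
function classify(cookie, pageHost, now = Date.now()) {
  const provenance = site(cookie.domain) === site(pageHost) ? 'first-party' : 'third-party';
  let lifetimeDays = null; // null = session cookie, deleted when the browser closes
  if (cookie.maxAge !== null && !Number.isNaN(cookie.maxAge)) {
    lifetimeDays = cookie.maxAge / 86400;
  } else if (cookie.expires && !Number.isNaN(cookie.expires.getTime())) {
    lifetimeDays = (cookie.expires.getTime() - now) / 86400000;
  }
  return {
    name: cookie.name,
    domain: cookie.domain,
    provenance,
    duration: lifetimeDays === null ? 'session' : 'persistent',
    lifetimeDays: lifetimeDays === null ? null : Math.round(lifetimeDays),
    secure: cookie.secure,
    httpOnly: cookie.httpOnly,
  };
}

// Constructed observation: responses seen while loading one page.
const PAGE_HOST = 'www.example-shop.test';
const OBSERVED = [
  { host: 'www.example-shop.test',
    header: 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'www.example-shop.test',
    header: 'prefs=lang%3Den; Max-Age=2592000; Path=/' },
  { host: 'tracker.ads-network.test',
    header: 'uid=9f8e7d; Domain=.ads-network.test; Expires=Sat, 01 Jan 2028 00:00:00 GMT; Secure; SameSite=None' },
];

// Build the inventory; the clock is fixed so lifetimes are reproducible.
function inventory(observed = OBSERVED, pageHost = PAGE_HOST, now = Date.UTC(2026, 0, 1)) {
  return observed.map((o) => classify(parseSetCookie(o.header, o.host), pageHost, now));
}
```

Run against the constructed data, the inventory reports a first-party session cookie, a first-party cookie persisting 30 days, and a third-party cookie from the ad network persisting two years; the third is the kind of entry that needs a purpose, a consent category and a check of where its data is sent before the declaration is complete.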
Sign up to Cookiebot if you want a complete and regular scan of all of the pages on your site. With Cookiebot, you can easily take care of all of the aspects of your website cookies, so that their use is compliant with data protection regulations and privacy laws.
What is a compliant cookie message?
A compliant cookie message gives full transparency and disclosure about the cookies in operation on the website, without overwhelming the user (this is an actual requirement in the GDPR).
The compliant cookie message informs the user about what cookies are in operation, for what purpose, their duration and their provenance, along with the possibility to prevent them from being launched.
The compliant cookie message is displayed upon the user's first visit to the site, and then again, if the user has consented to cookies, upon the first renewed visit once 12 months have elapsed (the GDPR only requires that consent be "regularly renewed"; the ePrivacy Directive suggests once a year).
Here is one of Cookiebot’s cookie message templates:
The user can opt in and out of the different categories of cookies directly in the banner. Detailed information about all of the cookies folds out directly from the banner: