Is your website GDPR compliant?
What are the risks of non-compliance?
And what's the deal with cookies?
In this article, we'll cover the topic of GDPR compliance and enlighten you on your legal and ethical responsibilities as a website owner and/or operator under the new law of the digital lands.
Stay with us.
Cookies are set in a user's browser by websites to track and monitor their behavior.
What laws your website must obey depends on a variety of factors, such as the type and purpose of your website, what sector it belongs to, your location, and where your users come from.
The General Data Protection Regulation (GDPR) was enforced in May 2018 and affects all types of websites and blogs that have users from the EU.
This means that even if your website is based in e.g. the US or Asia, the regulation applies to you if you have EU citizens amongst your users.
See the world map of data protection laws by the law firm DLA Piper for a visual overview of protection laws defined by geography.
As a website owner it is your responsibility to bring your website up to GDPR cookie compliance. You are legally responsible for handling your users' data as required by the GDPR.
Personal data in the GDPR is any information relating to a person, directly or indirectly, including data regarding their “physical, physiological, genetic, mental, economic, cultural or social identity” (Article 4 in the law text).
Within this broad definition, cookies that track users’ location or IP address, hold contact information or invoicing details, or that process data about their habits, interests and online behavior, are all subject to the GDPR.
If you have any such cookies in operation on your website, you need your users’ consent prior to the setting of the cookies.
Here is a nifty GDPR checklist to move you toward GDPR cookie compliance --
See Article 7 (conditions for consent) for the original phrasing in the GDPR.
In reality, cookies in and of themselves cannot be compliant.
It’s what you do with the cookies that matters, e.g. that they are paused until proper consent has been obtained for their operation, and that the data they track is sent only to adequate countries, etc.
Cookie compliance according to the GDPR is therefore not about the cookies themselves, but how you use them, how they operate on your website - and most importantly, whether you obtain prior consent from your users before activating them.
To meet the requirements and obtain full cookie compliance on your website, you need to implement the following on your website:
You can develop and maintain these elements yourself, or you can subscribe to a consent management tool that takes care of these processes for you.
Cookiebot is a fully compliant consent management solution for your website featuring the following functions:
Many website owners themselves don’t have the complete picture of what cookies are in operation on their own website.
This is due to the nature of cookies: they can be of first or third party provenance, be temporary or permanent, and serve a vast number of different purposes.
In other words, website cookies are numerous and inconsistent, and getting an insight once and for all won’t do, as they tend to change often.
Try our website scan, if you are in doubt about the cookies on your website.
The free version audits up to five pages of your website and sends you a complete report about the cookies and known tracking technologies in use on these pages, including information about their provenance, duration and purpose.
Sign up to Cookiebot if you want a complete and regular scan of all of the pages on your site. With Cookiebot, you can easily take care of all of the aspects of your website cookies, so that their use is compliant with data protection regulations and privacy laws.
A compliant cookie message gives full transparency and disclosure about the cookies in operation on the website, without overwhelming the user (this is an actual requirement in the GDPR).
The compliant cookie message informs the user about what cookies are in operation, for what purpose, their duration and their provenance, along with the possibility to prevent them from being launched.
The compliant cookie message displays on the website upon the user’s first visit to the site, and then again, if the user has consented to cookies, upon the user’s first renewed visit once 12 months have elapsed (the GDPR only requires the consent be “regularly renewed”, the ePrivacy Directive suggests once a year).
Here is one of Cookiebot’s cookie message templates:
The user can opt in and out of the different categories of cookies directly in the banner. Detailed information about all of the cookies folds out directly from the banner:
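A minimal version of the gating logic described above, written as an added example (it is not Cookiebot's code): consent is stored per category, scripts that set non-necessary cookies stay inactive until the user opts in, and the banner is due again once 12 months have elapsed. The shape of the consent record, the category names and the sample script list are assumptions made for this example.

```javascript
// Constructed example: a consent gate for category-based cookie opt-in.
const RENEWAL_MS = 365 * 24 * 60 * 60 * 1000; // ePrivacy: renew roughly yearly

// Assumed record shape, as it would be persisted in a first-party cookie:
// { timestamp: <ms since epoch>, categories: { preferences, statistics, marketing } }
function recordConsent(categories, now) {
  return { timestamp: now, categories: { ...categories } };
}

// The banner is shown on the first visit (no record) and again when the
// stored consent is 12 months old or older.
function needsBanner(record, now) {
  if (!record || typeof record.timestamp !== "number") return true;
  return now - record.timestamp >= RENEWAL_MS;
}

// Strictly necessary cookies need no consent; every other category needs
// an explicit, current opt-in. No record or an expired record means "no".
function isAllowed(record, category, now) {
  if (category === "necessary") return true;
  if (needsBanner(record, now)) return false;
  return record.categories[category] === true;
}

// Constructed list of scripts, each tagged with the cookie category it sets
// (mirrors marking each <script> with its category and holding it back from
// execution until consent is known).
const SCRIPTS = [
  { id: "session", category: "necessary" },
  { id: "lang", category: "preferences" },
  { id: "analytics", category: "statistics" },
  { id: "ads", category: "marketing" },
];

// Returns the ids of the scripts that may run under the given consent state.
function activateScripts(scripts, record, now) {
  return scripts
    .filter((s) => isAllowed(record, s.category, now))
    .map((s) => s.id);
}
```

Before any consent only the strictly necessary script runs; after the user opts in to "preferences", the language script runs as well, and once 12 months pass the gate closes again until consent is renewed.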