The GDPR affects all websites located in the European Union, and websites that deal with users from EU countries.
Cookie consent: What is the GDPR all about?
The main purpose of the General Data Protection Regulation is to bring the EU legislation up to date with the digital age, restoring the control over their own data to the users.
The latest law on protection of personal data dates from back in 1995.
1995. That’s almost ten years prior to Facebook!
… and long before cookies were used for everything from customizing websites to fencing in customers in a sophisticated web of targeted marketing.
The GDPR sets out strict requirements on data handling procedures, transparency, documentation and obtaining user consent.
What do the requirements mean for my website?
If you operate a website in the EU or have users from the EU countries, you must comply with the General Data Protection Regulation.
The GDPR covers both data that is directly personal, such as a name, a photo, an email address, bank details, an IP address etc., and data that can be combined in a way that singles out and identifies individual users.
If your website or organization processes such data, then it must be revised to meet the new requirements.
What should I do to meet the requirements?
Map and evaluate the sensitive data in your organization, go through your security policies and make sure that the data is secure.
The two primary aspects to be aware of are:
- how you manage and store sensitive data in your organization in general, and
- the cookies on your website. This goes for both first-party and third-party cookies.
Why cookie consent?
All cookies that process personally identifiable data are subject to the new regulations.
In practice, this means most cookies, including cookies for analytics, advertising and functional services, such as survey and chat tools.
Example of a GDPR compliant cookie consent message on websites… and of one that is not
This is a compliant cookie message:
...while this is not:
At first sight, the two above examples may seem similar. But as always, the devil’s in the detail.
Implied consent, consent-by-use, and simple “accept cookies” buttons are not compliant methods for obtaining consent according to the GDPR.
In other words, the user is not presented with any true choice, and there is no insight into the cookies that are installed, where they come from and what purposes they serve.
In the compliant cookie message (the white one), by contrast, the user is informed of the purposes of the cookies up front.
The user can then quickly allow all cookies, or choose to see a detailed overview.
The overview simply folds out of the consent banner, mapping all active cookies and presenting them in an accessible manner.
At a glance, the user can now scroll through the cookies, see where they come from, read a description of their function and check their duration.
The user can then easily accept and reject the different types of cookies.
Detailed overview in a GDPR compliant cookie consent message.
List of requirements for cookie consents
Your GDPR compliant cookie consent system should ensure that the consent is ...
- given on the basis of clear and specific information about data types and purpose
- given before any processing other than the strictly necessary takes place, also known as ‘prior consent’
- given as an affirmative, positive action
- the result of a true choice: the user must have the option to reject superfluous cookies and still use the website
- recorded as evidence that consent has been given
- reversible: the users must be able to withdraw their consent whenever they want
The easiest way to comply is to find a reliable cookie consent software that is based upon a thorough study of the new regulations and can therefore guarantee compliance with them.
Check out Cookiebot, a competitive solution that represents one of the few fully GDPR compliant cookie services on the market.
Six lawful reasons to process data
It is worth knowing that consent is one of six lawful reasons to process personal data.
Therefore, before applying a setup for user consents, consider whether the processed personal data falls under one of the other categories for lawfulness.
My website doesn’t process personal data, but I use Google Analytics, Mailchimp, social media buttons, Salesforce etc. Do I need a cookie consent?
All of the services and features mentioned above are examples of third-parties on your website.
They deposit cookies in your users’ browsers as they visit your website.
You are responsible for protecting your website users and for giving them clear information and choice about how their data is being used.
How do I implement a cookie consent on my website?
The easiest way to become compliant is by finding a solution that takes care of your cookie consent for you.
For example Cookiebot, which is one of the few fully compliant solutions on the market.
Cookiebot offers a smooth user experience - both for you as a website owner and for the users of your website.
Once you have found the cookie consent solution of your choice, there are two main ways of implementing it on your website:
If you have a WordPress site, you can simply use a WordPress plugin.
Otherwise, you can add a cookie consent script directly to your website.
WordPress plugin for cookie consent
If you have a WordPress website, the easiest way to implement cookie consent on your website is by making use of a WordPress plugin.
You can find and install cookie consent plugins from the plugin menu in the admin area of your WordPress site.
Be sure to look for the Cookiebot plugin, which is fully compliant with both the GDPR and the EU ePrivacy Directive.
Cookie consent script
See the Cookiebot script here.
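To make the requirements list above and the script-based installation concrete, here is an added illustration in JavaScript. It is not Cookiebot’s script and not code from this page: it models a consent gate in which third-party tags are written with a non-executing type and a category attribute, nothing beyond the strictly necessary runs until an affirmative, recorded choice exists, and withdrawing consent removes the record so the gate closes again. The storage key, the category names, the `data-consent` attribute and the sample script list are assumptions made for the example.

```javascript
// Added example: a minimal consent gate modelling the requirements listed
// on this page. Not Cookiebot's script; the key, categories and attribute
// name are assumptions, and the script list below is constructed.

const CONSENT_KEY = "cookie_consent";                       // assumed storage key
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// storage: anything with getItem/setItem/removeItem (localStorage, or a
// first-party cookie wrapper). now: injectable clock so the record is testable.
function createConsentManager(storage, now = () => new Date()) {
  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (raw === null) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && typeof rec === "object" && rec.choices ? rec : null;
    } catch (e) {
      return null;                                          // corrupt record = no consent
    }
  }

  // Affirmative action: only called from a button the user clicked. The
  // record (what was chosen and when) is the evidence the page asks for.
  function grant(choices) {
    const record = {
      version: 1,
      givenAt: now().toISOString(),
      choices: Object.fromEntries(
        CATEGORIES.map(c => [c, c === "necessary" ? true : choices[c] === true])
      ),
    };
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
    return record;
  }

  // Reversible: withdrawing deletes the record, so the gate closes again.
  function withdraw() {
    storage.removeItem(CONSENT_KEY);
  }

  // Prior consent: with no (valid) record, only strictly necessary is allowed.
  function allows(category) {
    if (category === "necessary") return true;
    const rec = read();
    return rec !== null && rec.choices[category] === true;
  }

  return { read, grant, withdraw, allows };
}

// Third-party tags are written so the browser does not execute them:
//   <script type="text/plain" data-consent="statistics" src="..."></script>
// This pure function picks the ones the current consent permits.
function selectScriptsToActivate(scripts, manager) {
  return scripts.filter(s => manager.allows(s.category));
}

// Browser-only: turn permitted placeholders into live script elements.
// Returns 0 outside a browser so the file still runs under Node.
function activateGatedScripts(manager) {
  if (typeof document === "undefined") return 0;
  const nodes = document.querySelectorAll('script[type="text/plain"][data-consent]');
  let activated = 0;
  for (const node of Array.from(nodes)) {
    if (!manager.allows(node.getAttribute("data-consent"))) continue;
    const live = document.createElement("script");
    for (const attr of Array.from(node.attributes)) {
      if (attr.name !== "type") live.setAttribute(attr.name, attr.value);
    }
    live.textContent = node.textContent;
    node.replaceWith(live);
    activated++;
  }
  return activated;
}

// In-memory stand-in for localStorage.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
  };
}

// Constructed sample of a page's script tags, not from any real site.
const SAMPLE_SCRIPTS = [
  { src: "/assets/site.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "statistics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// One user's journey: before consent, after a partial consent, after withdrawal.
function demo() {
  const manager = createConsentManager(memoryStorage());
  const srcs = () => selectScriptsToActivate(SAMPLE_SCRIPTS, manager).map(s => s.src);
  const before = srcs();
  manager.grant({ statistics: true });                      // user ticked statistics only
  const after = srcs();
  manager.withdraw();
  const withdrawn = srcs();
  return { before, after, withdrawn };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that the default state is "no consent": a missing or corrupted record yields the same result as a refusal, so the analytics and marketing tags stay inert until the user has made a recorded choice, and the `necessary` category is the only one that can never be switched off.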