Updated October 27, 2020.
Efforts to regulate online surveillance and protect digital privacy have crystallized in the EU as the General Data Protection Regulation (GDPR), and in the US as the California Consumer Privacy Act (CCPA).
In this blog post, we look at cookie control in the EU and US, including the EDPB guidelines for valid consent in the EU, privacy-friendly web browsers and consent management platforms.
The GDPR governs the processing of personal data of individuals inside the EU, and most cookies today collect personal data from users when they visit websites.
The GDPR requires websites to obtain user consent before activating cookies that will process personal data.
Websites are not allowed to activate cookies and trackers that process personal data before the user has consented to it, unless the cookies can be deemed strictly necessary for the basic functions of the website.
Cookie control in EU through the General Data Protection Regulation (GDPR)
Personal data is any kind of information that can be directly or indirectly related to a living individual and therefore identify the user.
This includes names, e-mail addresses and social security numbers, but also IP addresses, browser specifications, search history and the unique IDs that most cookies set in a user's browser after a website visit.
Is your website GDPR compliant? Test for free with Cookiebot’s compliance test.
The European Data Protection Board (EDPB) is the EU body that supervises the GDPR; it regularly adopts guidelines and issues decisions on how the national data protection authorities in each EU member country are to enforce it.
On May 4, 2020, the EDPB adopted guidelines on valid consent that make it very clear what constitutes GDPR compliant consent for the processing of personal data on websites… and what does not.
EDPB guidelines clarify that –
In doubt whether your website is GDPR compliant? Test with Cookiebot's free compliance test.
Try Cookiebot free for 30 days... or forever if you have a small website.
Cookiebot is a consent management platform that makes your website compliant with the GDPR, the CCPA and other data protection laws across the world.
Cookiebot works by detecting all cookies and trackers in operation on your domain using our unmatched scanning technology that finds even the hidden third-party trojan horses.
Granular cookie control with Cookiebot's consent management platform (CMP).
Cookiebot auto-blocks all cookies and personal data processing on your domain until users have given their granular consent to which trackers they will allow to be activated – ensuring that your website fully lives up to the GDPR requirements for prior consent.
Cookiebot also offers full CCPA compliance for websites.
Instead, some states have their own set of laws governing personal information collection and digital privacy, while other states have no real protection for users.
The most significant data protection law in the US that covers cookie control is the California Consumer Privacy Act (CCPA), which took effect in January 2020.
Cookie control in the US through the California Consumer Privacy Act (CCPA).
The CCPA grants consumers the right to request disclosure of the categories and specific pieces of personal information that a business has collected on them. It also grants consumers the right to request deletion, as well as the right to opt out of having their data sold to third parties.
The CCPA requires that users are informed of what cookies are in operation on a website, what kind of personal information they collect and for what purposes.
The CCPA also requires websites to inform users of which third parties they share their personal information with.
The UK left the EU in January 2020 and by the end of this year will no longer be governed by the EU’s General Data Protection Regulation.
However, the UK has adopted new data protection laws that mirror the GDPR and that will ensure a continued equivalent data protection regime.
The Information Commissioner’s Office (ICO) is the leading data protection authority in the UK, responsible for enforcement and supervision of the country’s data protection laws.
When it comes to a website’s cookie management, implied consent as we know it today – the soft opt-in that allows websites to interpret the continued browsing of their users as consent – does not meet the requirements for valid consent, the ICO has ruled.
Cookie control in the UK through the UK-GDPR and Data Protection Act 2018.
Instead, users must give their affirmative consent to any cookies that are not necessary (or non-essential, as the ICO calls them), and it is the legal responsibility of websites to have a cookie manager in place that enables this for their users.
Pre-ticked boxes (or any equivalent) are not lawful to use on anything but necessary cookies, according to the new ICO guidelines.
This means that preference, statistics and marketing cookies must abide by the same rules: they all need to be un-ticked and now require affirmative opt-in to be viewed as valid consent.
In other words, users must now choose to tick the boxes of preference, statistics and marketing cookies alike, in order for these categories of cookies to be activated.
The ICO guidelines clarify that –
Digital self-defense is also an option a lot of people are choosing in exasperation when they learn the ugly truth about the dismal state of privacy on the Internet today.
This type of digital self-defense is essentially a version of privacy protection where everyone has to fend for themselves, by downloading the right browser, which then blocks cookies automatically.
The downside is that such browsers often break websites, because they block cookies that support the basic functions of a domain. This full cookie stop is the default mode of both Epic and Brave, whereas Firefox uses a tracker list from Disconnect to determine which cookies it blocks.
This digital self-defense is not a viable final solution to the privacy problems of surveillance capitalism, since most people don’t have the time or the technical skills to navigate the abundant market of privacy tools, browsers, VPNs or adblockers.
There is also another way to protect privacy in our digital infrastructures…
Cookie control through a cookie manager like Cookiebot is a technology that we – obviously – have put our weight behind and think of as a vital part of a sustainable solution for protecting privacy.
Using a consent solution that is specific to each website (implemented through the cloud and integrated seamlessly onto a domain) not only prevents websites from breaking by allowing them to discriminate between different categories of cookies, it also holds the potential to be fully GDPR and CCPA compliant.
A website owner looking for cookie control can use Cookiebot to –
A consent management platform (CMP) scans a website, detects and controls the cookies that process personal data and then asks users for their consent to which of the cookies and trackers they will allow to collect their personal data. A consent management platform is a technology that helps websites become compliant with data protection laws like the GDPR, the CCPA, the UK-GDPR and more by controlling the website’s cookies and managing user consent for the activation of those cookies.
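The gating logic a consent manager applies, as an added example that is not Cookiebot's code and not a description of any specific CMP's markup: gated resources are catalogued by category, nothing but "necessary" resources may run before an affirmative opt-in, no non-essential category is pre-ticked, and a consent record must be explicit (a missing choice is never read as implied consent). The `data-cookie-category` attribute, the `type="text/plain"` gating trick and the sample resource list are assumptions constructed for this example.

```javascript
// Added example, not Cookiebot's code: granular, prior-consent gating of
// cookie-setting resources by category, following the EDPB / ICO rules the
// post describes. The data-cookie-category attribute and type="text/plain"
// gating are assumed conventions for this example, not a specific CMP's markup.

const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];

// State before the user has interacted with the banner: every non-essential
// category is off (un-ticked); only strictly necessary resources may run.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Normalise a consent record returned by the banner. Unknown categories are
// rejected, "necessary" cannot be withdrawn, and every value must be an
// explicit boolean so a missing choice never counts as implied consent.
function normalizeConsent(input) {
  const consent = defaultConsent();
  for (const [category, value] of Object.entries(input || {})) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (typeof value !== 'boolean') {
      throw new Error(`consent for ${category} must be an explicit true/false`);
    }
    if (category !== 'necessary') consent[category] = value;
  }
  return consent;
}

// Split gated resources into those that may be activated under the given
// consent and those that stay blocked. A resource with an unrecognised
// category is treated as non-essential and therefore stays blocked.
function partitionResources(resources, consent) {
  const activate = [];
  const blocked = [];
  for (const resource of resources) {
    const allowed =
      resource.category === 'necessary' || consent[resource.category] === true;
    (allowed ? activate : blocked).push(resource);
  }
  return { activate, blocked };
}

// Constructed sample of gated resources, as a scan might catalogue them.
const SAMPLE_RESOURCES = [
  { id: 'session', category: 'necessary', src: '/static/session.js' },
  { id: 'lang', category: 'preferences', src: '/static/language-pref.js' },
  { id: 'analytics', category: 'statistics', src: 'https://analytics.example/collect.js' },
  { id: 'ads', category: 'marketing', src: 'https://ads.example/pixel.js' },
  { id: 'unknown', category: undefined, src: 'https://cdn.example/mystery.js' },
];

// Browser-side activation: scripts are shipped as
// <script type="text/plain" data-cookie-category="statistics" src="..."> so
// the browser never executes them on load; each allowed one is replaced by a
// live script element once consent for its category exists.
function activateInDom(consent, doc) {
  const tags = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-cookie-category]')
  );
  const resources = tags.map((el, i) => ({
    id: i,
    category: el.getAttribute('data-cookie-category'),
    src: el.getAttribute('src'),
    el,
  }));
  const { activate } = partitionResources(resources, consent);
  for (const r of activate) {
    const live = doc.createElement('script');
    if (r.src) live.src = r.src; else live.textContent = r.el.textContent;
    r.el.replaceWith(live);
  }
  return activate.length;
}

// Stand-alone run outside a browser: page load, then a user who opts in to
// statistics only. In a browser, call activateInDom(consent, document).
if (typeof document === 'undefined') {
  const before = partitionResources(SAMPLE_RESOURCES, defaultConsent());
  const after = partitionResources(SAMPLE_RESOURCES, normalizeConsent({ statistics: true }));
  console.log('before consent:', before.activate.map((r) => r.id)); // ['session']
  console.log('after opt-in  :', after.activate.map((r) => r.id));  // ['session', 'analytics']
}
```

The point of `normalizeConsent` rejecting non-boolean values is the ICO ruling quoted above: a category the user never touched stays off, rather than being inferred from continued browsing or a pre-ticked box.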