
The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR) affect how you as a website owner must obtain and store cookie consents from your visitors from the EU.

 


Cookie control is tightened in UK and US

Updated June 3, 2020.


Efforts to regulate online surveillance and protect digital privacy have crystallized in the EU as the General Data Protection Regulation (GDPR), and in the US as the California Consumer Privacy Act (CCPA).

In this blogpost, we look at cookie control in the EU and US, including the EDPB guidelines for valid consent in the EU, privacy-friendly web browsers and consent management platforms.


Cookie control in the EU


In the EU, the use of cookies and trackers on websites is regulated by the General Data Protection Regulation (GDPR) that is law in all EU member states.

The GDPR governs the processing of personal data of individuals inside the EU, and most cookies today collect personal data from users when they visit websites.

The GDPR requires websites to obtain user consent before activating cookies that will process personal data.

Websites are not allowed to activate cookies and trackers that process personal data until the user has consented to it, except for cookies that can be deemed strictly necessary for the basic functions of the website.




Cookie control in EU through the General Data Protection Regulation (GDPR)



Personal data is any kind of information that can be directly or indirectly related to a living individual and therefore identify the user.

This includes names, e-mail addresses and social security numbers, but also IP addresses, browser specifications, search history and the unique IDs that most cookies set on user browsers after a website visit.

If your website has visitors from inside the EU and you use cookies that process personal data, you must –



EDPB guidelines on valid consent

The European Data Protection Board (EDPB) is the leading supervisor of the GDPR in the EU that regularly adopts guidelines and issues decisions on how the GDPR is to be enforced by the national data protection authorities in each EU member country.

On May 4, 2020, the EDPB adopted guidelines on valid consent that make it very clear what constitutes GDPR compliant consent for the processing of personal data on websites… and what does not.

EDPB guidelines clarify that –



Cookie control with Cookiebot


Cookiebot is a consent management platform that makes your website compliant with the GDPR, the CCPA and other data protection laws across the world.

Cookiebot works by detecting all cookies and trackers in operation on your domain using our unmatched scanning technology that finds even the hidden third-party trojan horses.




Granular cookie control with Cookiebot's consent management platform (CMP).



Cookiebot auto-blocks all cookies and personal data processing on your domain until users have given their granular consent to which trackers they will allow to be activated – ensuring that your website fully lives up to the GDPR requirements for prior consent.

Cookiebot also offers full CCPA compliance for websites.




Cookie control in the US


In the US, the use of cookies and the processing of personal information is not regulated on a federal level as it is in the EU by the GDPR.

Instead, some states have their own set of laws governing personal information collection and digital privacy, while other states have no real protection for users.

The biggest data protection law in the US that covers cookie control is the California Consumer Privacy Act (CCPA), which took effect in January 2020.




Cookie control in the US through the California Consumer Privacy Act (CCPA).



The CCPA grants consumers the right to request disclosure of the categories and specific pieces of personal information that a business has collected on them. It also grants consumers the right to request deletion, as well as the right to opt out of having their data sold to third parties.

The CCPA requires that users are informed of what cookies are in operation on a website, what kind of personal information they collect and for what purposes.

CCPA also requires websites to inform users of what third parties they share their personal information with.



Cookie control in the UK after Brexit


The UK left the EU in January 2020 and by the end of this year will no longer be governed by the EU’s General Data Protection Regulation.

However, the UK has adopted new data protection laws that mirror the GDPR and that will ensure a continued equivalent data protection regime.


The Information Commissioner’s Office (ICO) is the leading data protection authority in the UK, responsible for enforcement and supervision of the country’s data protection laws.

The UK’s data protection laws after Brexit are the UK-GDPR and the Data Protection Act 2018.

In the summer of 2019, the ICO updated its guidelines for the use of cookies and trackers and put a significantly tighter cookie control in place in the UK.

When it comes to a website’s cookie management, implied consent as we know it today – the soft opt-in that allows websites to interpret the continued browsing of their users as consent – does not meet the requirements for valid consent, the ICO has ruled.




Cookie control in the UK through the UK-GDPR and Data Protection Act 2018.



Instead, users must give their affirmative consent to any cookies that are not necessary (or non-essential, as the ICO calls them), and it is the legal responsibility of websites to have a cookie manager in place that enables this for their users.

Pre-ticked boxes (or any equivalent) are not lawful to use on anything but necessary cookies, according to the new ICO guidelines.

This means that preference, statistics and marketing cookies must abide by the same rules: they all need to be un-ticked and now require affirmative opt-in to be viewed as valid consent.

In other words, users must now choose to tick the boxes of preference, statistics and marketing cookies alike, in order for these categories of cookies to be activated.

The ICO guidelines clarify that –

Inform yourself on ICO’s updated guidelines on cookies or read their summarized blogpost on “good” cookie use.


Cookie control in web browsers


Digital self-defense is also an option a lot of people are choosing in exasperation when learning about the ugly truth of the dismal state of privacy on the Internet today.

This type of digital self-defense is essentially a version of privacy protection where everyone has to fend for themselves by downloading the right browser, which then blocks cookies automatically.

Privacy-friendly browsers such as Epic, Brave or Firefox offer cookie control through non-discriminatory, across-the-board cookie blockers that stop all cookies, even necessary and benign ones.

The downside is that they often break websites, because they block cookies that support the basic functions of a domain. This full cookie stop is the default mode of both Epic and Brave, whereas Firefox utilizes a tracker list from Disconnect to determine which cookies it blocks.



Cookie control via privacy-friendly web browsers is a good tool for digital self-defense.

This digital self-defense is not a viable final solution to the privacy problems of surveillance capitalism, since most people don’t have the time or the technical skills to navigate the abundant market of privacy tools, browsers, VPNs or adblockers.

There is also another way to protect privacy in our digital infrastructures…


Consent management platform and cookie control 


Cookie control through a cookie manager like Cookiebot is a technology that we – obviously – have put our weight behind and think of as a vital part of a sustainable solution for protecting privacy.

Using a consent solution that is specific to each website (implemented through the cloud and integrated seamlessly onto a domain) not only prevents websites from breaking by allowing them to discriminate between different categories of cookies, it also holds the potential to be fully GDPR and CCPA compliant.

Cookiebot’s consent management platform makes your website fully compliant with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

A website owner looking for cookie control can use Cookiebot to –



FAQ


What is cookie control in EU?

The use of cookies on websites in the EU is governed by the General Data Protection Regulation (GDPR), which controls how websites, companies and organizations are allowed to process personal data of users inside the EU. The GDPR requires that websites obtain clear and affirmative consent from users before activating any cookies that process personal data. The GDPR also gives users the right to access collected data and the right to have it rectified or deleted.



What is cookie control in US?

The use of cookies on websites in the US is not regulated on a federal level. However, the California Consumer Privacy Act (CCPA) is a state-wide law that governs the collection, processing and sharing of the personal information of California residents. The CCPA requires businesses to inform users of what type of personal information they collect, how, for what purposes and who they share it with. Businesses must also enable users to opt out of having their data sold to third parties.



What is cookie control in UK?

The use of cookies on websites in the UK was regulated by the EU’s GDPR while the UK was still a member of the European Union. However, now that the UK has left the EU, its own domestic data protection laws govern the processing of personal data in the country. The UK-GDPR and Data Protection Act 2018 require websites to ask for and obtain user consent before the activation of cookies that process personal data.



What is a consent management platform?

A consent management platform (CMP) scans a website, detects and controls the cookies that process personal data and then asks users for their consent to which of the cookies and trackers they will allow to collect their personal data. A consent management platform is a technology that helps websites become compliant with data protection laws like the GDPR, the CCPA, the UK-GDPR and more by controlling the website’s cookies and managing user consent for the activation of those cookies.


