
The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR) affect how you as a website owner must obtain and store cookie consents from your visitors from the EU.


Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

Cookie disclaimers and cookie banners are two different things, and they don't always offer real GDPR compliance and consent

Cookie disclaimers and cookie banners are not the same thing.

Sure, you could use the words interchangeably, but there’s a big difference between the two when it comes to compliance with the existing European data protection law – the General Data Protection Regulation – and the various national interpretations of the ePrivacy Directive 2009.

The GDPR lays out the rules uniformly for all 28 EU member states of how to handle cookies and trackers on your website – i.e. rules for processing personal information.

In this blog post, we will take a look at –

  1. What is a cookie disclaimer? What is cookie consent?
  2. Examples of cookie disclaimers for websites
  3. GDPR & cookies – what does the law say?
  4. Examples of GDPR compliant cookie disclaimers
  5. Examples of cookie consent banners, done wrong
  6. Cookiebot cookie banners
  7. Cookie consent banners, done right
  8. Resources

What is a cookie disclaimer? What is cookie consent?


A cookie disclaimer is a thing of the past. Or it should be, but in reality, the Internet is littered with archaic cookie disclaimers that not only leave users confused and fatigued but are also not compliant with the existing data protection law of the EU – the General Data Protection Regulation.

A cookie banner or cookie consent banner, on the other hand, can be a sustainable approach to protecting the privacy of your website’s users, if it is done right, that is, if it is implemented correctly.

It is the technology that enables your users to decide for themselves which categories of cookies and tracking they wish to consent to on your domain, and it is the technology that enables you, the website owner, to be fully compliant with the GDPR.

Examples of cookie disclaimers for websites


Cookie disclaimers are by definition bad, if we take cookie disclaimers to be the pop-ups on websites that leave no real consent for the user.

Archaic and bad cookie disclaimer found somewhere on the web.

This cookie disclaimer is exactly that – a disclaimer and nothing more. It leaves no choice of consent for the user, and it does not expose the cookies and tracking present on the site, their purpose or their properties.

A critical user meeting this cookie disclaimer on a website has no choice but to hit the previous page button, or blindly go forward onto the site.

A critical user might also already have noticed that this cookie disclaimer gives no guarantee that non-essential cookies, such as third party marketing cookies, haven’t already been set and activated upon arrival on the landing page.

They most likely have on a website with this cookie disclaimer.

A cookie message without any choice of prior and informed consent is not a cookie message that really protects the privacy of your users, nor does it live up to the requirements of the General Data Protection Regulation (GDPR).

GDPR & cookies - what does the law say?


The General Data Protection Regulation is a regulation (i.e. a uniformly binding legislation for all EU countries) that controls how companies, websites and other entities handle personal data.

The GDPR rules that no processing of user data is allowed without prior consent. This means that your website is not legally allowed to automatically activate any cookies but the ones strictly necessary for the function of your website before users consent.

If your website does not process sensitive data (such as health data), the GDPR stipulates that active consent (also known as implied consent or soft opt in) will suffice. An example of this active consent is the cookie banner that informs the visitor about the use of cookies and equals continued browsing on the website as given consent.

You can get an overview of what constitutes sensitive data on the European Commission’s website.

Active consent or implied consent or soft opt in looks like this cookie disclaimer

If your website does process sensitive data, you are legally obligated to obtain explicit or affirmative consent.

In summary, for your website to be compliant with the GDPR, you must –

  1. obtain clear and unambiguous consent from its users,
  2. prior to any processing of personal data,
  3. after specifying all types of cookies and other tracking technology present and operating on its pages,
  4. in easy-to-understand ways that enable users to consent and to revoke consent on each specific category of cookies,
  5. to then be able to safely and confidentially document each user consent,
  6. and to ask for renewed consent every twelve months.

Staying compliant with the GDPR is important, since it means protecting the privacy of your website’s users.

Being non-compliant with the GDPR can also be a costly affair, with maximum fines being €20 million or 4% of a company’s global annual turnover, whichever is higher.

Examples of GDPR compliant cookie disclaimers


The following cookie disclaimers are compliant with the active consent (or implied consent or soft opt in) as described in the GDPR.

A GDPR compliant cookie disclaimer, when implied consent is valid.

This cookie disclaimer is compliant with the GDPR, as long as the domain using it does not process sensitive data (e.g. health data), in which case explicit consent is required.

Examples of cookie consent banners, done wrong


Cookie consent banners – that enable prior and informed consent – are by definition good, but they can be implemented incorrectly.

You can implement the Cookiebot consent banner and still not be GDPR compliant. The following examples are non-compliant cookie consent banner implementations:

A Cookiebot cookie banner alternative to cookie disclaimers, implemented in a non-compliant way though.

The cookie banner above is one of ours. However, it has been implemented in such a way that it is not possible for the users to un-tick the boxes of third party marketing cookies, such as those of DoubleClick (a Google company).

According to the GDPR, websites must have marketing cookies un-ticked as a default so that users have to opt in themselves.

In this banner, marketing cookies are locked in activation, leaving the user without a choice of revoking their assumed consent, as well as activating third party cookies automatically upon the arrival of a user on the landing page: both of which are non-compliant with the GDPR.

Cookiebot consent banner alternative to cookie disclaimers implemented in a non-compliant way

Here is another non-compliant cookie banner. Marketing cookies are pre-ticked, which is non-compliant with the GDPR.

Cookiebot cookie banners

Cookiebot offers a high level of customization and autonomy for our customers when it comes to layout and make-up of the cookie banners. It is designed to be used in many different contexts, as well as live up to different national privacy laws and regulations.

This level of customization does, however, also enable our customers to be non-compliant with the GDPR when it comes to prior consent, i.e. not activating any cookies before prior consent has been obtained.

It is, for instance, possible to have pre-ticked marketing boxes (as shown above), which is non-compliant with the GDPR.

To make sure that your website is GDPR compliant, you must leave marketing cookies un-checked for users to opt in themselves, i.e. give their prior consent.
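The requirements summarized above (prior consent, per-category opt-in with non-essential categories unticked by default, easy revocation, a documented consent record, and renewal every twelve months) can be modelled as a small consent gate. The following is an added example, not Cookiebot's own code or API: it contrasts the pre-ticked (weak) default with the compliant one, gates script loading on the stored consent, and audits cookies already present against what the user has actually allowed. The category names, cookie names, script URLs and the 365-day renewal window are assumptions constructed for the example.

```javascript
// Added example (not Cookiebot's code): a minimal consent gate modelling the GDPR
// requirements listed on this page. Category names, cookie names, script URLs and
// the 365-day renewal window are constructed assumptions.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const NON_ESSENTIAL = CATEGORIES.filter((c) => c !== "necessary");
// The page says consent must be renewed every twelve months; 365 days is assumed here.
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;

// Weak setting: marketing (and the other non-essential categories) pre-ticked.
const PRE_TICKED_DEFAULTS = { preferences: true, statistics: true, marketing: true };
// Corrected setting: every non-essential category starts unticked, so the user opts in.
const COMPLIANT_DEFAULTS = { preferences: false, statistics: false, marketing: false };

// A banner default is compliant only if no non-essential category is on before the user acts.
function defaultsAreCompliant(defaults) {
  return NON_ESSENTIAL.every((c) => defaults[c] === false);
}

class ConsentStore {
  // `now` is injectable so the twelve-month expiry can be exercised without waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.record = null; // { choices: { category: boolean }, grantedAt: epoch ms }
  }

  // Document the user's explicit choice. A category the user did not tick is recorded
  // as declined; unknown category names are rejected rather than silently accepted.
  save(choices) {
    for (const key of Object.keys(choices)) {
      if (!NON_ESSENTIAL.includes(key)) throw new Error(`unknown category: ${key}`);
    }
    const full = {};
    for (const c of NON_ESSENTIAL) full[c] = choices[c] === true;
    this.record = { choices: full, grantedAt: this.now() };
    return this.record;
  }

  // Revocation must be as easy as consent: switch a single category off.
  revoke(category) {
    if (!NON_ESSENTIAL.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.record) this.record.choices[category] = false;
  }

  // No record, or a record older than twelve months, is treated as no consent at all.
  isExpired() {
    return this.record === null || this.now() - this.record.grantedAt > CONSENT_MAX_AGE_MS;
  }

  // Strictly necessary is always allowed; everything else needs a current, explicit yes.
  allows(category) {
    if (category === "necessary") return true;
    if (this.isExpired()) return false;
    return this.record.choices[category] === true;
  }
}

// Constructed tag manifest: each third-party script is labelled with its category.
const SAMPLE_TAGS = [
  { src: "/js/app.js", category: "necessary" },
  { src: "https://stats.example/collect.js", category: "statistics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Prior consent gate: only scripts whose category is allowed may be injected.
// In a browser the returned URLs would be turned into <script> elements; nothing
// outside this list is loaded on the landing page.
function selectScriptsToLoad(tags, store) {
  return tags.filter((t) => store.allows(t.category)).map((t) => t.src);
}

// Audit: given the cookies already set (document.cookie format) and a name -> category
// map, return the cookies present without a valid consent for their category.
// A cookie that is not in the map is "unclassified" and therefore never allowed.
function cookiesSetWithoutConsent(cookieString, cookieCategories, store) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0)
    .filter((name) => !store.allows(cookieCategories[name] || "unclassified"));
}

if (typeof require !== "undefined" && require.main === module) {
  const store = new ConsentStore();
  console.log("before consent:", selectScriptsToLoad(SAMPLE_TAGS, store));
  store.save({ marketing: true });
  console.log("after opting in to marketing:", selectScriptsToLoad(SAMPLE_TAGS, store));
}
```

The design choice worth noting is that absence of a record and an expired record both fall through to "not allowed": the gate fails closed, so a landing-page visit with no stored consent loads only the strictly necessary script, which is exactly the behaviour the non-compliant banners above lack.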

Cookie consent banners, done right


We here at Cookiebot obviously care a lot about things being done in the right way. Every day we fight to protect privacy, and so the correct and compliant implementation of our technology is something we care about.

This cookie banner is compliantly implemented on the given website. Un-ticked marketing cookies make this cookie banner compliant with the GDPR.

This cookie banner is a compliant alternative to the cookie disclaimer and correct according to the GDPR

This cookie banner is in turn compliant with the new guidelines from the ICO and the CNIL, which require affirmative and explicit consent for all non-essential cookies regardless of what type of data the website processes.

This cookie banner is compliant with ICO's and CNIL's new guidelines.

Read more about the new guidelines for cookie control from ICO and CNIL here.

The good thing about being compliant with the European data protection law is that it means that you protect the privacy of your users in a sustainable way.

Resources


ICO’s updated guidelines

ICO’s homepage

CNIL’s updated guidelines

CNIL’s homepage

GDPR (official law text)

ePrivacy Directive 2009 (official law text)

GDPR & ePrivacy Directive 2009, summarized by Cookiebot
