Cookiebot

The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR) affect how you, as a website owner, must obtain and store cookie consents from your visitors in the EU.

 

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

Cookie disclaimers and cookie banners are two different things, and they don't always offer real GDPR compliance and consent

Updated March 30, 2020.


Cookie disclaimers and cookie banners are not the same thing.

Sure, you could use the words interchangeably, but there’s a big difference between the two when it comes to compliance with the existing European data protection law – the General Data Protection Regulation – and the various national interpretations of the ePrivacy Directive.

In this blog post, we will take a look at –


What is a cookie disclaimer? What is cookie consent?


A cookie disclaimer is a thing of the past. Or it should be, but in reality, the Internet is littered with archaic cookie disclaimers that not only leave users confused and fatigued but are also not compliant with the existing data protection law of the EU – the General Data Protection Regulation (GDPR).

A cookie banner or cookie consent banner, on the other hand, is a sustainable and GDPR/ePR compliant approach to protecting the privacy of your website’s users – if it is implemented correctly.

A consent banner is the technology that enables your users to decide for themselves which categories of cookies and tracking they wish to consent to on your domain, and it is the technology that enables you, the website owner, to be fully compliant with the GDPR.


CJEU ruling on valid consent in EU


In October 2019, the highest legal body in the EU, the Court of Justice of the European Union (CJEU), ruled in the case of the German website Planet49 that the only valid form of consent in the EU is explicit consent.

This means that regardless of what type of personal data you process (whether it’s personal or sensitive according to the GDPR), no matter if it’s done through statistics cookies or analytics cookies, your end-users must explicitly and affirmatively opt in before any collection and processing is allowed to take place.




GDPR/ePR compliant cookie consent banner from Cookiebot.



In practice, this means that cookie consent banners in the EU are not allowed to have pre-ticked checkboxes on any categories of cookies except for those strictly necessary for the basic function of your website.

Read more about the CJEU ruling on valid consent in the EU.


GDPR and cookies - what does the law say?


The General Data Protection Regulation is a regulation (i.e. uniformly binding legislation for all EU countries) that controls how companies, websites and other entities handle personal data.

The GDPR rules that no processing of user data is allowed without prior consent. This means that your website is not legally allowed to automatically activate any cookies but the ones strictly necessary for the function of your website before users consent.

Before the CJEU Planet49 ruling, different types of consent were valid in the EU. If your website processed personal data that was not sensitive data (such as health data or data about sexual or religious orientation), then implied consent was enough. This meant that if users kept scrolling on that website, this behavior would constitute consent in the eyes of the law.

After the CJEU Planet49 ruling, there is no distinction between what type of data is collected and processed when it comes to consent. The only valid form of consent is explicit, i.e. empty checkboxes on the consent banner that users must actively click on to opt in to the activation of any cookies category apart from necessary.



Non-compliant cookie disclaimer found somewhere on the Internet.

Before the CJEU Planet49 ruling, implied consent or soft opt-in was valid.



In summary, for your website to be compliant with the GDPR, you must –

  1. obtain clear and unambiguous consent from your users,
  2. prior to any processing of personal data,
  3. after specifying all types of cookies and other tracking technology present and operating on its pages,
  4. with no pre-ticked checkboxes on any cookie categories except necessary,
  5. in easy-to-understand ways that enable users to consent and to revoke consent on each specific category of cookies,
  6. to then be able to safely and confidentially document each user consent,
  7. and to ask for renewed consent every twelve months.

Staying compliant with the GDPR is important, since it means protecting the privacy of your website’s users.

Being non-compliant with the GDPR can also be a costly affair, with maximum fines being €20 million or 4% of a company’s global annual turnover, whichever is higher.


Examples of non-compliant cookie disclaimers for websites


Cookie disclaimers are by definition bad, if we take cookie disclaimers to be the pop-ups on websites that leave no real consent for the user.




Archaic, bad and illegal cookie disclaimer found somewhere on the web.



This cookie disclaimer is exactly that – a disclaimer and nothing more. It leaves no choice of consent for the user, and it doesn’t expose the cookies and tracking present on the site, or their purpose and properties.

A critical user meeting this cookie disclaimer on a website has no choice but to hit the previous page button, or blindly go forward onto the site.

A critical user might also already have noticed that this cookie disclaimer gives no guarantee that non-essential cookies, such as third party marketing cookies, haven’t already been set and activated upon arrival on the landing page.

They most likely have on a website with this cookie disclaimer.

A cookie message without any choice of prior and informed consent is not a cookie message that really protects the privacy of your users, nor does it live up to the requirements of the General Data Protection Regulation (GDPR).

The following cookie disclaimers are non-compliant because they rely on the now-illegal implied consent or soft opt-in, as ruled unlawful by the CJEU.




A non-compliant cookie disclaimer using the unlawful implied consent.



This cookie disclaimer used to be compliant with the GDPR but is unlawful after the CJEU ruling banning implied consent.


Examples of cookie consent banners, done wrong

Cookie consent banners – that enable prior and informed consent – are by definition good, but they can be implemented wrongly.

You can implement the Cookiebot consent banner and still not be GDPR compliant. The following examples are non-compliant cookie consent banner implementations:



A Cookiebot cookie banner alternative to cookie disclaimers, implemented in a non-compliant way.



The cookie banner above is one of ours. However, it has been implemented in such a way that it is not possible for the users to un-tick the boxes of third-party marketing cookies, such as those of DoubleClick (a Google company).

According to the GDPR and the CJEU Planet49 ruling, websites must have preference cookies, statistics cookies and marketing cookies un-ticked as a default so that users have to opt in themselves. Only necessary cookies are allowed to be pre-ticked.

In this consent banner, though, all three cookie categories are locked in activation, leaving the user without a choice of revoking their assumed consent, as well as activating third-party cookies automatically upon the arrival of a user on the landing page: both of which are non-compliant with the GDPR.



Another cookie banner from Cookiebot, implemented non-compliantly.



Here is another non-compliant cookie banner. Same issue as above. All three cookie categories are pre-ticked, which is non-compliant with the CJEU’s ruling on valid consent in the EU.

Cookiebot offers a high level of customization and autonomy for our customers when it comes to layout and make-up of the cookie banners. It is designed to be used in many different contexts, as well as live up to different national privacy laws and regulations.

This level of customization, however, also enables our customers to end up non-compliant with the GDPR when it comes to prior consent, i.e. not activating any cookies before the prior consent has been obtained.

To make sure that your website is GDPR/ePR compliant, you must leave all cookie categories un-checked (except necessary) for users to opt in themselves, i.e. give their prior consent.
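The checklist above and the “done wrong” banners in this section boil down to a few rules a site can enforce in its own consent logic: only the necessary category defaults to on, nothing else may be pre-ticked or locked, no non-necessary script runs until an explicit opt-in for its category has been recorded, and a recorded consent expires after twelve months. The following is an added illustrative model of those rules, not Cookiebot’s code or API; the category names, function names and the 12-month constant are assumptions for the example.

```javascript
// Added illustrative example, not Cookiebot's code or API: a minimal consent
// state model that enforces the checklist from this post. Names are assumed.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const RENEW_AFTER_MS = 365 * 24 * 60 * 60 * 1000; // ask again after twelve months

// Default banner state: only "necessary" is on (and locked); everything else
// starts unticked so the visitor must actively opt in.
function defaultBannerState() {
  return {
    necessary: { checked: true, locked: true },
    preferences: { checked: false, locked: false },
    statistics: { checked: false, locked: false },
    marketing: { checked: false, locked: false },
  };
}

// Flag a banner configuration that pre-ticks or locks a non-necessary
// category (the non-compliant implementations shown above). Returns the
// offending categories; an empty list means the defaults are compliant.
function bannerDefects(state) {
  return CATEGORIES.filter(
    (c) => c !== "necessary" && (state[c].checked || state[c].locked)
  );
}

// Record an explicit opt-in: which categories the visitor ticked, and when,
// so the consent can be documented and later renewed.
function recordConsent(ticked, now) {
  const consent = { timestamp: now, categories: {} };
  for (const c of CATEGORIES) {
    consent.categories[c] = c === "necessary" || ticked.includes(c);
  }
  return consent;
}

// A stored consent older than twelve months no longer counts as consent.
function consentIsCurrent(consent, now) {
  return consent !== null && now - consent.timestamp < RENEW_AFTER_MS;
}

// Gate a tracking script on consent: only "necessary" scripts may run before
// (or without) a current, explicit opt-in for their category.
function mayActivate(script, consent, now) {
  if (script.category === "necessary") return true;
  if (!consentIsCurrent(consent, now)) return false;
  return consent.categories[script.category] === true;
}
```

In a real deployment `mayActivate` would sit in front of every tag loader (analytics, marketing pixels) so that, as the post requires, nothing but necessary cookies is set before the visitor has opted in.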


Cookiebot cookie banners, done right


We here at Cookiebot obviously care a lot about things being done in the right way.

Every day we fight to protect privacy, and so the correct and compliant implementation of our technology is something we care about.




A Cookiebot consent banner that is compliant with the GDPR/ePR and the CJEU ruling.



This cookie banner is compliantly implemented on the given website. Un-ticked cookie categories make it compliant with the GDPR/ePR and the ruling by the Court of Justice of the European Union in October 2019.

The good thing about being compliant with the European data protection law is that it means that you protect the privacy of your users in a sustainable way.


Resources


General Data Protection Regulation (GDPR)

CJEU ruling on valid consent in the EU

ICO’s updated guidelines

ICO’s homepage

CNIL’s updated guidelines

CNIL’s homepage

GDPR (official law text)

ePrivacy Directive 2009 (official law text)

GDPR & ePrivacy Directive 2009, summarized by Cookiebot
