Tomorrow’s choices: cookie solutions for compliance with GDPR and CCPA
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two landmark laws that regulate how websites, businesses and organizations are allowed to collect and process, sell and use the personal data of individuals inside their territories (EU and California, respectively).
EU’s GDPR demands that a website secure the clear and unambiguous prior consent from its users before using any cookies and other tracking technologies (apart from cookies strictly necessary for a website’s functioning).
California’s CCPA empower California residents with the right to be informed of the categories of personal information that a website collects, along with the right to have their data deleted and to opt out of future selling of their data to third parties.
In doubt whether your website is GDPR compliant? Test with the free Cookiebot CMP compliance test.
Try Cookiebot CMP free for 14 days… or forever if you have a small website.
GDPR compliance outside EU, CCPA compliance outside California
However, the GDPR is not only for Europeans.
On the contrary, the GDPR has extraterritorial jurisdiction that encompasses all websites globally, who have visitors from inside the EU. If you have a US-based website, and you have a user from any of the twenty-seven EU nations, you are required by law to be GDPR compliant toward that user as well.
Same goes for the CCPA stateside.
The CCPA also has extraterritorial scope and applies to all businesses (who fall under the law’s definition, that is) that handle the personal data of California residents.
All this leaves website owners in a pickle: how to manage user cookie consent in GDPR compliance, while at the same time managing their online businesses?
In other words: if you have a website, you probably don’t have much time to analyze your website’s cookies yourself, let alone manage each and every one so that users can be given proper insight and make an informed choice of consent.
This is where a cookie solution comes in.
Is privacy too big to understand?
Our internet is changing every day. Unpleasant truths about repeated online tracking of users, even on EU government sites and EU public health sites by big ad tech companies have shown the extent to which data privacy laws are needed to secure user cookie consent and their basic democratic rights to privacy.
These issues are big, we begin to understand. They touch all of us, whether we know it or not, and whether we’d like them to or not.
These issues might in fact be so big that the concept of digital privacy is comparable to the concept of climate change, both of which are what environmental philosopher Timothy Morton calls “hyperobjects”, i.e. that they are too big to describe and almost impossible to understand – and even worse, incredibly hard to react to.
Losing control of your life
If privacy is a catch-all, watered-down term already, another way to look at these issues, as civil liberty attorney Matt Cagle suggests, is to think about autonomy: “Privacy is really about being able to define for ourselves who we are for the world and on our own terms”.
The algorithms of ad tech companies and Facebook don’t give us more of what we want, as most people like to believe. Rather, their goal is to make us more predictable. To make us less autonomous. To push us toward the choices that the algorithms would like us to make, so that they prove their programming right.
To lose privacy is to lose autonomy is to become predictable.
Sensitive data can be used to take away that control of one’s own life and freedoms.
It can mean losing your autonomy in ways we are familiar with (and perhaps already more tolerant about), such as through targeted advertisements meant to sway our decisions, and even influence us at the algorithmically calculated time of day, where we are seemingly most susceptible.
But we can also lose our autonomy in ways that have much greater impact on the not only personal, but very private and intimate circles of our lives: in the aspects that range from physical and mental health, finance and security, to religious or sexual or political discrimination.
These issues are very big, but some of their solutions can actually be quite down-to-earth: controlling the cookies and trackers on your website, managing the cookie consent of your users.
A cookie solution, in other words, is a small, local, but vital step to approach this vast and scary issues.
A cookie solution that provides you with comprehensive protection is an important step in the right direction towards making these big issues smaller, more local, more understandable, and so solvable.
Cookiebot CMP is a comprehensive cookie solution for your website.
Cookie solutions – Cookiebot CMP and its core functions
Cookiebot CMP is a cookie solution that makes it possible to be compliant with the GDPR/ePR and CCPA without having to probe your own website and spend hundreds of hours mapping out cookie consent.
It’s a technology that provides a cookie scanner, consent management and cookie control for your entire domain.
Software as a service
Since it frees you from hours of technical rumination, which most of us don’t even know how to do, it’s literally a software as a service. A cookie consent manager and compliance solution like Cookiebot CMP makes it easier to be GDPR/ePR and CCPA compliant and to protect the privacy of your users.
Once applied to your website, the Cookiebot CMP cookie consent management technology works in the following ways:
Cookiebot CMP Core Function 1: the cookie scanner
Cookiebot CMP scans your website for cookies and maps out all the tracking present and operating on your website. It does so once a month (unless you set it to more frequent scans) to keep you updated on what goes on under the surface of your site.
After the scan, Cookiebot CMP then makes a detailed report on all cookies and tracking, enabling you – the website owner – to get a clear overview.
Cookiebot CMP Core Function 2: the cookie repository
Cookiebot CMP keeps a catalogue of all cookies that it finds on websites.
This is how it can identify their technical properties as well as defining their purpose. Together, this forms the cookie information that is given to the users, so they can make informed decisions about their cookie consent.
It is also from this bank of knowledge that Cookiebot CMP groups cookies into four categories; based on their properties and purposes.
These four categories are necessary, preference, analytics and marketing. Third-party tracking and profiling on account of personal information usually takes place in the latter two types of cookies.
It’s sort of like a library with ever increasing volumes of information that can be accessed by both a website owner and their users for the sake of transparency and GDPR consent.
Cookiebot CMP Core Function 3: the cookie banner
The infamous cookie consent banner, that you’ve undoubtedly stumbled upon many times on the internet, can take many shapes and forms. Many aren’t even compliant, offering no real choice of consent for the user.
A GDPR compliant banner is one that offers users real choice of consent, enabling them to opt in or out of each cookie category, as required by the EU cookie laws, simply by checking or unchecking the boxes of each cookie category.
According to the European Data Protection Board’s (EDPB) guidelines on valid consent from May 2020, scrolling and continued browsing on a website does not constitute valid consent, cookie consent banners are not allowed to have pre-ticked checkboxes on cookie categories (except for necessary cookies) and cookie walls (forced consent) are non-compliant.
Prior consent is not a legal basis in the CCPA as it is in the GDPR, but if you have users that are California residents under the age of 16, you are required to obtain their opt in consent before selling their personal information to third parties.
Cookiebot CMP Core Function 4: the cookie control
Based on a user’s choice of consent, Cookiebot CMP controls all cookies and other tracking technologies across your website and all its subpages automatically. The cookie manager remembers the specific user choices for a year and controls the cookies accordingly.
If the user wishes to change their mind and revoke consent, this is a simple and straight-forward procedure and the cookie consent manager will then accommodate.
The Cookiebot CMP geotargeting configuration enables websites to automatically detect where a user is located, so as to present them with the right solution, be it for CCPA or GDPR compliance.
Cookie solutions and CCPA/GDPR compliance
At the end of the day, what happens on a website is the responsibility of that website’s owner. This goes for cookies and trackers too, even if they are third-party trackers. If they are on your website, they are your responsibility.
But a cookie solution like Cookiebot CMP helps you lift this responsibility. It helps you gain a clear overview and makes the job of living up to that responsibility simpler.
Third-party trackers are everywhere in our everyday, both online and offline.
Data privacy laws like EU’s GDPR and California’s CCPA are important steps in the right direction, but small and local steps taken by the website owners themselves are equally important.
In fact, they are necessary.
Software as a service for transparency
Cookiebot CMP does all the hard work, so that you can focus on the more important things, such as to reflect on the level of transparency and right to privacy that you, as a website owner, are willing to engage your users in.
The users are often consent fatigued, i.e. they are fed up with endless banners without proper information, and they are often driven to unconsciously click those banners away out of frustration before realizing what this means for their privacy and autonomy.
Cookiebot CMP is a helpful tool for websites to counter this unfortunate trend, and so foster a safer internet that is more privacy-oriented, with a greater level of transparency.
It’s a cookie solution for protecting privacy.
We have already come a long way in just the past couple of years on this front, but there is a long way to go and it goes nowhere without the will of the website owners to change their small, local corner of the internet.
These are big issues, but some of the solutions can be small, local and start with you.
What is a CMP?
A consent management platform (CMP) is a technology that websites use to obtain consent from visitors for processing their personal data. When landing on a website that uses a consent management platform, visitors will be presented with a consent banner that enables them to give their consent to which cookies will be activated and what personal data will be processed.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU law that governs the processing of personal data of individuals inside the European Union. The GDPR requires that websites ask and obtain for the clear and affirmative consent from users prior to any processing of their personal data. Learn more about GDPR and cookies.
What are the EDPB guidelines on valid consent?
The European Data Protection Board (EDPB) is the leading authority on GDPR enforcement in the EU, and their main job consists of adopting guidelines and decisions for how the GDPR is to be interpreted and enforced in each EU country by national data protection authorities. EDPB guidelines on valid consent from May 2020 clarify that scrolling and continued browsing on a website is not considered a valid consent, a cookie banner is not allowed to have pre-ticked checkboxes and cookie walls (forced consent) are illegal.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a state-wide law that governs how businesses are allowed to collect, process and share the personal information of California residents. The CCPA requires companies (who fall under the law’s definition of business) to enable consumers to opt out of having their personal information shared and sold to third parties, as well as gaining access to already collected data and have that deleted.