Updated August 24, 2021.
Your website is required under the EU’s General Data Protection Regulation (GDPR) to let users from inside Europe control the activation of cookies and trackers that collect their personal data.
This is the crux of GDPR cookie compliance – and the future of our digital infrastructures.
In this blogpost, we explain the most important things for you to know when dealing with EU's GDPR, cookies and data privacy compliance on your website – and show how Cookiebot consent management platform (CMP) solves them all for you.
The General Data Protection Regulation (GDPR) is an EU legislation that governs all collection and processing of personal data from individuals inside the EU.
Under the EU's GDPR, it is the legal responsibility of website owners and operators to make sure that personal data is collected and processed lawfully.
A website outside of the EU is required to comply with the GDPR if it collects data from users inside the EU.
Even though cookies are mentioned only once in the GDPR, cookie consent is nonetheless a cornerstone of compliance for websites with EU-located users.
The GDPR requires a website to only collect personal data from users after they have given their explicit consent to the specific purposes of its use.
Websites must comply with the following GDPR cookie requirements:
Typically, GDPR cookie compliance is achieved on websites through cookie banners that allow users to select and accept certain cookies for activation rather than others, when visiting a site.
GDPR compliant cookie banner by Cookiebot CMP.
The European Data Protection Board’s (EDPB) guidelines from May 2020 clarify what constitutes valid consent on websites in compliance with the GDPR.
EDPB guidelines state that your website’s cookie banner is not allowed to have pre-ticked checkboxes and continued scrolling or browsing by users cannot be considered as valid consent for processing of personal data.
Users must freely give a clear and affirmative action to indicate their consent in order for your website to activate cookies and process personal data.
Test if your website is in compliance with the GDPR’s cookie consent requirements by using the free Cookiebot CMP compliance test.
Simply enter the URL of your domain and let Cookiebot CMP conduct a free scan of your website to detect all cookies and trackers on the up to five subpages that are included in the free scan, and whether or not you live up to the GDPR’s cookie consent requirements.
Don’t be alarmed to find that your website has a lot more unknown cookies, trackers and trojan horses that you thought – they are notoriously difficult to know of, considering that –
72% of cookies on websites are loaded in secret by other third-party cookies, making them difficult to know of as a website owner.
18% of cookies on websites are trojan horses, i.e. cookies that are hidden as deep as within eight other cookies, making them practically impossible to detect without deep-scanning technology.
50% of trojan horses will have changed between visits, meaning that they can be different cookies altogether, collecting different data for different agents, and making the legal responsibility of the website owner to always inform users of the purpose and duration of cookies a headache from the get-go.
Source: Beyond the Front Page, a 2020 research paper on website cookies.
The Internet's changing landscapes are shaped by your website's cookies and GDPR.
Cookiebot CMP is a plug-and-play consent management platform – a technology developed to help balance data privacy and data-driven business on your website.
Cookiebot CMP is made up of an unmatched scanner that detects all cookies and trackers on your domain, and a consent management solution that automatically controls them all and empowers your end-users with granular consent or opt-out solutions, depending on where in the world they are located.
When a user from EU visits your website, Cookiebot CMP automatically geotargets their location and presents them with the correct solution for GDPR cookie compliance:
Cookiebot CMP GDPR cookie consent solution that lets users control their own data privacy on your website in full compliance with the GDPR.
Create your Cookiebot CMP account to get started and let our world-leading consent solution take the hard part out of privacy protection and compliance with GDPR’s cookie consent requirements.
Try Cookiebot CMP free for 30 days… or forever if you have a small website.
The Internet is a changing landscape.
It was built as a flat sandbox but has become an uneven land full of user exploitation and privacy invasion that has remained largely unregulated until now.
In the changing landscapes of the Internet, websites are important ecosystems that Cookiebot CMP help foster balance and protection on.
Your website is a dynamic system that is also constantly changing, and interacting with the personal, private and sometimes intimate data of real, living people. In the whole Internet, your website might seem small and insignificant, just another domain among the billions.
But in fact, your website – whatever its size – can host hundreds of trackers and trojan horses that feed on your users’ private data without their knowledge or consent.
As the Internet has become a fundamental infrastructure in our societies – directing our finances, health industries and our private, social spheres – laws to protect personal data from unconsented collection and use are emerging all around the world.
One of the biggest and most influential data protection laws today is the EU’s General Data Protection Regulation (GDPR).
Learn more about how GDPR cookie compliance works, and how Cookiebot CMP provides the solution to meet all of the GDPR’s cookie consent requirements below.
With Google Consent Mode and Cookiebot CMP, you can make all your website’s Google-services run based on the consent state of your end-users – full GDPR compliance with optimized analytics data and ads revenue through in one simple solution.
Cookiebot CMP manages the consent of your website’s users, then communicate the consent states to the API running Google Consent Mode who then governs all your favorite services (like Google Analytics and Google Ads) based on the consent state of each individual user on your website.
Did a user not consent to statistics or marketing cookies? Cookiebot CMP tells Google Consent Mode which then makes sure that you still get aggregate and non-identifying insights into your website’s performance and the possibility of showing contextual ads instead of targeted ads – respecting user privacy while optimizing your website.
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
By now, you probably got the whole point about how cookies and GDPR are linked: personal data is protected by the EU's GDPR, and cookies most often collect information that under the GDPR is considered personal data, and so you’re website is required to comply to the GDPR when using cookies.
Personal data is any information that relates or can in any way be related to an identified or identifiable living person (known in the law as a “data subject”).
The EU's GDPR actually considers the last five points on the checklist above as a special category of personal data called sensitive personal data.
In the rare case that your website processes any of this kind of data, the GDPR requires you to comply with specific processing conditions.
GDPR and cookies: how balanced are these in your website's dynamic system?
Cookies are small text files that are stored on your end-users’ browsers, as you probably know.
What you might not know is that cookies most often contain an identifier (known as a “Cookie ID”) that is in itself considered personal data under the GDPR.
Yes – under GDPR, cookie IDs are considered personal data.
A cookie ID is the identifier that is included within most cookies when set on a user’s browser. It is a unique ID that allows your website to remember the individual user and their preferences and settings, when they return to your website.
But cookie IDs often follow users around on the Internet and can be used to generate comprehensive profiles on individual people that are then sold to digital advertising agencies and used for behavioral marketing.
Third-party cookies from Google detected and controlled by Cookiebot CMP.
GDPR requires that your website only collects personal data from your users for specified, explicit and legitimate purposes, and that you obtain their clear and affirmative consent before doing so.
In your everyday work with your website, this GDPR cookie requirement means that you not only need to know what cookies and trackers are in operation on your domain, but also why they are there.
Your website uses a plugin from a tech company like Google or Facebook. This could be Google Tag Manager or a comment/like section on one of your subpages from Facebook.
You will now have cookies on your website.
They are third-party cookies because they do not come from your own website but are set on a user’s browser from Google or Facebook.
These cookies will not be necessary cookies, i.e. not white-listed and exempt from the GDPR, but rather will need the explicit consent of users before your website is allowed to activate them.
Even though these third-party cookies come from companies like Google or Facebook, the legal responsibility for GDPR cookie compliance is still yours as the website owner.
By know you probably have no doubt – yes, your website has cookies, GDPR requires you to control them and you’re looking to become compliant.
But very likely your website has more than one type of cookie. This is important, as the GDPR cookie requirements are different for the different types of cookies and tracking technologies in use on the Internet.
The EU’s data protection legal regime has the General Data Protection Regulation (GDPR) as its basis, but is also made up of legal precedents like the case of Planet49, the ePrivacy directive on electronic communications (EU cookie law), and guidelines from both national data protection agencies and the European Board of Data Protection (EDPB).
Altogether, they form the specific requirements that websites who have users from inside Europe must comply with today.
The sum of this legal regime is that in the EU, consent must be given by users in an explicit, unambiguous way; their consent must be granular; their consent must be given freely and their consent must not be nudged or given in return of services.
Full GDPR cookie compliance means that your website must –
For your website, this means that you need to enable your end-users to choose between the different types of cookies your website has.
In compliance with the GDPR, cookies fall into four categories on Cookiebot CMP –
Under the EU's GDPR, cookies that are not strictly necessary for the basic function of your website must only be activated after your end-users have given their explicit consent to the specific purpose of their operation and collection of personal data.
With the Cookiebot CMP deep-scanning technology, all your website’s cookies will be detected, and their technical details explained to you and your users in a simple cookie declaration that provides all the required information for full GDPR cookie compliance.
And with Cookiebot CMP, your website will always be informing its users with accurate and updated information on how it collects and shares their personal data.
Try Cookiebot CMP free for 30 days… or forever if you have a small website.
Cookiebot CMP automatically generates a cookie declaration for your website once it has scanned your domain.
All right, you made it to the end of a long article on GDPR and cookie consent. Way to go!
Cookiebot CMP has been in operation since 2014 and is a matured technology that ensures compliance with the EU’s GDPR and similar data protection laws around the world through our unmatched scanning technology and consent management solution.
The Cookiebot CMP technology takes the hard part out of compliance and privacy protection, and works every day to make privacy protection a simple and smooth solution today to guarantee a human future on our digital infrastructures tomorrow.
Sign up to Cookiebot CMP today and try free for 30 days… or forever if your website has less than 100 subpages.
Protect user privacy on the ever-changing digital landscapes with Cookiebot CMP for a compliant balance between GDPR and cookies.
Under the EU’s GDPR, cookies on your website that process personal data from individuals inside the EU are only allowed to be activated after the end-user has given their consent to do so. That means, any cookie on your website, that is not strictly necessary, and process personal data must be deactivated until the end-user accepts its activation.
Under the EU’s GDPR, cookies are only mentioned once, however the EU-wide legislation sets clear rules for how personal data is allowed to be processed by websites, chief among the rules are the necessity of obtaining explicit consent from end-users before collecting their data – and so, any cookie on your website that processes personal data must remain inactive until the user consents.
A GDPR compliant cookie banner is an interactive module that informs your users of all cookies and trackers in operation on your website, their purpose, duration and provider, and enables users to give their explicit consent to some, none or all cookies by ticking boxes or sliding controls and pressing a button. It is vital for GDPR compliance that cookie banners do not have pre-ticked checkboxes or forces users into a choice of accepting all or none in return for services.