The GDPR has consequences for the use of cookies on your website. Does your website have a message or settings menu stating that the visitor automatically accepts cookies by using your website? Then that will no longer be sufficient from 25 May 2018.
Cookie Consent GDPR
How do you comply with the GDPR if you want to (continue to) use (marketing) cookies?
The GDPR is all about better protecting the privacy of individuals. Websites contribute more than 50% to the sharing of privacy-sensitive information. This is partly due to the use of cookies and other tracking technologies, which make it possible, directly or indirectly, to identify a person. And therefore cookies have to do with the GDPR.
Unfortunately, we read in many (marketing) blogs that the ePrivacy regulation will soon apply to the use of cookies. Nothing could be further from the truth. This regulation is still pending, as can be read below, but cookies do fall under the GDPR.
Privacy and cookies and the GDPR
In order to better protect the privacy of website visitors, the way permission is obtained changes. The way your website visitor is informed also changes with the arrival of the GDPR.
The change that has the greatest influence for website owners and marketeers is “being able to provide a correct opt-in and opt-out mechanism and to record the consent of the website visitor”.
Your website visitor has given permission for the use of cookies, but changes his or her mind. Then you will have to enable the visitor to change the choice in the same way. Users must be able to revoke or change permissions as easily as they have given them.
But the GDPR goes one step further. In this table you can see an overview of GDPR requirements regarding Cookie Consent and what your website needs to comply with, if you use cookies. This applies to all cookies, except for functional cookies that allow a website to function.
Cookie Consent GDPR | Consent manager
GDPR regulations | CookieFirst | Cookie Wall | Cookie pop-up |
---|---|---|---|
Full insight into tracking technologies on your website. | |||
Detailed cookie information in an accessible form. | |||
Explicit permission to place different types of cookies (opt-in). | |||
Users should be able to modify or delete permission to use cookies as easily as they have given permission. | |||
Registration of the given, modified or deleted consent. | |||
Cookies may only be placed after the user has chosen the types of cookies (except for necessary cookies). | |||
Provide insight into information that your website shares with third parties and where that data is shared in the world. | |||
GDPR Solution | CookieFirst | Cookie Wall | Cookie pop-up |
Scan all known tracking technologies. | |||
Consent registration and Log. | |||
Automatic up-to-date cookie statement. Can be integrated with privacy statement. | |||
Monthly reporting of cookies, cookie changes and consents log. |
Why is this different from “cookie walls” or “cookie pop-ups”?
The differences compared to cookie walls and cookie pop-ups do not seem to be big at first sight. If you hold them up against the GDPR, you will see that the difference lies in the way you inform and obtain permission. Clicking on an “opt-in” box or “OK” button, or choosing “settings” in a menu is no longer sufficient.
A website should remain accessible and should not place cookies until the user has indicated his preferences and consent.
The above solutions are therefore not satisfactory, either because they prevent you from visiting the website or because they do not provide full information about the details of the cookies and other tracking technologies used. A frequently heard reaction is: “But we do refer to this in our privacy policy or cookie statement. What they are and how to remove them?”
This is how many websites have indeed set it up, in combination with the above type of cookie walls and pop-ups. In the light of the GDPR, you will have to be more transparent in providing information, keep it simple, and register both consent and its withdrawal.
“You will have to inform in advance in a concise, transparent, understandable, easily accessible way and tell in a simple form about the cookies and their details that you use on your website. In addition, consent must be as easily modified or removed as you have given it (opt-in/opt-out).” It is no longer sufficient to indicate in your privacy statement or cookie statement what types of trackers you use and how a user deletes cookies in the browser. This has everything to do with the previously mentioned opt-out requirements of the GDPR. If you need to be able to remove or modify your permission as easily as you have given it, then the same cookie banner will need to provide this. A cookie wall does not provide for this, according to the opinion of the Authority for Personal Data.
Cookie Consent GDPR | Registration of consent
The obtained permission/change/deletion must be registered according to the GDPR. In a log you anonymously register the given permission or changes. The log file allows you to find out how you got the permission. This is also a requirement of the GDPR. More about opt-out in the permission section below.
The upcoming e-Privacy regulations will deal with this later, won’t they?
Yes and no. The ePrivacy regulations are not yet in place. The idea was to have them enter into force together with the GDPR on 25 May 2018. There is a proposal, but it has yet to be approved by all countries in the EU. The ePrivacy regulations also refer to article 7 (“Conditions for consent”) of the GDPR. They are therefore an addition to the GDPR legislation.
In the upcoming ePrivacy legislation there are proposals to regulate privacy by means of browser settings. But that will be difficult to achieve since there is no incentive for browser manufacturers and the current browser technology cannot provide this.
Permission to use cookies
Under the GDPR, therefore, consent will have to be given explicitly by means of a clear active act (Article 7.1 of the GDPR). This must show that the data subject freely, specifically, in an informed manner and unambiguously consents to the processing of his (personal) data.
This means that an “opt-out” option (e.g. an already filled in check box) will not be a valid way to obtain consent. An “opt-in” is therefore necessary, also for cookies. As long as the visitor to the website has not explicitly given permission by means of an active action, cookies may not be placed. If different cookies are used, or cookies are used for different purposes, separate permission must be given for each cookie/intended use.
Opt-in and opt-out
In simple language this means that pre-filled “check-boxes” do not suffice. The website user will have to tick the checkboxes: opt-in.
In addition, it must also be possible to amend or withdraw the consent at any time (opt-out).
Referring to the browser settings, as mentioned above, is not enough. Withdrawing permission must be as easy as giving it. This means that an “opt-out” button must be added to the pages of your website. (Or, in simple language, a “delete/adjust my cookies” button.)
Website must remain accessible – Cookie consent GDPR
In order to ensure that the consent can be given freely, the failure to give consent should not affect the data subject. This means that website visitors should still be able to use the website (albeit with restrictions), even if they have not given permission for the use of cookies.
Marketing opportunities – better quality of opt-ins
With the new rules, online marketers have a big challenge when it comes to the use of marketing cookies. There will have to be a mechanism that meets all the requirements of the GDPR as described in this blog. However, it also creates opportunities. Cookies may still be used under the GDPR as long as you play by the rules.
It seems to be a bigger challenge than it is, provided you have the right technology. By being completely transparent in the use of cookies to your website visitor, you also create trust. This will allow the website visitor to accept the marketing cookies (opt-in). In addition, I think that you will get better qualified website visitors by explicitly obtaining permission to place cookies. You know that you are dealing with website visitors who are interested in your product or services, which improves the quality of retargeting. With the help of videos on your landing page, you can also improve the opt-in on marketing cookies.
Cookies change monthly
33% of all cookies and tracking technologies change every month. This gives you as a website owner a lot of work to inform your website visitors about the cookies on your website. And you have to check this every month and adjust it if necessary, also on the page with a privacy statement. Since the Cookie Consent GDPR requires you to be transparent in providing information, you want to be able to rely on an automated solution that scans your cookies on a monthly basis. On our CookieFirst website, the number of cookies in use is not that high; see our cookie declaration. Use our cookie policy generator to create your own.
But we also see websites with 50, 100 and sometimes more than 250 cookies. Mapping and tracking all types of cookies, trackers, beacons, etc. and the associated cookie statement is very time-consuming. It is also something you can overcome with a good technical solution. In addition, you can also automatically create a cookie statement.
If you would like to know more about the different types of cookies, read our article: What are cookies?
Cookie consent GDPR – Conclusion
The impact of the GDPR on the use of cookies on your website is greater than you might initially think. You need to provide visitors to your website with detailed information about the types of cookies, the details of the cookies, the correct opt-in and opt-out functionality and the registration of the given consent. In addition, 33% of the cookies change monthly and you will need to identify and modify them in your cookie statement. When you offer cookies in a transparent way on your website, website visitors will be more inclined to opt-in. And the opt-ins you get are therefore of better quality.
Do you want to know how your website complies with the GDPR and how you can improve the quality of your opt-ins? Then try CookieFirst for free.