Requirements for a GDPR and ePrivacy-compliant cookie notice
In short, a legitimate, compliant cookie notification must:
- Obtain clear and unequivocal user consent,
- before processing personal data,
- after specifying all types of cookies and other tracking technologies that are present and operating on the website's pages,
- in an easily understandable way that enables users to grant and withdraw consent for each individual category of cookies,
- document each user's consent securely and confidentially,
- and ask for renewed consent every twelve months.
The bad, the good and the very good: a tour of cookie notices
A bad, non-compliant cookie notice is one that does not specify the various tracking cookies and the functions they serve, and does not give the user a real choice about consent, but forces them to simply click “OK” or “accept”. Such a cookie notice is not GDPR-compliant.
[Figure: a bad, non-compliant cookie notice that does not allow real user consent.]
This is not genuine cookie consent, since the user has no way of knowing who or what they are agreeing to, nor are they able to withdraw this consent if they change their mind.
A good cookie notice is one that gives the user the option to disable the different types of trackers and cookies with which they do not want to share their information.
A very good cookie notice is one that, in extensive detail and in clear, understandable language, passes on to the end user as much information as the website operator has about the third-party trackers and cookies operating on their website.
Through transparency, a cookie notice enables us to understand which decisions we want to make online and gives us the opportunity to protect our right to privacy online.