Are you compliant with the GDPR or your local data protection legislation?
Are you fully aware of the GDPR Cookie consent?
Do you know your responsibilities for cookie usage on your website?
So what are cookies?
They are Small files that get dropped automatically onto a user’s device, whenever they land on your website. Cookies are harmless bits of texts that are locally stored and can be viewed and deleted quickly. However, they give a great deal of insight into a user’s activity, preferences, search history and can assist with direct marketing. Have you ever searched for, say a tent, then for the next few days all the advert banners that appear on your browser are for tents, that is because of the cookie that was placed on your device without explicit content.
You may have clicked on an annoying banner that mentioned something about cookies and only provided an ‘accept’ button, or were told that by using the site you accepted all the cookies and hit the ‘OK’ button. These are known as cookie walls and are being deemed illegal by the new ePrivacy Regulation that is due to come into effect soon. But this article is about GDPR and the required consent.
GDPR cookie compliance
Not every cookie is used to identify users, but the majority of them are, similarly they are subject to GDPR. Cookies for statistics, marketing and preferential services, are the cookies that identify users.
The issue with cookies and user privacy is, you don’t know what data is being collected? Who is tracking you? What is their purpose is? Where the data is stored or used? And how long they keep the data for?
These are all questions we should have answers to, Principle one of GDPR talks about the Lawfulness, Fairness and Transparency of data usage. This principle links in with your right to be informed.
Privacy notices on websites normally supply you with enough information to answer these questions. The majority of Cookie Banners or Pop-ups don’t.
What is GDPR Cookie Consent?
It is vital that you know what proper GDPR cookie consent is. The consent must be:
• Informed: This means how and why personal data is collected and used? Website owners must make this clear to the users. Users must have the ability to opt-in and opt-out of the category of cookies used by the website owner.
• The consent must be given through affirmative action, which cannot be interpreted.
• The consent must be given before the cookie is placed on the users device and starts processing the personal data of the user.
• It should be as easy for the user to withdraw their consent if they change their mind.
• Consent should be recorded and documented.
The ePrivacy Directive and the GDPR want you to obtain informed consent from your site users before any cookie or tracking method is loaded. In addition, the GDPR also requires you to record consent and document it.
Below are the requirements of the ePrivacy Directive for a compliant cookie notice:
1) Transparent cookie notice:
Make sure your Cookie Notice gives a clear picture to the user about how cookies are used on your website. It is essential that a notice is written in an understandable and plain language.
CookieScan creates a simple, easy to understand and read cookie notice, a link is available to your site visitors on the cookie pop-up, along with a link to your privacy notice, so you are being totally transparent for your use of the users data.
2) Accountability for cookies on your website:
You should list all the cookies that are used on your site in order to be totally accountable as a Data Controller. It is easy for people to scan your site and find out for themselves what you are using, so update your notice on a regular basis. We see all too often on cookie notices, ‘updated May 2018’, this is when GDPR came into force, so the cookie notice has not been looked at since? I bet it is not accurate!
CookieScan automatically creates your cookie notice and updates it every time your site is scanned with the latest cookies used. Your cookie notice will never be inaccurate to your cookie usage.
3) Consent requested through an affirmative action:
The definition for consent in the GDPR is:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
So an affirmative action must be a clear indication of the users wishes, like a slider saying on/off.
CookieScan use this on/off slider which is also colour coded so it is absolutely clear what has or has not been consented to. No confusion about does a tick in the box mean I have consented or I have not consented?
4) It must be as easy to withdraw consent as it is to give it:
Using the legal basis of consent in the GDPR, gives total control to the user or giver of that consent, so the user must be able to withdraw this consent at any time and as easily as it was to give it. At point 3, we mentioned a slider saying on/off, it must be easy for the user to get back to the ‘Preference Centre’ and change this setting, whenever and as often as they like.
Your CookieScan account places a small grey box at the bottom left corner of every page on your website. When this box is selected it will open the cookie pop-up, allowing the user to change their consent.
5) Renewal of consent:
The renewal of consent for cookies is not a definitive period of time, the guidance indicates that:
The duration of consent should be reasonable, it is also impacted by any changes to the cookies or a similar technology that is added to track user behaviour.
So, CookieScan asks for a renewal of consent every 6 months or when significant changes have been made to the cookies used by the site owner.
6) Consents must be recorded and documented:
Every time you obtain consent, or indeed consent is not given to a certain category of cookies, this information should be recorded and available to you as a data controller, whenever you need it.
Imagine a data subject making a complaint about your website, sending them unwanted marketing material and saying they did not consent to you placing cookies on their device. If you do not have this accurate record, you have no evidence to defend yourself against these claims.
CookieScan records all the actions taken by users of your site and records them against the users IP address. This complete and accurate record of cookie usage is available to you at your request, at any time and without any additional fee. You are safe with CookieScan .