The game has changed since the cookie law was first introduced, and your cookie practices might need to change, as well.
Last year, the European Commission released its proposal to replace the existing ePrivacy Directive with a new regulation.
The GDPR has changed a number of things when it comes to your use of cookies and how you can obtain consent for it.
A couple of years ago, EU legislators changed how website owners may use device identification techniques. The law was meant to inform users of how data about them is collected and used online. The EU Cookies Directive also gave users the right to decline the use of cookies that interfere with their online privacy.
The directive now known as the Cookies Law requires you to have a Cookie Policy. Your website visitors need to know that your site uses cookies and the types of cookies being used.
The law required you to give users a way to limit the placement of these cookies on their devices.
A compliant Cookie Policy needs to inform users of:
The ePrivacy Directive required all websites operating in the EU to display cookie notifications on all pages of a site using cookies that need informed consent.
Some banners require active interaction by asking the user to choose between accepting and refusing the site's cookies, while others are notice-only.
The latter presumes that continued use of the site signifies user consent.
But the ePrivacy Directive didn't meet its objectives.
Lawmakers didn't predict the rise of social media and the use of smartphone apps. The growth of behavioral advertising and online tracking also affects the privacy and confidentiality of web users.
Does this mean that your current Cookie Notice is not going to work under the GDPR?
The General Data Protection Regulation, also known as the GDPR, is legislation that regulates how websites handle personal data. It applies to all European Union member states.
The GDPR impacts internal processes, workflows, and business systems.
This law gives consumers more rights over the information that is collected, used, and stored about them. Furthermore, the regulation stipulates strict requirements on user consent, documentation, transparency, and handling procedures.
The Cookies Law applied to websites with their servers in the EU and exempted those whose servers were outside the EU even if they received EU website traffic. With the GDPR, however, any business with EU users needs to comply.
Consent is a key consideration under the GDPR.
Cookies are not banned under the GDPR, but failure to prove you've obtained appropriate consent on an individual basis puts you at risk of non-compliance.
Most businesses used to rely on implied or opt-out consent. However, the GDPR no longer allows this.
Here's what's changing with cookie consent under the GDPR.
Under the GDPR, your users need to take an affirmative action to signal their consent. Implied consent no longer works. Implied consent is when you include a statement that says something like "by doing this general action, you are consenting to these unrelated things."
Before, all a user had to do was browse your website, and that alone was taken as consent to have your cookies placed on their device. This is no longer acceptable.
Today, the user needs to do something like click an opt-in box or clearly-labeled "accept" button to provide consent.
Your site needs to have an option where the user can either accept or reject cookies.
Here's an example of an acceptable method of getting consent to place cookies:
According to the GDPR, your site needs to make it as easy for users to withdraw consent as it is to give it. For example, if you have an opt-in box that a user needs to tick to provide consent, you must also include an opt-out box that users can access to withdraw consent.
It's essential to note that telling users they can block cookies if they do not accept the cookies you use does not satisfy this requirement.
If your site uses different types of cookies for various data processing purposes, you'll need to provide valid consent mechanisms for each purpose.
Here's a way to do that by offering individual consent and control methods for each type of cookie you use:
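The consent rules described above (no cookie until an affirmative choice, consent per purpose, withdrawal as easy as granting, and a record you can point to) map naturally onto a small piece of front-end state. The following is an added example, not code from the article; the purpose names and cookie names are assumed, and a `Map` stands in for `document.cookie` so it runs outside a browser:

```javascript
// Added example: a minimal consent manager modelling the GDPR rules in the text.
// Assumed purpose categories; "essential" cookies do not require consent.
const PURPOSES = ["analytics", "marketing"];

function createConsentManager(now = () => new Date().toISOString()) {
  const state = { granted: new Set(), log: [] };
  // Every grant/withdrawal is logged so consent can later be evidenced.
  const record = (action, purpose) => state.log.push({ action, purpose, at: now() });

  return {
    // Default deny: true only after an explicit grant, never from mere browsing.
    isAllowed(purpose) {
      return purpose === "essential" || state.granted.has(purpose);
    },
    // Per-purpose opt-in, e.g. from separately labelled "accept" controls.
    grant(purposes) {
      for (const p of purposes) {
        if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
        state.granted.add(p);
        record("grant", p);
      }
    },
    // Withdrawal is a single call, no harder than granting; defaults to all.
    withdraw(purposes = [...state.granted]) {
      for (const p of purposes) {
        state.granted.delete(p);
        record("withdraw", p);
      }
    },
    // Gate cookie-setting on current consent; returns whether the cookie was set.
    setCookie(jar, name, value, purpose) {
      if (!this.isAllowed(purpose)) return false;
      jar.set(name, value);
      return true;
    },
    // After a withdrawal, drop cookies whose purpose is no longer consented to.
    purge(jar, cookiePurposes) {
      for (const [name, purpose] of Object.entries(cookiePurposes)) {
        if (!this.isAllowed(purpose)) jar.delete(name);
      }
    },
    consentRecord() { return state.log.slice(); },
  };
}

// Constructed walkthrough: the cookie jar is a Map standing in for document.cookie.
function demo() {
  const jar = new Map();
  const cm = createConsentManager();
  cm.setCookie(jar, "_ga", "GA1.2.constructed", "analytics");   // dropped: no consent yet
  cm.grant(["analytics"]);
  cm.setCookie(jar, "_ga", "GA1.2.constructed", "analytics");   // set
  cm.setCookie(jar, "_fbp", "fb.1.constructed", "marketing");   // dropped: not granted
  cm.withdraw(["analytics"]);
  cm.purge(jar, { _ga: "analytics", _fbp: "marketing" });       // _ga removed again
  return { cookies: [...jar.keys()], log: cm.consentRecord().length };
}
```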
Under the GDPR, compliant cookie consent has to:
If your consent notice itself isn't very detailed, include a link to your Cookie Policy, if you have one, or to your Privacy Policy, where further information about your use of cookies can be found.
Here's an example of a cookie notice that has clearly labeled buttons for both accepting and declining cookies. A link to the Privacy Policy is included, as well as a brief description of what the cookies are used for and what they'll do.
While the GDPR does not explicitly require a Cookies Policy, it does require you to:
You can use your Privacy Policy to inform your users about cookies.
Here's an example of a good yet simple cookies clause that breaks down what type of cookie is used, for what purpose, how long it lasts and how users can opt out:
The more transparent you are with your users, the more compliant you'll be with cookies and privacy laws.