EU Cookies Directive and GDPR

The game has changed since the cookie law was first introduced, and your cookie practices might need to change, as well.

Last year, the European Commission released its proposal to replace the existing ePrivacy Directive with a new ePrivacy Regulation.

The GDPR has changed a number of things about how you may use cookies and how you must obtain consent for them.

What is the EU Cookies Directive?

A couple of years ago, EU legislators changed the rules on how website owners may use cookies and similar device identification techniques. The law was meant to inform users of how data about them is collected and used online. The EU Cookies Directive also gave users the right to decline cookies that intrude on their online privacy.

The directive, now commonly known as the Cookie Law, requires you to have a Cookie Policy. Your website visitors need to know that your site uses cookies and which types of cookies are being used.

The law also required you to give users a chance to limit the placement of these cookies on their devices.

A compliant Cookie Policy needs to inform users of:

  • Which types of cookies your site uses and whether any of them are third-party cookies
  • Ways through which a user can opt out of having cookies on their devices
  • What cookies are and why they are in place
  • How you plan to use the cookies

What is the GDPR?

The ePrivacy Directive required all websites operating in the EU to display a cookie notification on every page of a site that sets cookies needing informed consent.

Some banners require active interaction by asking the user to choose between accepting and refusing the site's cookies, while others are in the form of a notice only.

The latter presumes that continued use of the site signifies user consent.

But the ePrivacy Directive didn't meet its objectives.

Lawmakers didn't predict the rise of social media and smartphone apps, and the growth in behavioral advertising and online tracking has eroded the privacy and confidentiality of web users.

Does this mean that your current Cookie Notice is not going to work under the GDPR?

The General Data Protection Regulation, also known as the GDPR, is legislation that regulates how organisations, websites included, handle personal data. As an EU regulation it applies directly in all European Union member states.

The GDPR impacts internal processes, workflows, and business systems.

This law gives individuals more rights over the information that is collected, used, and stored about them. Furthermore, the regulation stipulates strict requirements on user consent, documentation, transparency, and handling procedures.

The Cookie Law was generally understood to bind only businesses established in the EU; a site run from outside the EU that merely received EU visitors fell outside it. The GDPR's territorial scope is wider: any business that offers goods or services to, or monitors the behaviour of, people in the EU must comply, wherever it is based.

What Does the GDPR Mean For Cookie Consent?

Consent is a key consideration under the GDPR.

Cookies are not banned under the GDPR, but if you cannot prove that you obtained appropriate consent from each individual, you are at risk of non-compliance.

Most businesses used to rely on implied or opt-out consent. However, the GDPR no longer allows this.

Here's what changes with cookie consent under the GDPR.

Implied Consent No Longer Works

Under the GDPR, your users need to take an affirmative action to signal their consent. Implied consent no longer works. Implied consent is a statement along the lines of "by doing this general action, you are consenting to these unrelated things."

Previously, simply browsing your website was treated as enough implied consent to place your cookies on the user's device. That is no longer acceptable.

Today, the user needs to do something like tick an opt-in box or click a clearly labeled "accept" button to provide consent.

Your site needs to have an option where the user can either accept or reject cookies.

Here's an example of an acceptable method of getting consent to place cookies:

Cookies notice example of good consent

Adjust Browser Settings No Longer Works

Under the GDPR, your site must make it as easy for users to withdraw consent as it was to give it. For example, if a user ticks an opt-in box to provide consent, you must also offer an equally accessible opt-out control through which the user can withdraw that consent.

It's essential to note that telling users they can block cookies in their browser settings if they do not accept the cookies you use does not meet this requirement.

Specific Consent For Different Cookie Purposes

If your site uses different types of cookies for various data processing purposes, you'll need to provide valid consent mechanisms for each purpose.

Here's a way to do that by offering individual consent and control methods for each type of cookie you use:

UsabilityGeek Cookies Notice with settings for consent

What Constitutes Compliant Cookie Consent?

Under the GDPR, compliant cookie consent has to:

  • Be obtained through an affirmative action that shows consent (a checkbox or clearly labeled button)
  • Be withdrawable, in the sense that the user can opt out if they change their mind
  • Be informed, in that the user must know why, how, and where the personal data collected by cookies will be used. The user needs to be able to opt in to and out of the different types of cookies individually and to know what each cookie is used for.

If the consent notice itself is brief, link to your Cookie Policy, if you have one, or to the section of your Privacy Policy that gives further information about your use of cookies.
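The requirements in this section and in "Specific Consent For Different Cookie Purposes" above translate directly into a gate around every cookie write. The following is an added example, not code from the original article: a small consent manager in which nothing outside the strictly necessary category is written until the user takes an affirmative action, consent is recorded per purpose with a timestamp and policy version, and withdrawal is a single call that also deletes the cookies the withdrawn consent covered. The category names, cookie names and policy version are assumptions, and the in-memory cookie jar stands in for document.cookie so the example runs offline.

```javascript
// Added example: consent-gated cookie management (not the article's own code).
// Category names, cookie names and POLICY_VERSION are assumptions.

const POLICY_VERSION = "2018-05"; // assumed: change when the cookie policy changes

// Assumed categories. "required: true" marks strictly necessary cookies, which
// need no consent; every other category is off until the user opts in.
const CATEGORIES = {
  necessary: { required: true, cookies: ["session_id", "csrf_token"] },
  analytics: { required: false, cookies: ["_ga", "_gid"] },
  marketing: { required: false, cookies: ["_fbp"] },
};

// Minimal in-memory stand-in for document.cookie so the example runs offline.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar, categories = CATEGORIES) {
    this.jar = jar;
    this.categories = categories;
    // null means "no decision yet". Browsing, scrolling or dismissing a notice
    // never changes this; only record() does, so there is no implied consent.
    this.consent = null;
  }

  // Map a cookie name to its category; unknown cookies belong to no category
  // and are therefore never allowed.
  categoryOf(name) {
    for (const [cat, spec] of Object.entries(this.categories)) {
      if (spec.cookies.includes(name)) return cat;
    }
    return null;
  }

  // Allowed if strictly necessary or explicitly granted. No decision = refused.
  isAllowed(category) {
    const spec = this.categories[category];
    if (!spec) return false;
    if (spec.required) return true;
    return this.consent !== null && this.consent.granted[category] === true;
  }

  // Record an affirmative choice per purpose. Anything not explicitly `true`
  // is treated as refused, so a missing or pre-ticked box grants nothing.
  record(choices, now = Date.now()) {
    const granted = {};
    for (const [cat, spec] of Object.entries(this.categories)) {
      granted[cat] = spec.required || choices[cat] === true;
    }
    this.consent = { granted, timestamp: now, policyVersion: POLICY_VERSION };
    this.purgeDisallowed();
    return this.consent;
  }

  // Withdrawal is one call, mirroring the one click that gave consent, and it
  // removes the cookies that consent covered. Necessary cookies cannot be
  // withdrawn because they were never consent-based.
  withdraw(category) {
    const spec = this.categories[category];
    if (this.consent === null || !spec || spec.required) return false;
    this.consent.granted[category] = false;
    this.purgeDisallowed();
    return true;
  }

  // Every cookie write goes through the consent state.
  setCookie(name, value) {
    if (!this.isAllowed(this.categoryOf(name))) return false;
    this.jar.set(name, value);
    return true;
  }

  purgeDisallowed() {
    for (const name of this.jar.names()) {
      if (!this.isAllowed(this.categoryOf(name))) this.jar.remove(name);
    }
  }
}

// Constructed sequence of events showing the gate at each step.
function demo() {
  const cm = new ConsentManager(new MemoryCookieJar());
  const log = [];
  log.push(cm.setCookie("session_id", "abc")); // necessary: allowed before any choice
  log.push(cm.setCookie("_ga", "GA1.1"));      // analytics: blocked, no decision yet
  cm.record({ analytics: true });              // user ticks analytics only
  log.push(cm.setCookie("_ga", "GA1.1"));      // now allowed
  log.push(cm.setCookie("_fbp", "fb.1"));      // marketing still refused
  cm.withdraw("analytics");                    // one call to withdraw
  log.push(cm.jar.get("_ga") === undefined);   // _ga deleted on withdrawal
  return log;
}
```

On a live site the same gate has to sit in front of the third-party tags themselves: a script served from another domain sets its cookies on that domain, and your JavaScript cannot delete them afterwards, so "withdraw" in practice means not loading the tag again and letting its cookies expire. The recorded `consent` object is what you keep as evidence that consent was given, when, and against which version of the policy.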

Here's an example of a cookie notice that has a clearly labeled button for both accepting and declining cookies. A link to the Privacy Policy is included, as well as a brief basic description of what the cookies are used for and what they'll do.

Phorest Cookie Notice with accept and decline buttons

Does the GDPR Require a Cookies Policy?

While the GDPR does not explicitly require a Cookies Policy, it does require you to:

  • Obtain consent before placing most cookies
  • Inform your users about your use of cookies: what types you use, for what purposes, and how a user can revoke consent that's been given.

You can use your Privacy Policy to inform your users about cookies.

Here's an example of a good yet simple cookies clause that breaks down what type of cookie is used, for what purpose, how long it lasts and how users can opt out of it:

Gov UK Google Analytics cookies clause

The more transparent you are with your users, the more compliant you'll be with cookies and privacy laws.
