Since the introduction of GDPR and the revision of the Privacy and Electronic Communications Regulations there are some pretty strict steps to follow in order to ensure cookie compliance.
The PECR is a piece of privacy legislation that requires website owners to get consent from visitors to store their data. It basically protects their privacy online by making people aware of how information about them is used and gives them a choice to allow it or not. This is also now supported by the introduction of the GDPR.
Here are some of the top issues for cookie consent that GDPR raises.
Cookies can be personal data.
So GDPR explicitly states that anything that identifies an individual is personal data, this includes online pseudonyms. Any cookie that is unique to the device and which can be used to identify someone (whether directly or indirectly) is therefore personal data.
Implied consent is no longer compliant
There are several reasons for this. Mainly because the GDPR requires users to make an “affirmative action” to give consent. So just hoping that people will not opt out won’t do!
Advice to adjust browser settings isn’t enough
The GDPR dictates it must be as easy to withdraw consent as it is to give it. So just telling people to block cookies if they don’t consent would not meet these criteria.
‘By using this site, you accept cookies’ – will not be compliant
If there is no free choice, then there is no valid consent. Additionally, people that don’t consent can’t suffer because of it, so you have to provide some services to those who do not accept your terms.
Sites will need an always available opt-out
Even after giving consent, there must be the opportunity to withdraw it at any time. Again, this comes down to the requirement that withdrawing must be as easy as giving consent.
Cookie specific consent
Sites that use different types of cookies with different processing purposes will need consent for each purpose. This means cookie controls or ‘preferences’ must be granular.
So how do you stay compliant?
In order to meet all of these criteria there is several steps you must take. Here’s the basics.
- You must have a cookie notice, that is visible throughout your website and has an option to withdraw consent.
- The cookie notice must include an explicit ‘opt-in’ and an option for ‘settings’ or ‘preferences’ – where users can select which cookies, they give consent for.
- You should provide a cookie policy–a policy detailing what, why and when you use cookies.
If you require further information or guidance on cookie compliance please contact us.