GDPR and Cookie Consent: What Businesses Need to Know

The European Union’s General Data Protection Regulation (GDPR) went into effect in 2018, affecting businesses around the world. The GDPR requires any business website with customers in the EU to explain what data it collects and how that data is used. And while the GDPR doesn’t provide guidance on website cookies specifically, its language about consent does apply to cookies.

In this post, we’ll look at cookie consent and the GDPR and what businesses can do to make sure they’re compliant.

A website cookie is a small package of data that a website sends to a user’s browser; the browser then returns the data unaltered. Cookies may be essential to a website’s functionality — for example, websites that require a login use cookies to “remember” a user who is navigating through a website, so that the user doesn’t have to log in on every page.

Cookies may also collect information for marketing purposes, such as products a user views, or the types of websites a user visits. Websites must include language that explains how they use cookies and for what purpose.

Cookies are generally classified by:

Duration

Cookies may expire at the end of a website session or when a user closes their browser. Persistent cookies are those that remain on a user’s hard drive until their pre-set expiration date, or until a user deletes them.

Provenance

This includes first-party cookies, placed by the website a user is visiting, and third-party cookies, such as advertising cookies.

Purpose

• Strictly necessary cookies — These are first-party, session-based cookies essential to website functionality. Consent is not required for these, but the website must notify visitors that these cookies are in use and explain their function.

• Preference cookies — These cookies store information about user preferences, such as location and login credentials.

• Statistics cookies — These cookies collect information about how users interact with a website, then aggregate the data to offer a view of website performance, such as the most popular pages.
  
  
• Marketing cookies — These are persistent (and usually third-party) cookies that track users' online behavior for the purpose of delivering targeted ads. These cookies may share information with other entities.

As we mentioned earlier, the GDPR doesn’t include a section on cookies — in fact, if you search the text of the GDPR, you’ll find that “cookie” is mentioned only once (in the preamble). An earlier set of regulations — the ePrivacy Directive (ePD) — does require businesses to request cookie consent, which is why ePD came to be known as “The Cookie Law.”

GDPR language covers how data is collected and used, and affords consumers certain rights to protect their privacy. That’s why it’s applicable to cookie policies.

GDPR’s language has the following implications for cookie consent:

Users should be presented with an action (usually a clickable button) for accepting or rejecting cookies.

Users should have a clear choice about whether to allow cookies (an “Accept all” button is insufficient — a “Reject” option must be one of the available options).

For a user to make an informed decision about consent, a website must clearly explain its use of cookies and the information they collect, as well as the purposes for collecting that information.

The method of approving or rejecting cookies must be accessible for all users. For example, the clickable buttons would need to be accessible by mouse, and by keyboard-only.

Websites should store information about consent — when and how users provided consent, and how the cookie policy was worded at the time.

This means that users who previously consented to cookies can retract their consent at any time.

In 2020, a French regulatory body fined Google $118.82 million USD for illegally transferring cookies to user devices without their consent. This is one of the largest GDPR-related fines to date, and it could be an indication that enforcement is ramping up.

To avoid potential fines, businesses can implement the following best practices:

Many businesses don’t have a way to keep track of third-party cookies they previously allowed on their website. Use a tool that can scan your site for cookies, from a solution that specializes in website compliance.

To be compliant with data privacy laws, websites must use language that helps users understand what they’re agreeing to when they accept cookies. To that end, it’s important to explain what cookies are and how they work.

A good cookie policy offers users some introductory text, with a link that leads to an expanded explanation. While users might not read that explanation, providing it is a good way to shield yourself from complaints and fines.

Show users what types of cookies your site uses and allow them to change their cookie permissions for non-essential cookies.

A popup or GDPR cookie banner that introduces your privacy/cookie policy needs to be accessible for assistive reading technology.

Because data privacy regulations are always evolving, it’s good practice to review your cookie policy at least once per year.

Trying to determine which regulations apply to your site, which cookies are on your site, and whether your site is compliant can be time-consuming and stressful. Consult an expert that can evaluate your site and make recommendations that ensure compliance.

A compliant GDPR cookie consent policy covers all the key points: transparent language about the presence, purpose, and use of cookies; a clear menu of options; and accessible methods for consenting or rejecting cookies.

Any cookie that is not essential to a website’s functionality requires consent in the EU.

The GDPR applies to any website with users in the EU regardless of where the website originated, so it does apply to US websites.

Monsido helps companies maintain compliance with data privacy regulations. In 2021, we added a new feature — Monsido Consent Manager — that quickly evaluates site compliance with cookie consent requirements and provides recommendations for improvement.

The Monsido team has years of experience analyzing websites and providing guidance on how to improve the user experience. Whether you’re looking to fine-tune your cookie policy or ensure every page on your site is accessible for users with disabilities, we can help.