
February 13, 2023
When it comes to data privacy, what is at once the greatest source of risk, the most common method of user data collection, and one of the most crucial elements for compliance?
Cookies.
When investigating a business, regulators will often look at cookie compliance first, because cookies are one of the most common ways to collect, process, and transmit user data. A cookie is a small piece of text that a website asks the browser to store and send back with later requests; the identifiers it carries can be tied to the user's name, geo-location, IP address, website preferences, and more.
Fortunately, becoming cookie compliant is straightforward—but not necessarily easy.
Cookie compliance means ensuring your use of cookies is in accordance with data privacy laws. Each law comes with its own particularities. But in most cases, cookie compliance starts with informing users you use cookies, explaining how and why you use them, and gathering and recording users’ consent.
Failing to become cookie compliant is a violation of the data subjects’ rights. After all, you’re collecting and using their data without their consent.
The fines for this type of violation are huge. The exact amount varies from law to law, but as an example, under the GDPR fines can reach €20 million or 4% of global annual turnover for the preceding financial year, whichever is higher.
Privacy laws have varying requirements for cookie compliance. The EU General Data Protection Regulation (GDPR) is one of the strictest, but the newly enacted California Privacy Rights Act (CPRA) isn't too far behind. Let's review the three types of consent (opt-in, opt-out, and implicit) before looking at the specifics of cookie compliance under different laws.
First came the EU Cookie Law, the 2009 amendment to the ePrivacy Directive. It respected privacy rights in principle, but it wasn't a very strict law, and websites kept great freedom in how they used cookies. The arrival of the GDPR, the strictest data privacy law to date, changed that.
GDPR cookie compliance is all about opt-in consent. Under Article 4(11) of the GDPR, valid consent must be freely given, specific, informed, and unambiguous, and given by a clear affirmative action: pre-ticked boxes, cookie walls, and "by continuing to browse you agree" banners don't qualify. Non-essential cookies may not be set until that consent has been given.
Users must also be able to withdraw consent, and withdrawing must be as easy as giving it (Article 7(3)).
How do you prove you obtained consent from a person? By keeping records of the user's consent preferences (what they agreed to, when, and which version of your notice they saw) and proof that you acted on those preferences. There are many consent management platforms that can help you do this, so don't worry; you won't need to do it all manually!
CCPA/CPRA cookie compliance requires opt-out consent.
However, there are a few exceptions that require opt-in consent, such as for the sale or sharing of personal information belonging to minors under 16 or for using data collected via cookies for a secondary purpose beyond what you initially disclose to the user. Plus, if you think there’s a risk someone from the EU will stumble on your site, opt-in consent is the safer option.
More and more laws are coming into effect, like Brazil's LGPD or the Connecticut Data Privacy Act. Many follow the GDPR's approach to cookies and require opt-in consent, while the U.S. state laws generally follow California's opt-out model.
In some places, opt-out or implicit consent is still used, especially in the U.S. But to be on the safe side, businesses may want to consider securing opt-in consent just in case their local law changes, or if they expand and become subject to a stricter law.
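The opt-in and opt-out models above differ in one place that is easy to get wrong in code: what happens before the user has clicked anything. The following is an added example, not code from Osano or from this article, of a minimal consent gate that starts from the right default for each regime, refuses to set non-essential cookies the user has not agreed to, acts on withdrawal by deleting the cookies that depended on that category, and writes a timestamped, versioned record that can serve as proof of consent. The category names, the policy version string, the injectable clock, and the in-memory cookie jar are assumptions for illustration; a real site would set cookies through document.cookie (or by loading the tag that sets them) and persist the record server-side.

```javascript
// Added example (not Osano's code): a minimal consent gate for opt-in (GDPR-style)
// and opt-out (CCPA/CPRA-style) regimes with withdrawal and a proof-of-consent record.
// Category names, policy version, clock and the Map-based cookie jar are assumptions.

const CATEGORIES = ["essential", "analytics", "marketing"];

// Essential cookies never need consent. Every other category starts denied under an
// opt-in regime and allowed under an opt-out regime, until the user says otherwise.
function defaultConsent(regime) {
  if (regime !== "opt-in" && regime !== "opt-out") {
    throw new Error(`unknown regime: ${regime}`);
  }
  const choices = {};
  for (const c of CATEGORIES) {
    choices[c] = c === "essential" || regime === "opt-out";
  }
  return choices;
}

class ConsentManager {
  constructor(regime, policyVersion, now = () => Date.now()) {
    this.regime = regime;
    this.policyVersion = policyVersion; // which notice text the user was shown
    this.now = now;                     // injectable clock so records are reproducible
    this.record = null;                 // null until the user has interacted
    this.jar = new Map();               // stand-in for document.cookie
  }

  // Consent currently in force: the recorded choice if one exists, else the default.
  effective() {
    return this.record ? { ...this.record.choices } : defaultConsent(this.regime);
  }

  // Persist a timestamped, versioned snapshot of the user's choices. This is the
  // evidence that consent was given (or withdrawn) and under which policy version.
  recordChoice(choices) {
    for (const c of Object.keys(choices)) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    }
    const snapshot = { ...defaultConsent(this.regime), ...choices, essential: true };
    this.record = {
      regime: this.regime,
      policyVersion: this.policyVersion,
      recordedAt: new Date(this.now()).toISOString(),
      choices: snapshot,
    };
    this.enforce();
    return this.record;
  }

  // Withdrawal must be as easy as giving consent: one call flips a category off
  // and immediately removes the cookies that depended on it.
  withdraw(category) {
    return this.recordChoice({ ...this.effective(), [category]: false });
  }

  withdrawAll() {
    const all = {};
    for (const c of CATEGORIES) all[c] = false;
    return this.recordChoice(all);
  }

  // The gate: a cookie is only set if its category is currently permitted.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.effective()[category]) return false;
    this.jar.set(name, { value, category });
    return true;
  }

  // Acting on consent: drop any cookie whose category is no longer permitted.
  enforce() {
    const permitted = this.effective();
    for (const [name, meta] of Array.from(this.jar)) {
      if (!permitted[meta.category]) this.jar.delete(name);
    }
  }

  cookieNames() {
    return Array.from(this.jar.keys()).sort();
  }
}
```

The design choice worth copying is that the gate consults the regime default rather than an empty object when there is no record yet: with an opt-in regime that means an analytics or marketing tag that fires on page load is blocked until a record exists, which is exactly the behaviour regulators check for first.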
To check for cookie compliance, you must do a thorough review of your website, your policies, and the consent records you have (if any). Here are some things to consider.
Cookie compliance is not a complicated process, but that doesn't mean it's easy. It comes with various challenges, some easier to overcome than others.
While sometimes challenging, the compliance journey is straightforward.
If you want a consent management platform to tackle all your cookie compliance needs, Osano CMP might be just what you’re looking for. It’s easy to set up, comes with a customizable banner, and helps you with the much-needed proof of consent. To see it in action, sign up for a free account or request a demo.
Writer at Osano
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”