Cookie Consent Requirements: Are You Doing Enough?

GDPR Changes Everything

The General Data Protection Regulation, more often referred to as the GDPR, is a relatively new mandate that is causing all kinds of confusion, at least in the U.S. It originates in the EU and is intended to protect EU citizens' right to data privacy. Mandates of this kind are nothing new: the EU has had a similar, albeit more narrowly focused, data protection directive in place since as far back as 1980 and implemented the ePrivacy Directive in 2009.

While residents of the EU may be comfortable with the evolution of data protection regulations, many organizations in the U.S. are scratching their heads as to what they need to be doing to be in compliance with the GDPR. Specifically, there are questions about cookie consent requirements and cookie consent record keeping. Make no mistake, even if an organization operates outside of the EU, it must comply with GDPR or face hefty penalties, including fines and data processing bans, if it offers goods or services to EU data subjects.

What are Cookies?

A “cookie” is a technology that lets a website remember something about you. Cookies have gotten a bad rap over the years, but they aren’t all bad. In some cases they are helpful: they act as a short-term memory that lets websites create an easier user experience (remembering items you put into your cart, for instance). On the other hand, some cookies track you for marketing and advertising purposes, and the information they collect about you is then sold to other companies.

The EU ePrivacy Directive requires that users provide consent before cookies or trackers are placed (except for those strictly necessary for the functioning of the website). Furthermore, when cookies can identify an individual, it is considered personal data under the GDPR. Therein lies the problem as it relates to cookie consent and the GDPR: consent under the GDPR must be freely given, specific, informed, and unambiguous. Few organizations are transparent about how they use the personal data of their data subjects when they use cookies. Even if they do provide this information, it’s typically buried in complicated privacy policies few people read. When organizations use cookies, many people are either completely unaware that their personal data is being collected or don’t know if there’s anything they can do to prevent it.

The World Wide Web makes separating U.S. citizens from EU citizens impossible, so cookie consent is not just an issue for the EU. People who visit American websites can originate from anywhere on the planet. If cookies are present on the site and collecting personal data from EU residents, the organization behind the website is now on the hook to comply with the GDPR. Moreover, California has enacted its own GDPR-like mandate (the California Consumer Privacy Act, or CCPA) that goes into effect on January 1, 2020. The CCPA also treats cookies as "personal information" in most cases, so organizations that need to be compliant with the CCPA will need to disclose the use of cookies and obtain consent in most cases. Combined, the GDPR and the CCPA mean that unless a business is willing to eliminate residents of the EU and California from its customer base (and block them from visiting its website), the organization must comply with both the GDPR and the CCPA and obtain cookie consent.

Cookie Consent Pop-Up Boxes Are Not The Last Step

The ePrivacy Directive cookie consent requirements force organizations to provide users with a cookie notice before information is collected via cookies and similar technologies. To give proper consent under the GDPR, users need to be able to accept or decline the terms. Unfortunately, many U.S.-based websites still fail to provide such notice in advance, so consent for GDPR purposes is often not obtained. Some organizations, however, are taking the cookie consent requirements seriously and building cookie consent pop-up boxes into their websites. We’ve all seen them, but besides informing visitors that the website uses cookies, are they really giving people a true opportunity to opt out, as the GDPR requires? Unfortunately, in many cases, the answer is no.

Cookie consent pop-up boxes may make it look like the organization is giving website visitors control of their personal data, but many are nothing more than an inoperative placeholder. Even if the user clicks “decline”, the website still runs its tracking JavaScript, sets its cookies, and processes the visitor's information regardless.

Links to company privacy policies are also ineffective ways to obtain consent. Even if a user were to read through the organization’s privacy policy, most policies fail to address the kind of data that is collected by cookies. Instead, they focus on the personal information that users submit, such as the user's name, address, phone number and geographical location. Although the GDPR doesn’t go into much detail about cookies specifically, it does cover personal data gathered about EU residents, which can include cookies, and it does give clear direction on what constitutes consent.

The GDPR also requires that organizations be able to demonstrate that a data subject has given consent for his or her personal data to be processed by that organization. This means that organizations must be able to produce an audit trail of how and when consent was given. When organizations use cookies and obtain consent from users, they must be able to demonstrate to regulators that they have obtained the necessary consent.

A Quick Guide to Complying with Data Protection and Cookie Laws

The GDPR, CCPA, and many laws yet to come all have specific requirements. As data and technology continue to evolve, those requirements will inevitably change. Without a single set of requirements with which to comply, designing a compliant cookie notice and method of consent may seem impossible.

Here are a few options when it comes to ensuring your organization is cookie compliant:

1. Disclose that you use cookies

The first step is to let your website visitors know that you use cookies. A pop-up box is the best way to get their attention and it should be on the first page they visit.

2. Choose how you want your users to provide consent

You can allow users to opt in, opt out, or provide consent by continuing to use the site. The latter is likely the simplest way to obtain consent and requires minimal coding on your page, but it does not meet consent requirements in many jurisdictions. Your users can also turn off cookies in their browser settings if they choose to control cookies themselves.

If you decide on the opt-out method, provide a button where they can decline the use of cookies. This option requires more work on your side, but it does give users direct control over cookies specific to your website.

If the opt-in option is preferred, you will give your users the ability to proactively accept the use of cookies. You cannot use cookies if they do not accept the request. As with the opt-out method, you will have to modify your site to disable cookies if the user requests it.
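The following is an added example (not code from the article or from any vendor it mentions) of how a site can make opt-in and opt-out actually take effect in the browser: tracking code registers with a consent gate instead of setting cookies directly, a decline removes non-essential cookies already present, and every decision is logged with a timestamp for the audit trail. The essential cookie names and the `_ga`-style tracker names in the test are constructed; the cookie jar is abstracted so the same logic runs against `document.cookie` in a browser or an in-memory store in Node.

```javascript
// Strictly necessary cookies (constructed names) are exempt from consent.
const ESSENTIAL = new Set(['session_id', 'csrf_token']);

// In-memory cookie jar for Node/tests; documentJar() wraps document.cookie.
function memoryJar() {
  const store = new Map();
  return { get: (k) => store.get(k), set: (k, v) => store.set(k, v),
           remove: (k) => store.delete(k), keys: () => [...store.keys()] };
}
function documentJar() {
  const parse = () => Object.fromEntries(
    document.cookie.split('; ').filter(Boolean).map((c) => c.split('=')));
  return { get: (k) => parse()[k], keys: () => Object.keys(parse()),
           set: (k, v) => { document.cookie = `${k}=${v}; path=/; SameSite=Lax`; },
           remove: (k) => { document.cookie = `${k}=; Max-Age=0; path=/`; } };
}

function createConsentManager(jar) {
  let consent = null;   // null = no decision yet, true = opt-in, false = declined
  const queued = [];    // trackers waiting for an opt-in
  const log = [];       // audit trail: how and when each decision was made
  const record = (decision, source) =>
    log.push({ decision, source, at: new Date().toISOString() });
  return {
    // Trackers register a callback instead of setting cookies directly,
    // so nothing runs until the visitor actually opts in.
    onConsent(fn) { if (consent === true) fn(jar); else queued.push(fn); },
    accept(source = 'banner') {
      consent = true; record('accepted', source);
      while (queued.length) queued.shift()(jar);
    },
    decline(source = 'banner') {
      consent = false; record('declined', source);
      queued.length = 0;                          // drop pending trackers
      for (const k of jar.keys()) if (!ESSENTIAL.has(k)) jar.remove(k);
    },
    // Single choke point for cookie writes: essential always passes,
    // everything else only after an explicit opt-in.
    setCookie(name, value) {
      if (!ESSENTIAL.has(name) && consent !== true) return false;
      jar.set(name, value); return true;
    },
    status: () => consent,
    auditLog: () => log.slice(),
  };
}
```

In a page, `createConsentManager(documentJar())` is created once at load and the banner's buttons call `accept()` or `decline()`; any third-party tag is loaded inside an `onConsent` callback so it cannot run before a decision.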

3. Choose your cookie consent build tool

Fortunately, there are free, open-source resources to help organizations customize and build compliant cookie notices, even ones specific to each country’s cookie law, as well as paid resources that go a step further and help you modify your site if the user opts out or declines cookies.

Paid versions of the cookie consent pop-up are similar to the free open-source versions but provide more features. The paid version by Osano, for example, automatically handles geolocation and language detection so visitors see the appropriate type of consent dialog in the appropriate language. The paid version also tracks the consents, helping companies with their cookie consent record keeping.

While the GDPR and other privacy laws will ultimately benefit us all by promoting transparency, organizations must leverage the tools available now to help them comply with these complex and sometimes confusing regulations. The genie is out of the bottle, so to speak. With the massive amounts of personal data already circulating, we can only play catch-up and try to provide meaningful protection going forward.