Updated: March 21, 2023
Published: September 13, 2022
When the European Union's General Data Protection Regulation (GDPR) took effect in May 2018, it replaced a data protection directive that had been in force across the EU since 1995, so for European organizations it was a tightening of rules they already knew. Many U.S. leaders, on the other hand, were left scratching their heads: "If the latest iteration of data privacy in the EU is meant to protect Europeans, what does that have to do with us?"
A lot, as it turned out. The GDPR applies to any organization, American ones included, that offers goods or services to people in the EU or monitors their behavior there. That brought U.S. companies under its stricter rules on consent, especially cookie consent and the record-keeping that goes with it.
Those rules are still in force and keep evolving through regulator guidance and court rulings. Make no mistake: companies that offer goods or services to EU data subjects must comply with the GDPR or face hefty penalties, including fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, and orders to stop processing.
A cookie is a small piece of data that a website asks your browser to store (through the Set-Cookie HTTP header or through JavaScript) and to send back with every later request to that site. It is the mechanism that lets a site "remember" something about you to improve functionality or the overall user experience: login sessions, shopping carts, wish lists, user inputs, and more. It is also used for analytics and advertising, where the cookie typically holds a unique identifier that lets a tracker recognize the same browser across visits and, with third-party cookies, across sites.
The downside to that last part? The profile that identifier ties together, your browsing history, interests, and location, can be sold or shared with other companies.
The EU ePrivacy Directive, adopted in 2002 and amended in 2009, sits alongside the GDPR rather than being replaced by it. Its Article 5(3) requires that users consent before cookies or similar trackers are stored on or read from their device, except for those strictly necessary to provide a service the user has requested.
Additionally, when a cookie can identify an individual (Recital 30 of the GDPR lists cookie identifiers among online identifiers), the data it holds is personal data under the GDPR. Therein lies the problem concerning cookie consent and the GDPR: consent must be freely given, specific, informed, and unambiguous, and it must be expressed through a clear affirmative action (Article 4(11)).
When it comes to cookies, some organizations may not be transparent about how they use personal data. Even if they do provide this information, it’s often buried in complicated privacy policies few people read. When organizations use cookies, many people are completely unaware their personal data is being collected. Often, they don’t even know whether they can prevent it.
Because the GDPR protects people who are in the EU regardless of citizenship, and because a plain web request does not reliably tell you where a visitor is, cookie consent is not just an issue for the EU. People who visit American websites can live anywhere on the planet. If your site sets non-essential cookies and collects personal data about visitors in the EU, your organization must comply with the GDPR.
California's own privacy law, the California Consumer Privacy Act (CCPA), took effect in January 2020 and was expanded by the California Privacy Rights Act (CPRA), most of which applied from January 1, 2023. The CCPA's definition of "personal information" covers unique identifiers, which in most cases includes cookies and the identifiers they carry.
Organizations subject to the CCPA therefore need to disclose their cookie use and honor opt-outs. Note the difference in model: the CCPA is an opt-out regime that requires a way to refuse the sale or sharing of personal information (affirmative opt-in is required only for consumers under 16), whereas the ePrivacy Directive and the GDPR require opt-in consent before non-essential cookies are set. Unless a business is willing to eliminate residents of the EU and California from its customer base, and effectively block them from visiting its website, it must comply with both the GDPR and the CCPA and obtain cookie consent.
Before information is collected via cookies or similar technologies, companies must present users with a cookie notice, as required by the ePrivacy Directive. For consent to be valid under the GDPR, users must have a genuine choice: a way to accept and an equally easy way to decline.
Unfortunately, many U.S.-based websites still fail to provide such notice in advance, thus consent for GDPR purposes is not obtained. Some organizations, however, are taking the cookie consent requirements seriously, building cookie consent pop-up boxes on their websites.
Still, besides informing visitors that a website uses cookies, are cookie consent pop-ups really giving people a true opportunity to refuse, and to withdraw consent later as easily as they gave it (yet another GDPR requirement, in Article 7(3))? Often, the answer is no.
While cookie consent pop-up boxes may make it look as though an organization is giving website visitors control of their personal data, many are nothing more than an inoperative placeholder: the tracking scripts are loaded when the page renders regardless of the banner, and even if a user clicks "decline", the site's JavaScript keeps running, the cookies are set, and that user's information is processed anyway.
Another ineffective way to obtain cookie consent? Including links to company privacy policies. Even if a user were to read through the organization’s privacy policy, most policies fail to address the kind of data collected by cookies.
Instead, they focus more on the personal information a user submits, like name, address, phone number, and geographical location. Although the GDPR mentions cookies only in passing, it covers all personal data gathered about people in the EU, which can include cookie identifiers, and it gives clear direction on what constitutes consent.
Another GDPR requirement, in Article 7(1), says a company must be able to demonstrate that a data subject consented to having their personal data processed. This means organizations must keep an audit trail showing how and when consent was given: what the visitor was shown, which categories they agreed to, and when.
Bottom line: if your organization sets cookies and obtains consent from users to do so, you must be able to demonstrate to regulators that you obtained that consent.
The GDPR, CCPA/CPRA, and others like them all have specific requirements. As data and technology continue to evolve, those requirements will inevitably change. Without a single set of requirements with which to comply, designing a compliant cookie notice and method of consent may seem impossible.
When it comes to ensuring cookie compliance within your organization, consider the following:
First and foremost, let your website visitors know you use cookies. A banner or pop-up is the best way to get their attention, and it should appear on the first page they visit, before any non-essential cookie is set.
You can let users opt in, let them opt out, or treat continued use of the site as consent. The last option is the simplest to build and needs almost no code, but it is not valid consent under the GDPR, which requires a clear affirmative action, and it fails in many other jurisdictions too. Users can also block cookies in their browser settings, but that does not relieve you of the duty to ask.
If you choose the opt-out method, provide a button where users can decline the use of cookies. This option requires more work on your side and gives users direct control over cookies specific to your website, but opt-out on its own matches the CCPA model, not the GDPR's opt-in requirement for non-essential cookies.
If the opt-in option is preferred, users proactively accept the use of cookies on your site, and you cannot set non-essential cookies, or load the scripts that set them, until they do. As with the opt-out method, you will have to modify your site so that cookies and trackers are actually disabled when the user declines, rather than merely recording the click.
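To make the opt-in flow above and the audit-trail requirement concrete, and to show the difference between a working gate and the placeholder pop-up described earlier, here is an added JavaScript example. It is not Osano's code and was not part of the original article; the category names, storage keys, policy version string and script paths are assumptions chosen for illustration. Storage, the clock and script loading are passed in as dependencies so the same logic runs in a browser and in a test without a page.

```javascript
// Added example (not Osano's code): a consent gate that keeps non-essential
// scripts and cookies off the page until the visitor opts in, and appends every
// decision to a consent log. The category names, storage keys, POLICY_VERSION
// and script paths below are assumptions made for illustration.

const ESSENTIAL = 'essential';                          // strictly necessary: exempt from consent
const CONSENT_CATEGORIES = ['analytics', 'marketing'];  // non-essential: need prior opt-in
const POLICY_VERSION = '2023-03';                       // bump whenever the notice text changes

// Anti-pattern the article describes: the tracker runs no matter what the
// banner says, so "decline" is decorative.
function placeholderBanner({ store, loadTracker }) {
  loadTracker('analytics');                             // fires on page load, before any click
  return { decline() { store.set('consent', 'declined'); } }; // flag only; tracking already running
}

// Hardened pattern: nothing non-essential loads without a stored, explicit opt-in.
// deps: store {get(key) -> string|null, set(key, value)}, now() -> epoch ms,
//       loadTracker(category) -> injects that category's script.
function createConsentGate({ store, now, loadTracker }) {
  const RECORD_KEY = 'consent_record';                  // latest decision
  const LOG_KEY = 'consent_log';                        // append-only audit trail
  const loaded = new Set();                             // categories whose scripts already ran

  const current = () => JSON.parse(store.get(RECORD_KEY) || 'null');
  const history = () => JSON.parse(store.get(LOG_KEY) || '[]');

  function isAllowed(category) {
    if (category === ESSENTIAL) return true;
    const rec = current();                              // null = no decision yet = not allowed
    return rec !== null && rec.allowed.includes(category);
  }

  // Load scripts for consented categories, each at most once. Safe to call on
  // every page view: without a stored opt-in it does nothing.
  function resume() {
    const rec = current();
    if (rec === null) return [];
    const started = rec.allowed.filter((c) => !loaded.has(c));
    for (const c of started) { loaded.add(c); loadTracker(c); }
    return started;
  }

  function decide(action, categories) {
    // Only known non-essential categories can be granted; unknown names are dropped.
    const allowed = categories.filter((c) => CONSENT_CATEGORIES.includes(c));
    const rec = { action, allowed, policy: POLICY_VERSION, at: now() };
    store.set(RECORD_KEY, JSON.stringify(rec));
    store.set(LOG_KEY, JSON.stringify([...history(), rec])); // never overwrite earlier entries
    resume();
    return rec;
  }

  return {
    isAllowed, current, history, resume,
    accept: (categories) => decide('accept', categories),
    acceptAll: () => decide('accept', CONSENT_CATEGORIES),
    decline: () => decide('decline', []),
    // Withdrawal must be as easy as giving consent. A script already on the page
    // cannot be unloaded, so the caller should also expire that category's cookies.
    withdraw: () => decide('withdraw', []),
  };
}

// Browser wiring (skipped under Node): the tracker tags are NOT in the HTML;
// they are injected only when the gate calls loadTracker.
if (typeof window !== 'undefined' && window.localStorage) {
  const SCRIPT_SRC = { analytics: '/vendor/analytics.js', marketing: '/vendor/ads.js' }; // assumed paths
  const gate = createConsentGate({
    store: { get: (k) => window.localStorage.getItem(k), set: (k, v) => window.localStorage.setItem(k, v) },
    now: () => Date.now(),
    loadTracker: (category) => {
      const s = document.createElement('script');
      s.src = SCRIPT_SRC[category];
      document.head.appendChild(s);
    },
  });
  window.consentGate = gate;   // banner buttons call consentGate.acceptAll() / .decline()
  gate.resume();               // returning visitor with a stored opt-in: load what they allowed
}
```

The property that matters is the default: with no stored decision, isAllowed() returns false for every non-essential category and resume() loads nothing, so scrolling or continuing to browse never starts tracking. Each call to accept, decline or withdraw appends a timestamped entry (with the policy version the visitor was shown) to the log, which is the record you would export if a regulator asks how and when consent was obtained. A real deployment would also copy that record server-side, keyed to a session or account, rather than leaving it only in the visitor's localStorage, where the visitor can clear it.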
Fortunately, there are free cookie consent tools — as well as DIY open-source cookie consent resources — to help organizations customize and build compliant cookie notices. Many are even specific to each country’s cookie law, and several include paid resources to help modify your site if a user opts out or declines cookies.
Paid versions generally start from the same pop-up as the free open-source ones but add the features that are hard to build yourself.
Osano's paid version, for example, handles geolocation and language detection automatically so visitors see the appropriate consent dialog in their own language, and it records every consent decision, covering the record-keeping requirement described above.
While the GDPR and other privacy laws will ultimately benefit us all by promoting transparency, organizations must leverage the tools available to help them comply with these complex, sometimes confusing regulations.
We’re here to help. Get your organization up-to-speed and compliant with Osano’s cookie consent management software.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.