When the European Union established the General Data Protection Regulation (GDPR) in 2018, the EU saw it as simply an added layer of protection on top of the territory’s already well-established data protection directive. Many leaders in the US, however, were left scratching their heads: “If the latest iteration of data privacy in the EU is meant to protect EU residents, what does that have to do with us?”
A lot, as it turned out. Any American organization with users, data subjects, or clients residing in the EU became subject to the GDPR’s stricter data privacy rules, especially those governing cookie consent and cookie consent record-keeping.
Today, those laws remain firmly in force and continue to evolve. Make no mistake: Companies that offer goods or services to EU data subjects must comply with GDPR or face hefty penalties — including fines and data-processing bans.
What are cookies?
A cookie is a small text file that a website you visit sends to your computer through your browser. It is a technology that “remembers” something about you in order to improve a website’s functionality and/or overall user experience. It stores data such as login information, shopping carts, wish lists, and user inputs, and it is also used for analytics and advertising purposes.
The downside to that last part? The information cookies collect about you can be sold to other companies.
The EU ePrivacy Directive — the precursor to GDPR, established in 2002 and amended in 2009 — requires users to give consent before cookies or trackers are placed (except for those strictly necessary for a website’s function).
Additionally, when cookies can identify an individual, they are considered personal data under the GDPR. Therein lies the problem concerning cookie consent and the GDPR: Consent must be freely given, specific, informed, and unambiguous.
The internet makes separating U.S. citizens from EU citizens impossible, so cookie consent is not just an issue for the EU. People who visit American websites can live anywhere on the planet. If your site sets cookies and collects personal data about EU residents, your organization must comply with GDPR.
In January 2020, California enacted its own data privacy directive, the California Consumer Privacy Act. The CCPA, which will soon see its own major expansion in 2023, also treats cookies as "personal information" in most cases.
Thus, organizations that must comply with CCPA will need to disclose their cookie use and obtain consent. Unless a business is willing to eliminate residents of the EU and California from its customer base — and effectively block them from visiting its website — the organization must comply with both GDPR and CCPA and obtain cookie consent.
Cookie consent pop-up boxes are not the last step
Before information is collected via cookies or similar technologies, companies must show users a cookie notice, as required by the ePrivacy Directive. For consent to be valid under the GDPR, users must be able to either accept or decline the terms.
Unfortunately, many U.S.-based websites still fail to provide such notice in advance, so consent for GDPR purposes is not obtained. Some organizations, however, are taking the cookie consent requirements seriously and building cookie consent pop-up boxes into their websites.
Websites that fail to provide notice tend to focus instead on the personal information a user actively submits, such as name, address, phone number, and geographical location. Although the GDPR does not go into specifics about cookies, it does cover personal data gathered about EU residents — which can include cookies — and it provides clear direction on what constitutes consent.
Another GDPR requirement is that a company must be able to demonstrate that a data subject consented to having their personal data processed. In practice, this means organizations must be able to prove how and when consent was given through an audit trail.
Bottom line: If your organization collects data via cookies and obtains consent from users to do so, you must be able to demonstrate to regulators that you have obtained the necessary consent.
A quick guide to complying with data protection and cookie laws
The GDPR, CCPA/CPRA, and similar laws each have their own specific requirements. As data and technology continue to evolve, those requirements will inevitably change. Without a single set of requirements to comply with, designing a compliant cookie notice and consent method may seem impossible.
When it comes to ensuring cookie compliance within your organization, consider the following:
2. Choose how you want users to provide consent.
You can allow users to opt in, opt out, or give consent simply by continuing to use the site. The last of these is likely the simplest way to obtain consent and requires minimal coding on your page. That said, it does not meet the consent requirements of many jurisdictions. Users who want to control cookies themselves can also turn them off in their browser settings.
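The opt-in versus opt-out choice above, and the audit-trail requirement described earlier, can be implemented as a small consent gate that blocks non-essential cookies until an explicit choice is recorded. The following is an added example, not code from the article or from Osano; the category names, record fields and the in-memory cookie jar are assumptions made for illustration.

```javascript
// Added example (not from the article). Category names, record fields and the
// Map-based cookie jar are assumptions so the code runs outside a browser.
const NECESSARY = "necessary"; // strictly necessary cookies are exempt from consent

// Build the record a site keeps to demonstrate how and when consent was given.
// `choices` maps non-essential categories (analytics, advertising, ...) to true/false.
function recordConsent(choices, method, policyVersion, timestamp) {
  const categories = { [NECESSARY]: true };
  if (method === "opt-in") {
    // Only an explicit, affirmative action enables a non-essential category.
    for (const [cat, granted] of Object.entries(choices)) categories[cat] = granted === true;
  }
  // "implied" (consent by continuing to browse) is logged for the audit trail
  // but grants nothing beyond strictly necessary cookies.
  return { method, policyVersion, timestamp, categories };
}

// May a cookie of this category be stored under the current consent record?
function mayStore(record, category) {
  if (category === NECESSARY) return true;
  return record !== null && record.method === "opt-in" && record.categories[category] === true;
}

// Gate a cookie write through the consent check; `jar` stands in for document.cookie.
function setCookie(jar, record, name, value, category) {
  if (!mayStore(record, category)) return false;
  jar.set(name, value);
  return true;
}

// Walk through the three consent states the article describes (constructed sample data).
function demo() {
  const jar = new Map();
  const results = {};
  // 1. No banner interaction yet: analytics cookie must be blocked.
  results.beforeBanner = setCookie(jar, null, "analytics_id", "a1", "analytics");
  // 2. Consent by continuing to browse: recorded, but analytics is still blocked.
  const implied = recordConsent({ analytics: true }, "implied", "policy-v3", "2024-01-15T10:00:00Z");
  results.implied = setCookie(jar, implied, "analytics_id", "a1", "analytics");
  // 3. Explicit opt-in to analytics only; advertising stays declined.
  const explicit = recordConsent({ analytics: true, advertising: false }, "opt-in", "policy-v3", "2024-01-15T10:00:05Z");
  results.analytics = setCookie(jar, explicit, "analytics_id", "a1", "analytics");
  results.advertising = setCookie(jar, explicit, "ad_id", "b2", "advertising");
  results.session = setCookie(jar, explicit, "sid", "s3", NECESSARY);
  return { results, stored: [...jar.keys()], audit: [implied, explicit] };
}
```

The `audit` array is what a regulator would ask for: each entry states the mechanism, the policy version shown, the timestamp, and exactly which categories were granted.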
3. Choose your cookie-consent build tool.
Fortunately, there are free cookie consent tools — as well as DIY open-source cookie consent resources — to help organizations customize and build compliant cookie notices. Many are even tailored to individual countries’ cookie laws, and several include paid resources to help modify your site when a user opts out or declines cookies.
Paid versions of the cookie consent pop-up resemble the free open-source ones but provide more features.
The paid version by Osano, for example, automatically handles geolocation and language detection so visitors see the appropriate type of consent dialog (in their own language, no less). It also tracks every consent, helping companies with their cookie consent record-keeping.
While the GDPR and other privacy laws will ultimately benefit us all by promoting transparency, organizations must leverage the tools available to help them comply with these complex, sometimes confusing regulations.
We’re here to help. Get your organization up to speed and compliant with Osano’s cookie consent management software.