Cookies are also a popular topic once again. However, there seems to be a lot of misinformation about how cookies relate to the GDPR and what your responsibilities are as a website owner when it comes to consent and security. When you think about data law and privacy legislations, cookies easily come to mind as they’re directly related to both. This often leads to the common misconception that the Cookie Law (ePrivacy directive) has been replaced by the GDPR, which in fact, has not. Instead, you can think of the ePrivacy Directive and GDPR as working in harmony with each other, but in the case of cookies, the ePrivacy generally takes precedence.
The ePrivacy Directive, commonly known as the Cookie Law, came into effect in the E.U. in 2002. It has been amended a few times but has remained largely the same and covers electronic privacy as it relates to website cookies.
Cookies Aren’t All BadMention “cookies” and most people expect a chocolate chip treat to appear. When it comes to computers, however, cookies aren’t on the dropdown menu. In fact, they’re not even physical objects. And while they do a great deal of the work that makes it more convenient for you to browse the Internet, they can be troublesome if you don’t know how to clear or delete cookies.
- Consent to cookies must be informed and based on an explicit affirmative action. Subject to the local authority, these actions may include continued browsing, clicking, scrolling the page or some method that requires the user to actively proceed.
- The cookie law requires users’ informed consent before storing cookies on a user’s device and/or tracking them.
- You have to give visitors the opportunity to provide, withdraw or refuse consent. Before consent is obtained, no cookie-related scripts can be run on your site.
- The Cookie Law does not require that records of consent be kept but instead, indicates that you should be able to prove that consent occurred — even if that consent has been withdrawn.
At the same time, users must also be given the option to refuse consent. This doesn’t mean you have to provide them with a way to turn cookies off directly through your site. In fact, in most cases, the built-in cookie-blocking settings in major browsers are considered a valid method of withdrawing consent. Most importantly, you have to make sure that no installation or data collection is performed before the user has a chance to provide consent or refuse it.
You don’t need to keep active records of each user’s consent. This is a common area of confusion since consent records are often required under the GDPR. Now, this could change over time, and in the U.S. many states are creating their own privacy laws, and at any one time you should be ready with a consent manager to still prove a cookie was dropped. So we are not advocating you just forget about consents and tracking. We are just merely saying that if you get a request to prove today, you don't necessarily have to show a log, but show a process did occur in obtaining a consent.
Proof of ConsentWhen it comes to the Cookie Law and consent, you must simply be able to provide proof of consent if the need arises. The best way to do this is to use a cookie management solution like Osano that automatically blocks cookie scripts until consent is obtained. Therefore, if you ever need to prove consent, the fact that cookie scripts were installed in the first place is sufficient evidence that a consenting action took place.
Imagine that the ability to run cookies is like entering your office. The cookie management solution is the door to your office, and the cookie consent is the act of opening the door handle. In this analogy, you can only enter the office through the door if the door handle is rotated (the act of giving consent). In this example, if you’ve entered the office it can only be because the door handle was rotated and, therefore, your presence in your office is sufficient proof of this fact.
Showing a cookie banner at the user’s first visit the notice must:
- briefly explain the purpose of the installation of cookies that the site uses;
- clearly state which action will signify consent;
- be sufficiently conspicuous so as to make it noticeable;
- indicate the type of cookies installed (e.g. statistical, advertising, etc.);
- describe in detail the purpose of installing of cookies;
- indicate which third-parties are or could be installing cookies, with a link to their respective policies and any opt-out forms (where available);
- be available in all languages in which the service is provided;
- Blocking cookies before consent;
- In compliance with the general principles of privacy legislation, which prevent the processing before consent, the cookie law does not allow the installation of cookies before obtaining user consent. In practice, this means that you may have to employ a form of script blocking prior to user consent.