Cookies: Proof of Consent vs. Records of Consent

  • by Dennis Dayman
  • last updated July 29, 2020

Security, privacy, and related topics have been all over the news in recent months and years. Much of this is due to the roll-out of the General Data Protection Regulation (GDPR) in 2018, the E.U.'s set of legal rules on how personal data must be handled.

Cookies are also a popular topic once again. However, there seems to be a lot of misinformation about how cookies relate to the GDPR and what your responsibilities are as a website owner when it comes to consent and security. When you think about data law and privacy legislation, cookies easily come to mind, as they're directly related to both. This often leads to the common misconception that the Cookie Law (the ePrivacy Directive) has been replaced by the GDPR, which in fact it has not. Instead, you can think of the ePrivacy Directive and the GDPR as working in harmony with each other, but in the case of cookies, the ePrivacy Directive generally takes precedence.

The ePrivacy Directive, commonly known as the Cookie Law, came into effect in the E.U. in 2002. It has been amended a few times but has remained largely the same and covers electronic privacy as it relates to website cookies.

Cookies Aren’t All Bad

Mention “cookies” and most people expect a chocolate chip treat to appear. When it comes to computers, however, cookies aren’t on the dropdown menu. In fact, they’re not even physical objects. And while they do a great deal of the work that makes it more convenient for you to browse the Internet, they can be troublesome if you don’t know how to clear or delete cookies.

A cookie is a small file that a website stores on a user's computer. The browser sends the cookie back to the website owner with each request, which tells the site about the visitor's browsing activity and enables it to deliver a more personalized user experience. This isn't always a bad thing. For example, many online retailers use cookies to keep track of the items in a user's shopping cart as they explore the site. Without cookies, your shopping cart would reset to zero every time you clicked a new link on the site, making it difficult to buy anything online. A website might also use cookies to keep a record of your most recent visit or to record your login information. Many people find this useful because they don't have to re-enter their password and personal information every time they visit the site.

Different types of cookies keep track of different activities. Session cookies are used only when a person is actively navigating a website; once you leave the site, the session cookie disappears. Tracking cookies may be used to create long-term records of multiple visits to the same site. Authentication cookies track whether a user is logged in, and if so, under what name. No matter the type of cookie, the Cookie Law now regulates how they can be used.

What Is Cookie Consent

The Cookie Law requires that a website owner that uses cookies must obtain consent from the user before any cookie files are stored on their computer or another device. This means:

  • You must let visitors know from the get-go that your site uses cookies, in a clear and visible way.
  • Consent to cookies must be informed and based on an explicit affirmative action. Subject to the local authority, these actions may include continued browsing, clicking, scrolling the page or some method that requires the user to actively proceed.
  • You also need to provide details on how you use cookies and why.
  • The cookie law requires users’ informed consent before storing cookies on a user’s device and/or tracking them.
  • You have to give visitors the opportunity to provide, withdraw or refuse consent. Before consent is obtained, no cookie-related scripts can be run on your site.
  • The Cookie Law does not require that records of consent be kept but instead, indicates that you should be able to prove that consent occurred — even if that consent has been withdrawn.

This last point is an important one that is often confusing. Consent doesn't require a box to be checked or a button to be clicked. Consent can be assumed if the user continues to browse your site, travels to another section or page of the site, or clicks on a link on the page after being informed that the site uses cookies. What matters is that you let them know what actions constitute consent.

At the same time, users must also be given the option to refuse consent. This doesn’t mean you have to provide them with a way to turn cookies off directly through your site. In fact, in most cases, the built-in cookie-blocking settings in major browsers are considered a valid method of withdrawing consent. Most importantly, you have to make sure that no installation or data collection is performed before the user has a chance to provide consent or refuse it.

You don't need to keep active records of each user's consent. This is a common area of confusion, since consent records are often required under the GDPR. This could change over time: in the U.S., many states are creating their own privacy laws, and you should always be ready with a consent manager that can prove a cookie was dropped only after consent. So we are not advocating that you simply forget about consent and tracking. We are merely saying that if you get a request for proof today, you don't necessarily have to show a log; you have to show that a process for obtaining consent did occur.

Proof of Consent

When it comes to the Cookie Law and consent, you must simply be able to provide proof of consent if the need arises. The best way to do this is to use a cookie management solution like Osano that automatically blocks cookie scripts until consent is obtained. Therefore, if you ever need to prove consent, the fact that cookie scripts were installed in the first place is sufficient evidence that a consenting action took place.

Imagine that the ability to run cookies is like entering your office. The cookie management solution is the door to your office, and the cookie consent is the act of opening the door handle. In this analogy, you can only enter the office through the door if the door handle is rotated (the act of giving consent). In this example, if you’ve entered the office it can only be because the door handle was rotated and, therefore, your presence in your office is sufficient proof of this fact.

What You Need to Do to Be Compliant

Overall and in practice, you'll need to show a cookie banner at the user's first visit, implement a cookie policy and allow the user to provide or decline consent. Prior to consent, no cookies may be installed, except for exempt cookies, which only serve their purpose over the course of the user's session on your website. If cookies follow your users around the web, collecting information that isn't necessary for website–user interactions, they are no longer exempt from consent requirements.

The cookie banner shown at the user's first visit must:

  • briefly explain the purpose of the installation of cookies that the site uses;
  • clearly state which action will signify consent;
  • be sufficiently conspicuous so as to make it noticeable;
  • link to a cookie policy or otherwise make available details of cookie purpose, usage, and related third-party activity.

The cookie policy must:

  • indicate the types of cookies installed (e.g. statistical, advertising);
  • describe in detail the purpose of installing cookies;
  • indicate which third parties are or could be installing cookies, with a link to their respective policies and any opt-out forms (where available);
  • be available in all languages in which the service is provided.

Blocking Cookies Before Consent

In compliance with the general principles of privacy legislation, which prevent processing before consent, the Cookie Law does not allow the installation of cookies before user consent is obtained. In practice, this means that you may have to employ a form of script blocking prior to user consent.
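As an added illustration of the script blocking described above (example code, not Osano's product or the article's own), the consent gate below holds back cookie-setting script loaders by category and releases them only after an affirmative consent action, so the fact that a loader ran is itself evidence that consent preceded it. The class and category names are hypothetical, and strictly necessary cookies are treated as exempt.

```javascript
// Added example, not Osano's code: a minimal consent gate in the spirit of
// the script blocking described above. Loaders for cookie-setting scripts
// are queued by category and run only once that category is consented to.
// All names here (ConsentGate, category labels) are hypothetical.
class ConsentGate {
  constructor() {
    this.pending = new Map();                // category -> queued { name, loader }
    this.consented = new Set(['necessary']); // exempt (strictly necessary) cookies need no consent
    this.executed = [];                      // { category, name, at } for every loader that ran
  }

  // Queue a script loader (e.g. a function that injects an analytics tag).
  // Nothing runs here unless the category was already consented to.
  register(category, name, loader) {
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push({ name, loader });
    if (this.consented.has(category)) this.flush(category);
  }

  // Affirmative action by the visitor (click, scroll, continued browsing).
  grant(categories) {
    for (const category of categories) {
      this.consented.add(category);
      this.flush(category);
    }
  }

  // Withdrawal: scripts that already ran cannot be un-run, but any loader
  // registered from now on is held back again until consent is re-granted.
  withdraw(categories) {
    for (const category of categories) this.consented.delete(category);
  }

  // Run every queued loader for a consented category and note that it ran.
  flush(category) {
    const queue = this.pending.get(category) || [];
    while (queue.length > 0) {
      const { name, loader } = queue.shift();
      loader();
      this.executed.push({ category, name, at: new Date().toISOString() });
    }
  }

  // Proof of consent for a given script: true only if it actually ran,
  // which can only have happened after grant() for its category.
  proofOfConsent(name) {
    return this.executed.some((entry) => entry.name === name);
  }
}
```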

While the GDPR is certainly important, it isn't the only regulation you need to know about to protect your organization. The Cookie Law and the changes to the ePrivacy Regulation remain active and enforceable. Understanding these laws' requirements is vital for protecting your interests, ensuring you don't violate the laws and that you provide a secure and trustworthy service to all of your users. Recognizing what you don't need to do is just as important as knowing what's required of you. There's a lot of misinformation floating around. Osano can help clarify your responsibilities and save you significant time and effort.

About The Author · Dennis Dayman

Dennis is the Chief Privacy Officer for Osano. He is a Certified Information Privacy Professional (CIPP/E CIPP/US FIP). Previously he was Return Path’s Chief Privacy and Security Officer. Prior to Return Path, he was Eloqua’s Chief Privacy and Security Officer. Dennis serves on the US Data Privacy and Integrity Committee for the Department of Homeland Security and is an advisory board member for the IAPP.