Data Mapping: Frequently Asked Questions
Most people find data privacy compliance to be complicated enough....Read Now
December 21, 2023
The General Data Protection Regulation (GDPR) has brought significant changes to how companies handle personal data—and cookies are easily one of the largest sources of personal information for businesses. Find out all about the essentials of the GDPR and cookies, how the GDPR treats cookie consent, and how you can get compliant here.
The GDPR, which stands for General Data Protection Regulation, is a comprehensive set of regulations implemented by the European Union (EU) to protect the privacy and personal data of EU citizens. It was introduced on May 25, 2018, replacing the Data Protection Directive of 1995. The primary goal of the GDPR is to give individuals more control over their personal data and ensure that organizations handle it responsibly.
Under the GDPR, personal data refers to any information that can directly or indirectly identify an individual, such as names, addresses, email addresses, and even IP addresses. The regulations apply to both data controllers, who determine the purposes and means of processing personal data, and data processors, who process personal data on behalf of the data controllers.
Failing to comply with the GDPR’s cookie consent requirements (or any of its other requirements) can result in severe consequences, such as hefty fines and reputational damage. The fines can be as high as 4% of the organization's annual global turnover or €20 million, whichever is higher.
Cookies are small text files stored on a consumer’s device that allow websites to remember information about the consumer. While they are essential for certain website functionality (like remembering what items you added to your cart on an eCommerce site), they can also raise privacy concerns (like tracking which websites you’ve visited to infer characteristics about you).
When it comes to cookie consent, it is essential to understand the different types of cookies that websites may use. Broadly, there are four categories that cookies fall into:
Under the GDPR, businesses must provide their website visitors with granular choices on which of these cookie categories they wish to opt into. For example, a visitor might be okay with analytics and personalization cookies but not marketing cookies.
Before we can dive into the essentials of GDPR cookie consent, we need to understand the essentials of the GDPR.
The GDPR is built upon several key principles, which serve as the foundation for its various requirements, including cookie consent. These principles include:
By adhering to these principles, organizations can ensure that they are handling personal data in a responsible and ethical manner, respecting the rights and privacy of individuals. When applied to cookie consent, a clear framework emerges. Let’s dive in.
The GDPR imposes strict requirements on how organizations collect, process, and store personal data obtained through cookies. How do the seven principles outlined above apply to cookie consent under the GDPR?
The principle of lawfulness, fairness, and transparency is probably the most significant factor in cookie consent. The GDPR requires businesses to establish certain lawful bases before data processing—one of which is the data subject’s consent. For that consent to be valid, it must also be fair and transparent, meaning that data subjects need to be given information about what will happen to their data and their rights and they must be given a free choice to opt in. Additionally, opting out must be as easy as it was to opt in.
Businesses aren’t allowed to collect more information via cookies than what they need for a specific purpose, and they can’t reuse information for a second purpose beyond what was disclosed to the data subject. After that purpose has been met, the data should be destroyed or de-identified. That accounts for the purpose limitation, data minimization, and storage limitation principles.
If they do collect information via cookies, businesses should ensure that it is accurate. If a data subject requests that the business updates their personal information, they are obligated to comply.
The last principle is accountability. Organizations must maintain records of visitor consents and be able to demonstrate compliance with the regulation in case of an audit or investigation. This includes keeping track of when and how consent was obtained, as well as providing mechanisms for visitors to easily manage their cookie preferences.
Compliance with GDPR and cookie consent involves implementing several measures to protect consumer privacy and uphold data protection principles:
That’s what your GDPR cookie consent solution needs to include—how do you actually implement it?
If you choose to pursue a homegrown approach to implementing a cookie consent solution, you’ll be in for a difficult time.
You’ll have to discover, categorize, and document all of the cookies on your website.
Then, you’ll need to integrate your solution with your website’s codebase or tag manager and manually define what needs to happen with each cookie and when. Remember—visitors get to say no to all but necessary cookies, yes to all cookies, or yes to some cookies but no to others. Cookies must fire or not fire the moment they make the corresponding choice.
You’ll also need to develop a cookie consent banner for each EU member state, with compliant language in every language that a visitor might use. These will need to be maintained on an ongoing basis.
You’ll need a secure way to record visitor consent choices and a means of giving visitors the choice to change their cookie consent choices in the future.
Essentially, you’d have to spin up a whole team dedicated to managing cookie consent.
But there can be a degree of comfort in handling compliance yourself—it can be difficult to trust a vendor with something as important as GDPR compliance after all. That’s why we offer the industry’s only “No Fines. No Penalties.” pledge, which covers the costs of any fines that result from the use of our platform.
There are other consent management platforms (CMPs) out there too, and it only makes sense to shop around for the right platform for your business. If you’re still evaluating ways to manage GDPR cookie consent, check out our CMP scorecard. It gives you a way to track your product evaluation and provides you with essential guidance on how to identify a worthwhile tool before making a commitment.
Use this free template to track and inform your evaluation of different consent management platforms (CMPs)!Download Now
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.