Understanding GDPR Cookie Consent

Written by Matt Davis, CIPM (IAPP) | December 21, 2023

The General Data Protection Regulation (GDPR) has brought significant changes to how companies handle personal data—and cookies are easily one of the largest sources of personal information for businesses. Find out all about the essentials of the GDPR and cookies, how the GDPR treats cookie consent, and how you can get compliant here. 

What is the GDPR? 

The GDPR, which stands for General Data Protection Regulation, is a comprehensive set of regulations implemented by the European Union (EU) to protect the privacy and personal data of EU citizens. It was introduced on May 25, 2018, replacing the Data Protection Directive of 1995. The primary goal of the GDPR is to give individuals more control over their personal data and ensure that organizations handle it responsibly. 

Under the GDPR, personal data refers to any information that can directly or indirectly identify an individual, such as names, addresses, email addresses, and even IP addresses. The regulations apply to both data controllers, who determine the purposes and means of processing personal data, and data processors, who process personal data on behalf of the data controllers. 

One major way in which businesses acquire personal information is through the use of cookies. Thus, businesses subject to the GDPR must adhere to certain requirements when using cookies, including securing cookie consent.  

Failing to comply with the GDPR’s cookie consent requirements (or any of its other requirements) can result in severe consequences, such as hefty fines and reputational damage. The fines can be as high as 4% of the organization's annual global turnover or €20 million, whichever is higher.  

What is Cookie Consent? 

Cookies are small text files stored on a consumer’s device that allow websites to remember information about the consumer. While they are essential for certain website functionality (like remembering what items you added to your cart on an eCommerce site), they can also raise privacy concerns (like tracking which websites you’ve visited to infer characteristics about you).  

Cookie consent refers to obtaining clear and informed consent from website visitors for the use of cookies that collect their personal data. Under GDPR, websites must inform visitors about the types of cookies used, their purposes, and obtain their consent before any cookies are set or read on their devices. 

When it comes to cookie consent, it is essential to understand the different types of cookies that websites may use. Broadly, there are four categories that cookies fall into: 

  1. Necessary cookies, which are essential for the function of the website and don’t usually cause much concern from a privacy perspective. 
  2. Analytics cookies, which don’t usually collect personal information but provide website owners with information on how people interact with their site on aggregate. 
  3. Personalization cookies, which record personal details about visitors, such as their login info. These can be a source of privacy concerns, though they usually aren’t. 
  4. Marketing cookies, which are used to collect information to create targeted advertisements. These are usually the biggest source of privacy concerns, and often they’re set by third parties such as ad tech networks. 

Under the GDPR, businesses must provide their website visitors with granular choices on which of these cookie categories they wish to opt into. For example, a visitor might be okay with analytics and personalization cookies but not marketing cookies. 

Key Principles of the GDPR 

Before we can dive into the essentials of GDPR cookie consent, we need to understand the essentials of the GDPR. 

The GDPR is built upon several key principles, which serve as the foundation for its various requirements, including cookie consent. These principles include: 

  1. Lawfulness, fairness, and transparency: Organizations must process personal data lawfully, ensure fairness, and be transparent about their data processing activities. This means that organizations must have a legitimate basis for processing personal data and must inform individuals about the purposes and legal basis for processing their data. 
  2. Purpose limitation: Personal data must be collected for specified and legitimate purposes and cannot be further processed in a manner that is incompatible with those purposes. Organizations must clearly define the purposes for which they collect personal data and cannot use the data for any other purposes without obtaining additional consent. 
  3. Data minimization: Organizations should only collect and process the minimum amount of personal data necessary to fulfill the specified purpose. This principle encourages organizations to limit the collection and retention of personal data to what is necessary and relevant. 
  4. Accuracy: Organizations must ensure that personal data is accurate and kept up to date. They should take reasonable steps to rectify or erase inaccurate or incomplete data, considering the purposes for which the data was collected. 
  5. Storage limitation: Personal data should not be kept longer than necessary for the specified purposes. Organizations must establish retention periods for different types of personal data and regularly review and delete data that is no longer needed. 
  6. Integrity and confidentiality: Organizations must implement appropriate security measures to protect personal data from unauthorized access, alteration, or disclosure. This includes measures such as encryption, access controls, and regular security audits. 
  7. Accountability: If you control and/or process personal data, then you are accountable for following these principles and demonstrating your compliance, should a data subject or data protection authority ask for proof. 

By adhering to these principles, organizations can ensure that they are handling personal data in a responsible and ethical manner, respecting the rights and privacy of individuals. When applied to cookie consent, a clear framework emerges. Let’s dive in. 

Understanding GDPR Cookie Consent 

The GDPR imposes strict requirements on how organizations collect, process, and store personal data obtained through cookies. How do the seven principles outlined above apply to cookie consent under the GDPR? 

The principle of lawfulness, fairness, and transparency is probably the most significant factor in cookie consent. The GDPR requires businesses to establish certain lawful bases before data processing—one of which is the data subject’s consent. For that consent to be valid, it must also be fair and transparent, meaning that data subjects need to be given information about what will happen to their data and their rights and they must be given a free choice to opt in. Additionally, opting out must be as easy as it was to opt in. 

Businesses aren’t allowed to collect more information via cookies than what they need for a specific purpose, and they can’t reuse information for a second purpose beyond what was disclosed to the data subject. After that purpose has been met, the data should be destroyed or de-identified. That accounts for the purpose limitation, data minimization, and storage limitation principles. 

If they do collect information via cookies, businesses should ensure that it is accurate. If a data subject asks the business to update their personal information, the business is obligated to comply. 

The last principle is accountability. Organizations must maintain records of visitor consents and be able to demonstrate compliance with the regulation in case of an audit or investigation. This includes keeping track of when and how consent was obtained, as well as providing mechanisms for visitors to easily manage their cookie preferences. 

Ensuring GDPR Cookie Compliance

Compliance with GDPR and cookie consent involves implementing several measures to protect consumer privacy and uphold data protection principles: 

  • A clear and easily accessible cookie policy that explains the types of cookies used and their purposes. This policy should be written in plain language, avoiding complex legal jargon, to ensure that consumers can understand how their data is being used. 
  • Implementing a cookie consent banner that prominently displays information and seeks consent from consumers. The banner should provide clear options for consumers to either accept or reject the use of cookies, and it should not impede their access to the website if they choose not to consent. Note that this can be difficult to implement on your own! Each EU member state has its own unique take on what needs to appear on a cookie banner. 
  • Providing granular options for consumers to choose which categories of cookies they allow. This means giving consumers the ability to customize their cookie preferences based on their individual privacy concerns. 
  • Regularly monitoring and reviewing cookie consent mechanisms to ensure ongoing compliance. Organizations should regularly assess their cookie usage, review their privacy policies, and update their consent mechanisms to reflect any changes in data processing practices or legal requirements. 

That’s what your GDPR cookie consent solution needs to include—how do you actually implement it? 

Implementing GDPR-Compliant Cookie Consent 

If you choose to pursue a homegrown approach to implementing a cookie consent solution, you’ll be in for a difficult time. 

You’ll have to discover, categorize, and document all of the cookies on your website.  

Then, you’ll need to integrate your solution with your website’s codebase or tag manager and manually define what needs to happen with each cookie and when. Remember—visitors get to say no to all but necessary cookies, yes to all cookies, or yes to some cookies but no to others. Cookies must fire or not fire the moment they make the corresponding choice. 

You’ll also need to develop a cookie consent banner for each EU member state, with compliant language in every language that a visitor might use. These will need to be maintained on an ongoing basis. 

You’ll need a secure way to record visitor consent choices and a way for visitors to change those choices in the future. 
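As an added example (not code from this article or from Osano), here is the core of the gating logic those steps describe, in plain JavaScript: a consent record for the four categories above that is opt-in for everything except necessary cookies, category-tagged scripts that fire only when their category was granted, the cookies to clear after a withdrawal, and an append-only record of when and how consent was given. The script URLs, cookie names and policy version are constructed placeholders; the banner text per member state and the cookie discovery the article describes are out of scope here.

```javascript
// Added example, not Osano's or the article's code: a minimal consent gate for
// the four cookie categories the article lists. Pure functions, so it runs
// unchanged in Node or in a browser.
const CATEGORIES = ["necessary", "analytics", "personalization", "marketing"];

// Build a consent record. Necessary cookies need no consent and are always on;
// every other category is opt-in, so a missing or unticked choice means "no".
function createConsent(choices, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) {
    granted[c] = c === "necessary" || choices[c] === true;
  }
  // policyVersion is a constructed placeholder for the cookie policy shown.
  return { granted, timestamp: now.toISOString(), policyVersion: "EXAMPLE-POLICY-V1" };
}

// Withdrawing must be as easy as opting in: one call produces a fresh record.
function withdrawConsent(consent, category, now = new Date()) {
  return createConsent({ ...consent.granted, [category]: false }, now);
}

// Scripts are tagged with a category ({ src, category }). Only those whose
// category was granted may fire; an unknown category counts as not granted.
function scriptsAllowedToRun(tags, consent) {
  return tags.filter((t) => consent.granted[t.category] === true);
}

// After a withdrawal, cookies already set in a now-refused category should be
// removed. Takes a "name=value; name2=value2" cookie string and a map from
// cookie name to category, and returns the names that must be cleared.
function cookiesToClear(cookieHeader, categoryMap, consent) {
  const known = (name) => Object.prototype.hasOwnProperty.call(categoryMap, name);
  return cookieHeader
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((name) => known(name) && !consent.granted[categoryMap[name]]);
}

// Accountability: an append-only log of how and when each choice was made.
function recordConsent(log, consent, source) {
  log.push({ ...consent, source });
  return log;
}

// Constructed sample data: script tags and the cookies each category sets.
const TAGS = [
  { src: "/js/cart.js", category: "necessary" },
  { src: "https://analytics.example/a.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
const COOKIE_MAP = { session: "necessary", _ga_example: "analytics", _ad_id: "marketing" };
```

In a browser the names returned by `cookiesToClear` would be expired by setting each cookie with a past `Expires` date, and the log would be persisted server-side so it survives as proof of consent.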

Essentially, you’d have to spin up a whole team dedicated to managing cookie consent. 

Fortunately, there are vendors who already provide cookie consent management solutions, like Osano. Osano Cookie Consent takes one line of JavaScript to set up on your website and directly addresses the major challenges associated with consent management. It: 

  • Automatically discovers cookies and scripts running on your website and recommends an appropriate category. 
  • Doesn’t require fiddling with your codebase or tag manager to block or fire cookies at the right time. 
  • Comes with compliant cookie consent banners for all EU member states (and the rest of the world) that are regularly updated and audited for compliance. 
  • Records visitor consent choices to a secure, immutable blockchain for proof of compliance. 
  • Allows visitors to change their consent choices at any time. 

But there can be a degree of comfort in handling compliance yourself—it can be difficult to trust a vendor with something as important as GDPR compliance after all. That’s why we offer the industry’s only “No Fines. No Penalties.” pledge, which covers the costs of any fines that result from the use of our platform. 

There are other consent management platforms (CMPs) out there too, and it only makes sense to shop around for the right platform for your business. If you’re still evaluating ways to manage GDPR cookie consent, check out our CMP scorecard. It gives you a way to track your product evaluation and provides you with essential guidance on how to identify a worthwhile tool before making a commitment.