Cookie law compliance has become a challenging subject recently. In the last few years, there has been a growing movement towards ‘privacy by design’ — a way of thinking about the development and delivery of services that takes into account privacy from the outset, rather than something that is bolted on afterward. One outcome of this approach is the requirement to take affirmative action to provide users with notice and choice about their privacy before collecting any personally identifiable information from them. Businesses and organizations have become liable to implement cookie consent as a measure to stay compliant. However, the process of cookie consent is not easy. What is Cookie Consent? And how to manage it?
Cookie consent is a law that has been implemented to ensure that users’ data is not misused while they browse the internet. The legislation compels every website to ask for permission from the users before collecting user information using cookies.
Cookies are widely used on the internet, and while they are very useful, some of them can track personally identifiable information or online activity. For this reason, consent for cookies has been made mandatory or recommended by many privacy laws.
Consent allows people to have control over their data and protects their rights by providing them with options.
There are different types of cookies. Some cookies enhance the user experience by remembering user login information, holding times in the shopping cart or saving user account settings (essential or technical cookies). However, some cookies can follow users around the internet across other websites to understand one’s browsing behavior or track one’s movements (non-essential cookies). Such cookies are what privacy laws seek to regulate. Some examples of cookies that require consent include:
- Cookies that are used for direct marketing;
- Cookies that are used to track users’ behavior across multiple websites;
- Cookies that are used to compile a profile of a user’s interests, habits and preferences;
- Third-party cookies, in other words, cookies placed on your website by someone other than the owner of the site you are visiting;
- Socially shared content, for example, if someone shares content from your website on Facebook, or tweets a link to it; and
- First-party cookies that are used for tracking.
Consent can be given by checking a box or clicking a button on the banner. This will signal the website to load the cookies on the user’s device. For this to work, the website should not load the cookies before receiving user consent. If they don’t give consent, the cookies remain blocked.
Cookie consent under GDPR
The rules state that users must be made aware of what their data will be used for and that they must give informed consent before their data can be stored. Users have to be told exactly why they need to accept cookies and what (if any) benefit they will gain from doing so. They should be aware of the cookies being used, their true purposes, and how they can manage them. The crux, however, is the consent requirements. Like the Directive, GDPR considers freely given, informed, specific and unambiguous consent valid. It should also be withdrawable and provable.
How to implement GDPR cookie consent? Watch here:
Cookie consent under CCPA
The opt-out is usually implemented via a “Do Not Sell My Personal Information” link, which should be easily accessible on the website (the homepage footer is the most recommended place) and also on the cookie banner.
The CCPA also requires websites to notify users when or before using cookies by providing details about the type of cookies and their purposes in the privacy notice. If a user chooses not to share their personal information with the website, then the website must respect that decision and not store cookies on their device for one year.
What happens if you fail to get cookie consent?
Failing to get valid consent is a severe violation. Under GDPR, you could face a hefty fine of up to €20 million or 4% of your total worldwide annual turnover, whichever is higher. Read more on GDPR fines here.
Many big companies have had to pay whopping fines for violating cookie consent requirements. Recent examples include Amazon, which was fined a record-breaking €746 million by the Luxembourg authorities for failing to get valid consent to store marketing cookies.
Financial penalties are the most common consequence of this type of violation. However, depending on the severity of the violation, a website may be subjected to a complete ban on collecting data via cookies. This may severely affect its digital revenue stream.
How to obtain cookie consent?
The most common way of obtaining consent is the Cookie Banner. This is just what it sounds like — a banner placed on your website which displays the notice about cookies being used and their purpose. The banner must be visible on every page of your website and must use language that is clear, concise and easy to understand so that users can make an informed choice about whether or not they wish to have cookies placed on their device when browsing your website.
Here are a few things to consider for obtaining and managing cookie consent on your website:
- Load cookie banner on every page, especially during first visits.
- Keep the cookie notice concise, clear and easy to understand.
- Inform visitors that cookies are being used, what purpose they serve, what accepting or rejecting them mean.
- Block non-technical cookies until the user gives consent.
- Add three options on the banner: opt-in (accept all), opt-out (reject all) and preferences or settings for giving one-by-one consent to cookies per category.
- Closing the banner or scrolling the site without responding to the banner doesn’t imply user consent.
- Do not use pre-ticked options for opt-in consent.
- Implement a cookie banner recall option for users to withdraw/change consent at any time.
- Log the consent provided by the users for proof of compliance.
- Wait at least six months or 1 year before requesting users, who opted out, for cookie consent again.
Managing cookie consent doesn’t have to be complicated.
CookieYes is trusted by 1 Million+ websites for cookie consent management. Try for free and get compliant today!
FREE COOKIE CONSENT
*No credit card required
Frequently asked questions
Do I need cookie consent?
If you run a website you need to get consent from your visitors before you can store any cookies on their devices. You only need consent to store non-essential cookies – if they are necessary for the site to work then they are considered essential, otherwise, they are non-essential.
What is GDPR cookie consent?
Consent is an essential element of the General Data Protection Regulation (GDPR) legislation. The GDPR legislation requires that any entity wishing to store or track the personal data of EU individuals must first obtain consent from them. This applies to data monitored by websites via cookies. Under GDPR, a website must obtain explicit consent from users before it can store cookies on user devices.
Does CCPA require cookie consent?
As per CCPA rules, you do not need consent to store cookies on a user’s device, unless your visitor is a minor (< 16 years of age). However, the CCPA follows an opt-out approach. It requires you to give the users a choice to opt out of cookies and also, disclose details about cookies and their purposes.
Is cookie consent required in the US?
Websites that are subject to US laws—for example, the California Consumer Privacy Act (CCPA)—do not need to obtain consent for cookies. CCPA only emphasizes providing opt-out choices for cookies. However, if you are a US-based website that offers services to EU users and collects personal data using cookies, cookie consent is mandatory per GDPR.
How to implement cookie consent?
What is a cookie consent banner?
Do you need a cookie consent banner?
Yes, if your website uses and stores cookies on visitors’ browsers. Privacy regulations like GDPR require websites to inform people about cookies and give them the option to accept or deny them. Cookie consent banners are the most common method for notifying users about consent and giving them the options for consent. Using cookies, especially the non-essential type, without consent is a violation of user privacy.
How to add cookie consent to a website?
You can add a legally-compliant cookie consent banner to your website using CookieYes. It is a consent management platform for managing cookie consent on your website. You don’t need prior coding knowledge to add our cookie notice banner to your site.
Just follow three simple steps to get started for free:
- Sign up on CookieYes for free
- Copy the unique code
- Paste the code in your site’s HTML
How do I add cookie consent in WordPress?
How to revoke cookie consent?
Users may withdraw their consent for cookie use at any time by deleting or blocking cookies using browser settings. If a website uses a consent management platform, visitors may withdraw consent using its settings.
How long does cookie consent last?
A website must renew cookie consent at least once per year. In some European countries, websites are advised to do this every six months. CCPA allows websites one year to store cookies and then ask for consent again.
Where to save cookie consent?
You can save all the consent by adding a cookie banner to collect them first. So any type of consent that you receive: opt-in or opt-out must be recorded and saved in a log so that you can prove that you have requested consent and what the user responded.
Do you need cookie consent for Google Analytics?
Yes. Cookies set by Google Analytics fall under the non-essential category. The reason is that gathering analytical data is not a service explicitly requested by the user and hence, is not “strictly necessary” for the website’s functioning. Therefore, you need cookie consent to store Google Analytics cookies.
What is a cookie consent manager?
A cookie consent manager is a type of tool or service that allows websites to obtain consent from users before storing cookies on their devices. It helps site users stay safe while browsing online by giving them more control over third-party cookies. A cookie consent manager also allows you to block third-party cookies and log and revoke user consent for cookies, among other features.