Over the last few months, online privacy and user data collection have been discussed everywhere, and stories of data mismanagement by tech giants have piqued the interest of online users. Concerns about user privacy have risen. GDPR, alongside the ePrivacy Directive, aims to protect that privacy by regulating the data that websites collect from their users. This article discusses what GDPR has in store with regard to cookie consent and what users and website owners should know about it.
What are Cookies?
Cookies are small files that a website installs on a user's browser for many purposes, for example to store a user's login details or the items a user has added to the cart in an online store. Most of the time cookies are harmless little files that, unlike what many believe, do not contain any executable code or harmful viruses, so they do not cause any harm to the user's device. Most of the time a cookie's job is to store information that the user has given voluntarily. More details about cookies have been covered in this article.
So Why is Cookie Consent so Important?
Let's say you have been looking for a smartphone online. After searching for the best deals for a while, you move on to some other website. And there it is! The ad for the smartphone you admired a while ago appears on that totally unrelated website. Ever wondered how you are being shown ads that look tailored to your interests? This kind of custom advertisement is all over the internet and is a way for companies to reach out to their consumers and potential buyers.
Targeted advertising is done by collecting data about a user, including their browsing history, search data, online purchase history, data they have voluntarily given in their social media profiles such as their interests, and even their reactions to different stories on social media.
There are multiple ways in which advertisers collect information about users, one of which is cookies that track user behavior in a browser. Cookies are set on a user's browser when they visit a website, which helps the website track how users interact with it. Among these are third-party cookies, which are set by domains other than that of the site the user is currently visiting. These cookies collect a sufficient amount of data to help advertisers serve users the ads that are most relevant to them and that they are most likely to click on.
Users have begun noticing this trend and have raised concerns over advertising companies collecting and using these data, as the data of millions of users around the globe are taken and profiled for practices like targeted advertising. The situation takes a dark turn when you draw a comparison with the real world: imagine someone tracking your every move and taking note of everything that you do.
This is why people are paying more attention to laws like GDPR that aim to protect the privacy of users online.
How to Take Consent for Cookies?
Informing the users
Cookies should not be set prior to user consent. Under the GDPR and the ePrivacy Directive, no cookies should be set unless and until the user has explicitly given their consent. Generally, this is done by clicking on a button.
The user should also be able to reject the cookies. Websites should provide users with an option where they can explicitly opt out of the usage of cookies as well.
The idea is to give users a real choice when it comes to cookies. A real choice means that the consent should be informed and should be reversible. Users should be able to come back at any time and revoke their consent.
Also, for consent to be explicit, cookies or cookie categories should not be enabled by default, and the boxes for them should not be pre-checked. It should be the users who enable them, after which their consent is recorded.
Consents Need to be Recorded
The data collected should be deleted at the user's request, and consent should be recorded as documentation, since the records could be used as proof.
To know more about how different websites have implemented cookie notification bar on their website, read this article on GDPR Cookie Consent Website Examples.
This part is for the website owners. It's easy to display a notification for the users where they get to give their consent by clicking or toggling a button, but the website owners now have to implement the consent. Below is the basic workflow of how the website should reflect the changes according to the consent of the user.
Third-party services add tracking scripts to a website that track the user's behavior. These scripts are what install the cookies on a user's browser in order to collect the user data. So, to make a website compliant with the law, website owners need to find a way for these scripts to be rendered on the website only when the users have given their explicit consent, by affirmative action, to the use of these cookies.
Note that there are other cookies installed by the website that are necessary for the website to function in its intended way. These cookies are the least of your worries. You don't need the user's consent to use these cookies, as they do not collect any data that can identify the users.
So, when the users visit the website, and the site loads on their browser, these scripts should be blocked until the users say that they allow these cookies to be used. When the user has given their consent, the scripts can be rendered on the website and install the cookies on the user's browser. Alternatively, if the users have rejected the use of the cookies, the website will not place any tracking script on the users' browser.
GDPR also requires that users be provided with the option to reconsider their choice. If a user has given their consent and at some later point decides that they do not want these cookies to be used, they should be able to come back to the website and withdraw it. At that point, the website should remove all the third-party scripts that have been installed earlier.
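The workflow above, together with the consent record described under "Consents Need to be Recorded", as an added example that is not part of the original article. The function names, the category names and the `page` object are hypothetical; `page` stands in for the browser so the logic runs outside one.

```javascript
// Added example: consent gate for third-party scripts. All names are hypothetical.
// In a browser, page.inject() would append a <script> element; page.remove() would
// delete it and also expire the cookies that script set.
function createConsentGate(page, now = () => new Date().toISOString()) {
  const scripts = [];        // registered scripts: { src, category }
  const granted = new Set(); // opted-in categories; empty by default (nothing pre-checked)
  const log = [];            // consent records kept as documentation
  const allowed = (c) => c === "necessary" || granted.has(c);
  function sync() {
    for (const s of scripts) {
      if (allowed(s.category)) page.inject(s.src);
      else page.remove(s.src);
    }
  }
  return {
    register(src, category) { scripts.push({ src, category }); sync(); },
    // choices come from an explicit user action, e.g. { advertising: true }
    setConsent(choices) {
      for (const [category, ok] of Object.entries(choices)) {
        if (ok === true) granted.add(category); else granted.delete(category);
      }
      log.push({ at: now(), choices: { ...choices } });
      sync();
    },
    records: () => log.map((r) => ({ ...r })),
  };
}

// Constructed stand-in for the page so the example runs without a DOM.
function createFakePage() {
  const loaded = new Set();
  return {
    inject: (src) => loaded.add(src),
    remove: (src) => loaded.delete(src),
    loaded: () => [...loaded].sort(),
  };
}

function demo() {
  const page = createFakePage();
  const gate = createConsentGate(page, () => "2018-05-25T00:00:00Z"); // constructed timestamp
  gate.register("/js/cart.js", "necessary");
  gate.register("https://ads.example/tag.js", "advertising");
  const beforeConsent = page.loaded();     // only the necessary script
  gate.setConsent({ advertising: true });  // user opts in
  const afterConsent = page.loaded();
  gate.setConsent({ advertising: false }); // user comes back and revokes
  return { beforeConsent, afterConsent, afterRevoke: page.loaded(), records: gate.records() };
}
```
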
As the general public has become more aware of their rights and privacy online, laws like GDPR are very likely to be implemented in many more countries across the globe. As the law applies to all websites that serve the European Union, many of the website owners are left scratching their heads on how they can comply with the law. Implementing the requirements of the law will not be easy for someone who is not tech-savvy. The first step for them is to understand what the law requires of them and find the right solution that can help them comply.