GDPR Cookie Consent

GDPR Cookie Consent

By Safwana

Published on 26th Dec 2018|Last updated on 3rd Feb 2020

Over the last couple of years, discussions regarding online privacy and user data collection were all over. The data mismanagement stories by tech giants have piqued the interest of online users. Data protection laws, the GDPR (read the guide) and ePrivacy Directive aimed at protecting the privacy of European Union (EU) individuals. This article discusses what GDPR has in store with regards to the cookie consent and what users and website owners should know about it.

What are Cookies?

Cookies are small files that a website installs on a user’s browser for many purposes. It could be to store the login details of users, or storing the items that a user has added into the cart in an online store, etc. Most of the time, cookies are harmless little files that do not contain any executable code or harmful viruses, unlike many would believe. So, they do not potentially cause any harm to the user’s device. Most of the time, their job is to store information which the users have given voluntarily. Read more details about the cookies in this article.

Let’s say you have been looking for a smartphone online. After searching for the best deals for a while, you move on to some other website. And there it is! The ad for the smartphone you admired a while ago appears on that unrelated website. Ever wondered how is this possible? 

Website servers carry out targeted advertising by collecting data of a user. These data include their browsing history, search data, online purchase history, data that users have voluntarily given in their social media profile, including their interests. There are multiple ways in which advertisers collect information about the users, one of which is cookies that track the user behavior on a browser. 

The cookies set on users’ browsers when they visit a website track how the users interact with the site. Among these are third-party cookies that domains other than the ones users are currently using, set on the browsers. These cookies collect a sufficient amount of data that helps advertisers to serve the users with ads that are most relevant to them and that the users are most likely to click. 

Users have begun noticing this trend and have raised concerns over the advertising companies using collecting and using these data. The data of millions of users around the globe are taken and profiled for such targeted advertising. Imagine this situation in real life where someone is tracking your every move and taking note of everything that you do. Scary, right?

This is why the people are paying more attention to laws like GDPR that aims at protecting the privacy of users online. GDPR emphasizes obtaining consent before collecting personal data from people. It applies to the tracking cookies as well.

To take cookie consent that complies with the GDPR, website owners must follow specific requirements.

Informing the users

When the user visits the website for the first time, they should be notified that the site uses cookies in a clear and understandable manner. It should be informative so that the user can give informed consent. 

As the law needs the website owner to state all the cookies and their purpose clearly, it might not be possible to inform all of that in a simple notification on the website. For this, a link that redirects the users to the cookie policy of the site would be enough. The cookie policy needs to be transparent and written in plain, user-friendly language so that the users get a clear picture of the cookies the site uses and their purposes.

So when a user visits a website, they can see a cookie banner that explains in a clear manner in which the user understands that the site uses cookies. If they want to know more, they can click on the link to the privacy policy.

The cookies, especially third-party, should not be set before the user consents. The user should also be able to reject the cookies. The websites should provide the users with an option where they can explicitly opt-out of the usage of cookies as well.

The idea is to give the users a real choice when it comes to cookies. When we say real choice, it means that the consent should be informed and reversible. The users should be able to go back anytime and revoke their consent. 

The option to withdraw consent should be as easy as it was to give it.

The consent of the user should not be implicit. It should always be taken by positive, affirmative action from the user. Some websites assume users’ consent if they continue to browse without any response. It is not explicit consent and such consent is invalid under the law.

Also, for taking explicit consent, there should not be any pre-checked options for such cookies or cookie categories. It should be up to the users to enable them and then record their consent.

The data collected should be deleted at the user’s request, and consent should be recorded as documentation, as they could be used as proof.

To know more about how different websites have implemented cookie notification bar on their website, read this article on GDPR Cookie Consent Website Examples.

Here is an example of a GDPR complying cookie consent banner:

GDPR Cookie Consent - CookieYes
CookieYes cookie consent banner
cookie settings

Technical Implementation

This part is for the website owners. It’s easy to display a notification for the users where they get to give their consent by clicking or toggling a button. However, the website owners now have to implement the consent. 

Third-party services add tracking scripts to a website that tracks the user’s behavior. These scripts are what installs the cookies on a user’s browser to collect the user data. So, to make a website compliant with the law, the website owners need to find a way in which these scripts will only be rendered when the users have given their explicit consent.

So, when the users visit the website and the site loads on their browser, block these scripts until the users register their consent. Upon receiving the consent, the scripts can be rendered on the website. Alternatively, if the users reject, the site will not place any tracking script on the users’ browser. 

Please note that there are cookies that are necessary for the website to function in its intended way. These cookies are the least of your worries. You don’t need user consent to use them as they do not collect any data that can identify the users.

If the users who have given their consent decide to revoke it later, they should be able to come back and do it without any difficulty. At this point, the website should remove all the third-party scripts that have been installed earlier.

Wrapping Up

As the general public has become more aware of their rights and privacy online; laws like the GDPR are very likely to be implemented in many more countries across the globe. The first step for any website owner is to understand what the law requires of them and find the right solution that can help them to obtain GDPR cookie consent. 

Disclaimer: The purpose of this article is to share general information with the readers. It should not be used as a substitute for legal advice. For any legal counsel related to compliance, please contact a lawyer or professional that specializes in this area.

Make Your Website GDPR Compliant With CookieYes

CookieYes is a new and easy solution to make your website comply with the GDPR Cookie Law from Cookie Law Info. Join the 1 Million+ website using our solutions now!


Safwana is a Content Marketer for Cookie Law Info. She's passionate about writing and promoting content that is helpful to readers.