Cookie Consent in GDPR

By Safwana

Published on 26th December 2018

Over the last few months, discussions about online privacy and user data collection have been everywhere, and stories of data mismanagement by tech giants have piqued the interest of online users. Concerns about users' privacy have risen. The GDPR, alongside the ePrivacy Directive, aims to protect privacy by regulating the data that websites collect from their users. This article discusses what the GDPR has in store with regard to cookie consent and what users and website owners should know about it.

What are Cookies?

Cookies are small files that a website installs on a user's browser for many purposes. It could be to store the login details of users, or to store the items that a user has added to the cart in an online store, etc. Most of the time cookies are harmless little files that, contrary to what many believe, do not contain any executable code or harmful viruses. So they do not cause any harm to the user's device. Most of the time the cookies' job is to store information which the users have given voluntarily. More details about the cookies have been covered in this article.

Let's say you have been looking for a smartphone online. After searching for the best deals for a while, you move on to some other website. And there it is! The ad for the smartphone you admired a while ago appears on that totally unrelated website. Ever wondered how you are being shown ads that look tailored to your interests? This kind of custom advertisement is all over the internet and is a way for companies to reach out to their consumers and potential buyers.

Targeted advertising is done by collecting data about a user, which includes their browsing history, search data, online purchase history, and data that users have voluntarily given in their social media profiles, including their interests and even their reactions to different stories on social media.

There are multiple ways in which advertisers collect information about users, one of which is cookies that track user behavior in a browser. Websites set cookies on a user's browser when the user visits them, which helps the website track how users interact with it. Among these cookies are third-party cookies, which are set by domains other than that of the site the user is currently visiting. These cookies collect enough data to help advertisers serve users the ads that are most relevant to them and that the users are most likely to click on.

Users have begun noticing this trend and have raised concerns over advertising companies collecting and using these data, as the data of millions of users around the globe are taken and profiled for practices like targeted advertising. The situation takes a dark turn when you draw a comparison with the real world: imagine someone tracking your every move and taking note of everything that you do.

This is why people are paying more attention to laws like the GDPR that aim to protect the privacy of users online.

Informing the users

When the user visits the website for the first time, they should be notified, in a clear and understandable manner, that the website uses cookies. The notice should be informative so that the user can give informed consent. The website can take the user's consent from this notification.

As the law needs the website owner to clearly state all the cookies, their purpose and how they are used, it might not be possible to say all of that in a simple notification on the website. For this, the users can be provided with a link that takes them to the cookie policy of the website. The cookie policy needs to be transparent and written in plain, user-friendly language so that the users get a clear picture of what cookies are used, and what they are used for.

So when a user visits a website, they see a cookie banner that explains clearly that the website uses cookies, and if they want to know more, they can click on the link to the privacy policy.

Prior Consent

Cookies should not be set prior to user consent. With the GDPR and ePrivacy Directive, no cookies should be set unless and until the user has explicitly given their consent. Generally, consent is given by clicking on a button.

The user should also be able to reject the cookies. The websites should provide the users with an option where they can explicitly opt out of the usage of cookies as well.

Reconsider Consent

The idea is to give the users real choice when it comes to the cookies. When we say real choice, it means that the consent should be informed and should be reversible. The users should be able to come back at any time and revoke their consent.

Explicit Consent

The consent of the user should not be implicit. It should always be taken through a positive, affirmative action by the user. When a website says that it uses cookies and that continuing to browse the website means the user agrees to the use of cookies, that is not explicit consent and is not sufficient to comply with the law.

Also, for explicit consent, cookies or cookie categories should not be enabled by default, and their boxes should not be pre-checked. It should be the users who enable them, and their consent should then be recorded.

Consents Need to be Recorded

The data collected should be deleted at the user's request, and consent should be recorded as documentation, as the records could be used as proof.

To know more about how different websites have implemented a cookie notification bar on their website, read this article on GDPR Cookie Consent Website Examples.

Technical Implementation

This part is for the website owners. It's easy to display a notification where users give their consent by clicking or toggling a button, but the website owners now have to implement that consent. Below is the basic workflow of how the website should reflect the changes according to the consent of the user.

Third-party services add tracking scripts to a website that track the user's behavior. These scripts are what install the cookies on a user's browser in order to collect the user data. So, to make a website compliant with the law, the website owners need to find a way in which these scripts will only be rendered on the website when the users have given their explicit consent, by affirmative action, to the use of these cookies.

It is to be noted that there are other cookies installed by the website that are necessary for the website to function in its intended way. These cookies are the least of your worries. You don't need user consent to use these cookies as they do not collect any data that can identify the users.

So, when the users visit the website, and the site loads on their browser, these scripts should be blocked until the users say that they allow these cookies to be used. When the user has given their consent, the scripts can be rendered on the website and install the cookies on the user's browser. Alternatively, if the users have rejected the use of the cookies, the website will not place any tracking script on the users' browser. 

The GDPR also requires that users be given the option to reconsider their choice. If a user has given their consent and later decides that they do not want these cookies to be used, they should be able to come back to the website and withdraw it. At that point, the website should remove all the third-party scripts that were installed earlier.
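
The workflow above (block by default, load on explicit consent, record the choice, remove on withdrawal) is shown below as an added example; it is not code from this article's author or from any particular consent tool. The category names, script URLs and the load, unload and store hooks are assumptions, with in-memory stand-ins so that it runs outside a browser.

```javascript
// Hypothetical names: categories, URLs and the load/unload/store hooks.
const CATEGORIES = ["necessary", "analytics", "advertising"];
class ConsentGate {
  constructor({ scripts, load, unload, store }) {
    this.scripts = scripts; // [{ src, category }]
    this.load = load;       // browser: append a <script> element
    this.unload = unload;   // browser: remove the element again
    this.store = store;     // persist the consent record as proof
    this.active = new Set();
    // No optional category is pre-enabled; only "necessary" starts on.
    this.choices = Object.fromEntries(CATEGORIES.map(c => [c, c === "necessary"]));
    this.apply();
  }
  // Call only from an affirmative user action such as a button click.
  setConsent(choices) {
    for (const c of CATEGORIES) {
      if (c !== "necessary") this.choices[c] = choices[c] === true;
    }
    const record = { choices: { ...this.choices }, at: new Date().toISOString() };
    this.store(record);
    this.apply();
    return record;
  }
  revokeAll() { return this.setConsent({}); }
  // Load what is allowed, unload what no longer is; unknown categories stay blocked.
  apply() {
    for (const s of this.scripts) {
      const allowed = this.choices[s.category] === true;
      if (allowed && !this.active.has(s.src)) { this.load(s); this.active.add(s.src); }
      if (!allowed && this.active.has(s.src)) { this.unload(s); this.active.delete(s.src); }
    }
  }
}
// Constructed in-memory run: arrays stand in for the DOM and the consent store.
function demo() {
  const loaded = [], records = [];
  const gate = new ConsentGate({
    scripts: [{ src: "https://analytics.example/t.js", category: "analytics" },
              { src: "https://ads.example/pixel.js", category: "advertising" }],
    load: s => loaded.push(s.src),
    unload: s => loaded.splice(loaded.indexOf(s.src), 1),
    store: r => records.push(r),
  });
  const beforeConsent = [...loaded];
  gate.setConsent({ analytics: true });
  const afterAccept = [...loaded];
  gate.revokeAll();
  return { beforeConsent, afterAccept, afterRevoke: [...loaded], records };
}
```

Only a strict `true` passed from the user's action enables a category, so a missing or pre-filled value leaves the scripts blocked.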

Wrapping Up

As the general public has become more aware of their rights and privacy online, laws like GDPR are very likely to be implemented in many more countries across the globe. As the law applies to all websites that serve the European Union, many of the website owners are left scratching their heads on how they can comply with the law. Implementing the requirements of the law will not be easy for someone who is not tech-savvy. The first step for them is to understand what the law requires of them and find the right solution that can help them comply. 

Safwana is a Content Marketer for Cookie Law Info. She's passionate about writing and promoting content that is helpful to readers.