Cookie consent requirements: Are you doing enough?

Written by Matt Davis, CIPM (IAPP) | September 13, 2022

When the European Union established the General Data Protection Regulation (GDPR) in 2018, for them, it was just an added layer of protection within the territory’s already well-established data protection directive. But for the US, many leaders were left scratching their heads: “If the latest iteration of data privacy in the EU is meant to protect them, what does that have to do with us?”

A lot, as it turned out. Any American organization with users, data subjects, or clients residing in the EU became subject to the GDPR’s stricter data privacy laws, especially as they pertain to cookie consent requirements and cookie consent record-keeping.

Today, the laws are still steadfast and ever-evolving. Make no mistake: Companies must comply with GDPR or face hefty penalties — including fines and data-processing bans — if they offer goods or services to EU data subjects.

What are cookies?

A cookie is a small text file that a website you visit sends to your computer through your browser. It is a technology that “remembers” something about you in order to improve a website’s functionality and/or overall user experience. It saves data like login information, shopping carts, wish lists, user inputs, and more. It’s also used for analytics and advertising purposes.

The downside to that last part? The information cookies collect about you can be sold to other companies.

The EU ePrivacy directive — the precursor to GDPR, established in 2002 and amended in 2009 — requires users to provide consent before cookies or trackers are placed (except for those strictly necessary for a website’s function). 

Additionally, when cookies can identify an individual, it’s considered personal data under the GDPR. Therein lies the problem concerning cookie consent and the GDPR: Consent must be freely given, specific, informed, and unambiguous.

When it comes to cookies, some organizations may not be transparent about how they use personal data. Even if they do provide this information, it’s often buried in complicated privacy policies few people read. When organizations use cookies, many people are completely unaware their personal data is being collected. Often, they don’t even know whether they can prevent it.

The internet makes separating U.S. citizens from EU citizens impossible, so cookie consent is not just an issue for the EU. People who visit American websites can live anywhere on the planet. If cookies are present on your site and it collects personal data about EU residents, your organization must now comply with GDPR.

In January 2020, California enacted its own data privacy directive, the California Consumer Privacy Act. The CCPA, which will soon see its own major expansion in 2023, also treats cookies as "personal information" in most cases. 

Thus, organizations that must comply with CCPA will need to disclose their cookie use and obtain consent. Unless a business is willing to eliminate residents of the EU and California from its customer base — and effectively block them from visiting their website — the organization must comply with GDPR and CCPA, plus obtain cookie consent.

Cookie consent pop-up boxes are not the last step

Before information is collected via cookies or similar technologies, companies must provide users with a cookie notice, as required by the ePrivacy Directive. To give proper consent under the GDPR, users must have the ability to accept or decline the terms.

Unfortunately, many U.S.-based websites still fail to provide such notice in advance, thus consent for GDPR purposes is not obtained. Some organizations, however, are taking the cookie consent requirements seriously, building cookie consent pop-up boxes on their websites. 

Still, besides informing visitors that a website uses cookies, are cookie consent pop-ups really giving people a true opportunity to opt out (yet another GDPR requirement)? Often, the answer is no.

While cookie consent pop-up boxes may look like an organization is giving website visitors control of their personal data, many are nothing more than an inoperative placeholder. Even if a user clicks “decline” on the consent dialog, the company’s site still runs its JavaScript and cookie-based tracking, and that user’s information is processed regardless.

Another ineffective way to obtain cookie consent? Including links to company privacy policies. Even if a user were to read through the organization’s privacy policy, most policies fail to address the kind of data collected by cookies. 

Instead, they focus more on the personal information a user submits, like name, address, phone number, and geographical location. Although the GDPR doesn’t go into specifics about cookies, it does cover personal data gathered about EU residents — which can include cookies — and it also provides clear direction on what constitutes consent.

Another GDPR requirement says a company must be able to demonstrate that a data subject consented to having their personal data processed. This means organizations must be able to prove how and when consent was given through an audit trail. 

Bottom line: If your organization uses cookies and obtains consent from users to do so, you must be able to demonstrate to regulators that you’ve obtained the necessary consent.

A quick guide to complying with data protection and cookie laws

The GDPR, CCPA/CPRA, and others like them all have specific requirements. As data and technology continue to evolve, those requirements will inevitably change. Without a single set of requirements with which to comply, designing a compliant cookie notice and method of consent may seem impossible.

When it comes to ensuring cookie compliance within your organization, consider the following:

1. Disclose that you use cookies.

First and foremost, let your website visitors know you use cookies. A pop-up box is the best way to get their attention, and it should be on the first page they visit.

2. Choose how you want users to provide consent.

You can allow users to opt in, opt out, or provide consent by continuing to use the site. The latter is likely the simplest way to obtain consent and requires minimal coding on your page. That said, it doesn’t meet consent requirements in many jurisdictions. Your users can also turn off cookies in their browser settings if they choose to control cookies.

If you decide on the opt-out method, provide a button where they can decline the use of cookies. This option requires more work on your side, but it does give users direct control over cookies specific to your website.

If the opt-in option is preferred, users can proactively accept the use of cookies on your site. You cannot use cookies if they do not accept the request. As with the opt-out method, you will have to modify your site to disable cookies if the user requests it.
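The following is an added example, not Osano’s code or a library API, showing how an opt-in gate and a consent audit record fit together: non-necessary tags are injected only after an affirmative choice, a “decline” really keeps them off the page, and each decision is stored with a timestamp and the notice version it was given under. The cookie categories, tag list and policy version are constructed for the demo.

```javascript
// Added example (not Osano's code): consent-gated tag loading plus an audit record.
// Assumed cookie categories: 'necessary', 'analytics', 'advertising'.
const POLICY_VERSION = '2022-09-13'; // bump whenever the cookie notice text changes

// Build the record an audit trail needs: what was chosen, when, and under which notice.
function buildConsentRecord(choices, now = new Date()) {
  return {
    policyVersion: POLICY_VERSION,
    timestamp: now.toISOString(),
    choices: { necessary: true, analytics: !!choices.analytics, advertising: !!choices.advertising },
    method: 'explicit', // an affirmative click, never "implied by continued use"
  };
}

// Opt-in gate: a tag may run only if the user affirmatively consented to its category.
function isAllowed(record, category) {
  if (!record) return category === 'necessary'; // no decision yet: strictly necessary only
  return record.choices[category] === true;
}

// Keep only the tags the stored decision permits.
function filterTags(tags, record) {
  return tags.filter(t => isAllowed(record, t.category));
}

// Restore a stored record; reject it if it predates the current notice (re-ask the user).
function loadRecord(json) {
  try {
    const r = JSON.parse(json);
    return r && r.policyVersion === POLICY_VERSION ? r : null;
  } catch {
    return null;
  }
}

// Browser glue (skipped when there is no DOM): inject only the permitted tags.
function applyConsent(tags, record, doc = typeof document !== 'undefined' ? document : null) {
  const allowed = filterTags(tags, record);
  if (doc) for (const t of allowed) { const s = doc.createElement('script'); s.src = t.src; doc.head.appendChild(s); }
  return allowed.map(t => t.src);
}

// Constructed tag inventory for the demo.
const SITE_TAGS = [
  { src: '/js/session.js', category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'advertising' },
];
```

The record returned by `buildConsentRecord` is what you would persist server-side (or in a first-party cookie) so that a regulator can be shown how and when each consent was given.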

3. Choose your cookie-consent build tool.

Fortunately, there are free cookie consent tools — as well as DIY open-source cookie consent resources — to help organizations customize and build compliant cookie notices. Many are even specific to each country’s cookie law, and several include paid resources to help modify your site if a user opts out or declines cookies.

While a paid version is similar to a free open-source version of the cookie consent pop-up, paid versions provide more features than free open-source options. 

The paid version by Osano, for example, automatically handles geolocation and language detection so visitors see the appropriate type of consent dialog (in their respective language, no less). The paid version also tracks every consent, helping companies with their cookie consent record-keeping.

While the GDPR and other privacy laws will ultimately benefit us all by promoting transparency, organizations must leverage the tools available to help them comply with these complex, sometimes confusing regulations.

We’re here to help. Get your organization up-to-speed and compliant with Osano’s cookie consent management software.