Data Privacy and Security: What’s the Difference?
Information has always been a form of currency in society—from buying...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: March 3, 2024
Published: December 21, 2023
The General Data Protection Regulation (GDPR) has brought significant changes to how companies handle personal data—and cookies are easily one of the largest sources of personal information for businesses. Find out all about the essentials of the GDPR and cookies, how the GDPR treats cookie consent, and how you can get compliant here.
The GDPR, which stands for General Data Protection Regulation, is a comprehensive set of regulations implemented by the European Union (EU) to protect the privacy and personal data of EU citizens. It was introduced on May 25, 2018, replacing the Data Protection Directive of 1995. The primary goal of the GDPR is to give individuals more control over their personal data and ensure that organizations handle it responsibly.
Under the GDPR, personal data refers to any information that can directly or indirectly identify an individual, such as names, addresses, email addresses, and even IP addresses. The regulations apply to both data controllers, who determine the purposes and means of processing personal data, and data processors, who process personal data on behalf of the data controllers.
One major way in which businesses acquire personal information is through the use of cookies. Thus, businesses subject to the GDPR must adhere to certain requirements when using cookies, including securing cookie consent.
Failing to comply with the GDPR’s cookie consent requirements (or any of its other requirements) can result in severe consequences, such as hefty fines and reputational damage. The fines can be as high as 4% of the organization's annual global turnover or €20 million, whichever is higher.
Cookies are small text files stored on a consumer’s device that allow websites to remember information about the consumer. While they are essential for certain website functionality (like remembering what items you added to your cart on an eCommerce site), they can also raise privacy concerns (like tracking which websites you’ve visited to infer characteristics about you).
Cookie consent refers to obtaining clear and informed consent from website visitors for the use of cookies that collect their personal data. Under GDPR, websites must inform visitors about the types of cookies used, their purposes, and obtain their consent before any cookies are set or read on their devices.
When it comes to cookie consent, it is essential to understand the different types of cookies that websites may use. Broadly, there are four categories that cookies fall into:
Under the GDPR, businesses must provide their website visitors with granular choices on which of these cookie categories they wish to opt into. For example, a visitor might be okay with analytics and personalization cookies but not marketing cookies.
Before we can dive into the essentials of GDPR cookie consent, we need to understand the essentials of the GDPR.
The GDPR is built upon several key principles, which serve as the foundation for its various requirements, including cookie consent. These principles include:
By adhering to these principles, organizations can ensure that they are handling personal data in a responsible and ethical manner, respecting the rights and privacy of individuals. When applied to cookie consent, a clear framework emerges. Let’s dive in.
The GDPR imposes strict requirements on how organizations collect, process, and store personal data obtained through cookies. How do the seven principles outlined above apply to cookie consent under the GDPR?
The principle of lawfulness, fairness, and transparency is probably the most significant factor in cookie consent. The GDPR requires businesses to establish certain lawful bases before data processing—one of which is the data subject’s consent. For that consent to be valid, it must also be fair and transparent, meaning that data subjects need to be given information about what will happen to their data and their rights and they must be given a free choice to opt in. Additionally, opting out must be as easy as it was to opt in.
Businesses aren’t allowed to collect more information via cookies than what they need for a specific purpose, and they can’t reuse information for a second purpose beyond what was disclosed to the data subject. After that purpose has been met, the data should be destroyed or de-identified. That accounts for the purpose limitation, data minimization, and storage limitation principles.
If they do collect information via cookies, businesses should ensure that it is accurate. If a data subject requests that the business updates their personal information, they are obligated to comply.
The last principle is accountability. Organizations must maintain records of visitor consents and be able to demonstrate compliance with the regulation in case of an audit or investigation. This includes keeping track of when and how consent was obtained, as well as providing mechanisms for visitors to easily manage their cookie preferences.
Compliance with GDPR and cookie consent involves implementing several measures to protect consumer privacy and uphold data protection principles:
That’s what your GDPR cookie consent solution needs to include—how do you actually implement it?
If you choose to pursue a homegrown approach to implementing a cookie consent solution, you’ll be in for a difficult time.
You’ll have to discover, categorize, and document all of the cookies on your website.
Then, you’ll need to integrate your solution with your website’s codebase or tag manager and manually define what needs to happen with each cookie and when. Remember—visitors get to say no to all but necessary cookies, yes to all cookies, or yes to some cookies but no to others. Cookies must fire or not fire the moment they make the corresponding choice.
You’ll also need to develop a cookie consent banner for each EU member state, with compliant language in every language that a visitor might use. These will need to be maintained on an ongoing basis.
You’ll need a secure way to record visitor consent choices and a means of giving visitors the choice to change their cookie consent choices in the future.
Essentially, you’d have to spin up a whole team dedicated to managing cookie consent.
Fortunately, there are vendors who already provide cookie consent management solutions, like Osano. Osano Cookie Consent takes one line of JavaScript to set up on your website and directly addresses the major challenges associated with consent management. It:
But there can be a degree of comfort in handling compliance yourself—it can be difficult to trust a vendor with something as important as GDPR compliance after all. That’s why we offer the industry’s only “No Fines. No Penalties.” pledge, which covers the costs of any fines that result from the use of our platform.
There are other consent management platforms (CMPs) out there too, and it only makes sense to shop around for the right platform for your business. If you’re still evaluating ways to manage GDPR cookie consent, check out our CMP scorecard. It gives you a way to track your product evaluation and provides you with essential guidance on how to identify a worthwhile tool before making a commitment.
Use this free template to track and inform your evaluation of different consent management platforms (CMPs)!
Download Now
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.