Cookie Consent Requirements: Everything You Need to Know
With the shift to “privacy by design,” businesses now must address the privacy of their consumers immediately and not as an afterthought.
Cookies play a vital role in this, so companies now must pay particular attention to different cookie consent requirements.
What are they? That’s what we’ll discuss in this article.
- Many data privacy laws require cookie consent, including the GDPR and CCPA.
- Cookie consent builds trust with consumers, which can provide a competitive edge.
- Cookie consent is obtained via a cookie consent banner.
- Strictly necessary cookies are the only cookies always exempt from cookie consent requirements.
Why is Cookie Consent Needed?
Cookies have been widely used on the Internet for a long time now.
And that is little surprise, as they have proven very useful for tracking a user’s online activities and personally identifiable information (PII).
It’s incredible how much information about the user you can get in just 4096 bytes.
But, at the same time, someone can easily misuse this information.
Many countries have implemented cookie consent into their data privacy laws to ensure users’ data stays safe as they browse the Internet and visit their favorite websites.
Why Do You Need Cookie Consent?
There are several reasons to include cookie consent. Here are a few of them:
Obtaining explicit consent from your users is a legal requirement under many data privacy laws, including the GDPR in the European Union and the CPRA in California, USA. Failing to abide by these legal frameworks can bring harsh penalties, such as fines.
If for no other reason, you at least need to include cookie consent to observe these regulations.
Better User Experience
Users want to interact with your website in their way.
Some don’t want to be tracked by advertisers and will limit trackers, while others want a more personalized experience and will allow all cookies.
You need to make it possible for them to tailor their experience with your website as they wish.
Being transparent about the types of cookies you use, the data you collect from consumers, and the purpose of that data helps them make more informed decisions.
This way, you promote and build trust between you and your users, so everyone has something to gain.
Protecting User Privacy
Cookies are a small but powerful tool in one’s arsenal.
They contain invaluable information about the user, including their preferences, how they behave online, their online activities, and even their personal information.
But it’s easy to misuse this power.
So, by providing cookie consent, you can empower your users to control their sensitive data.
Different Types of Cookies & Their Requirements
You’ve likely seen a cookie banner many times when visiting websites on the Internet.
This banner enables users to allow cookies, decline them, or select which types to allow and which to decline.
Not all cookies require consent, however.
The types of cookies that are “always on” are so-called “essential cookies” or “strictly necessary cookies.” These are necessary for the website to function correctly and provide an online service for its visitors.
On the other hand, the following types of cookies do require consent:
- Functional cookies: These cookies provide basic features such as helping maintain the user’s session and remembering their preferences or language selection.
- Analytics and performance cookies: These cookies tell you how your visitors use your website, for instance how often they visit certain pages, how much time they spend on them, and more.
- Targeting and advertising cookies: Probably the most notorious of all cookies, targeting and advertising cookies follow users across different websites and build profiles of their browsing behavior and interests, which advertisers then use to display personalized ads. These cookies require explicit consent.
- Social media cookies: Finally, if you have ever wondered how you can share a page to a social network directly from a website, it’s because of social media cookies.
Note that you might also see these cookies under different names, such as Preferences, Statistics, Marketing, and others.
So how can a user give or refuse consent via a cookie banner?
Giving the user that choice is what “being transparent” means in practice, and it is extremely important for building user trust.
Usually, a GDPR-compliant cookie banner will give you three options:
- Use strictly necessary cookies only: By selecting this option, the visitor allows only Necessary cookies while declining the other three types: Preferences, Statistics, and Marketing. Again, strictly necessary (essential) cookies are required to make the website run properly.
- Allow selection: The user selects this option after checking the box(es) next to the cookie types they want to allow. For example, they might allow Preferences cookies but not Marketing cookies if they don’t want personalized ads.
- Allow all cookies: Finally, the user can also give their consent for all cookies by selecting the Allow all cookies button.
Cookie Consent Requirements for GDPR
So what does the EU’s GDPR say about cookie consent requirements?
Cookies are specifically mentioned only in GDPR Recital 30 (Online identifiers for profiling and identification), which says:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers, or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Several GDPR articles nonetheless govern how consent to cookies must be obtained. In particular, these include:
- Article 4(11) Information to be provided where personal data are collected from the data subject
- Article 5 Principles relating to processing of personal data
- Article 6(1)(a) Lawfulness of processing
- Article 7 Conditions for consent
- Article 13 (1)(c) Information to be provided where personal data are collected from the data subject
- Article 21 Right to object
We recommend you take a look at some of these after completing this article.
The “Cookie Law”
An EU regulation more directly concerned with cookies than the GDPR itself is the ePrivacy Directive, or EPD.
The EPD, colloquially known as the “cookie law” because it was chiefly responsible for the spread of cookie consent pop-ups, was passed in 2002 and later amended in 2009.
The EPD deals with electronic communication, including user data confidentiality, tracking, and monitoring.
The EPD distinguishes between two categories of cookies upon which cookie consent requirements depend:
- Strictly necessary cookies: These are necessary for the core functioning of the website and are not subject to user consent. These are used for security, authentication, and some other essential tasks.
- Non-essential cookies: Without these, the website can function just fine. Their purpose instead is to obtain data about the user, including personal information. As such, they are subject to consent. These include advertising, preferences, tracking, social media, analytics, etc.
The ePrivacy Regulation is set to replace the ePrivacy Directive and to align it more closely with the GDPR.
Cookie Consent Requirements for CCPA
Unlike the ePrivacy Directive and the GDPR, the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), do not have specific cookie consent requirements.
However, the CCPA/CPRA has a few things to say about data collection and processing relating to cookies.
First, one of the key provisions of the CCPA/CPRA is the right to disclosure, under which the business must divulge what types of data it collects and sells, who it sells them to, and the specific pieces of personal data it collects and sells, along with the purposes.
Another key provision, the right to opt out, obligates businesses to offer consumers an option to opt out of the collection and sale of their personal information. This is done by providing a clear and prominent Do Not Sell My Information link on the website.
How to Implement Cookie Consent?
Here are some general steps you can follow to implement cookie consent. Keep in mind that these will differ depending on the specific regulation and the website itself:
- Familiarize yourself with the applicable rules and the law.
- Perform a cookie audit and identify which types of cookies you use on your website, including their purpose.
- Provide a clear cookie notice or policy that the users can easily access and inform them about cookie types, their purpose, the data they collect, and any third parties.
- Display a cookie consent banner for first-time visitors to your site. The banner should provide clear information about cookie use and offer an easy way for the user to manage their cookie preferences. It can be built with a plugin or written as custom code.
- Obtain non-essential cookie consent for analytics, marketing, social media, preferences, and similar cookies through checkboxes, on/off toggles, or a similar mechanism.
- Demonstrate your compliance by documenting the consent date and time, specific cookie preferences, and the consent version, and maintain these records.
- Finally, stay up to date with the regulations and industry best practices regarding the use of web cookies.
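The steps above, reduced to the core logic a custom banner needs, as an added example that is not from the original article: non-essential scripts stay blocked until the user affirmatively opts in per category, and each decision is stored as a consent record carrying the date and time, the category choices, and the policy version, so a policy change makes the banner reappear. The cookie name, the version string, and the script registry are assumptions; wiring the banner buttons to `document.cookie` is left out so the logic runs on its own.

```javascript
// Added example, not the article's or any vendor's code. Category names follow the article
// (Necessary, Preferences, Statistics, Marketing); cookie name and version are assumptions.
const CONSENT_COOKIE = 'cc_consent';   // assumed cookie name for the consent preferences cookie
const CONSENT_VERSION = '2024-01';     // assumed policy version; change it when the cookie policy changes
const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];

// Build the record to store and keep as evidence: timestamp, per-category choice, policy version.
// Strictly necessary is always on; every other category is off unless affirmatively chosen (no implied consent).
function buildConsentRecord(choices, now = new Date()) {
  const record = { version: CONSENT_VERSION, timestamp: now.toISOString(), categories: {} };
  for (const c of CATEGORIES) {
    record.categories[c] = c === 'necessary' ? true : choices[c] === true;
  }
  return record;
}

// Serialize the record as the value a banner would assign to document.cookie.
// The cookie carries no personal data, only the choices, so it is itself a consent-preferences cookie.
function consentCookieString(record, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Parse a document.cookie string. Returns null when no valid consent for the current policy
// version exists (first visit, malformed value, or version changed), which means: show the banner again.
function readConsent(cookieHeader) {
  const pair = cookieHeader.split(';').map(s => s.trim()).find(s => s.startsWith(CONSENT_COOKIE + '='));
  if (!pair) return null;
  try {
    const record = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    const valid = record && typeof record.categories === 'object' && record.version === CONSENT_VERSION;
    return valid ? record : null;
  } catch (e) {
    return null; // unparsable cookie is treated as no consent
  }
}

// Constructed registry of script tags and the cookie category each one belongs to.
const SCRIPT_REGISTRY = {
  'session-keepalive.js': 'necessary',
  'analytics.js': 'statistics',
  'ad-pixel.js': 'marketing',
  'lang-pref.js': 'preferences',
};

// Decide which scripts may load: necessary ones always, the rest only with a recorded opt-in.
function allowedScripts(record) {
  return Object.entries(SCRIPT_REGISTRY)
    .filter(([, category]) => category === 'necessary' || (record !== null && record.categories[category] === true))
    .map(([src]) => src);
}
```

In a real banner the accept/select/reject buttons call buildConsentRecord with the checkbox states, assign consentCookieString to document.cookie, and only then inject the scripts returned by allowedScripts.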
Exemptions to Cookie Consent
Certain types of cookies are always or sometimes exempt from cookie consent requirements. Here’s a list of them:
Strictly Necessary Cookies
We already mentioned that strictly necessary or essential cookies are always exempt from cookie consent.
That’s why, if you’re a user and want to manage your cookies, you can’t uncheck the box next to these types of cookies.
These cookies are needed for the core functionality of the website. With them, the user experience is maintained, and the website works as intended (or at all).
Besides these cookies, other types can also be exempt, depending on the specific law:
User Preferences Cookies
These cookies may be excluded from cookie consent as long as they are not used for tracking or processing personal data above the necessary scope.
These include the following:
- Language preferences cookies: Once set, these remember the language the user selected and automatically load that language the next time they visit the website.
- Location preferences cookies: For websites that provide localized content (like local news and events or geo-targeted content), these remember the user’s preferred region or location.
- Font size preferences cookies: These let the user select the font size they want to use on your website and are especially useful for those with visual impairments.
- Captcha cookies: Certain situations, like form submissions or preventing spam comments, require captchas. You don’t want to repeat the prompt within the same session, though, so captcha cookies remember that the user has already passed the challenge.
- Notification preferences cookies: If your website uses a notification system, such as alerts or reminders, these cookies remember which types of notification the user set up.
- Communication preferences cookies: Similarly, these remember whether the user opted in or out of communications such as email newsletters.
- Consent preferences cookies: Most important for our topic, without these cookies users would need to reconfirm their cookie preferences every time they visit a website (and that would be annoying as hell).
Analytics Cookies (with Anonymized and Aggregated Data)
When set up to gather and process data in an anonymized and aggregate format, these cookies are exempt from cookie consent requirements.
Such data can’t be traced back to its owner (the consumer) and poses much less privacy risk to them.
Anonymized data is data stripped of PII and of anything else that can directly identify a person.
Aggregate data, on the other hand, consists of combined data points that give a cursory, non-specific view of the data.
Security Cookies
Another type that may not require user consent is security cookies.
These cookies are essential for the security of both the website and the network.
For the visitor, security cookies help keep their online experience safe by:
- Securing their data while they’re on the website
- Protecting the user’s sensitive information and accounts against unauthorized access
- Verifying user activity and preventing suspicious or unusual user behavior
- Preventing session hijacking, where an attacker attempts to take control of the user’s session by stealing their session ID
- Preventing brute-force attacks by, for instance, temporarily locking the account after repeated failed login attempts (usually three or four)
Load Balancing Cookies
These improve website performance, minimize response times, and prevent server overload by distributing user requests evenly across multiple servers.
Load-balancing cookies don’t contain any data that can identify the user; they are used for traffic distribution only.
Cookies have always been important for the business and the consumer.
For the business, cookies provide website functionality such as remembering the user’s login status and preferences, providing a better browsing experience.
They also collect anonymized information about how the user interacts with the website, let the website owner deliver more personalized content based on the visitor’s preferences and browsing history, and play an important role in website security and fraud prevention.
A proper cookie consent setup enhances the user experience, provides transparency, and builds user trust, as users can see how their data is collected, used, and shared and know they have a clear say in it.
Again, implementing cookie consent will vary depending on the specific law, industry standards, or website, so it’s best to consult with legal and data privacy experts like our team at Captain Compliance, who can help you with all you need to know about cookie consent. Get in touch today!
What is Required for Cookie Consent?
Cookie consent generally requires the following elements:
- Clear and easy-to-understand information about the type of cookies used on the website, their specific purposes, and any third parties involved in the processing of collected data
- A mechanism allowing the visitor to freely give consent for cookie use on the website
- Granular control over the different types of cookies that the user wishes to accept or decline
- A clear option to opt out of data collection, including an option to withdraw the user’s cookie consent at any time
Find out more about the importance of cookie consent here.
Is Cookie Consent Mandatory?
Yes, cookie consent is mandatory in many countries and jurisdictions, especially under the GDPR and the e-Privacy Directive.
To understand more about cookies or the different types of GDPR consent, visit our page on GDPR.
What are the GDPR Cookie Notification Requirements?
The GDPR requires all cookie notifications and policies to be:
- In clear and concise language
- Easily accessible to users
- Granular, providing an option to accept or decline individual cookies or categories of cookies
- Able to let the user withdraw consent at any time
- Explicit rather than implied: consent must be obtained through the user’s affirmative action
Learn more about GDPR compliance solutions here.
Are Cookie Consent Banners Required?
Article 7 of the GDPR provides clear guidelines and conditions for obtaining data subject consent, although it doesn’t explicitly mention “cookie banners”.
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
On the other hand, CCPA/CPRA doesn’t mention cookie banners either. However, it highlights the importance of providing clear and transparent information to consumers about the collection and use of their personal information.
Here are the main differences between CCPA vs GDPR.
Does the GDPR Require a Cookie Banner?
The General Data Protection Regulation never specifically mentions cookie banners, but Article 7 outlines clear conditions for obtaining user consent, and cookie banners fall under those conditions.