As online privacy becomes increasingly relevant, data protection authorities have established cookie laws to promote data privacy.
To protect users’ personal data, website owners need to comply with these cookie laws.
But what exactly is cookie consent, and why is it important? In this article we discuss what cookie consent is, what website owners are obligated to do for cookie compliance, and more.
What Is Cookie Consent?
Cookies are placed on a user’s computer to collect information that can be considered personal data.
Because these data are personally identifiable, websites must obtain cookie consent from users to inform them what information will be collected and for what reason.
Services like Google Analytics and Shopify plant cookies on websites to collect personal data from users for statistical, targeting, and marketing purposes.
Cookie consent is a legal requirement under the EU’s General Data Protection Regulation (GDPR) and other international data privacy laws.
GDPR Cookie Consent
The GDPR is the most comprehensive data privacy law to date.
It is a legally binding data privacy regulation that applies to businesses around the world that intend to collect data from EU citizens.
Cookies are mentioned directly in Recital 30:
Natural persons may be associated with online identifiers provided by their devices… such as… cookie identifiers or other identifiers such as radio frequency identification tags.
Under the GDPR, cookie consent must be freely given, informed, specific, and unambiguous.
Countries that are part of the EU have aligned their data privacy laws to comply with the GDPR.
The UK has also updated its Privacy and Electronic Communications Regulations.
The ePrivacy Directive or Cookie Law is the precursor to the GDPR.
It states that website owners must legally obtain explicit consent from users before non-necessary cookies can be activated.
The Cookie Law encompasses other forms of technology that access users’ personal data, such as tracking pixels and unique identifiers.
Under this directive, cookie consents must have all the relevant information about:
- The cookies used by a website (or third-party services used by the website)
- How cookies work
- How the website will use them
Cookie consent can be asked in the form of a cookie notice or a cookie consent banner.
Pre-ticked cookie consent banners or implied consent (via scrolling) are NOT compliant with GDPR cookie consent regulations.
Does My Website Need Cookie Consent?
The need for cookie consent depends on where the website is based and where the website visitors are from.
There are different data protection laws in different countries.
The GDPR protects the personal data of EU citizens. In the US, the California Consumer Privacy Act (CCPA) applies to residents of California.
Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) and South Africa’s Protection of Personal Information Act (POPIA) are other data privacy laws that protect their citizens.
Obtaining cookie consent is a KEY requirement in complying with these regulations.
It’s recommended that all website owners abide by cookie consent requirements.
What Kinds of Cookies Need Consent?
According to the GDPR and the ePrivacy Directive, a website is required to give a cookie notice for cookies that are NOT essential to the website’s functionality.
Non-necessary cookies can fit one or multiple categories depending on the purpose, duration, and origin.
Persistent and session cookies need prior cookie consent before being implemented.
Performance or functionality cookies, statistics cookies, and marketing cookies are other non-necessary cookies that require cookie consent.
Although it is not required to show a cookie consent banner for essential cookies, what they do and why they are needed must be explained to users to comply with GDPR cookie consent.
Granular consent management allows users to choose which cookies they accept or reject and how to withdraw consent.
What Happens if I Don’t Have a Cookie Banner?
Although cookie consent is not legally required in the US, non-compliance with GDPR cookie consent requirements poses several risks, such as:
- Loss of access to data
- Loss of public trust
- Damage to reputation
There are two levels of fines based on the severity of the violation.
A lower-level violation can amount to a fine of €10 million or 2% of the organization’s worldwide turnover for the preceding year, whichever is higher.
Some examples of violations that apply to this level include the following:
- Failure to follow the basic privacy protocols.
- Collecting information from children under 16 years old without parental consent.
- Sharing users’ data with other parties without the users’ consent.
- Failure to disclose third-party involvement or hiding them in privacy policies.
A severe violation can amount to €20 million or 4% of the organization’s worldwide turnover for the preceding year, whichever is higher.
Some offenses that are applicable include:
- Processing personal data without obtaining the user’s consent.
- Sharing sensitive personal data of the user with third parties without the user’s consent.
- Non-disclosure of how users can opt out of the cookies.
Violating GDPR cookie consent requirements does NOT necessarily result in fines.
Depending on the offense, the offending party can be issued a warning, temporarily or permanently banned from processing activities, or forced to delete the data collected.
What Should I Do if My Cookies Change?
A website is still required to obtain user cookie consent if there are new cookies or changes to the current cookies being used.
Cookie banners should reflect these changes CLEARLY and EXPLICITLY.
Even if users have already given prior consent, they must be asked again to accept or reject the cookies.
How Often Should I Show the Cookie Banner?
Showing a cookie banner ONCE during a user’s first visit would suffice.
That said, the cookie consent banner should remain accessible to users in a few clicks should they want to change their preferences.
Users who have not given their consent or have only permitted certain cookies should not be presented with a cookie banner again.
This rule generally applies to most scenarios except in the following cases:
- When there are one or more changes to the cookie usage
- When a user deletes cookies, and there is no record of technical cookies on the user’s computer
- When at least six months have passed since the presentation of the cookie banner
What Are Cookies?
In a nutshell, a cookie is a small text file containing data that is stored on a user’s device when they visit a website.
The main purpose of cookies is to personalize user experience.
Cookies collect data like login information, internet protocol addresses (IP), shopping carts, browser history, and other relevant information from users.
It’s an important mechanism for a website owner to improve their website’s functionality.
Cookies are also used for advertising purposes to target website visitors with relevant ads.
Despite cookie consent solutions, some website owners are NOT transparent about how they use the personal data collected.
One of the major concerns when it comes to website cookies is that the collected data can be sold to third-party companies.
Kinds of Cookies
There are different kinds of cookies with different legal requirements.
Regulations on each type depend on several factors, such as what data the cookie collects, what it will be used for, or if it will be shared with third parties.
It’s essential to know the different cookie categories to be able to obtain the proper consent.
Necessary and Non-Necessary Cookies
Necessary and non-necessary cookies are defined based on how integral they are to the website’s core operation.
Also known as essential cookies, necessary cookies are used to protect and maintain the operation of a website.
Without necessary cookies, the website CANNOT function.
Necessary cookies are required for a website’s visitors to access the secure areas of a domain. They don’t collect personal data or online identifiers from users.
An example of a necessary cookie is one that keeps your products in your cart when you’re shopping online.
These cookies allow site owners to comply with security requirements during check-out.
Site owners don’t need to obtain consent for necessary cookies, but they are required to notify visitors that they are using them and for what purpose.
Non-essential cookies refer to any cookies that are not required to maintain a site’s technical performance.
These are cookies that are intended for statistical, social, and advertising purposes.
For example, statistics cookies are used to analyze website visitors’ behavior on a site.
Other non-essential cookies are intended to recognize individual users and tailor their site experience based on the collected data.
Site owners are legally REQUIRED to obtain cookie consent from visitors before tracking them with non-essential cookies.
First-Party and Third-Party Cookies
There is no technical difference between first-party and third-party cookies. Both function the same way and contain the same data.
These two types of cookies differ only in whether the cookie is placed by the site owner or by a third party.
The host domain creates first-party cookies to optimize user experience. They can also be created by computer scripts.
First-party cookies are unique to a website and only work for that particular site. Data privacy laws classify most of them as “essential cookies.”
These cookies contain sensitive information visitors input into the site, such as their personal data and IP addresses.
Only the host domain can store information gathered from these cookies.
Third-party cookies are created by parties other than the host domain itself.
Most third-party cookies are tracking scripts advertising companies create to target visitors with relevant ads.
Third-party cookies are primarily used to:
- Track visitors across different websites
- Direct visitors to websites that sell things they may like
- Serve ads that target visitors’ preferences
Session Cookies and Persistent Cookies
Under the GDPR and the ePrivacy Directive, cookie laws are applicable to both persistent and session cookies.
Session cookies do not retain information about visitors after a session. They are deleted after a session expires or if the browser window is closed.
They are temporary cookies often used to “remember” users within a domain as they navigate between web pages.
Cookies that store information and keep track of users even after a session ends are persistent cookies.
They contain the user’s preferences, information, and settings and are saved on the user’s device.
Persistent cookies save users time during future visits, allowing for a more convenient web experience.
These cookies run across different websites to track users’ online behavior.
Cookie Consent Requirements
The GDPR has instituted certain cookie consent requirements that web owners must follow to ensure compliance.
Below are the general cookie consent requirements for websites:
- Explicit consent must be obtained from users before any cookies (except necessary cookies) can be used.
- Cookie consent can be in the form of a cookie consent banner.
- The cookie consent banner should list what cookies will be used, for what purpose, and who will have access to the information gathered by cookies.
- The cookie consent banner should apply the granular consent principle: users have the right to consent to and opt out of certain cookie categories.
- Users’ consent must be freely given. Obtaining consent from users shouldn’t be forced in any way.
- Users have the right to withdraw consent from the website regardless of any prior consent.
- All explicit and implicit consent should be safely stored in the website’s database and classified as sensitive legal documents.
- Cookie consent must be renewed every year by prompting users again.
Displaying cookie walls that prevent users from accessing web content until they accept cookies is in violation of the GDPR.
The GDPR also requires that organizations prove that users consented to have their data processed through an audit trail.
An effective way to ensure cookie consent compliance is by using a cookie consent solution.
Certain sites also support cookie policies through the use of plugins.
For WordPress site owners, several cookie consent plugins are available, making it easier to create GDPR-compliant cookie policies.
Are There Exemptions to the Consent Requirement?
Necessary cookies are the only exception to the need for prior consent.
They are cookies that are essential to the functioning of the website, without which it would not work properly.
Frequently Asked Questions
Below are commonly asked questions about cookie consent:
Can You Block Cookies From Being Collected Before Consent?
Yes, you can block cookies from being collected before users can give informed consent.
There are different ways you can do this.
If you’re a backend developer yourself or have qualified personnel, you can code a script that blocks cookies from being placed before users can provide consent.
This script should then be embedded into the source code of your website.
Another method is applying a consent management platform.
Cookie consent managers automate cookie collection and prevent cookies from being set before a user clicks the consent button.
Is Cookie Consent Required in the US?
There is NO federal law in the US that states cookie consent as a legal requirement for websites.
That said, certain states have laws that regulate cookie usage related to their residents, such as the California Consumer Privacy Act (CCPA).
TRIVIA: The CCPA will be superseded by the California Privacy Rights Act (CPRA) effective on January 1, 2023, which expands consumers’ rights and the types of data that are protected.
The CCPA applies to all businesses that collect personal data from California residents.
The only federal law that works similarly to cookie rules is the Children’s Online Privacy Protection Act (COPPA).
COPPA regulates websites and online services that target children below 13 years old.
Any website for children that uses cookie identifiers must obtain consent from parents or legal guardians.
Does the Cookie Law Also Cover Anything Outside of Cookies?
Broadly speaking, the Cookie Law applies to cookies and similar technologies that access, store, and retrieve information from a user’s device.
These include device fingerprints, tracking pixels, and unique identifiers, collectively referred to as trackers.
How to Revoke Cookie Consent?
According to GDPR cookie consent requirements, it should be as easy for users to withdraw consent as it is to give it.
A cookie banner is required to allow acceptance and withdrawal of consent.
The webpage should have a button for users to “revisit” the cookie consent banner. It will make the banner reappear.
Once visible, an option should be clearly displayed that allows users to withdraw their consent.
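The consent-gating script described under “Can You Block Cookies From Being Collected Before Consent?” and the withdrawal flow described above can be built from one small consent gate. The JavaScript below is an added example, not code from the article or from any consent management product; the policy version, the six-month age limit, the category names and the helper names are assumptions.

```javascript
// Added example (not the article's code): non-essential script loaders run only
// after granular consent; the banner is needed again when the saved consent is
// for an older cookie policy or older than MAX_AGE_DAYS; withdrawal is supported.
const POLICY_VERSION = 2;   // assumed: the site owner bumps this when cookie usage changes
const MAX_AGE_DAYS = 180;   // assumed: re-prompt after six months (the article's figure)
const NON_ESSENTIAL = ['statistics', 'marketing'];   // "necessary" needs no consent
class ConsentManager {
  // record: previously saved consent (e.g. parsed from localStorage); now: injectable clock
  constructor(record = null, now = () => Date.now()) {
    this.now = now;
    this.loaders = Object.fromEntries(NON_ESSENTIAL.map(c => [c, []]));
    this.loaded = new Set();
    this.record = this.isCurrent(record) ? record : null;
  }
  // A saved record only counts for the current policy version and within the age limit.
  isCurrent(r) {
    if (!r || r.version !== POLICY_VERSION) return false;
    return (this.now() - r.timestamp) / 86400000 <= MAX_AGE_DAYS;
  }
  needsBanner() { return this.record === null; }
  allowed(category) {
    return this.record !== null && this.record.categories.includes(category);
  }
  // Tag code calls this instead of injecting its <script> tag directly.
  register(category, loader) {
    if (!(category in this.loaders)) throw new Error('unknown category: ' + category);
    this.loaders[category].push(loader);
    this.runAllowed();
  }
  // The user's banner choice; returns the record to persist as the audit trail.
  grant(categories) {
    const chosen = categories.filter(c => NON_ESSENTIAL.includes(c));
    this.record = { version: POLICY_VERSION, timestamp: this.now(), categories: chosen };
    this.runAllowed();
    return this.record;
  }
  // Withdrawal from the "revisit" button: nothing further loads. Already-running
  // scripts cannot be unloaded, so also expire their cookies and reload the page.
  withdraw() { return this.grant([]); }
  runAllowed() {                  // fire each allowed loader exactly once
    for (const cat of NON_ESSENTIAL) {
      if (!this.allowed(cat)) continue;
      this.loaders[cat].forEach((fn, i) => {
        if (!this.loaded.has(cat + i)) { this.loaded.add(cat + i); fn(); }
      });
    }
  }
}
// Value to assign to document.cookie to delete one non-essential cookie.
function expireCookieString(name) { return name + '=; Max-Age=0; Path=/; SameSite=Lax'; }
```

The record returned by grant() is what the site stores as its proof of consent; a withdrawal is recorded the same way with an empty category list, so the user is not shown the banner again.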
For website owners, cookie consent is an essential privacy practice that assures users that their data is safe and secure.
The GDPR, CCPA, and other data privacy laws ultimately aim to protect users’ personal information.
These regulations will continue to evolve as new technologies and cookies themselves evolve.
It is the responsibility of site owners to properly inform users about the cookies they use, both to maintain trust and to remain compliant with these regulations.