In today’s digital world, data is currency. Businesses use the personal information of data subjects as a resource to provide the best services and promote their products. Under GDPR, the consent of users to the use of their personal and sensitive information is a major factor that draws the line between compliance and non-compliance. On websites, especially SaaS portals, this consent is most often requested for cookies. This is why websites usually ask new visitors for cookie consent.
In this article, we look at the rules and requirements that GDPR imposes on cookie consent.
What is a cookie?
A cookie is a small file that a website stores on a user’s device. Its primary purpose is to track the user’s activity across the website, which lets the site notify the user of products, services, and information similar to what they originally searched for, and send them personalized ads about the products and services they showed interest in. Cookies are intended to optimize and personalize the user experience. Some cookies go a step further, tip-toeing around the line of ethics by tracking the user’s location. The concept of cookies and their ethics is therefore far from simple.
What is cookie consent?
A cookie is a means of collecting PII, which is why consent is required. Under GDPR, consent must be obtained from the data subject before any cookies are set for them. Cookie consent is a crisp and informative request from the website a user is visiting, asking the user for permission to access their activity on the website. Under GDPR, the cookie consent banner must include the following information:
- Why the website needs to store cookies.
- Which cookies the website wants to use.
- How users can decline the cookie consent request.
How does cookie consent work?
Cookies are generally small files that websites place on users’ devices to track their activity on the site. Some cookies also track browsing activity, location, purchase history, device information, and more. They can be used to identify website users, build profiles of them, acquire their information, and share it with several third-party vendors. This has led to growing concern about users’ data privacy.
That is why cookie data is also considered sensitive data under GDPR. The cookie consent request should be specific and unambiguous, and it should inform users of everything they are agreeing to. Cookie consent requests are usually presented as banners, pop-ups, or clickwraps.
Two types of consent regimes
To lawfully acquire and process users’ data, users are asked for their consent. Globally, privacy regulations and their consent models fall into two categories.
Opt-in consent
In an opt-in consent model, the request is made before any action is taken with the data. That means that before any acquisition, processing, or sharing of data takes place, the data subject must have accepted the request for it. GDPR is a prominent example of legislation that requires organizations to obtain opt-in consent from their users.
Opt-out consent
In an opt-out consent model, by contrast, the data subject’s prior permission is not required for the desired action on the user’s data. That means that acquisition, processing, and sharing of the data can take place from the start, but the user can choose to opt out of it at any time. CCPA is a prominent example of legislation that requires organizations to provide a “Don’t sell my data” button so that users can opt out of any data activity.
GDPR compliance requirements for cookies
GDPR compliance without hurting the business is possible, and cookie consent is a big part of that. Here we list the main GDPR requirements for the cookie consent request shown to users.
- Know which cookies your site uses and which categories they belong to.
- Non-essential cookies must only be used after users have consented to them.
- Ensure users are aware of both your cookie policy and your privacy policy. The language of both these policies should be clear and concise.
- Respect the preferences and consent of users.
- Enable the data subjects to give clear and explicit consent to the use of cookies.
- Allow users to change their cookie preferences or withdraw consent completely at any time.
- Maintain retrievable logs and records of users’ consent preferences.
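The list above maps directly onto a small consent gate in the browser: non-essential cookies are blocked until the user opts in, the user can withdraw at any time, and every decision is logged with a timestamp and policy version. The following is an added example, not code from the article or from Scrut; it assumes three constructed cookie categories (essential, analytics, marketing) and takes an injectable cookie store so it runs offline with a plain Map (a browser deployment would pass a wrapper around document.cookie instead).

```javascript
// Constructed categories; "essential" cookies need no consent under the opt-in model.
const CATEGORIES = ['essential', 'analytics', 'marketing'];

class ConsentManager {
  // store: anything with set(name, value) / delete(name) / has(name).
  // A Map is used here; a document.cookie wrapper would be used in a browser.
  constructor(store, policyVersion) {
    this.store = store;
    this.policyVersion = policyVersion;   // which cookie/privacy policy text was consented to
    this.granted = new Set(['essential']); // default: only essential cookies are allowed
    this.log = [];                         // retrievable record of every consent decision
    this.registry = new Map();             // cookie name -> category
  }

  // Every cookie the site uses must be declared with its category (requirement 1).
  register(name, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.registry.set(name, category);
  }

  // Opt-in: only the categories the user explicitly chose are granted; the rest stay denied.
  update(choices) {
    this.granted = new Set(['essential']);
    for (const c of choices) {
      if (CATEGORIES.includes(c) && c !== 'essential') this.granted.add(c);
    }
    this.log.push({ at: new Date().toISOString(), version: this.policyVersion, granted: [...this.granted] });
    // Withdrawal must take effect immediately: delete cookies whose category is no longer granted.
    for (const [name, cat] of this.registry) {
      if (!this.granted.has(cat)) this.store.delete(name);
    }
  }

  withdrawAll() { this.update([]); }

  // Gate: a non-essential cookie is only written once its category has been consented to.
  setCookie(name, value) {
    const cat = this.registry.get(name);
    if (cat === undefined) throw new Error(`unregistered cookie: ${name}`); // default deny
    if (!this.granted.has(cat)) return false;
    this.store.set(name, value);
    return true;
  }
}

// Constructed walkthrough: essential cookie allowed, analytics blocked until opt-in, then withdrawn.
function demo() {
  const store = new Map();
  const cm = new ConsentManager(store, 'cookie-policy-v1');
  cm.register('session_id', 'essential');
  cm.register('_analytics_id', 'analytics');
  const before = [cm.setCookie('session_id', 'abc'), cm.setCookie('_analytics_id', 'x1')];
  cm.update(['analytics']);
  const after = cm.setCookie('_analytics_id', 'x1');
  cm.withdrawAll();
  return { before, after, analyticsPresent: store.has('_analytics_id'), logEntries: cm.log.length };
}
```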
Get GDPR compliant with Scrut Automation
Scrut Automation is an innovative and radically simple governance, risk, and compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce their manual effort in continuously maintaining compliance with SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, and CCPA by about 70%. Schedule your demo today to see how it works.