GDPR Requirements for Cookie Consent Compliance
Learn more about the Clarip cookie management software module.
Although the GDPR rarely mentions cookies by name, it updated EU privacy law for the personal data of identified or identifiable natural persons (referred to as data subjects). In doing so, the GDPR extends additional protections to website visitors whenever the cookies a site sets are used to collect and process the kinds of personal data the GDPR protects.
Cookies are therefore considered personal data when they permit the identification of an individual via their device. Recital 30 of the GDPR specifically mentions cookies, stating that “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as … cookie identifiers … This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
How will the GDPR change Cookie Consent?
Express Consent: Implied consent will not be enough. There must be a clear affirmative action or opt-in combined with the necessary level of transparency to permit the data collection and usage.
Easy Withdrawal of Consent: Under GDPR Article 7, it must be as easy to withdraw consent as it is to give it. If consent can be obtained on any webpage, website operators will need to provide a similarly easy way to withdraw cookie consent.
Record-Keeping: It will not be enough to assume that visitors gave their consent because they proceeded past the cookie banner. Organizations will need a system that records each consent, so that they can meet the GDPR’s accountability principle and produce an audit trail of consent for the supervisory authority if it inquires whether they have a valid justification for processing.
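The three requirements above map directly onto behaviour a consent layer has to enforce. The following is an added illustration, not Clarip’s code: a minimal consent manager that only grants consent on an explicit call, makes withdrawal a single mirror-image call that also deletes the cookies already placed, and appends every decision to an audit log with a timestamp and policy version. It is written against an injectable cookie jar so it runs in Node; in a browser the jar would wrap `document.cookie`. The category names, cookie names and policy version are assumptions for illustration.

```javascript
// Added example (not Clarip's or any vendor's code). Models express opt-in,
// easy withdrawal and consent record-keeping against an injectable cookie jar.

class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
  names() { return [...this.store.keys()].sort(); }
}

class ConsentManager {
  constructor(jar, policyVersion, clock = () => new Date().toISOString()) {
    this.jar = jar;
    this.policyVersion = policyVersion;   // which notice the visitor saw
    this.clock = clock;                   // injectable for deterministic records
    this.granted = new Set();             // categories the visitor opted in to
    this.placed = new Map();              // cookie name -> category, for withdrawal
    this.auditLog = [];                   // append-only evidence of every decision
  }

  // Express consent: the only way to grant is an explicit call naming the
  // categories. Scrolling past or closing the banner never calls this.
  grant(categories, source) {
    categories.forEach((c) => this.granted.add(c));
    this.record("grant", categories, source);
  }

  // Withdrawal mirrors grant(): same shape, one call, and it also removes the
  // cookies already placed under the withdrawn categories.
  withdraw(categories, source) {
    categories.forEach((c) => this.granted.delete(c));
    for (const [name, category] of this.placed) {
      if (categories.includes(category)) {
        this.jar.delete(name);
        this.placed.delete(name);
      }
    }
    this.record("withdraw", categories, source);
  }

  // Gate every non-essential cookie on current consent. Returns whether it was set.
  setCookie(name, value, category) {
    if (category !== "necessary" && !this.granted.has(category)) return false;
    this.jar.set(name, value);
    this.placed.set(name, category);
    return true;
  }

  record(action, categories, source) {
    this.auditLog.push({
      action,
      categories: [...categories],
      source,                             // e.g. "banner" or "preferences-page"
      policyVersion: this.policyVersion,
      timestamp: this.clock(),
    });
  }
}

// Walk through one visit: only the necessary cookie lands before opt-in, the
// analytics cookie lands after, and withdrawal removes it again.
function demoVisit() {
  const jar = new CookieJar();
  let tick = 0;
  const cm = new ConsentManager(jar, "cookie-policy-v3", () => `t${++tick}`);

  cm.setCookie("session_id", "abc", "necessary");
  const beforeOptIn = cm.setCookie("_ga_demo", "x", "analytics"); // false

  cm.grant(["analytics"], "banner");
  const afterOptIn = cm.setCookie("_ga_demo", "x", "analytics");  // true

  cm.withdraw(["analytics"], "preferences-page");
  return { beforeOptIn, afterOptIn, cookiesNow: jar.names(), audit: cm.auditLog };
}
```

The audit log is what answers an inquiry: each entry says what was granted or withdrawn, from which UI surface, under which version of the notice, and when. Persisting it server-side (keyed to a pseudonymous consent id rather than the visitor’s identity) is the usual next step.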
How will Businesses meet the GDPR Requirements?
The most likely scenario is the adoption of a consent management platform and data subject access rights (DSAR) portal that is built to comply with the GDPR requirements of transparency and accountability. Since many businesses will need to adopt such a system to capture marketing preferences anyway, the software will simply be extended to double as a cookie compliance tool.
Businesses will also need to engage with the other aspects of the GDPR, such as conducting impact assessments to evaluate the effect of their cookies on privacy. Another task for the DPO or another privacy professional (such as an outsourced DPO) will be a cookie audit to confirm that the company’s actual use of cookies complies with the law. Website risk scanners can frequently serve as a cookie scanner to analyse whether a cookie is set without consent and what information that cookie is collecting and using.
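The core check a cookie audit performs is simple to state: load the site with an empty cookie jar and no consent choice made, and list every cookie that arrives anyway. The following is an added example, not Clarip’s scanner: it parses `Set-Cookie` headers captured from such a pre-consent load, compares them against an allowlist of strictly necessary cookies, and reports the facts an auditor wants for each remaining cookie (which host set it, whether it is third-party, and whether it persists). The captured responses, hostnames and allowlist are constructed sample data.

```javascript
// Added example (not Clarip's code): flag cookies set before any consent choice.

// Assumed allowlist of strictly necessary cookies for the audited site.
const NECESSARY = new Set(["session_id", "csrf_token"]);

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Report every cookie set before consent that is not strictly necessary.
// `responses` is a list of { host, setCookie: [...] } captured with an empty jar.
function scanPreConsent(siteHost, responses) {
  const findings = [];
  for (const { host, setCookie } of responses) {
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      if (NECESSARY.has(c.name)) continue;
      findings.push({
        name: c.name,
        setBy: host,
        thirdParty: host !== siteHost && !host.endsWith("." + siteHost),
        persistent: "expires" in c.attrs || "max-age" in c.attrs,
        maxAge: c.attrs["max-age"] ?? null,
      });
    }
  }
  return findings;
}

// Constructed sample: two first-party responses plus one third-party tag
// response, all captured before the visitor made any consent choice.
const SAMPLE_RESPONSES = [
  { host: "www.example.com", setCookie: [
      "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
      "_ga_demo=GA1.2.1; Max-Age=63072000; Path=/",
  ]},
  { host: "tags.adnetwork.example", setCookie: [
      "uid=zzz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.adnetwork.example",
  ]},
];

function demoScan() {
  return scanPreConsent("www.example.com", SAMPLE_RESPONSES);
}
```

In practice the captured headers come from an instrumented browser session rather than a hand-written list, and the allowlist is the output of the cookie audit itself: every cookie the scan reports must either be justified as strictly necessary or moved behind the consent gate.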