
GDPR Requirements for Cookie Consent Compliance

The intersection of the GDPR and the EU Cookie Directive is the source of the rules for cookie consent compliance between the implementation date of the GDPR and the update to the EU ePrivacy Directive. Ultimately, the intersection of these laws will guide websites in their use of cookies, for the benefit of both their visitors and their own purposes, and in when and how consent needs to be obtained.


The EU Cookie Directive provides the current framework for websites seeking to lawfully place and use cookies through a visitor’s browser. It went into effect in 2011 and altered the existing 2002 ePrivacy Directive. There were plans to update the EU’s handling of cookies in tandem with the EU General Data Protection Regulation (GDPR), but the modifications to the ePrivacy Directive are now expected to follow the implementation date of the GDPR by a year or more. They will be called the ePrivacy Regulation and one section will cover cookie consent.

Although the GDPR largely does not refer to cookies, it did update EU privacy law for the personal data of identifiable natural persons (typically referred to as data subjects). In doing so, the GDPR extends additional protections to website visitors when the cookies set are used to collect and use the types of personal data that the GDPR protects.

Cookies will thus be considered personal data when they permit the identification of an individual via their device. Recital 30 of the GDPR specifically mentions cookies, stating that “Natural Persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as … cookie identifiers …. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Websites that use cookies which meet the GDPR threshold will need to meet the higher standard for data collection and processing set by the GDPR. Although operators may be able to rely on some of the other bases for lawful processing, express consent is expected to be the primary mechanism for many to justify their operations.

How will the GDPR change Cookie Consent?

Under the present EU Cookie law, most website operators provide a clear notice about their use of cookies when a visitor lands, link to a page with more information, and obtain implied consent to set the cookie through continued usage of the website. However, for cookies covered by the GDPR and where consent is obtained because the other bases for lawful processing are insufficient, this will not be enough. At the core, they will need to make three changes:

Express Consent: Implied consent will not be enough. There must be a clear affirmative action or opt-in combined with the necessary level of transparency to permit the data collection and usage.

Easy Withdrawal of Consent: It will need to be as easy to withdraw consent as it is to give it according to GDPR Article 7. If consent can be obtained on any webpage, then website operators will need to find a similarly easy manner to provide the ability to withdraw the cookie consent.

Record-Keeping: It will not be enough to assume that visitors gave their consent because they proceeded past the cookie banner. Organizations will need to put a system in place to track their consents to fulfill the requirements of the GDPR’s accountability principle and provide the audit trail of consent to the government in the case of an inquiry into whether they have a valid justification for processing.


How will Businesses meet the GDPR Requirements?

The most likely scenario is the adoption of a consent management platform and data subject access rights (DSAR) portal that is built to comply with the GDPR requirements of transparency and accountability. Since many businesses will need to adopt such a system to capture marketing preferences anyway, the software will simply be extended to double as a cookie compliance tool.

Businesses will also need to engage in the other aspects of GDPR, such as conducting impact assessments to evaluate the scope of the impact of the cookies on privacy. Another task that will fall to the DPO or another privacy professional (such as an outsourced DPO) is conducting a cookie audit to ensure that the company’s usage of cookies in reality complies with the terms of the law. Website risk scanners can frequently be used as a cookie scanner to analyse whether a cookie is set without consent and what information that cookie is collecting and using.
