GDPR and Cookie Consent
Last Updated: April 27, 2020
Defining Cookie Consent Under the GDPR
The General Data Protection Regulation has everyone talking about cookies, consent, and privacy. But there’s an earlier privacy law called the ePrivacy Directive. This law, along with the GDPR, created the situation that website owners are now trying to navigate.
To understand the GDPR, it helps to first understand the overlap of ePrivacy and GDPR as it relates to cookies and consent.
The ePrivacy Directive and the GDPR
The ePrivacy Directive established that storing or retrieving any information from a user’s device is subject to consent. That is, “unless it is technically necessary to enable the intended communication to take place.”
This rule made it necessary for the cookie notification banners that you’ll see on many websites.
But there was a problem.
Since this rule passed as a Directive, each member state had to write it into their national law. Also, while the ePrivacy Directive defined the need for cookie consent, it didn’t define consent.
Because of this, ePrivacy rules and enforcement rolled out in a fragmented way.
Part of the GDPR’s goal was to unify those rules. To do this, the GDPR needed to clearly define what consent is and when it’s needed.
What Does Cookie Consent Mean?
Before the GDPR, cookie consent meant different things throughout the EU. However, in Recital 32, the GDPR established a unified rule that clearly defined what consent is:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.”
Since terms like “clear”, “specific”, and “informed” are subjective, we still have to unpack Recital 32 a bit more.
A Clear Affirmative Act
Recital 32 says that consent can be “ticking a box” or another statement that “clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.”
Specific, Informed, Freely Given, and Unambiguous
Additionally, Recital 32 states that you need consent for “all processing activities carried out for the same purpose.” And if processing has multiple purposes, “consent should be given for all of them.
Moreover, the consent request must be “clear, concise and not unnecessarily disruptive” to the user. Recital 32 also explains what consent is not, which includes “inactivity” or “pre-ticked” boxes.
One More Condition of Cookie Consent: Withdrawability
The GDPR says that users must be able to withdraw consent and that it “shall be as easy to withdraw as to give consent.”
How Does GDPR Apply to Cookies?
In short, to achieve compliance with the GDPR, you must enable a user to show their consent with a clear, affirmative action. Moreover, that action must be 1) specific, 2) informed, 3) freely given, 4) unambiguous, and 5) withdrawable.
Takeaways for Website Owners
For website owners, the GDPR means that their current cookie consent processes will likely need to change.
Many of the designs currently used for cookie consent are not compliant. These include:
- Implied consent. Visiting a site for the first time is not considered an affirmative act.
- Advice to adjust browser setting. Telling visitors to block cookies is not a valid way to make consent withdrawable, as required under the GDPR.
- Statements like, “By using this site, you accept cookies.” This is not a free choice so it is not valid consent.
Moreover, sites may also need to provide:
- An always-available opt-out.
- A response to Do Not Track browser requests.
- Control of consent for each cookie purpose.