General Data Protection Regulation (GDPR)
Defining Cookie Consent under the GDPR
The General Data Protection Regulation has everyone talking about cookies, consent, and privacy. But there’s an earlier privacy law called the ePrivacy Directive. This law, along with the GDPR, created the situation that website owners are now trying to navigate.
To understand the GDPR, it helps to first understand the overlap of ePrivacy and GDPR as it relates to cookies and consent.
Current requirements for cookies in Europe are derived from the ePrivacy Directive (ePD), first introduced in 2002.
The ePrivacy Directive established that storing or retrieving any information from a user’s device is subject to consent, “unless it is technically necessary to enable the intended communication to take place.”
This rule is the reason so many websites display the cookie notification banners you see today.
But there was a problem…
Since this rule was passed as a Directive, each member state had to transpose it into its own national law. Also, while the ePrivacy Directive established the need for cookie consent, it didn’t define what consent is.
Because of this, ePrivacy rules and enforcement rolled out in a fragmented way.
Part of the GDPR’s goal was to unify those rules. To do this, the GDPR needed to clearly define what consent is and when it’s needed.
Since the revision of the ePrivacy text in 2009, website operators in Europe have had to obtain the website visitor or app user’s consent to store or retrieve cookies or other tracking technologies on the person’s device (with the exception of strictly necessary cookies).
To ensure consistency with the new rules introduced by the GDPR, the EU Commission introduced a proposal for an ePrivacy Regulation (ePR) in January 2017 to replace the existing ePrivacy Directive.
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that replaces Directive 95/46/EC and governs the current data protection framework in Europe.
It has a broad scope that impacts organizations that process the personal data of EU residents, wherever they are located in the world. The regulation is meant to harmonize the EU data protection landscape and protect the rights and freedoms of EU individuals.
You do not need to be headquartered in the EU for the GDPR and ePrivacy to apply to your organization. If you have customers from the EU visiting your site, you must have GDPR and ePrivacy compliant processes built into your website for your EU visitors.
Organizations that do not comply with GDPR face heavy fines and penalties. Some violations are subject to up to 4% of the organization’s global annual turnover.
GDPR Data Subject Rights
Data Subject Rights (DSR) are rights that can be enforced against organizations that collect or process personal data. DSRs include the right of a person to access the personal data an organization holds about him/her, and the right to have personal data deleted and corrected.
- Right to be Informed
- Right to Access
- Right to Rectification
- Right to Erasure
- Right to Restriction of Processing
- Right to Data Portability
- Right to Object
- Automated Individual Decision Making
- Right to Withdraw
Cookie Consent Under GDPR
Before the GDPR, cookie consent meant different things throughout the EU. However, in Recital 32, the GDPR established a unified rule that clearly defined what consent is:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.”
Since terms like “clear”, “specific”, and “informed” are subjective, we still have to unpack Recital 32 a bit more.
A Clear Affirmative Act
Recital 32 says that consent can be “ticking a box” or another statement that “clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.”
Specific, Informed, Freely Given, and Unambiguous
Additionally, Recital 32 states that you need consent for “all processing activities carried out for the same purpose.” And if processing has multiple purposes, “consent should be given for all of them.” Moreover, the consent request must be “clear, concise and not unnecessarily disruptive” to the user. Recital 32 also explains what consent is not, which includes “inactivity” or “pre-ticked” boxes.
One More Condition of Cookie Consent: Withdrawability
The GDPR says that users must be able to withdraw consent, and that it “shall be as easy to withdraw as to give consent.”
Meet EU Cookie Requirements
The GDPR has influenced the drafting of new ePrivacy regulation that brings the current ePrivacy Directive in line with the GDPR. Organizations face increased penalties and more focused regulatory action under the newly drafted regulation.
As the owner/operator/publisher of a website available in Europe, you need to collect the user’s consent before storing cookies or other tracking technologies that are not strictly necessary on their device.
Consent needs to be given for all types of cookies that are not strictly necessary when a user lands on a particular webpage. The website publisher is the party responsible for collecting the user’s consent, whether the cookie is a first-party cookie or a third-party cookie.
In short, to achieve compliance with the GDPR, you must enable a user to show their consent with a clear, affirmative action. Moreover, that action must be:
- Freely Given
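The consent conditions above (no consent by default, per-purpose opt-in, strictly necessary cookies exempt, and withdrawal as easy as granting) can be enforced in the browser-side logic that actually writes cookies. The following is an added illustration, not CookiePro’s code or anything from the original page; the purpose names, the in-memory cookie jar standing in for `document.cookie`, and the function names are assumptions.

```javascript
// Added example: a consent-gated cookie store enforcing the GDPR consent rules
// described on this page. The purpose names and the Map-based cookie jar
// (standing in for document.cookie) are assumptions for illustration.
const PURPOSES = ["analytics", "advertising"]; // non-essential purposes (assumed)
const ESSENTIAL = "strictly_necessary";          // exempt from consent under ePrivacy

function createConsentStore(cookieJar = new Map()) {
  // Default state: no consent for any non-essential purpose. Nothing is
  // pre-ticked, and a visitor's inactivity never flips a purpose to true.
  const consent = Object.fromEntries(PURPOSES.map((p) => [p, false]));

  function grant(purposes) {
    // Consent is granted per purpose, only through an explicit call from a
    // clear affirmative act (e.g. the visitor ticking that purpose's box).
    for (const p of purposes) {
      if (!(p in consent)) throw new Error(`unknown purpose: ${p}`);
      consent[p] = true;
    }
  }

  function withdraw(purposes = PURPOSES) {
    // Withdrawal has the same shape and cost as grant (one call, per purpose)
    // and also removes cookies already stored under the withdrawn purposes.
    for (const p of purposes) {
      if (!(p in consent)) throw new Error(`unknown purpose: ${p}`);
      consent[p] = false;
      for (const [name, entry] of cookieJar) {
        if (entry.purpose === p) cookieJar.delete(name);
      }
    }
  }

  function setCookie(name, value, purpose) {
    // Strictly necessary cookies are always allowed; every other cookie is
    // blocked until its purpose has been explicitly consented to.
    if (purpose !== ESSENTIAL && consent[purpose] !== true) return false;
    cookieJar.set(name, { value, purpose });
    return true;
  }

  return { grant, withdraw, setCookie, snapshot: () => ({ ...consent }), jar: cookieJar };
}
```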
How CookiePro Helps
CookiePro conducts ongoing website scans, and automatically generates a detailed report that categorizes cookies and tracking technologies found. Using CookiePro, you can create a customizable cookie banner and cookie notice using the results of your website scan. Within the cookie banner, provide visitors with a preference center to put them in control of opting-in and out of tracking.
Intake Data Subject Requests
Under the GDPR, data subjects have rights such as data portability, access, erasure or the “right to be forgotten”, rectification, and more. When a data subject makes a request, there are requirements to manage the request, respond to the request, validate the requester’s identity, and transmit the response to the user.
How CookiePro Helps
Using CookiePro, users are able to configure a branded web form that intakes requests and to receive notifications when a request has been submitted. Users can link the request to the underlying data map to fulfill it efficiently, securely transmit the data to the individual once the request is fulfilled, and ultimately generate the proper documentation and evidence should a regulator inquire about the request.
Ensuring Compliance with GDPR’s Rules Governing Cookie Consent
The GDPR is not just for organizations located in the EU. Any business with customers visiting its site from the EU is subject to the GDPR and its consent rules. And with proposals for new privacy regulations in the works, it’s becoming increasingly risky to ignore outdated cookie consent processes.
Other GDPR Resources:
- GDPR Compliant Cookie Banner Examples
- Resource: ePrivacy vs. GDPR
- Resource: GDPR vs. CCPA
Cookie Consent Models
There are several approaches to a cookie banner, and you can choose what’s best for your company depending on your level of risk tolerance.