
Cookies and the GDPR: How to achieve cookie compliance

Discover how to effectively achieve and maintain GDPR cookie compliance. Learn to implement consent banners using tools like Usercentrics CMP, and understand legal requirements to ensure your website adheres to privacy regulations.
by Usercentrics
Jul 22, 2024

Cookies play a crucial role in enhancing online experiences, making websites more functional and personalized, and enabling digital marketing. The shopping cart that keeps your customers’ items while they continue to browse is just one example of what cookies make possible.

Cookies have also evolved into sophisticated tools for tracking user behavior, giving businesses valuable insights to boost engagement and optimize marketing activity, among other things. With this increased functionality, however, come consumer privacy concerns and regulatory requirements.

Companies that do business in the EU and collect personal data from people in the EU in the process must comply with the General Data Protection Regulation (GDPR), which, where consent is the legal basis, requires clear, unambiguous, and freely given user consent before collecting or processing personal data. It also requires transparency about cookie usage and a defensible legal basis for every data collection, among other stipulations.

Businesses must also keep up with evolving standards from industry leaders like Google (Alphabet), which, along with other designated “gatekeepers,” has to comply with the Digital Markets Act (DMA), and as a result has passed data privacy requirements on to its customers.

The DMA requires gatekeepers to meet certain obligations designed to encourage fair competition in digital markets and uphold the privacy rights of users. This adds another piece to the privacy compliance puzzle.

To navigate this landscape and continue to grow digital marketing operations, you’ll need to blend robust privacy practices with consent management software. By finding ways to use cookie technology while complying with data privacy regulations, you can enhance the user experience, build trust, and protect advertising revenue.

While cookies play a pivotal role in enhancing user experience and delivering personalized content online, they can also raise significant privacy concerns, particularly third-party cookies, which track users across websites.

The personal data collected can, in some cases, be used to identify individuals, and some of it can be quite sensitive, including financial details.

These concerns are addressed by the GDPR and the ePrivacy Directive (ePD), which mandate measures to ensure that an individual’s personal data is handled securely and with consent, and that the end user is given clear information about data handling, their rights, and their consent options.

Let’s break down how these regulations impact cookie use and what businesses need to know to stay compliant.

How cookies are affected by the GDPR and the ePrivacy Directive

The GDPR and the ePrivacy Directive together govern the use of cookies. The GDPR sets the conditions for valid user consent and for a legal basis to process personal data, while the ePrivacy Directive focuses on the confidentiality of electronic communications, including the storing of information on, and reading of information from, a user’s device.

  • Under the GDPR, information collected via cookies that can identify an individual — directly or indirectly — is considered personal data.
  • Websites that use cookies must obtain consent from users before any data collection or processing takes place.
  • Consent must be “freely given, specific, informed and unambiguous,” involving direct action by the user, like ticking a box. Pre-ticked boxes do not qualify, nor does only allowing the option you want, like presenting only an “Accept” button. The user must be notified how their data will be processed, stored, and shared, including information on any third parties that will have access to their data.

  • Also known as the “cookie law,” the ePD complements the GDPR by requiring prior consent for cookies and similar tracking technologies, with the exception of those strictly necessary to provide a service explicitly requested by the user.
  • The ePrivacy Directive mandates that users are provided with clear and comprehensive information about why any personal data is collected, stored, or accessed.

Key requirements of the GDPR and the ePrivacy Directive include:

  • Consent: When used as the legal basis, websites need to provide a user-friendly way for users to give, change, or withdraw consent. All options must be equally presented, and users should be able to give or reject consent at a granular level, e.g. for specific categories of cookie use.
  • Right to withdraw: Users must be able to withdraw their consent as easily as they gave it.
  • Transparency: Information about cookie use must be clearly articulated in a privacy policy or cookie notice. This includes which cookies are active, what their purpose is, and how long they will remain in place.

These regulations apply to the various kinds of cookies and to similar technologies that store or access information on a user’s device, such as:

  • Session cookies and persistent cookies: Whether they expire when users close their browser or remain longer, these cookies must comply if they collect personal data. Note that the ePrivacy Directive’s consent requirement attaches to storing or accessing information on the user’s device at all, so a non-essential cookie needs consent even if its contents are not personal data.
  • First-party and third-party cookies: Both types of cookies need to adhere to these privacy laws, whether set by the website owner or a third party (like advertisers).
  • Other technologies: This includes web beacons, pixel tags, and local storage used to track users and store information.

Businesses must conduct regular audits to identify and manage all such technologies used on their sites as they change over time, to ensure ongoing compliance with both the GDPR and the ePrivacy Directive.

A high-performance consent management platform will include a cookie scanner that scans sites regularly to detect and manage the cookies and trackers in use, including hidden third-party ones that may change frequently.

GDPR cookies compliance myths

Cookie compliance misinformation can result in either overly cautious practices that hinder user experience or access to needed data, or insufficient preparation that risks noncompliance and potential penalties.

Debunking these myths will help to ensure your approach to cookie management is both effective and primed for GDPR compliance.

“My website doesn’t collect personal data.”

Many website owners assume that their site doesn’t collect personal data, especially if they’re only tracking website performance or functionality. Under the GDPR, however, the definition of personal data is broader than many realize.

Cookies used for advertising or analytics almost always collect information that can, directly or indirectly, identify an individual, such as IP addresses or unique identifiers stored in the cookie.

In practice, most cookies beyond the strictly necessary ones capture some form of personal data, which brings their use under the scrutiny of supervisory authorities.

“Cookies are not personal data, which is why the GDPR does not apply.”

While cookies themselves are not personal data, the data they collect can be. According to Recital 30 GDPR, individuals may be identifiable via online identifiers such as IP addresses or cookie identifiers. Whether the GDPR applies therefore depends on the kind of cookie in place and on the data being collected.

It’s also wrong to assume that cookies are only regulated under the ePrivacy Regulation, a long-delayed draft law that, at the time of writing, was expected to be in full effect by 2026.

While intended to replace the ePrivacy Directive of 2002 and the Cookie Directive of 2009, the proposed ePrivacy Regulation covers the processing of all electronic communications data, whether or not it contains identifiable personal data. Read more about the ePrivacy Regulation below.

Where cookies collect personal data, irrespective of the intended use, you are required to inform users about the collection and processing of that data. The information provided must include what data is collected, how it’s processed, for what purpose, and on what legal basis.

Furthermore, the website operator must communicate how long the data is kept, who will have access to it, how users can contact the controller (the entity that determines the purposes and means of the processing, like a website owner), and how they can withdraw their consent.

“Telling users the site uses cookies is enough for compliance.”

Simply informing users that your site uses cookies is not sufficient for GDPR compliance, just as only presenting an “Accept” button is not sufficient for consent. The regulation demands a higher standard of transparency and user control.

Websites must provide clear, specific information about the types of cookies being used, the data they collect, the purpose of the processing, and who has access to this data.

Additionally, consent must be explicit and informed. This means users must be given the choice to accept or reject non-essential cookies without losing access to the website and its features.

Providing comprehensive cookie notices is crucial to ensure that users are fully aware of their choices and have meaningful control over their personal data.

A cookie notice can be a separate page on the website, but it’s commonly a section in the broader privacy policy. Either way, like the privacy policy, it must be easy for the average visitor to find and understand.

Having a cookie banner doesn’t automatically make you GDPR-compliant. The GDPR sets out seven conditions that must be met for consent to be valid.

This means that the website operator must obtain the user’s consent via its cookie banner in accordance with these conditions.

Learn more: We define and explain these conditions in our article, GDPR consent requirements: 7 conditions for valid consent.

Moreover, compliance with other global privacy laws does not guarantee GDPR compliance. The GDPR has stringent and specific consent requirements that differ significantly from those of other jurisdictions.

For example, the GDPR uses an opt-in model for consent, while US regulations such as the CCPA use an opt-out model.

“The ePrivacy Regulation will not affect the use of cookies.”

The draft ePrivacy Regulation contains additional provisions for the use of cookies. While essential cookies used for the technical operation of a website do not require the user’s consent, those used for tracking or advertising purposes require explicit, active, and voluntary user consent.

It is also not compliant to categorize marketing cookies as essential, for example, in order to skirt consent requirements.

The ePrivacy Regulation is intended to counteract and eliminate cookie walls. Accordingly, all of the website must remain accessible even if the user has not consented to the use of cookies.

As you can see, these myths and assumptions can lead to confusion and compliance risks for website operators.

The following points should be noted to use cookies in a GDPR-compliant manner.

Achieve cookie compliance


Duty to provide information

Cookie banners (aka consent banners) should include all necessary information, including how cookies are used on each web page.

[Image: Consent banner with granular user Privacy Settings options and Data Processing Services information]

Furthermore, under the transparency obligations of Art. 13 and 14 GDPR, visitors must be told if their data is used to create profiles and if their data may be transferred to third parties in countries outside the EU (Art. 21 GDPR additionally gives them the right to object to profiling). Transfer information is needed if the cookie technology providers are based in the US, for example.

The cookie banner must ensure that the user can give their informed consent in advance, voluntarily, explicitly, and granularly for each web technology or category of technologies (or bundled for individual use areas).

There must also be a straightforward and simple way for users to object to the processing of their personal data, or to withdraw their consent.

Loading cookies

Under the GDPR, you may not use cookies to process or collect any personal data without a legal basis. In addition, non-essential cookies may not be set, and the scripts that set them may not run, until consent has been granted. This means there must be a technical link between the cookie banner and your web technology: tags are blocked by default and released only for the categories the user has accepted. If the user refuses processing, those cookies cannot be loaded, and a missing or cleared choice must be treated as a refusal.

Usercentrics CMP enables you to control cookies and block them until consent has been obtained. With the Google Consent Mode integration, it also signals consent information to Google services, controlling their function and data collection based on consent status.
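As an added illustration of that “technical link” between the banner and the tags (example code written for this page, not code from the original article or from Usercentrics): every script that would set a non-essential cookie is shipped in the HTML as inert, with `type="text/plain"` and a category attribute, and is only turned into a live script for the categories the user accepted. The category names, the `data-consent-category` attribute, and the mapping of categories onto Google Consent Mode signals are assumptions of the example; the `gtag('consent', 'update', …)` call itself is Google’s documented API. The pure functions run in Node; only `activateInBrowser` touches the DOM.

```javascript
// Consent-gated loading of non-essential tags. Added example, not Usercentrics code.
// Inert markup this pattern expects (attribute name is an assumption):
//   <script type="text/plain" data-consent-category="analytics" src="/vendor/analytics.js"></script>

const CATEGORIES = ["essential", "functional", "analytics", "marketing"]; // assumed category set

// Default state: nothing beyond strictly necessary is allowed until the user acts.
function defaultConsent() {
  return { essential: true, functional: false, analytics: false, marketing: false };
}

// Apply a user's choices. Unknown categories are rejected, essential cannot be switched
// off (it needs no consent), and anything not explicitly granted stays denied.
function applyChoices(choices) {
  const state = defaultConsent();
  for (const [category, granted] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown consent category: ${category}`);
    if (category === "essential") continue;
    state[category] = granted === true; // anything but an explicit true is a denial
  }
  return state;
}

function isAllowed(category, state) {
  return category === "essential" || state[category] === true;
}

// Decide which inert scripts may be activated. A script with no category, or with an
// unknown one, is treated as non-essential and stays blocked (fail closed).
function selectScriptsToActivate(scripts, state) {
  return scripts.filter((s) => CATEGORIES.includes(s.category) && isAllowed(s.category, state));
}

// Map the category state onto Google Consent Mode v2 signal names (the names are Google's;
// which category feeds which signal is this example's assumption).
function toConsentModeSignals(state) {
  const flag = (granted) => (granted ? "granted" : "denied");
  return {
    analytics_storage: flag(state.analytics),
    ad_storage: flag(state.marketing),
    ad_user_data: flag(state.marketing),
    ad_personalization: flag(state.marketing),
    functionality_storage: flag(state.functional),
    security_storage: "granted", // strictly necessary, no consent needed
  };
}

// Browser glue: replaces each allowed inert script with a live copy and pushes the
// consent state to Google tags. Guarded so the functions above also run in Node.
// Returns the number of scripts activated (0 outside a browser).
function activateInBrowser(state) {
  if (typeof document === "undefined") return 0;
  const inert = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-consent-category]')
  ).map((el) => ({ el, category: el.dataset.consentCategory }));
  const allowed = selectScriptsToActivate(inert, state);
  for (const { el } of allowed) {
    const live = document.createElement("script"); // default type runs as JavaScript
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  if (typeof window !== "undefined" && typeof window.gtag === "function") {
    window.gtag("consent", "update", toConsentModeSignals(state));
  }
  return allowed.length;
}

if (typeof module !== "undefined") {
  module.exports = { CATEGORIES, defaultConsent, applyChoices, isAllowed, selectScriptsToActivate, toConsentModeSignals, activateInBrowser };
}
```

The defaults matter as much as the activation: `defaultConsent()` denies everything but essential, an unknown or missing category leaves a script blocked, and the Consent Mode default signals (`gtag('consent', 'default', …)` fed with `toConsentModeSignals(defaultConsent())`) belong in the page before any Google tag is loaded, so that a visitor who closes the banner without choosing is treated as having refused.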

Legally compliant documentation

In the event of a review by data protection authorities, the website operator must meet its documentation obligation and be able to demonstrate that users gave consent (Art. 7(1) GDPR).

To ensure all data is available in the event of an audit, various data points should be documented, including timestamps, user agents, the choices made per category, and the version of the consent text that was shown.

The conditions under which consent was given are also important: how large the “Accept” button was compared to the “Reject” button, whether the choice was voluntary, whether the user could use the site unhindered after rejecting cookies, and so on.

Most data privacy laws also give consumers the right to know if website operators are collecting data about them, and to access a copy of that data, of which consent data is a part. This is another reason robust and secure documentation is important.

Opt-out

According to the GDPR, the process to opt out must be as straightforward as opting in. This ensures that users can easily decline the use of cookies initially and, just as easily, change their preferences or withdraw consent at any time.

[Image: Consent banner with data processing information, consent buttons, and informational links]

It’s not sufficient to direct users to external links or third-party pages to opt out. From the moment a user opts out, no further data may be collected or forwarded to any third parties. Any processing taking place on the controller’s behalf by third parties must also cease right away.

Therefore, the opt-out mechanism must be technically integrated with the cookie settings on your site and documented for compliance and transparency. This approach helps meet legal requirements and builds trust by respecting user choices at every step.
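The documentation and opt-out requirements above can be implemented as one small record-keeping routine. The following is an added example written for this page, not code from the original article or from Usercentrics: it builds the consent record an auditor would ask for (per-category choices, timestamp, user agent, banner layout, consent text version), processes a withdrawal so that it takes effect immediately by listing the cookies to expire, separates cookies the site can clear itself from those only the third party can clear, and decides when consent must be collected afresh. The field names, the 365-day renewal window, the cookie inventory and the domains are all assumptions and constructed sample data.

```javascript
// Consent record, withdrawal and renewal check. Added example, not Usercentrics code.
// Field names, the renewal window and the cookie inventory are assumptions.

const CONSENT_TEXT_VERSION = "2024-07-22-v3"; // identifier of the banner text currently shown (assumed)
const MAX_CONSENT_AGE_DAYS = 365;             // renewal window (assumed)
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

// Cookie inventory produced by the site's cookie audit: which cookie belongs to which
// category and which host set it. Constructed sample data.
const COOKIE_INVENTORY = [
  { name: "session_id", category: "essential", domain: "shop.example" },
  { name: "_ga",        category: "analytics", domain: ".shop.example" },
  { name: "_gid",       category: "analytics", domain: ".shop.example" },
  { name: "ads_uid",    category: "marketing", domain: ".ads.example.invalid" },
];

// The record kept to demonstrate consent: exact per-category choices, when they were
// made, under which banner text, from which user agent and with which banner layout.
// A rejection is recorded just as fully as an acceptance.
function buildConsentRecord({ consentId, choices, userAgent, bannerLayout, now = Date.now() }) {
  const categories = { essential: true };
  for (const c of NON_ESSENTIAL) categories[c] = choices[c] === true; // anything else is a denial
  const granted = NON_ESSENTIAL.filter((c) => categories[c]);
  return {
    consentId,                                  // caller-supplied, e.g. crypto.randomUUID()
    timestamp: new Date(now).toISOString(),
    userAgent,
    consentTextVersion: CONSENT_TEXT_VERSION,
    bannerLayout,                               // e.g. { acceptButton: "primary", rejectButton: "primary" }
    categories,
    action: granted.length === NON_ESSENTIAL.length ? "accept_all" : granted.length ? "custom" : "reject_all",
    withdrawnAt: null,
  };
}

// Withdrawal takes effect immediately: a new record documents the change, and every
// cookie whose category is no longer consented is returned for deletion.
function withdrawConsent(record, categoriesToWithdraw, now = Date.now()) {
  const categories = { ...record.categories };
  for (const c of categoriesToWithdraw) {
    if (c === "essential") continue; // strictly necessary cookies need no consent, nothing to withdraw
    if (c in categories) categories[c] = false;
  }
  const at = new Date(now).toISOString();
  const updated = { ...record, categories, timestamp: at, withdrawnAt: at, action: "withdraw" };
  const cookiesToDelete = COOKIE_INVENTORY.filter((ck) => categories[ck.category] !== true);
  return { record: updated, cookiesToDelete };
}

// A page can only expire cookies scoped to its own host or a parent domain of it.
// Cookies set by third-party hosts must be cleared by that third party, which is why
// processing on the vendor side must also stop when the user withdraws.
function partitionByDomain(cookies, siteHost) {
  const isFirstParty = (domain) => {
    const d = domain.replace(/^\./, "");
    return d === siteHost || siteHost.endsWith("." + d);
  };
  return {
    firstParty: cookies.filter((ck) => isFirstParty(ck.domain)),
    thirdParty: cookies.filter((ck) => !isFirstParty(ck.domain)),
  };
}

// Set-Cookie values (or document.cookie assignments) that expire a cookie. The Domain
// attribute is only emitted for domain cookies; host-only cookies are matched by the host.
function expiringCookieStrings(cookies) {
  return cookies.map((ck) => {
    const domainAttr = ck.domain.startsWith(".") ? `; Domain=${ck.domain}` : "";
    return `${ck.name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/${domainAttr}`;
  });
}

// Consent is not forever: re-collect it after the renewal window or whenever the
// banner text changes, since the user never saw the new version.
function consentNeedsRenewal(record, now = Date.now()) {
  const ageMs = now - Date.parse(record.timestamp);
  return ageMs > MAX_CONSENT_AGE_DAYS * 24 * 60 * 60 * 1000 || record.consentTextVersion !== CONSENT_TEXT_VERSION;
}

if (typeof module !== "undefined") {
  module.exports = { COOKIE_INVENTORY, buildConsentRecord, withdrawConsent, partitionByDomain, expiringCookieStrings, consentNeedsRenewal };
}
```

Two points are easy to get wrong in practice: the withdrawal record replaces the timestamp but keeps the original consent ID, so the audit trail shows one subject changing their mind rather than two unrelated events, and the third-party partition is not an implementation detail but the list of vendors whose processing has to be stopped through their own mechanism (for Google tags, the Consent Mode update signal).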

Ensuring GDPR cookie compliance involves following a series of regulatory requirements and data protection best practices that also help build user trust and form the foundation of privacy-led marketing.

  1. Have a cookie policy: Clearly outline what cookies are used, their purpose, and how data is managed in a cookie policy. This policy should be easily accessible on your website, either as an independent document or as part of the privacy policy.
  2. Implement cookie consent banners: Present contextually relevant consent banners. For example, when a user first visits your site, provide them with immediate, clear options to accept or reject non-essential cookies. Ideally use geotargeting to determine which regulations are relevant to the user, with multi-language support to present consent information in the visitor’s preferred language.
  3. Obtain granular consent: Enable users to give separate consent for different types of cookies (e.g., analytics, advertising). This helps ensure that consent is specific and informed.
  4. Monitor tracking technologies: Continuously review and update the cookies and tracking technologies present on your site to ensure they comply with the latest legal standards and technical requirements. A robust scanner built into your CMP can automate this to save time and resources.
  5. Optimize consent mechanisms: Ensure that consent mechanisms are intuitive and enable users to withdraw consent as easily as they gave it. This can be streamlined using a consent management platform like Usercentrics.

Google has specific requirements of its own, especially concerning how advertisers use cookies and data.

With Google Consent Mode, you can adjust how your Google tags behave based on the consent status of your users. This ensures that you continue gathering valuable data while still complying with the GDPR by respecting user preferences about cookies and data tracking.

Usercentrics is a Google-certified CMP that integrates with the latest version of Google Consent Mode. Plus, with its library of more than 2,200 legal templates and its comprehensive Data Processing Services (DPS) Scanner, Usercentrics enables you to obtain, document, and signal granular cookie consent.


Managing cookies under the GDPR with Usercentrics

There’s a lot to consider when it comes to cookie compliance under the GDPR, but consent management tools like Usercentrics CMP significantly simplify the process of collecting, managing, and signaling valid consent.

Usercentrics provides a comprehensive solution for collecting, processing, and securely storing granular cookie consent, managing cookie banners, and documenting user consent as required by the GDPR. Speak to a Usercentrics expert today.

FAQs

Do I need cookie compliance?

Yes, cookie compliance is necessary under the GDPR if your website uses cookies and collects the personal information of users within the EU — regardless of your business location. Around the world, other data privacy regulations cover cookie use, so it’s important to be familiar with the laws relevant to where you do business or where your website visitors come from.

The GDPR mandates that all data controllers inform users about cookie usage, obtain valid consent for storing cookies on their devices, and allow them to manage or withdraw consent as easily as they gave it, along with other requirements.

Is cookie consent mandatory?

Cookie consent is mandatory under the GDPR for any cookies that are not essential for the website to function. This includes cookies used for marketing, analytics, and personalization.

The law requires that users are given a clear choice to accept or reject these non-essential cookies, and their decision must be freely given, specific, informed, and unambiguous. It’s also not compliant to prevent users from accessing a website if they refuse consent.

Do I need a cookie banner?

A cookie banner is crucial for any website operating within or targeting users in the EU to achieve and maintain compliance with the GDPR and the ePrivacy Directive.

The banner must appear when a user first visits the website, after a certain amount of time when consent must be renewed, or if the user has cleared their browser settings and removed prior consent information. The banner must provide information about the use of cookies and the user must provide consent before any non-essential cookies are placed on their device.

The banner should offer options to accept all cookies, reject non-essential cookies, or customize settings per cookie type. It serves as the first step in maintaining transparency with your users, enabling them to make informed choices about their personal data.

What cookies are exempt from the GDPR?

Cookies that are deemed strictly necessary for the basic functioning of the website do not require consent under the GDPR. These include cookies essential for activities such as ensuring the security of the website, maintaining session integrity during navigation, enabling shopping carts, or ensuring load balancing of website traffic.

These are cookies that the user cannot reasonably opt out of while expecting the website to function properly. However, all other types of cookies, particularly those used for tracking, analytics, advertising, or personalization require explicit consent from the user before being loaded.

What is required for user consent to be GDPR-compliant?

For user consent to be GDPR-compliant, it must be freely given, specific, informed, and unambiguous. This means that the consent must be an affirmative, deliberate action — such as clicking an “Accept” button — rather than implied consent through inactivity or pre-ticked boxes.

Users should be provided with clear and concise information about what they are consenting to, including the types of cookies being used and their purpose.

Additionally, consent must be as easy to withdraw as it is to give. The GDPR also requires that consent be verifiable, meaning that records of consent must be kept to demonstrate compliance when needed.
