GDPR Cookies Checklist: Your Toolkit for Compliance 

Cookies and other tracking technologies have become important tools for many online businesses. Despite that, many companies are struggling to reconcile their data strategy with changing regulations and standards. 

There is a straightforward solution: Usercentrics

Uncertain about how to become compliant with GDPR and the ePrivacy Directive? We’re here to help. 

At Usercentrics we offer a Consent Management Platform (CMP) that enables your website to be fully GDPR-compliant. Not only that, it gives you the option to adapt quickly to all legal changes and technical requirements.

This Toolkit provides an easy and comprehensive step-by-step guide to bring your marketing data strategy in alignment with GDPR and the ePrivacy Directive. Using the checklist will minimize your exposure to regulatory penalties.

Important to know: There are inconsistencies between the way countries in the EU implement GDPR and some rules apply to some but not all  cases, which are not relevant enough to be covered here in detail. Please check with a lawyer specialized on data protection and privacy to make sure your data strategy  fully complies with GDPR.

Understanding Cookies 

If you have an online business, you are probably using cookies or a similar type of tracking technology. Cookies are small text files that are placed on a website to track website visits and optimize browsing behavior. They are storing and processing user information when visiting a website. If you want to learn more about cookies and their different functions, click here.

Cookie Compliance Checklist

What you need to do to comply with GDPR:

RequirementKey Points Details 
Duty to provide information 
  • Let users know you are using cookies or other tracking technologies;
  • Explain what your cookies are doing and why (purpose);
  • Include this info in an easy to read, find and understand Privacy Policy 
  • Name and contact of data controller;
  • Purpose;
  • Categories of users and personal data; 
  • Transfers of personal data to third countries;
  • Time limit of deletion of personal data;
  • General description of security measures (to be prepared for e. g. Against cyberattacks)
Consent
  • Obtain your users  valid consent to store a cookie on their device
  • Explicit: Active acceptance e.g. ticking a box or clicking a link;
  • Informed: Who, what, why, how long?;
  • Documented: You have the burden of proof in the case of an audit;
  • In advance: No data is to be collected before opt-in i.e. cookies cannot be set on your website before the user has consented to them  
  • Granular: Individual consent for individual purpose – i.e. consent cannot be bundled with other purposes or activities
  • Freely given: “Accept” and “Reject” button
  • Easy to withdraw: opt-out on the page;
  • Exception: strictly necessary cookies(= essential cookies)
Setting cookies
  • Collect and process data with cookies only with valid consent. 
  • Loading: Ensure cookies are not loaded until the user has given his consent.
  • User Refusal: In the case that a user refuses processing, no cookies must be set; however, users should still be allowed to access your service even if they refuse to allow the use of certain cookies.
Legally compliant documentation 
  • Document and store consent received from users.
  • Data Protection Authority (DPA) Audit: Comply with documentation obligation and be able to demonstrate the users’ consent in case of an audit by data protection authorities.
Opt-out
  • The objection must be as simple as the opt-in.
  • Easy in, easy out: Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
  • External links: to a third page for opt-out are not sufficient. 
  • After Opt-out: it must be ensured that no further data is collected and forwarded from the moment of the objection, i.e. the opt-out must also be technically linked to the cookie and, at best, documented.

Need more info? More detailed explanations about cookie related regulations within GDPR can be found in our interview series with subject matter experts from the law firm Reed Smith. You can watch the videos here: 

Are cookies personal data?

Do I need a user’s consent for cookies?

 

Cookie Walls can’t be legally forbidden French CNIL says Cookie Walls can’t be legally forbidden French CNIL saysUsercentrics GmbH iab europe Logo TCF 2.0 Transition Guide: What publishers must know