GDPR Cookies Checklist: Your Toolkit for Compliance

Show more Show less

Cookies and other tracking technologies have become important tools for many online businesses. Despite that, many companies are struggling to reconcile their data strategy with changing regulations and standards.

There is a straightforward solution: Usercentrics

Uncertain about how to become compliant with GDPR and the ePrivacy Directive? We’re here to help.

At Usercentrics we offer a Consent Management Platform (CMP) that enables your website to be fully GDPR-compliant. Not only that, it gives you the option to adapt quickly to all legal changes and technical requirements.

This Toolkit provides an easy and comprehensive step-by-step guide to bring your marketing data strategy in alignment with GDPR and the ePrivacy Directive. Using the checklist will minimize your exposure to regulatory penalties.

Important to know: There are inconsistencies between the way countries in the EU implement GDPR and some rules apply to some but not all cases, which are not relevant enough to be covered here in detail. Please check with a lawyer specialized on data protection and privacy to make sure your data strategy fully complies with GDPR.

Understanding Cookies

If you have an online business, you are probably using cookies or a similar type of tracking technology. Cookies are small text files that are placed on a website to track website visits and optimize browsing behavior. They are storing and processing user information when visiting a website. If you want to learn more about cookies and their different functions, please visit our article “What are cookies?“.

Requirement	Key Points	Details
Duty to provide information	Let users know you are using cookies or other tracking technologies; Explain what your cookies are doing and why (purpose); Include this info in an easy to read, find and understand Privacy Policy	Name and contact of data controller; Purpose; Categories of users and personal data; Transfers of personal data to third countries; Time limit of deletion of personal data; General description of security measures (to be prepared for e. g. Against cyberattacks)
Consent	Obtain your users valid consent to store a cookie on their device	Explicit: Active acceptance e.g. ticking a box or clicking a link; Informed: Who, what, why, how long?; Documented: You have the burden of proof in the case of an audit; In advance: No data is to be collected before opt-in i.e. cookies cannot be set on your website before the user has consented to them Granular: Individual consent for individual purpose – i.e. consent cannot be bundled with other purposes or activities Freely given: “Accept” and “Reject” button Easy to withdraw: opt-out on the page; Exception: strictly necessary cookies(= essential cookies)
Setting cookies	Collect and process data with cookies only with valid consent.	Loading: Ensure cookies are not loaded until the user has given his consent. User Refusal: In the case that a user refuses processing, no cookies must be set; however, users should still be allowed to access your service even if they refuse to allow the use of certain cookies.
Legally compliant documentation	Document and store consent received from users.	Data Protection Authority (DPA) Audit: Comply with documentation obligation and be able to demonstrate the users’ consent in case of an audit by data protection authorities.
Opt-out	The objection must be as simple as the opt-in.	Easy in, easy out: Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place. External links: to a third page for opt-out are not sufficient. After Opt-out: it must be ensured that no further data is collected and forwarded from the moment of the objection, i.e. the opt-out must also be technically linked to the cookie and, at best, documented.

Need more info? More detailed explanations about cookie related regulations within GDPR can be found in our interview series with subject matter experts from the law firm Reed Smith. You can watch the videos here:

Are cookies personal data?

Do I need a user’s consent for cookies?