Cookie consent - everything you need to know to be compliant

The GDPR and ePrivacy Directive state that you need to have cookie consent before setting cookies on your website visitors’ browser. But what exactly does that entail?

Disclaimer (16 October 2020): The information on this page is not intended as legal advice and shouldn’t be considered as such. We strongly recommend that you seek legal advice if you’re unsure as to how to become compliant. Please also keep in mind that this guide is not exhaustive and that more requirements might be applicable.

The ultimate guide to GDPR cookie consent

We have made this guide for those working with cookies in the EU. In it, you can read more about the different cookie types, get an overview of the relevant laws, and learn what businesses need to do to stay compliant. The rules and information outlined in this guide apply to businesses operating in Europe.

Cookie consent guide agenda

To help you get a better overview of cookie consent, we will cover the following topics in this guide:

What are cookies?

Cookies are small files containing data that are placed on your computer via the browser when you visit a website. Cookies are a helpful - and necessary - tool for website owners, as they can store many different types of data, which are essential for running a well-functioning website.

Cookies can also contain different information about things like how a website visitor uses a website, their location, or language preferences, or be used with adtech to track users’ online activity to target visitors with relevant ads. This can be useful for marketing purposes or to create a personalised user experience.

What is cookie consent?

Cookie consent is the website visitor's permission allowing a company to place a cookie in their browser to gather specific data about them. Cookie consent is required to lawfully obtain most of the different types of data you collect via your cookies.

Cookie laws, the GDPR, and cookie compliance in the EU

The GDPR and the ePrivacy Directive regulate the use of cookies in the EU. The GDPR is the strictest data privacy law; it applies to companies operating anywhere in the world if they collect personal data from people in the EU. The GDPR mentions cookies only once, in recital 30, but is important because IP addresses are considered personal data and are thereby regulated by the GDPR. The GDPR also regulates how consent should be captured, and sets requirements and obligations on companies to be able to prove the consents they obtain from website visitors.

The ePrivacy Directive governs the use of cookies and was passed in 2009. As a directive, the EU member states have to, as a minimum, live up to the requirements set out in the ePrivacy Directive, but may also regulate the area more tightly. The result is that how the law has been implemented varies from country to country.

The European Parliament is working on the ePrivacy Regulation which will replace the ePrivacy Directive once passed. When that happens is still uncertain.

Read also: Europe's top court says active consent is needed for tracking cookies

What are the consequences of not following the law?

There are a number of risks of not complying with the cookie rules. These include:

  • Fines
  • Damage to your reputation
  • Bad PR
  • Loss of access to your data
  • Loss of trust in your brand

The most obvious risk of not complying with the cookie laws is the risk of being fined. A recent example is the travel company Vueling, which was fined €30.000 for the cookie policy used on the company website. The decision, under the Spanish Law on Information Society Services and Electronic Commerce, also cited the lack of a visible cookie tool where website visitors could choose their cookie preferences.

Read also: The Spanish Data Protection Authorities fine Vueling €30.000 for a non-compliant cookie policy and widget

The Danish Data Protection Agency has also issued a statement regarding DMI (Danmarks Meteorologiske Institut). In the statement, the Danish Data Protection Agency noted that DMI had been collecting and passing on personal data about its website visitors without a legal basis for processing. DMI had shown banner ads on its website, including from e.g. Google's advertising platform, whereby DMI contributed to the collection and transmission of personal information about the website's visitors to Google. DMI had not captured a lawful consent from its visitors, and the Danish Data Protection Agency therefore found grounds for expressing serious criticism of DMI.

Learn more about cookie consent in this webinar recording

Watch a replay of our webinar Demystifying Cookies here:

Cookies and data ethics

Privacy and how companies treat data is something that many people, organisations, and the media focus on more and more. Treating the data of website visitors, employees, or private citizens without careful consideration can lead to scandals. Moreover, it has become a question of ethics: how do we want to behave as a society, and what are we willing to accept from companies that harvest or obtain data about us?

These questions create an opportunity for companies that prioritise privacy. Data ethics experts Pernille Tranberg and Gry Hasselbalch point out the potential for a privacy-first approach to be a commercial competitive advantage:

"Being eco-friendly has become an investor demand, a legal requirement, a thriving market and a clear competitive advantage. Data ethics will develop similarly – just much faster." (Tranberg, Data Ethics, 2016, p. 9)

Although the general focus here is on data as a whole, how a company treats a website visitor's cookies is a visible indicator of how it treats data more generally.

The importance of compliance and ethics for consumer brands. An interview with Bang & Olufsen's Chief Compliance Officer

How to stay compliant with cookies

There are many requirements you must meet to ensure cookie compliance. You need to:

  • Know what cookies you are using and why
  • Have a cookie banner on your website
  • Be aware of the difference between necessary and non-necessary cookies, and follow the consent requirements for non-necessary cookies before tracking
  • Obtain consent from your website visitors before you set non-necessary cookies
  • Ensure your users can change their cookie settings easily, and that the information you provide is comprehensible
  • Have an easily accessible cookie policy on your website
  • Have an audit trail, so you can document the cookie consents you obtained when users gave their consent, including the wording used in the cookie banner to obtain this consent
  • Remember to log and store the cookie consents for the duration required by law, e.g., in some countries up to 5 years
  • Be mindful of what the cookies you have obtained consent for are actually used for: does this fit the stated purpose?

What do you need to include in your cookie consent widget?

Your cookie widget or banner should present your users with:

  • An option to accept or reject non-necessary cookies
  • An explanation of what cookies you are using, including information about your necessary cookies and their purpose
  • A link to your cookie policy
  • Information about your cookie providers
  • The duration of each cookie (also known as the cookie’s expiry date)
  • Information about who you will be sharing the information with

According to a court ruling, your widget must not include pre-ticked buttons or fields. Users need to make the decision themselves as to whether they want to give consent to non-necessary cookies or not.

Working with Cookie Consent solutions

One way to keep track of your cookie consents is to use a consent management platform or solution. The software allows you to collect and store consents for your cookies, and to meet the GDPR and ePrivacy requirements. These types of tools are sometimes referred to as consent management platforms or consent management solutions.

Some cookie solutions can help you to implement Google consent mode - a Google API, which manages consent among Google products.

Different types of cookies

There are different types of cookies, which all have different legal requirements, depending on a number of factors. The rules are dependent on the cookie type, what the cookies are used for, the data they collect, the purpose they are collected for, and also if they are sharing the data with others (also known as third party cookies). Knowing the difference is important in relation to obtaining the right consent.

In this section you can read about the following cookie types:

  • Necessary and non-necessary cookies
  • First and third party cookies
  • Session cookies and persistent cookies

Necessary and non-necessary cookies

Cookies can be necessary or non-necessary. This distinction is based on whether they are necessary for the core functionality of a website. There are different legal requirements depending on which category they fit into, which makes the distinction an important factor in how consent for them is collected.

Necessary cookies:

These are also known as essential cookies or required cookies. The purpose of necessary cookies is to secure and ensure the core functionality of your website. These are not the same as helpful cookies that give the user a better experience.

Necessary cookies are, for example, cookies that:

  • remember what products a user placed in their online basket and make sure that the products are shown at the point of checkout, e.g. when the user is adding in their personal details,
  • or are security cookies making it possible for website owners to comply with security requirements, e.g. in regards to online payments.

You do not need consent from a user to use necessary cookies - but you must always tell a user that you are using necessary cookies, and what they are used for.

Non-necessary cookies:

There are a number of different non-necessary cookies. Also known as non-essential cookies, they are used for things such as collecting personal data for marketing, remarketing and analytical purposes.

To ensure compliance, you need to obtain consent from a user before you can legally begin to track them with the use of non-necessary cookies.

Is the cookie necessary or non-necessary?

In the table below, you can see a description of the different cookie categories and whether they are necessary or non-necessary.

    Cookie category | Necessary or non-necessary | Description
    Cookies that are strictly necessary for your website to work | Necessary cookies | These types of cookies remember the goods a user wishes to buy when they go to the checkout, or add goods to their shopping basket. These are also cookies that are essential in order to comply with security requirements in regards to an activity a user has requested, e.g. in connection with online banking services.
    Statistics cookies | Non-necessary cookies | Help to collect data about how users are using your website, web traffic and other stats.
    Preference cookies | Non-necessary cookies | Cookies that can be used to recognise a user when they return to your website, so you can tailor the experience they receive.
    Marketing cookies | Non-necessary cookies | Advertising cookies.
    Remarketing cookies | Non-necessary cookies | Advertising cookies.

First and third party cookies

The difference between first and third party cookies is whether a cookie is placed by the website being visited by a user or a third party.

First-party cookies

These are set directly by the website that a user is visiting: the site itself places the cookie in the user's browser.

Third-party cookies

These are set by a domain other than the website / URL that the user is visiting, e.g. by social media plugins, embedded images, or advertising.

Session cookies and persistent cookies

The cookie rules, including the GDPR and the EU Cookie Directive, apply to both session and persistent cookies.

Session cookies

Temporary cookies that expire when you close your browser, or your session ends. Session cookies are typically used to remember what a user adds to their basket while they browse your website. As session cookies expire after the browser is closed or the session ends, these types of cookies are often seen as less privacy intrusive than the other cookie category.

Persistent cookies

Cookies that work and keep tracking your users after the session ends. In theory they can be set for a long time, years even, but there is no guarantee that they will last that long, as a user can reset their cookie settings as often as they would like to. They often work across different sites and make it possible for a user’s preferences to be remembered after the user leaves the site.

What if your cookie use changes?

You need to obtain consent from users if you start to use new cookies or change the way you use any current cookies significantly.

This includes if you change the purpose of the cookies you have already set on your website. This means that website users who have already given consent, need to be asked to accept or reject your cookies again, so they can make an informed choice about this new activity.

Cookie providers

A cookie provider is a company or tool, such as Google Analytics, HubSpot, Mailchimp, or WordPress, that can set cookies on your website to gather data about activities related to that company.

Google Analytics cookie usage on websites

It's important that you know who your cookie providers are, as you are responsible for any cookies you place on your website. You are accountable for your cookie providers, including how they are processing and handling data collected via the cookies. You need to inform your website visitors about who your cookie providers are in your cookie policy and in connection with obtaining consent from your users.

Overview of the cookies set in a visitor's browser by Hubspot

Why should I block cookies and how do I do it?

To be compliant, you need to block non-necessary cookies so that they do not start tracking before a website visitor gives consent. To block a cookie, you need to block the scripts that set it on your website. This only applies to non-necessary cookies.
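One way to block the scripts rather than the cookies themselves is to ship them in a form the browser will not execute and only activate them after consent. The following is an added example, not Openli's code; it assumes the convention that gated scripts are written as <script type="text/plain" data-cookie-category="..." data-src="..."> tags, and the function names are assumptions for illustration.

```javascript
// Added example, not Openli's code: gate non-necessary cookie-setting scripts
// behind consent. Assumed convention: gated scripts are written in the page as
//   <script type="text/plain" data-cookie-category="statistics" data-src="..."></script>
// Browsers do not execute type="text/plain", so no cookie is set until the tag
// is swapped for a real script. The function names are assumed for illustration.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Turn the banner's choices into a full consent object. "necessary" is always
// allowed (no consent needed); everything else is false unless opted in.
function normaliseConsent(choices = {}) {
  const consent = {};
  for (const c of CATEGORIES) consent[c] = c === "necessary" || choices[c] === true;
  return consent;
}

// Pure decision, testable without a browser: which gated scripts may run?
// A script with a missing or unknown category is treated as non-necessary
// and stays blocked, so a mis-tagged tracker cannot slip through.
function scriptsToActivate(scripts, consent) {
  return scripts.filter(
    (s) => s.category === "necessary" || (CATEGORIES.includes(s.category) && consent[s.category] === true)
  );
}

// Browser side: find the gated tags and re-create only the permitted ones.
// Returns the number of scripts activated (0 outside a browser).
function activateConsentedScripts(consent) {
  if (typeof document === "undefined") return 0;
  const gated = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-cookie-category]')
  ).map((el) => ({ category: el.dataset.cookieCategory, el }));
  const allowed = scriptsToActivate(gated, consent);
  for (const { el } of allowed) {
    const live = document.createElement("script");
    if (el.dataset.src) live.src = el.dataset.src;
    else live.textContent = el.textContent; // inline gated code
    el.replaceWith(live); // the new element executes; the placeholder never did
  }
  return allowed.length;
}
```

A script that has already run cannot be unloaded when the user later withdraws consent, so a changed choice is usually followed by a page reload with the new consent applied.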

Why do you need a cookie policy?

You need a cookie policy to be compliant. Your cookie policy is where you communicate to your website visitors, e.g., how you use cookies, for what purpose, what types of cookies you are using, and when the cookies expire.

What are the cookie policy requirements?

You are required to inform your users about the cookies when they visit your website; this could be in the form of a cookie banner. You also need to make sure that you give them detailed information about your cookies.

This information is typically found in or as a subsection of your privacy policy, or in a separate cookie policy. The cookie policy (whether it's incorporated into your privacy policy or a separate policy) needs to be accessible from your cookie banner and also directly on your website, at the top or bottom of the page.

Don’t hide it on a subpage; you have to make sure that your users can find it easily, otherwise your cookie setup won’t be compliant.

What you need to include in your cookie policy

Your cookie policy needs to include:

  • A description of why, how and what you use cookies for
  • A definition of what a cookie is
  • A description of the different types of cookies on your website and how you use them, including but not limited to:
      • Necessary or essential cookies
      • Performance cookies
      • Functionality cookies
      • Targeting and advertising cookies
      • Third party cookies employed on your website
  • Your agreement (or lack thereof) with third-party providers, declaring whether or not you have reviewed the third-party vendors' privacy and cookie policies and cookie use
  • How users can control their cookie settings, how they can opt out of being tracked, and whether this will impact their use of the website (necessary cookies only)
  • The option for the user to opt out of being tracked; it is required that this is easy for the user to find and do
  • Remember to draft your cookie policy in a way that people can actually understand. Avoid very complex and lengthy sentences.

Furthermore, you should also think about the design of your policy. Many authorities, including the ICO and the Danish authorities, recommend that policies be split up into sections so that each section can be “unfolded” making it easier for the user to read and understand the content of the policy - instead of being a 10 page wall of text.

Cookie policy generator or template

Many cookie widgets include an unfoldable cookie policy in the widget design. The example shows how Openli's cookie policy is included in the widget.
