The GDPR and the ePrivacy Directive require you to have cookie consent before setting most cookies in your website visitors' browsers. But what exactly does that entail?
Disclaimer (16 October 2020): The information on this page is not intended as legal advice and shouldn’t be considered as such. We strongly recommend that you seek legal advice if you’re unsure as to how to become compliant. Please also keep in mind that this guide is not exhaustive and that more requirements might be applicable.
We have made this guide for those working with cookies in the EU. In it you can read about the different cookie types, get an overview of the relevant laws, and see what businesses need to do to stay compliant. The rules and information outlined in this guide apply to businesses operating in Europe.
To help you get a better overview of cookie consent, we will cover the following topics in this guide:
Cookies are small pieces of data that a website asks the browser to store on your device when you visit it, and that the browser sends back on later requests. Cookies are a helpful - and often necessary - tool for website owners, as they can store many different types of data that a well-functioning website depends on, such as the login session or the contents of a shopping basket.
Cookies can also hold information about how a visitor uses a website, their location or language preferences, or be used by adtech to track users' online activity and target them with relevant ads. This can be useful for marketing purposes or to create a personalised user experience.
Cookie consent is the website visitor's permission for a company to place a cookie in their browser and gather specific data about them. Consent is required before you can lawfully collect most kinds of data via cookies.
The EU institutions are still working on the ePrivacy Regulation, which is intended to replace the ePrivacy Directive once adopted. When, or whether, that happens remains uncertain, so the Directive and the national laws implementing it are what apply today.
There are a number of risks of not complying with the cookie rules. These include:
The Danish Data Protection Agency has also issued a statement regarding DMI (Danmarks Meteorologiske Institut). In it, the Agency noted that DMI had been collecting and passing on personal data about visitors to dmi.dk without a legal basis for processing. DMI had displayed banner ads on its website, including ads served through Google's advertising platform, and thereby contributed to the collection and transmission of personal data about the website's visitors to Google. Because DMI had not captured a lawful consent from its visitors, the Danish Data Protection Agency found grounds for expressing serious criticism of DMI.
Privacy and how companies treat data is something that many people, organisations, and the media focus on more and more. Treating website visitors', employees', or private citizens' data without careful consideration can lead to scandals. Moreover, it has become a question of ethics: how do we want to behave as a society, and what are we willing to accept from companies that harvest or obtain data about us?
These questions create an opportunity for companies that prioritise privacy. Data ethics experts Pernille Tranberg and Gry Hasselbalch point out the potential for a privacy-first approach to be a commercial competitive advantage:
"Being eco-friendly has become an investor demand, a legal requirement, a thriving market and a clear competitive advantage. Data ethics will develop similarly – just much faster." (Tranberg, Data Ethics, 2016, p. 9)
Although the general focus here is on data as a whole, how a company handles its website visitors' cookies is a visible indicator of how it treats data more generally.
There are many requirements you must meet to ensure cookie compliance. You need to:
Your cookie widget or banner should present your users with:
According to a court ruling (the CJEU's Planet49 judgment, case C-673/17), your widget must not include pre-ticked boxes or fields. Users need to make the decision themselves as to whether they want to give consent to non-necessary cookies or not, so an "accept" that is selected by default is not valid consent.
One way to keep track of your cookie consents is to use a consent management platform (CMP), also referred to as a consent management solution. Such software collects and stores the consents for your cookies, keeps a record you can show an authority, and helps you meet the GDPR and ePrivacy requirements.
Some cookie solutions can also help you implement Google consent mode, a Google API that passes the visitor's consent state to Google tags (such as Google Analytics and Google Ads) so that those tags adjust what they store and send accordingly. Consent mode only governs Google's own tags; scripts from other providers still need to be blocked separately until consent is given.
There are different types of cookies, and the legal requirements differ depending on a number of factors: the cookie type, what the cookies are used for, the data they collect, the purpose they are collected for, and whether the data is shared with other parties (for example through third-party cookies set by another domain). Knowing the difference is important for obtaining the right consent.
In this section you can read about the following cookie types:
Cookies can be necessary or non-necessary. This distinction is based on whether they are required for the core functionality of a website. The legal requirements differ depending on which category a cookie falls into, which makes the category an important factor in how consent for it is collected.
These are also known as essential cookies or required cookies. The purpose of necessary cookies is to secure and ensure the core functionality of your website, such as keeping a user logged in or remembering what is in their basket during checkout. They are not the same as helpful cookies that merely give the user a better experience.
Necessary cookies are cookies that:
You do not need consent from a user to set necessary cookies - but you must always tell users that you are using them, and what they are used for. Be strict about what you label as necessary: if a cookie can be removed without breaking a function the user has asked for, it is not necessary in the legal sense.
There are a number of different non-necessary cookies. Also known as non-essential cookies, they are used for things such as collecting personal data for marketing, remarketing and analytical purposes.
To ensure compliance, you need to obtain consent from a user before you can legally begin to track them with the use of non-necessary cookies.
Here are some examples of non-necessary cookies:
In the table below, you can see a description of the different cookie categories and whether they are necessary or non-necessary.
The difference between first-party and third-party cookies is whether a cookie is placed by the website the user is visiting or by another party.
First-party cookies are set directly by the website that the user is visiting. This means the cookie's domain is the site's own domain (or a parent of it), and the cookie is sent back only to that site.
Third-party cookies are set by a domain other than the website / URL the user is visiting. They are typically set by embedded third-party content such as social media plugins, images, or advertising, and because the same third-party domain is embedded on many sites, the cookie can be used to recognise the user across those sites.
The cookie rules, including the GDPR and the ePrivacy Directive (often called the EU Cookie Directive), apply to both session and persistent cookies.
Session cookies are temporary cookies that expire when the user closes their browser or their session ends. They are typically used to remember what a user adds to their basket while they browse your website. Because they expire after the browser is closed or the session ends, session cookies are often seen as less privacy intrusive than persistent cookies.
Persistent cookies are cookies that keep working, and can keep tracking your users, after the session ends. They carry an expiry date or a maximum age and can in theory be set for a long time, even years, but there is no guarantee they will last that long, as a user can clear their cookies as often as they like. A first-party persistent cookie makes it possible to remember a user's preferences after they leave and return to the site; a third-party persistent cookie is what makes it possible to recognise the same user across different sites.
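The two distinctions above can be read straight off the Set-Cookie headers a page returns. The following is an added example, not code from the original guide: it parses Set-Cookie header values and classifies each cookie as first- or third-party (relative to the host the visitor is on) and as session, persistent, or already expired. The site host, the response hosts and the sample headers are constructed placeholders. Note what it cannot tell you: cookies set from JavaScript via document.cookie never appear in headers, and whether a cookie needs consent depends on its purpose, which no header attribute reveals.

```javascript
// Added example (not from the original guide). Classifies cookies seen in
// Set-Cookie headers by party and lifetime. All hosts and cookies below are
// constructed placeholders, not real providers.

const SITE_HOST = "shop.example.com"; // assumed: the site the visitor is on

// Parse one Set-Cookie header value into { name, value, attrs }. Attribute
// names are lower-cased so "Max-Age" and "max-age" compare equal.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? "" : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// First-party: the cookie's domain is the visited host or a parent of it.
// Without a Domain attribute the cookie is host-only and belongs to the host
// that sent the response (RFC 6265), which is why responseHost is needed.
function isFirstParty(cookie, responseHost, siteHost = SITE_HOST) {
  const domain = (cookie.attrs.domain || responseHost).replace(/^\./, "").toLowerCase();
  const site = siteHost.toLowerCase();
  return site === domain || site.endsWith("." + domain);
}

// Session vs persistent. A cookie is persistent only if Max-Age or Expires
// is present; Max-Age wins when both are set (RFC 6265 section 5.3). A
// non-positive Max-Age or a past Expires is a deletion, reported as "expired".
function lifetime(cookie, now = Date.now()) {
  const a = cookie.attrs;
  if (a["max-age"] !== undefined) {
    const secs = Number(a["max-age"]);
    return Number.isFinite(secs) && secs > 0 ? "persistent" : "expired";
  }
  if (a.expires !== undefined) {
    const t = Date.parse(a.expires);
    if (Number.isNaN(t)) return "session"; // browsers ignore an unparseable Expires
    return t > now ? "persistent" : "expired";
  }
  return "session";
}

// observed: [{ responseHost, header }] as captured during a page load.
function classifyCookies(observed, siteHost = SITE_HOST, now = Date.now()) {
  return observed.map(({ responseHost, header }) => {
    const c = parseSetCookie(header);
    return {
      name: c.name,
      party: isFirstParty(c, responseHost, siteHost) ? "first-party" : "third-party",
      lifetime: lifetime(c, now),
    };
  });
}

// Constructed sample capture: a login session, a one-year language preference
// scoped to the parent domain, an advertising identifier from another domain,
// and a cookie being deleted.
const SAMPLE_OBSERVED = [
  { responseHost: "shop.example.com", header: "sessionid=abc123; Path=/; Secure; HttpOnly" },
  { responseHost: "shop.example.com", header: "lang=en; Domain=.example.com; Max-Age=31536000; Path=/" },
  { responseHost: "tracker.adnet.example",
    header: "uid=9f3a; Domain=.adnet.example; Expires=Thu, 01 Jan 2032 00:00:00 GMT; Path=/; SameSite=None; Secure" },
  { responseHost: "shop.example.com", header: "promo=1; Max-Age=0; Path=/" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.table(classifyCookies(SAMPLE_OBSERVED));
}
```

Run it with `node` to get a table of the four sample cookies; feed it headers from a real capture (for example from browser developer tools or a proxy) to inventory a site's own and embedded cookies before writing the cookie policy.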
You need to obtain consent from users if you start to use new cookies or change the way you use any current cookies significantly.
This includes changing the purpose of cookies you have already set on your website. Website users who have already given consent then need to be asked to accept or reject your cookies again, so they can make an informed choice about the new activity.
A cookie provider is a company or tool, such as Google Analytics, HubSpot, Mailchimp, or WordPress, whose scripts or embedded content set cookies on your website in order to gather data on behalf of that provider.
To be compliant you must block non-necessary cookies so that they do not start tracking before the website visitor gives consent. Blocking a cookie after the fact is not enough: you need to block the scripts (and embedded third-party content) that set the cookies, so that they are not loaded or executed until consent exists. Necessary cookies are not affected by this requirement.
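The following added example (not code from the original guide or from any particular consent management platform) shows the gating logic: non-necessary scripts are authored as inert tags that the browser neither fetches nor executes, a consent record that starts with nothing pre-ticked decides which of them may run, and consent given for an older set of purposes is treated as absent so the visitor is asked again. The category names, the `data-consent` / `data-src` attribute convention and the `purposesVersion` field are this example's own assumptions, not a standard.

```javascript
// Added example (not from the original guide). Consent-gated activation of
// non-necessary scripts. Categories, attribute names and PURPOSES_VERSION are
// assumptions made for this example.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Bump PURPOSES_VERSION whenever cookies or their purposes change, so consent
// recorded under an older version is no longer treated as valid.
const PURPOSES_VERSION = 2; // assumed value

// Fresh consent record: nothing non-necessary is pre-ticked.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false,
           purposesVersion: PURPOSES_VERSION };
}

// Apply the visitor's explicit choices. Unknown categories are ignored and
// "necessary" cannot be switched off, since it requires no consent anyway.
function applyChoice(consent, choices) {
  const next = { ...consent, purposesVersion: PURPOSES_VERSION };
  for (const [cat, on] of Object.entries(choices)) {
    if (cat === "necessary" || !CATEGORIES.includes(cat)) continue;
    next[cat] = on === true;
  }
  return next;
}

// A stored record is only usable if it was given for the current purposes.
function needsReconsent(consent) {
  return !consent || consent.purposesVersion !== PURPOSES_VERSION;
}

// Pure decision: which script descriptors may run under this consent record.
// A script with an unknown or missing category is treated as marketing (the
// most restrictive bucket), so a mislabelled tag fails closed rather than open.
function scriptsToActivate(scripts, consent) {
  const active = needsReconsent(consent) ? defaultConsent() : consent;
  return scripts.filter((s) => {
    const cat = CATEGORIES.includes(s.category) ? s.category : "marketing";
    return active[cat] === true;
  });
}

// Browser side. Inert tags are written in the page as
//   <script type="text/plain" data-consent="statistics" data-src="https://..."></script>
// which the browser neither fetches nor executes. Each permitted tag is
// replaced by a live script element. Returns how many were activated (0 when
// there is no DOM, e.g. under Node).
function activateInDom(consent, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return 0;
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descriptors = inert.map((el) => ({ el, category: el.dataset.consent }));
  let activated = 0;
  for (const { el } of scriptsToActivate(descriptors, consent)) {
    const live = doc.createElement("script");
    if (el.dataset.src) live.src = el.dataset.src; // third-party tag: fetched only now
    else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// Constructed sample of what a page might carry (ids are placeholders).
const SAMPLE_SCRIPTS = [
  { id: "session-helper", category: "necessary" },
  { id: "analytics", category: "statistics" },
  { id: "ad-pixel", category: "marketing" },
  { id: "unlabelled" }, // missing category: must not run without marketing consent
];

if (typeof require !== "undefined" && require.main === module) {
  const before = scriptsToActivate(SAMPLE_SCRIPTS, defaultConsent()).map((s) => s.id);
  const after = scriptsToActivate(SAMPLE_SCRIPTS, applyChoice(defaultConsent(), { statistics: true }))
    .map((s) => s.id);
  console.log("before consent:", before, "after statistics consent:", after);
}
```

The consent record itself has to be stored somewhere (typically a first-party cookie or localStorage); that store is a necessary cookie and needs no consent, but it must be described in the cookie policy like any other. Scripts that inject further tags (tag managers) must be gated as a whole, since anything they load inherits the gap.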
You are required to inform your users about your cookies when they visit your website, for example in a cookie banner, and to give them detailed information about the cookies in a cookie policy: which cookies are set, by whom, for what purpose, and for how long.
Don't hide the cookie policy on a subpage. Your users must be able to find it easily (a link from the banner and from every page is the usual approach); otherwise your cookie setup won't be compliant.
You should also think about the design of the policy. Many authorities, including the ICO and the Danish authorities, recommend splitting the policy into sections that can each be "unfolded", so that it is easier for the user to read and understand than a 10-page wall of text.