5 steps to create a GDPR compliant cookie consent solution
Cookie Consent Solution: Cookie Law as passed in 2009 got a new enforcement life after GDPR. Court of Justice of European Union in the Planet49 case ruled that storing cookies required active consent (GDPR standard). Following the judgment Data Protection of Authorities of Ireland, Germany, Spain, and others have started enforcement actions against websites that do not have a GDPR compliant cookie consent banner on their website.
5 steps to create a GDPR compliant cookie consent solution for your website
- Give users a notice using a banner or cookie popup with clear and comprehensive information on the use & purposes of cookie tool GDPR. Ensure you add a link to your cookie policy or privacy policy in the notice
- Set the cookies only when the user has given consent for cookies
- Give users an option to Accept and Reject cookies
- Create a second layer where users can give consent to each purpose of cookies separately
- Create a permanent link or button for users to withdraw cookie consent. This should be placed on your home page or privacy policy page.
On implementing the above steps, your website should have the following flow for cookie consent:
Table of Contents
- What's the cookie consent
- Cookie Consent Banner Design
- GDPR Cookie Consent Examples
- Cookie Consent Script
- Cookie Consent for Google Tag Manager
- Cookie Consent for Website Builders
- Conclusion
What's the cookie consent
Cookie Consent is the process by which websites take user's consent to set cookies. It started with Europe's ePrivacy directive or the cookie law. With ePrivacy, it was mandatory for websites to take consent from users before storing or accessing cookies from user's devices. However, websites termed consent as showing cookie banners with just an Ok button or implying consent by use of the website. GDPR clearly defines what constitutes legal consent and hence now cookie consent has to include an option to deny alongside acceptance and a method to give consent based on purposes or use of cookies like Targeting, Analytics amongst others.
When is cookie consent needed?
Cookie consent is needed:
- If you offer your product or service to EU customers, including a free product or service. For example, media websites like Techcrunch are free services for EU customers
- If you are targeting EU customers, this is indicated if you have an EU domain like .eu, .de or you offer local currencies, local language on your website or you are advertising to EU users like an American university advertising for its courses in EU
What happens if you don't comply with cookie consent?
Users can file a complaint against your company with the Data Protection Authority of your country and this could lead to fines under GDPR. Recently, the Data Protection Authority of Ireland, Germany has started a sweep of websites to check if they comply with cookie consent and will be sending notices soon. Here are some actions are taken for not complying with cookie consent:
- Planet 49: CJEU Rules on Cookie Consent
- Oracle & Salesforce hit with class action GDPR lawsuit
- IKEA was fined 10,000 Euros for cookie consent violations
- Vueling Airlines was fined 30,000 Euros for not allowing users to give granular consent
Cookie Consent Banner Design:
A cookie consent banner has the following requirements to make it legal:
- Cookie Consent Text: This is also termed as Cookie Consent Notice and is used to inform in a simple, clear language that you use cookies on your website.
- Cookie Policy: This is a detailed version of your cookie consent notice explaining why you use cookies, a list of cookies with purposes, and a method for users to withdraw consent for cookies
- Accept & Deny Buttons: These are options for your users to either accept or deny the cookies. You should ensure that you don't use dark design patterns to give more weight to Accept over Deny. For your cookie consent to be valid in the EU, you have to ensure that for users ease of accepting and denying cookies is the same.
- Cookie Preferences: This should open up a preference center where users can give granular consent for each purpose. ePrivacy allows websites to set Strictly Essential Cookies without consent so that can always be on, for other purposes like Targeting, Analytics you should allow users to switch them on or off.
GDPR Cookie Consent Solution Examples
Cookie Consent is the first interaction that users will have on your website, you should ensure that it's styled according to your website. Smashing Magazines list some ways to create user-friendly cookie consent banners.
Some cookie banner examples we liked and you can take inspiration from:
Techcrunch
Techcrunch does a good job with the cookie consent notice. They explain to the users that they are using cookies, explains the use of the cookies, and also links to both privacy and cookie policy. However, they don't have an option to Reject cookies and thus not a great experience for users who want to reject the use of cookies.
AirBnB
Airbnb gives a preference center for users to give consent on each purpose separately. Here they have clearly defined Performance as one of the purposes explaining the use of cookies. Also, they allow users to switch off cookies for this purpose completely or switch off each cookie individually. In our opinion, consent for each cookie is overkill for users and you should be good with just giving a purpose level option to users.
Asos
Asos's cookie banner is well styled but does not give the option to users to reject or change cookie settings. This is something we would not recommend.
Webflow
Webflow gives a nice banner at the bottom but does not give the option to the user to accept or reject cookies. You can change your preferences, it would have been much better if we had the buttons on the banner itself.
If you liked these examples and want to know more, go ahead and read our post, 10 Examples of GDPR Cookie Consent
Cookie Consent Script
Cookie consent script blocks and unblocks cookies based on the user's consent. It ensures websites comply with the ePrivacy Directive and GDPR. There are two ways in which the script can function:
Manually block cookies:
- Change the class of each script that is setting a script from </type = javascript to </type=text & class = website-category>
- The class value will allow you to handle granular cookie consent
- Once the user gives you consent, change these scripts to type = javascript and execute them
One of the problems with the manual method is it takes a lot of time and you can miss some scripts which will make your website non-compliant.
Automatically block cookies:
- Scans the website for cookies and allows you to categorize them into different categories
- Automatically blocks the scripts and unblocks them once the user gives cookie consent
Sign-up to Privado and automatically block cookies with our cookie consent script.
Cookie Consent for Google Tag Manager
Your cookie consent solution should also ensure cookies set via tags from Google Tag Manager are blocked till the user gives consent. Here is how you can use our cookie consent solution to do that:
- Download the container from our dashboard
- Import the container to your GTM, it will add the triggers to block and allow tags in your GTM account. Some examples are Allow Analytics, Block Analytics
- You can either use the Allow triggers to fire these tags or use the Block triggers and add as an exception for your tags
- Go to preview and your tags should only be fired once the user gives consent
Cookie Consent for Website Builders
We offer integration with the following third-party website builder tools to seamlessly display a cookie consent banner:
Conclusion
Cookie Consent seems simple on the outside but involves you setting the right cookie banner, blocking cookies, tags, pixels with the help of a script, and allowing users to change cookie consent from your home page or cookie policy. This guide will help you with setting all these elements for your website.
You can also use our free cookie consent tool and make it compliant with privacy laws across the world including GDPR.
Vaibhav is the founder of privado.ai and a CIPM certified privacy professional.