When it comes to data privacy and compliance with privacy regulations, cookies are a crucial consideration because they are one of the most common methods of collecting user data.
Cookies are small pieces of data that a website asks the browser to store on the user’s device and send back with later requests to that site. They enable features such as logins and shopping carts, and they also track preferences and behavior to provide insights into users’ activities.
Typically, we don’t even notice cookies are in use, as they power websites’ critical functions. However, cookies can collect large amounts of data that can be used to identify users without their consent. Third-party cookies in particular can track users not just on one website, but across websites throughout browsing sessions, on social platforms, ecommerce sites, and more. The data from cookie-based tracking can fuel personalized marketing campaigns and the targeting of individuals with specific advertisements.
Since cookies can collect personal information, privacy laws around the world require companies to ensure cookie compliance. The requirements themselves are fairly straightforward, but implementing and maintaining them is not necessarily easy as technologies, business operations, and regulations change. Here’s what you need to know.
What is cookie compliance?
Cookie compliance means ensuring that your use of cookies on your website, and the collection of visitors’ personal data that those cookies enable, follows the global and national data privacy laws that apply to you.
Each country’s or region’s laws have their own definitions and requirements, but in most cases cookie compliance starts with informing users of:
- how your company will use cookies
- what data the cookies collect
- what the purpose(s) is for data collection
- legal basis for data processing (where required, e.g. under the GDPR)
- what parties will have access to the data, especially third parties
- how long the data will be retained/stored
- what users’ options and rights are regarding consent to data collection and use
- how users can withdraw consent
Types of cookie consent compliance
While privacy laws often don’t explicitly refer to cookies or set requirements for their use, collecting and processing data via cookies is treated like any other processing of personal data, including data that can identify an individual or that is categorized as sensitive.
Privacy laws therefore impose various requirements on website cookie use. Worldwide, one of the most common is to obtain consent from users before collecting or processing their personal data, including through cookies. The most common way of obtaining this cookie consent is a cookie banner or pop-up on the website.
It is also a typical requirement that companies provide a cookie notice or policy, which outlines the information listed above regarding data collection and use and users’ rights. Sometimes the cookie notice is a standalone document, but more commonly it’s included as part of a privacy notice or policy. There are various types of cookie notices, depending on the type of cookies a company uses, relevant privacy laws, and policies and guidelines from data protection authorities.
The type of consent banner and the implementation that is best for your organization will depend on what country-specific privacy regulations and guidelines require with regard to user notification and consent.
Information only
This type of cookie banner only informs users that cookies are being used. It does not provide an option to consent or opt out of data collection or use. This model is generally not compliant with most privacy regulations, including the GDPR.
It is very rare for a website to use only necessary cookies (and for authorities to agree that every cookie in use is, in fact, strictly necessary), so we do not recommend an information-only cookie banner without consent options.
Soft opt-in
With this type of banner, non-essential cookies are initially blocked when the visitor arrives on the site, but any further action by the visitor, such as clicking a link to another page or scrolling, is treated as consent to the website’s cookies.
The name comes from the UK’s Privacy and Electronic Communications Regulations (PECR), where a “soft opt-in” permits direct marketing by email or SMS to existing customers under narrow conditions. That exception covers marketing messages, not cookies.
Soft opt-in is not compliant with many global or national privacy regulations, because continuing to browse is not explicit consent: explicit consent requires an affirmative action, like clicking an “Accept” button.
Opt-out consent
The opt-out cookie consent model assumes website visitors agree to cookies unless they opt out. Under state or national laws that use this model, prior consent for data collection is not required in most cases: cookies are set by default, and users are given an option to refuse them or to opt out of data collection for specific purposes, such as targeted advertising, which some of these laws do require.
The opt-out consent model is in use in the state-level data privacy laws in the United States, such as with the Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act (CCPA).
Opt-in consent
Opt-in consent, also known as explicit or prior consent, is when cookies are blocked until the user performs a specific action like ticking a checkbox or clicking an “Accept” button, giving explicit consent to a website’s cookie usage. This type of consent is required under the General Data Protection Regulation (GDPR).
A number of laws require that individuals be able to give overall consent, i.e. to all data processing services in use, or granular consent, i.e. only to the services they choose. Regardless of granularity, the consent must be explicit. Individuals must also be able to deny all consent for data processing and to easily revoke consent they previously granted.
This type of consent is required for compliance with the.
Mixed consent
Mixed consent means different types of cookies are treated differently based on their purpose, for example implied consent for analytics cookies but explicit consent for advertising cookies.
The California Privacy Rights Act (CPRA) takes a mixed approach: it requires opt-in consent for certain data and activities (notably the sale or sharing of children’s data) and gives consumers a right to limit the use of their sensitive personal information, while allowing opt-out consent for other uses.
What are GDPR cookie compliance requirements?
GDPR cookie compliance refers to General Data Protection Regulation requirements for websites to obtain valid consent from users before activating cookies or other tracking technologies that collect and process personal data. The key aspects of GDPR cookie compliance are:
- Websites must obtain “freely given, specific, informed and unambiguous” consent from users before using non-essential cookies. This means no pre-ticked boxes or assuming consent if the user continues scrolling, closes the consent banner, or otherwise does not take explicit consent action.
- Users must be provided with accessible and clear information about the cookies being used, their purposes, legal basis for processing, third-party access to data, and more. This is usually provided in a cookie policy.
- Users must be able to easily withdraw their consent or change their cookie preferences at any time, and it should be as easy to withdraw as giving consent.
- Consent must be securely documented and stored as proof of compliance, ready to show authorities if needed, or provided with a data subject access request.
- Only essential cookies for basic website functions can be used without consent, however, users must still be notified about the purposes of essential cookies. All other cookies and trackers, like those for analytics and marketing, require explicit consent.
To achieve GDPR cookie compliance, websites commonly use a consent management platform (CMP). The best CMPs can scan for all cookies and trackers present on a website, list and categorize them, block them until consent is given, provide the required information and consent options to users, and securely store consent records.
Scan your website for free to check cookies on your website and generate a detailed cookie audit report in minutes.
What is CPRA/CCPA cookie compliance?
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are data privacy laws in California that regulate how businesses handle the personal information of California residents. The CCPA was the first of the modern comprehensive data privacy laws passed in the United States, and the CPRA amended and expanded it. Here are the key requirements for CPRA/CCPA cookie compliance:
- Businesses should disclose in their cookie policy what types of cookies and tracking technologies they use and for what purposes as a best practice and to ensure clear user notification.
- Businesses must provide a “Do Not Sell or Share My Personal Information” link that enables California residents to opt out of the sale or sharing of their personal information collected via cookies and other tracking technologies.
- Companies must obtain prior opt-in consent before selling or sharing the personal information of consumers under 16 (from a parent or guardian for children under 13), and must honor requests to limit the use of sensitive personal information.
Neither the CCPA nor the CPRA explicitly requires a cookie consent banner, but the opt-out rights and disclosure obligations described above (and the opt-in cases for minors) make a consent banner a practical way to meet them and a best practice for compliance.
Learn more about similarities and differences between the CCPA vs the GDPR.
Other privacy laws related to cookie compliance
Although frequently mentioned, the GDPR and the CPRA are not the only privacy regulations requiring cookie consent. More and more laws that cover cookie use are coming into effect, such as:
- Florida’s Digital Bill of Rights (FDBR)
- Brazil’s LGPD
- South Africa’s Protection of Personal Information Act (POPIA)
- China’s Personal Information Protection Law (PIPL)
These laws show a global trend towards stricter data privacy rules, making it important to get proper cookie consent from users to comply with different legal requirements. Even when prior consent is not required by law, transparency with users and requesting consent are best practices and are a good way to improve customer experience and build trust.
What are the consequences of cookie noncompliance?
The consequences of noncompliance with cookie consent laws like the GDPR, CPRA, and other data privacy regulations can be severe.
Monetary fines are a common consequence. Under the GDPR, companies can face fines of up to EUR 20 million or 4 percent of their global annual revenue, whichever is higher, for serious violations. CPRA violations can result in fines of up to USD 7,500 per intentional violation or violations involving minors.
Legal action is another consequence. In some jurisdictions data protection authorities can take legal action against noncompliant companies. This can include levying temporary bans on data processing activities and requiring deletion of data, which can cause serious issues for maintaining business operations. Class-action lawsuits from consumers (private right of action) are also a risk in some regions.
Lastly, there is reputational damage. News of fines and legal actions can severely damage a company’s reputation and consumer trust. Consumers are increasingly aware of privacy issues and may leave or avoid businesses they don’t trust with their data or privacy.
How to become cookie compliant?
No matter the location of your company, there are certain steps you can take to implement best practices and become cookie-compliant.
- Start by identifying the cookies and trackers in use on your website. You cannot achieve cookie compliance without knowing what cookies your website sets on users’ devices, and cookies set by third-party scripts are harder to detect than your own. Conduct a cookie audit to identify all the cookies and trackers used on your site.
- Have a clear and accessible cookie policy that explains what cookies you use, their purposes, and how long they last, and other required information. This policy should be linked to your cookie banner. Ensure that it’s kept up to date.
- Have a privacy policy that outlines how you process users’ personal data collected via cookies. Link to this policy whenever collecting data. Under some countries’ requirements a privacy policy link must be placed on each page of the website. Also ensure that the privacy policy is kept up to date.
- Use a cookie banner displaying clear cookie text to inform individuals about the cookies being used, their purposes, expiration periods, and third-party providers. The banner must give people clear options to accept or reject each type of cookie. The language should be easy to understand. Do not use cookie walls that block access until visitors give consent.
- Enable users to consent granularly, and to easily change or withdraw their cookie consent at any time. Respect withdrawals immediately: stop loading the affected scripts and delete the first-party cookies you set for those purposes.
- Document and store records of users’ cookie consent choices to demonstrate compliance. Store consent records for both accepted and rejected cookies.
- Conduct periodic audits to identify any new cookies in use on your site and update your policies and consent flows accordingly.
- Consider using Google’s Consent Mode, which adjusts how Google tags behave according to the visitor’s consent state and can retain some aggregate analytics data through cookieless pings even when cookies are rejected.
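The GDPR requirements listed earlier and the steps above come down to one mechanism: a first-party record of what the visitor chose, a gate that loads nothing non-essential until that record grants it, and a withdrawal path that revokes and cleans up. The following is an added example of that mechanism, not Cookiebot’s code or any CMP’s API; the cookie name `site_consent`, the four categories, the tracker inventory and the version number are assumptions chosen for illustration.

```javascript
// Added example (not Cookiebot's code): a minimal first-party consent gate.
// Cookie name, categories, tracker inventory and version are assumptions.
const CONSENT_COOKIE = 'site_consent';   // assumed first-party cookie name
const CONSENT_VERSION = 2;               // bump whenever the cookie policy changes
const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];
const ONE_YEAR = 365 * 24 * 60 * 60;     // seconds; re-ask at least this often

// Hypothetical inventory from a cookie audit: each script/cookie and its category.
const TRACKERS = {
  sessionid: 'necessary',
  lang_pref: 'preferences',
  _analytics: 'statistics',
  ad_pixel: 'marketing',
};

// State before the visitor decides. Opt-in regimes (GDPR) start with only
// 'necessary' on; opt-out regimes (CCPA/CPRA) may start on but must offer refusal.
function defaultConsent(model) {
  if (model !== 'opt-in' && model !== 'opt-out') throw new Error('unknown model');
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === 'necessary' || model === 'opt-out';
  return { version: CONSENT_VERSION, decided: false, granted, ts: null };
}

// Record an affirmative choice. Categories the visitor did not tick count as
// rejected (no pre-ticked defaults), and rejections are stored next to
// acceptances so the record proves what was declined as well as accepted.
function recordChoice(choices, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === 'necessary' || choices[c] === true;
  return { version: CONSENT_VERSION, decided: true, granted, ts: now };
}

// Withdrawal is just a new decision that grants nothing beyond 'necessary'.
function withdrawAll(now = Date.now()) { return recordChoice({}, now); }

// The gate: load a tracker only if its category is granted. Unknown trackers
// (anything the audit missed) fail closed.
function allowed(state, tracker) {
  const category = TRACKERS[tracker];
  if (!category) return false;
  return state.granted[category] === true;
}

// Serialize to a Set-Cookie value. Secure + SameSite=Lax; the JSON is
// URL-encoded because a raw ';' or ',' would break the cookie.
function toSetCookie(state, maxAge = ONE_YEAR) {
  const v = encodeURIComponent(JSON.stringify(state));
  return `${CONSENT_COOKIE}=${v}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Parse a Cookie request header. Anything malformed, recorded under an older
// policy version, or undecided falls back to the regime default.
function fromCookieHeader(header, model) {
  const fallback = defaultConsent(model);
  for (const part of (header || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const s = JSON.parse(decodeURIComponent(rest.join('=')));
      if (s.version !== CONSENT_VERSION || s.decided !== true) return fallback;
      const granted = {};  // keep only known categories; force 'necessary' on
      for (const c of CATEGORIES) granted[c] = c === 'necessary' || s.granted?.[c] === true;
      return { version: s.version, decided: true, granted, ts: s.ts ?? null };
    } catch {
      return fallback;
    }
  }
  return fallback;
}

// On withdrawal, expire every first-party cookie whose category is no longer
// granted. Cookies set by other domains cannot be deleted from here; refusing
// to load their scripts (allowed() above) is the only lever a site has.
function purgeHeaders(state, cookieNames) {
  return cookieNames
    .filter((n) => !allowed(state, n))
    .map((n) => `${n}=; Max-Age=0; Path=/; Secure; SameSite=Lax`);
}
```

In the browser the usual way to apply `allowed()` is to ship non-essential `<script>` tags with a non-executable `type` and switch them on only after the gate returns true; the version check is what forces a fresh decision when a periodic audit changes the policy, and the failed-closed default for unknown trackers is the guard against a script that was added after the last audit.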
The first step to becoming cookie compliant: conduct a website cookie compliance check
The first step to becoming cookie-compliant is to conduct a comprehensive website cookie audit. This involves identifying, categorizing, and documenting all cookies and tracking technologies used on your website.
Cookiebot CMP can automate this process. The CMP scans your website to detect all cookies and trackers being used, automatically categorizes them based on purpose (e.g. necessary, preferences, statistics, marketing), and generates a cookie declaration report you can use for consent notification, in your cookie notice, and elsewhere.
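A scanner does its categorization on top of the raw `Set-Cookie` headers a page load produces, and looking at those headers yourself is a useful check on any tool’s report. Below is an added example of that first pass, not Cookiebot’s scanner: it parses captured headers, decides first- versus third-party by RFC 6265 domain matching against the site host, computes each cookie’s lifetime, and flags the attributes a reviewer would question. The site host `shop.example`, the captured headers and the one-year “long-lived” threshold are constructed for illustration.

```javascript
// Added example (not Cookiebot's scanner): audit Set-Cookie headers captured
// from a page load (browser devtools or a proxy). Host, sample headers and
// the long-lived threshold are constructed assumptions.
const SITE_HOST = 'shop.example';           // assumed first-party host
const LONG_LIVED = 365 * 24 * 60 * 60;       // assumed threshold, seconds

// Constructed sample: the URL of the response that set each cookie plus the header.
const CAPTURED = [
  { url: 'https://shop.example/', header: 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { url: 'https://shop.example/', header: 'lang=en; Path=/; Max-Age=31536000; SameSite=Lax' },
  { url: 'https://ads.tracker-example.net/px',
    header: 'uid=9f8e7d; Domain=.tracker-example.net; Path=/; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Secure; SameSite=None' },
  { url: 'https://shop.example/', header: '_ga=GA1.2.1; Domain=.shop.example; Path=/; Max-Age=63072000' },
];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const a of attrs) {
    const [k, ...v] = a.trim().split('=');
    cookie.attrs[k.toLowerCase()] = v.length ? v.join('=') : true;
  }
  return cookie;
}

// RFC 6265 domain matching: host equals the domain or is a subdomain of it.
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, '').toLowerCase();
  return host === d || host.endsWith('.' + d);
}

// Lifetime in seconds; 0 means a session cookie. Max-Age wins over Expires.
function lifetimeSeconds(attrs, now) {
  if (attrs['max-age'] !== undefined) return Number(attrs['max-age']);
  if (attrs.expires) return Math.round((Date.parse(String(attrs.expires)) - now) / 1000);
  return 0;
}

// Classify every captured cookie for the audit report.
function audit(captured, siteHost = SITE_HOST, now = Date.now()) {
  return captured.map(({ url, header }) => {
    const c = parseSetCookie(header);
    const setBy = new URL(url).hostname;
    const domain = c.attrs.domain ? String(c.attrs.domain) : setBy;
    const firstParty = domainMatches(siteHost, domain);
    const lifetime = lifetimeSeconds(c.attrs, now);
    const flags = [];
    if (!firstParty) flags.push('third-party');
    if (!c.attrs.secure) flags.push('missing-secure');
    if (String(c.attrs.samesite || '').toLowerCase() === 'none' && !c.attrs.secure) {
      flags.push('samesite-none-without-secure');  // browsers reject this combination
    }
    if (lifetime > LONG_LIVED) flags.push('long-lived');
    return { name: c.name, setBy, domain, firstParty, lifetime, session: lifetime === 0, flags };
  });
}
```

Note what the header view cannot tell you: `_ga` above is scoped to the first-party domain and so counts as first-party here, even though it is set by a third-party script and serves a statistics purpose. Purpose and provider still have to come from the inventory of scripts on the page, which is the part a scan automates.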
Experience streamlined cookie compliance – try Cookiebot CMP free for 14 days!
Frequently Asked Questions
What is cookie compliance?
Cookie compliance means following the data privacy regulations governing cookie use on a website. It requires websites to obtain user consent for setting non-essential cookies and to inform users about what cookies are being used and their purposes, among other details.
How do I comply with cookie law?
To comply with cookie law in many jurisdictions, websites must obtain user consent before setting non-essential cookies and inform users about what cookies are being used and their purposes. This typically involves displaying a cookie banner or notice that enables users to accept or reject the use of cookies, as well as providing a clear and accessible cookie policy.
How do I check cookie compliance?
To check cookie compliance, you can use the free online cookie scanner tool from Cookiebot™, which crawls your website and detects all the cookies being set, providing details like their name, purpose, provider, and duration. The Cookiebot CMP cookie checker automatically categorizes the cookies based on their purpose and helps enable compliance with data privacy laws.
Who is responsible for cookie compliance?
Website and app operators are responsible for ensuring cookie compliance. They must obtain user consent for all cookies except those that are strictly necessary, and provide clear information about their cookie practices to comply with global and national cookie laws.
Does my website need a cookie banner?
Yes, your website needs a cookie banner if it collects personal data from visitors residing in a country with a data privacy regulation, so the safest course is to use one for all visitors. A cookie banner informs users about the use of cookies, allows them to provide or deny consent as required by law, and is a key component of compliance with data privacy regulations. Consent requirements differ by region, regulation, and national guidelines, and your company may need to comply with multiple regulations, so a cookie banner that supports geotargeting, like Cookiebot CMP, could be important.
What happens if a user does not consent to cookies?
If a user does not consent to cookie use, the website must not set the cookies or load the trackers that consent was refused for; only strictly necessary cookies (including the one that records the visitor’s own choice) remain, which limits the site’s ability to track the user’s activity or provide personalized experiences. Under most laws you can’t block access to the site or its features when consent is declined (e.g. a cookie wall that prevents site access unless the visitor consents). Some website functions may not work correctly without specific cookies; if a visitor declines all consent, those cookies are blocked and those functions will not work. The experience for non-consenting visitors will differ from that of consenting users, but this would not generally be considered discriminatory.
What are the main GDPR compliance requirements?
The main GDPR compliance requirements are:
- Having a legal basis for processing personal data (such as consent), obtaining valid consent where consent is that basis, and being transparent about data processing activities.
- Implementing appropriate technical and organizational measures to protect personal data, such as encryption, access controls, and data protection policies and training.