Cookie Compliance for your Website | A Guide for Ensuring Compliance with ePrivacy Regulations and GDPR
Bonus Material: Cookie Compliance Checklist
Have you ever thought about whether the cookies used on your website comply with the ePrivacy Regulations and the GDPR? Cookies are a common feature of most websites. They are used to remember user preferences, browsing history and other information so that the site functions properly and the user's experience is improved. Cookies can also be used for tracking, allowing websites to collect information about a user's behaviour and deliver targeted advertisements, again with the aim of enhancing the user experience, storing user preferences and optimising site functionality.
Despite cookies being such a common feature of the websites we visit, making sure they are used in a compliant way under the ePrivacy Regulations and the GDPR is a critical aspect of a website's overall operation.
With the ePrivacy Regulations and the GDPR in place, it is important to understand the requirements a website must meet across all aspects of cookie consent management, because effective cookie management is essential for protecting the privacy and security of users and for maintaining compliance with privacy regulations.
This blog therefore guides you through the essential considerations that must be taken into account to ensure that the cookies deployed on your website are compliant and on the right side of the law!
Consent for Cookies
The purpose of cookie consent is to protect users' privacy and give them control over their data. This is especially important in regions with strict privacy regulations, such as the European Union, where the General Data Protection Regulation (GDPR) and the ePrivacy Regulations require websites to obtain informed consent for the use of non-essential cookies.
In order to be considered valid, cookie consent must be freely given, specific, informed, and unambiguous. This means that the user must have a clear understanding of what cookies are being used for and must have the option to accept or reject their use.
Managed well, cookie consent helps ensure that users' privacy is protected and that the website remains compliant with privacy regulations.
According to the ePrivacy Regulations, the only sufficient legal basis is user consent, which must be obtained:
- (3) A person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless the subscriber or user has given his or her consent to that use. (Source: https://www.irishstatutebook.ie/eli/2011/si/336/)
It must be noted that consent obtained through pre-ticked boxes is not considered valid as it does not constitute an affirmative action taken by the user. Valid consent is only obtained if the user is informed, and if it is freely given and specific.
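As an added illustration of the consent rules above (example code written for this post, not code from the original article or from any particular consent-management product), the following JavaScript shows how a site can gate cookie-setting on affirmative consent: strictly necessary cookies are always allowed, every non-essential category starts unchecked (no pre-ticked defaults), nothing in a non-essential category is written until the user has explicitly accepted that category, and withdrawing consent removes the cookies already set for it. The `CookieJar`, the category names and the cookie names are constructed for the example; in a browser the jar would be backed by `document.cookie`, and the consent decision would also be recorded so it can be evidenced later.

```javascript
// Added example (not from the original post): consent-gated cookie setting.
// Category names, cookie names and the in-memory CookieJar are constructed for
// illustration; a real site would back the jar with document.cookie.

const ESSENTIAL = "strictly_necessary"; // exempt from consent under ePrivacy
const NON_ESSENTIAL = ["analytics", "advertising", "preferences"]; // constructed categories

// Minimal in-memory stand-in for the browser cookie store.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value, maxAgeSeconds) {
    this.store.set(name, { value, expires: Date.now() + maxAgeSeconds * 1000 });
  }
  get(name) {
    const entry = this.store.get(name);
    if (!entry || entry.expires <= Date.now()) return undefined;
    return entry.value;
  }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    // No pre-ticked boxes: every non-essential category starts as "not consented".
    this.consent = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
    this.registry = new Map(); // cookie name -> category, used for withdrawal cleanup
  }

  // Affirmative action: the user explicitly accepted the listed categories.
  grant(categories) {
    for (const c of categories) {
      if (!(c in this.consent)) throw new Error(`unknown category: ${c}`);
      this.consent[c] = true;
    }
  }

  // Withdrawal should be as easy as granting: revoke the category and delete
  // any cookies already set under it.
  withdraw(categories) {
    for (const c of categories) {
      if (!(c in this.consent)) throw new Error(`unknown category: ${c}`);
      this.consent[c] = false;
      const toRemove = [...this.registry].filter(([, cat]) => cat === c).map(([n]) => n);
      for (const name of toRemove) {
        this.jar.delete(name);
        this.registry.delete(name);
      }
    }
  }

  // Returns true if the cookie was written, false if it was blocked for lack of
  // consent. Unknown categories fail closed (treated as non-consented).
  setCookie(name, value, category, maxAgeSeconds) {
    const allowed = category === ESSENTIAL || this.consent[category] === true;
    if (!allowed) return false;
    this.jar.set(name, value, maxAgeSeconds);
    this.registry.set(name, category);
    return true;
  }
}

// Walkthrough of a typical visit: essential cookie first, analytics blocked
// until accepted, advertising still blocked, then analytics consent withdrawn.
function demo() {
  const jar = new CookieJar();
  const cm = new ConsentManager(jar);
  const results = {};
  results.sessionBeforeConsent = cm.setCookie("session_id", "abc123", ESSENTIAL, 3600);
  results.analyticsBeforeConsent = cm.setCookie("site_analytics", "v1", "analytics", 63072000);
  cm.grant(["analytics"]);
  results.analyticsAfterConsent = cm.setCookie("site_analytics", "v1", "analytics", 63072000);
  results.adsStillBlocked = cm.setCookie("ad_id", "111", "advertising", 63072000);
  cm.withdraw(["analytics"]);
  results.cookiesAfterWithdraw = jar.names();
  return results;
}

console.log(demo());
```

The important design choice is that the default state is "no consent" for every non-essential category and that `setCookie` fails closed, so a mis-categorised or unregistered cookie is blocked rather than silently written; the same check should also gate any third-party tags that set their own cookies.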
Questions for Consideration for Cookie Consent
Q - What is the legal basis for deploying non-essential cookies on a user's device according to privacy regulations? Are you confident in your understanding of these regulations surrounding the deployment of non-essential cookies on a user's device?
A. The legal basis for deploying non-essential cookies on a user's device is informed consent. This means that the website must obtain the user's agreement to store and access these cookies on their device. The requirement for informed consent is established by privacy regulations, such as the European Union's General Data Protection Regulation (GDPR).
Failure to obtain informed consent for the use of non-essential cookies can result in significant penalties under privacy regulations, such as the GDPR.
Cookie Policy
Users must be able to find out what cookies the website uses and why; this is usually achieved through a cookie policy. The policy should not use overly technical language and should be reachable from the cookie banner via a "Learn More" link or from the footer of the website.
Third parties and storage - The policy should explain how long cookies will be stored on the user's device and how they can be deleted. Cookies typically have a limited lifespan and are automatically deleted after a certain period of time. The policy should explain how users can control the deletion of cookies, including how to delete cookies manually or adjust the settings in their web browser. Third-party cookies may be deployed on a website, and users should be informed of who those third parties are and what information they may receive.
Purposes for using cookies / tracking technologies - The policy should explain the information obtained and the purpose of each type of cookie used on the website. For example, cookies may be used to remember user preferences, such as the preferred language or font size. They may also be used to track user behaviour, such as the pages visited, and the length of time spent on the site. The policy should explain the benefits of these uses and how they improve the user experience.
Categories/Types of cookies deployed - The policy should list the different types of cookies used on the website, including essential and non-essential cookies. Essential cookies are necessary for the proper functioning of the website, while non-essential cookies are used for additional features and services, such as tracking and advertising. The policy should clearly distinguish between the two types of cookies and explain why they are used.
For each type, there should be information regarding the following:
- Host / third party
- Name of the cookie
Contact information for DPO / DP Lead - A clear signpost for support, alongside an explanation of how the website complies with privacy regulations such as the GDPR. This may include information on obtaining informed consent for the use of non-essential cookies and on providing users with control over their data. The policy should also explain any other measures the website has taken to ensure compliance with privacy regulations.
Questions for Consideration for Cookie Policies
Q. What types of cookies will be used on your website or app and for what purposes?
A. The answer to this question will depend on the specific website or app, but some common examples of cookies used include session cookies (to keep users logged in), performance cookies (to improve website performance), and advertising cookies (to deliver targeted ads).
Q. Will the cookies you use collect any personal information?
A. This will depend on the specific cookies used and the data they collect. It's important to be transparent about what data is being collected and for what purposes.
Q. Will the cookies used on your website be used for tracking and behavioural advertising?
A. Again, this will depend on the specific cookies used. If tracking and behavioural advertising are used, it's important to be transparent about this and provide users with the option to opt out.
Types of Cookies
There are several types of cookies that can be deployed on a website, and the ePrivacy Regulations stipulate that strictly necessary cookies do not require user consent for deployment.
For a deep dive into all the different types see our free resource on the different cookie types and a handy checklist here:
Free Cookie Compliance Checklist Download