Our new Data Protection and Privacy Support Portal "PrivacyAssist" in now available. Learn More!

Cookie Compliance for your Website | A Guide for Ensuring Compliance with ePrivacy Regulations and GDPR

Privacy Engine
Feb 08, 2023
Cookie Compliance

    Need world class privacy tools?

    Schedule a Call >

    Bonus Material: Cookie Compliance Checklist
    Bonus eBook: The Data Protection Commission (DPC) Cookie Sweep & Guidance
    Even More Bonus Content: Download this blogpost!

    Have you ever thought about whether the cookies used on your website comply with ePrivacy Regulations and GDPR? Cookies are a common feature utilised on most websites. They are applied to remember user preferences, browsing history, and other information to enhance the user’s experience on the website and for the website to function properly. Cookies can also be used for tracking purposes, allowing websites to collect information about a user’s behavior and deliver targeted advertisements, again all with the aim to enhance the user experience, store user preferences, and to optimise site functionality.

    Despite cookies being a common feature of most websites we visit, ensuring that they are used on a website in a compliant way whilst adhering to the ePrivacy Regulations and GDPR regulations can become a critical aspect of the websites overall operation.

    Only when the ePrivacy Regulation and the GDPR is in place, does it become important to understand the requirements the website should be considering to have compliance across all cookie compliance management. As effective cookie management is so important for ensuring the privacy and security of all users, as well as maintaining compliance with privacy regulations.

    Therefore, the nature of this blog is to guide you through the essential considerations that must be taken into account to ensure that the cookies deployed onto your website are compliant and in favour of the law!

    Consent for Cookies

    Consent is the legal basis required for deploying non-essential cookies on a user’s device. The cookie consent process on a website initiates a user’s agreement between both parties to store and access cookies from their device. This is usually achieved through a pop-up notice or banner that informs the user about the use of cookies on the site and asks for their consent.

    The purpose of cookie consent is to protect users’ privacy and give them control over their data. This is especially important in regions with strict privacy regulations, such as the European Union, where the General Data Protection Regulation (GDPR) and ePrivacy Regulations requires websites to obtain informed consent for the use of non-essential cookies.

    In order to be considered valid, cookie consent must be freely given, specific, informed, and unambiguous. This means that the user must have a clear understanding of what cookies are being used for and must have the option to accept or reject their use.

    To be effective, the overall cookie consent management ideal helps to ensure that a user’s privacy is protected and that their website remains as compliant as possible with privacy regulations.

    However, according to the ePrivacy Regulation, the only legal basis that is sufficient is user consent, which must be obtained.

    5. (3) A person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless the subscriber or user has given his or her consent to that use https://www.irishstatutebook.ie/eli/2011/si/336/

    It must be noted that consent obtained through pre-ticked boxes is not considered valid as it does not constitute an affirmative action taken by the user. Valid consent is only obtained if the user is informed, and if it is freely given and specific.

    Questions for Consideration for Cookie Consent

    Q – What is the legal basis for deploying non-essential cookies on a user’s device according to privacy regulations? Are you confident in your understanding of these regulations surrounding the deployment of non-essential cookies on a user’s device?

    A- The legal basis for deploying non-essential cookies on a user’s device is informed consent. This means that the website must obtain the user’s agreement to store and access these cookies on their device. The requirement for informed consent is established by privacy regulations, such as the European Union’s General Data Protection Regulation (GDPR).

    According to the GDPR, the use of cookies for non-essential purposes, such as tracking and advertising, is considered the processing of personal data. As such, the website must have a legal basis for processing this data, which is typically obtained through informed consent.

    The purpose of requiring informed consent is to protect users’ privacy and give them control over their data. By providing users with clear information about the use of cookies and giving them the option to accept or reject their use, the website ensures that users are aware of how their data is being processed and have the ability to make informed choices.

    Failure to obtain informed consent for the use of non-essential cookies can result in significant penalties under privacy regulations, such as the GDPR.

    Download this blogpost!






    Cookie Banners

    Upon the first visit to a website, the user should be presented with a cookie banner. The cookie banner should inform the user of the use of cookies on the website and allow the user to consent to each type of cookie they wish to deploy on their device. Each category/type of cookie should be listed individually, and users should be given the option to accept or reject each type. There should also be an option to reject all cookies if there is an option to accept all cookies. The cookie banner should include a link to the Cookie Policy for users who require further information regarding cookies.

    This can be achieved through a “Learn More” link.

    Cookie Policies

    To ensure informed consent, it is mandatory to have a Cookie Policy that is easily accessible to users. This document provides information about the use of cookies on a website whilst outlining the types of cookies that are used, their purpose, and how they are managed. A cookie policy is required by privacy regulations, such as the GDPR and its aim is to inform users about the use of cookies and obtain their informed consent for the use of non-essential cookies.

    This policy should not use overly technical language and should be located on the cookie banner as a “Learn More” link or at the footer of the website.

    What cookies/tracking technologies are – A cookie policy should explain what cookies are and how they are used on the website and highlight any tracking technologies that are also used – with context on how they are used to provide UX benefits to the user and site configuration.

    Third parties and storage – The policy should explain how long cookies will be stored on the user’s device and how they can be deleted. Cookies typically have a limited lifespan and will be automatically deleted after a certain period of time. The policy should explain how users can control the deletion of cookies, including how to delete cookies manually or adjust the settings in their web browser. Third-Party cookies may be deployed on a website and users should be informed of who they are and what information they may receive.

    Information that is obtained from cookies/tracking technologies – The policy should explain how users can control the use of cookies on their device, including the option to opt out of non-essential cookies and the information that it is tracking. This may include information on how to adjust the settings in their web browser or how to delete cookies manually. The policy should emphasise the importance of giving users control over their data and respecting their privacy.

    Purposes for using cookies / tracking technologies – The policy should explain the information obtained and the purpose of each type of cookie used on the website. For example, cookies may be used to remember user preferences, such as the preferred language or font size. They may also be used to track user behaviour, such as the pages visited, and the length of time spent on the site. The policy should explain the benefits of these uses and how they improve the user experience.

    Categories/Types of cookies deployed – The policy should list the different types of cookies used on the website, including essential and non-essential cookies. Essential cookies are necessary for the proper functioning of the website, while non-essential cookies are used for additional features and services, such as tracking and advertising. The policy should clearly distinguish between the two types of cookies and explain why they are used.

    For each type, there should be information regarding the following:

    • Host / third party
    • Name of the cookie
    • Description
    • Duration/expiration

    Contact information for DPO / DP Lead – A clear signpost for support whilst also explaining how the website complies with privacy regulations, such as the GDPR. This may include information on obtaining informed consent for the use of non-essential cookies and providing users with control over their data. The policy should also explain any other measures that the website has taken to ensure compliance with privacy regulations.

    Questions for Consideration for Cookie Policies

    Q. What types of cookies will be used on your website or app and for what purposes?
    A. The answer to this question will depend on the specific website or app, but some common examples of cookies used include session cookies (to keep users logged in), performance cookies (to improve website performance), and advertising cookies (to deliver targeted ads).

    Q. Will the type of cookies you use to collect any personal information?
    A. This will depend on the specific cookies used and the data they collect. It’s important to be transparent about what data is being collected and for what purposes.

    Q. Will the cookies used on your website be used for tracking and behavioural advertising?
    A. Again, this will depend on the specific cookies used. If tracking and behavioural advertising are used, it’s important to be transparent about this and provide users with the option to opt out.

    Types of Cookies

    There are several types of cookies that can be deployed on a website, and the ePrivacy Regulations stipulate that strictly necessary cookies do not require user consent for deployment.

    For a deep dive into all the different types see our free resource on the different cookie types and a handy checklist here:

    Free Cookie Compliance Checklist Download

    Cookie Comliance PrivacyEngine Checklist

    Download our Cookie Compliance Checklist to ensure your cookie policy is fully compliant

    In conclusion, having a comprehensive and up-to-date cookie policy is crucial for any website or app in today’s digital landscape. Not only does it provide transparency to users regarding the data being collected through cookies, but it also helps ensure compliance with data protection laws such as the ePrivacy Regulations and General Data Protection Regulation (GDPR). By considering the questions outlined in this blog post, website owners can ensure that their cookie policy covers all necessary aspects, including the types of cookies used, the data collected, opt-out options, security measures, legal requirements, and more. Ultimately, a well-crafted cookie policy helps build trust with users and helps ensure that the website or app operates in a responsible and compliant manner. We hope this helps you to manage your data compliantly.

    YOU MIGHT ALSO BE INTERESTED IN

    Check out these PrivacyEngine posts that are related to Cookies

    GDPR requires organisations seeking to operate in the EU to have the appropriate controls in place
    8 Minute Read

    GDPR requires organisations seeking to operate in the EU to have the appropriate controls in place
    Everything You Need to Know About Records of Data Processing Activities
    8 Minute Read

    Everything You Need to Know About Records of Data Processing Activities
    Data Protection & Privacy Management Leader Sytorus becomes PrivacyEngine
    8 Minute Read

    Data Protection & Privacy Management Leader Sytorus becomes PrivacyEngine

    Try PrivacyEngine
    For Free

    Learn the platform in less than an hour
    Become a power user in less than a day

    Get Started For Free
    Schedule Demo
    PrivacyEngine Onboarding Screen