What is GDPR cookie consent?

Create a Complaint Cookie Banner

Take a minute from your busy routine and check whether you are fully aware of the cookie consent requirements under the General Data Protection Regulation (GDPR) law? Being a business or a website owner, do you respect your user’s privacy? Have you specified terms and conditions along with a privacy policy for your consumers? Well, I guess it’s time to become aware of the importance of protecting personal data, so let’s get started.

Wait! Do you know what cookies are?

Cookies refer to small files that get dropped automatically on your computer, whenever you browse the web. Cookies are harmless bits of texts that are locally stored and can be viewed and deleted quickly. However, they give a great deal of insight into a user’s activity and preferences. They tend to identify a user without explicit content.

“From a legal point of view, it is an indication of a data breach. Therefore, there are more chances that the privacy of a user can get compromised increasingly.”

gdpr cookie consent

Overlooking other technologies

The legal requirements under GDPR are not only limited to cookies. While several privacy lobbies and solutions focus entirely on cookies, there is a lot more to the overall compliance strategy required of your business.

The other technologies that need to be regulated in a similar fashion as the cookies include tags, beacons, pixels, scripts and more. These may be tracking the data of the users for similar reasons to the use of cookies. This may include the need to collect and sort marketing data, consumer information, contact and behavioral data and so on.

The same law applies to these technologies as does to the use of cookies. Here is what each one of these entail essentially:

What are tags?

Tags are small labels attached to the data collected from a user. These may help the collector in sifting and analyzing data by placing it into smaller marketable chunks or segments.

Technologically speaking the tag is a small piece of code that is inserted into the page’s source code. It allows the third-party analytics tool to log connections on its server. In digital analytics, the tag is used to refine analysis using segments.

For many people and privacy enforcement authorities this segmentation needs to be consensual, transparently obtained and not abused.

However, not all privacy compliance solutions offer protection from these tags to the user. In many cases the user may not be aware of their use, purpose or effect. This is why companies require a complete consent management platform. Cookie consent in itself is essential too, but tracking technologies such as tags are also supremely important.

What are beacons?

The term ‘beacon’ refers to the technology that enables mobile apps to understand the geographic location of its user and then deliver relevant content to them based on their immediate environment.

This is complicated for privacy protection because many apps do not work without a geographical location and at the same time the use of the location and the collection of it puts the user’s data privacy at risk.

This can be very problematic where the data is prone to breaches and compromises, especially in today’s day and age. While you can aim to ensure the best possible protection of the collected data, these beacons can still be very risk-prone making the users vulnerable to fraud, predatory attacks, ruthless marketing abuse and more.

The rules applicable to the use of cookie consent must be applied to the use of beacons as well. The beacon must be used and placed only when the user has permitted its use. The usage must be consensual and consistent with the relevant laws and regulations. In Europe and the UK, the GDPR may apply to the use of these technologies, in a similar vein to the use of cookies.

gdpr cookie consent

What are pixels?

Marketers often use pixel technology to collect and track data of the users and performance of the website. A pixel technology is basically a tool that integrates your website with the user platforms that are able to identify and track people such as Facebook or Google.

The pixel then works by measuring the effectiveness of the advertising by understanding the actions people take on the website, identifying the people through their digital DNA and then making sense of their behavior in relation to the actions they take on the site.

This allows a much deeper understanding of the user base, the development of more sensitive and advanced products and the creation of critically targeted ads through deeper segmentation.

Like any other marketing tool, this must be used with delicacy and care. Any organisation must obtain consent of the users to be tracked as and when they provide an account authentication such as in the case for using the Google or Facebook Accounts.

The data collected must meet the requirements of the law and the use, purpose and storage of such data must be in accordance with the guidelines provided by various privacy protection authorities.

Yet again the problem remains with the pixel technology as it does with the rest that not many privacy protection solutions focus on this technology leaving their organisations in the face of severe exposure to legal risks and corrective measures.

What are scripts?

Many analytic tools and platforms use tracking scripts that record the user activity once the script is placed on the site. The script contains a library of user movements and activities. For example a user may search for ‘red shoes’ on your site. This amongst other keywords, click and scroll the movement of the user which is then recorded in an active tracking script.

In terms of the technology behind tracking scripts they are pieces of Javascript code that usually implement a tracking pixel on a website and are responsible for creating different types of requests to external domains, ultimately passing data to them. These lines of code allow advertisers, webmasters, and marketers to analyze the flow of visitors to websites and the activities of users.

This is a critical technology as it possesses a lot of power over the user behavior and can help in decoding the needs and wants of the users in a way that marketing can be made extremely difficult to avoid. The user may even lose touch of what they actually want, rendering their consent meaningless over time due to the numbing advertising placed on them targeted around their specific activity leaking the secrets to their deepest insecurities.

While this proves to be an extremely effective tool for marketers, especially in the longer run, it is not exactly the most private way to be for the users. This is why many privacy watchdogs have revised their emphasis on the need to be transparent, consensual and careful when using scripts.

Despite the increasing emphasis and an equally important need to make script usage compliant with the law as cookie usage, there are not many solutions that will offer you the ability to ensure such safety.

GDPR and cookie compliance

Not every cookie is used to identify users, but the majority of these are used in this manner, similarly, they are subject to GDPR. Cookies for analytics, advertising and functional services, are the cookies that identify users.

The problem with cookies related to user privacy is that users are unaware of what personal data related to them is being registered? Who is tracking their personal data? What is the core purpose of their personal data being tracked in this manner? Where does their personal data go and where is it stored? For how long is their personal data stored for? What is a GDPR compliant consent management solution?

It is highly essential to understand what constitutes a GDPR compliant consent management platform. The consent obtained must be:

  • It is highly essential to understand what constitutes a GDPR compliant consent management platform. The consent obtained must be:
  • The consent must be given through affirmative action which cannot be interpreted.
  • The consent must be given before the initial processing of personal data.
  • The consent must be accessible to the user to withdraw if a user changes his or her mind.
  • All the personal data must be appropriately deleted on the user’s request under the “right to be forgotten.”
  • Consent should be tracked and recorded in the documentation.
  • Tracking devices such as tags, beacons, pixels, scripts must be taken care of on top of the cookies used.

The requirements mentioned above must be covered by a GDPR compliant consent management solution. Implied consent by merely visiting a site is not lawful under the GDPR. The same goes for banners and pop-ups that display messages such as: ‘By using this site, you accept cookies’. In simple words, any cookie banner design that incorporates features accepting cookies using an “Ok” button is not sufficient and is not compliant with the GDPR.

On top of this using implied consent for only cookies is even worse. You must take into account every single technology used and placed by your website on the user’s devices.

This is why a proper and comprehensively compliant consent management platform is an essential prerequisite. You can try the Seers Consent Management Platform to get started on your seamless compliance journey in the domain.

GDPR compliant cookie policy 

Under the GDPR, all businesses operating in the EU or dealing with EU citizens in any way, must revise their cookie policy and bring it in line with the regulation.

Organisations must obtain prior and informed consent from their website users and this consent must be registered as per the GDPR. In other words, you must know what user data you are sharing with third-party services on your website and where the information is being sent.

A GDPR compliant cookie policy must fulfil the following requirements:

1) Transparent cookie policy 

Make sure your GDPR cookie policy renders a clear and explicit picture to the users of a website and must be written in a clear, plain and easy to understand language.

2) Accountability for cookies on your website

You are required to control and account for the data processes going on in connection with your website. It is not as easy as it appears, because most sites have a large number of third-party cookies flowing through their system.

3) Consent requested through an affirmative action

This is the most significant change for cookies and online tracking. EU citizens have grown accustomed to banners on every website that state the use of cookies. At times they ask you to check the ok button but do not provide a specific choice of options for users. The regulation asserts that it is not sufficient. Consent should be given by means of affirmative and positive action. Moreover, an option for rejecting cookies should also be provided.

4) To withdraw the consent at any time 

The power to withdraw consent at any time must be given to the user. You must know that your user has access to their current consent state and are aware of the option of withdrawing their consent.

5) Renewal of consent

The renewal of consent for cookies is not an issue and the guidance indicates that the duration of consent should be reasonable. It is also impacted by any changes to the cookies or a similar technology that is added to track user behaviour.

6) User-friendly, no-nonsense dialogue

There are two obligations for website owners under the GDPR:

  • The cookie consent should be transparent and a user must be aware of how their data is being used.
  • The communication should be understandable for the user to have a valid choice.

7) Prior consent

General Data Protection Regulation (GDPR) and the ePrivacy Directive state that a user’s consent must be given prior to browsing a website. Under GDPR, prior consent is required to set cookies to track personal data. However, the ePrivacy Directive requires that you obtain consent for setting all but the strictly necessary cookies.

8) Consent must be recorded as evidence

Every user’s consent must be stored securely because it can be used as evidence in case of a data breach or loss of control over data within an organisation.

9) Cover other technologies too

You should make note of the use and placement of all other technologies on top of the cookies used everywhere possible, including but not limited to the cookie banner and the accompanying cookie policy.

Why is privacy important?

Your rights in relation to your personal data are long and very detailed. For businesses ensuring that all rights of their users are taken care of and upheld is essential. It is the key to complete legal compliance when it comes to privacy and data protection.

Users have certain rights over the way we process personal data relating to them. The business should aim to comply without undue delay, and within one month at the latest, in response to any requests submitted by them. It must be willing to extend the user’s right to erasure and complete or adequate representation to them. None of the rights to expression, or representation should be rejected or denied.

The right to privacy is more than just a civil right. It is about security, wellness and protection of the users. This can be found under the Geneva Convention as well as in many human right charters and so on. Any user in the UK for example who feels like their rights in terms of privacy are not being taken care of with a particular business under question may contact the ICO and report the business.

Users may also enjoy extended privileges such as being able to request:

  • for a copy of personal data the business may be processing about them and/ or to have inaccuracies corrected;
  • to restrict, stop processing, or to delete their personal data;
  • for a machine-readable copy of their personal data, which they can use with another service provider. Where it is technically feasible, they can ask the business to send this information directly to another provider if they prefer; and
  • to make a complaint to a data protection regulator. They contact them at: https://ico.org.uk/concerns/. Thus, it is essential that the best level of compliance is implemented at all times.
gdpr cookie consent

Google Consent Mode

On September 3, 2020 Google launched their new Google Consent Mode. This is a ground-breaking new feature within the Google Platform that makes consent the defining condition for how their services: Google Analytics and Google Ads run on the user’s devices. The need to comply with the terms is essential or marketing will no longer be permitted to go forward.

With the fully compliant Seers Consent Management Platform you can simply plug and play GDPR compliance for your website. It allows its globally acclaimed and leading cookie scanner and consent management technology to supervise the use and functionality of the services while ensuring user consent and legal compliance. Seers offers new tag settings to run Google services based on your end-users’ consent. It is also able to aggregate non-identifying data if users do not consent to statistics cookies.

The Consent Mode also means that Google will then display contextual ads instead of targeted ads if users do not consent to marketing cookies in their consent provision. This shows that the leading tech companies are working tirelessly to ensure security and safety of user privacy as per data privacy regulations worldwide.

The Seers CMP

Seers can save your business from the non-compliance with data privacy regulations globally including GDPR, PECR, CCPA and LGPD. Non-compliance with data privacy regulations can result in hefty fines of up to €20 Million or 4% of global annual turnover (whichever is higher) of the company as well as loss of reputation and business. And yet, 3 out 4 SMEs across Europe are currently not compliant with data privacy regulations (source: International Association of Privacy Professionals (IAPP). The Seers CMP is able to handle tracking technologies including cookies, pixels, tags, beacons, scripts etc. It is completely compliant with global data privacy regulations including GDPR, PECR, CCPA & LGPD as opposed to several other solutions that are popular but not truly comprehensive like the Seers CMP.

The average website places 34 cookies or tracking technologies on a user’s device on first visit, and 70% are third-party cookies. Security vulnerabilities may allow a cookie and other tracking technology data to be read by a hacker and that can increase chances of litigation and fines. In order to avoid such a case where your business is in serious legal trouble, you can implement the Seers CMP today!

Frequently Asked Questions (FAQs)

1) How does the GDPR cookie consent work?

By default, our cookie plugin blocks all the cookies until and unless a user clicks on the “I accept” button in the consent pop-up. Only then a user can enable different services in the privacy setting.

2) Define GDPR cookie consent?

The General Data Protection Regulation (GDPR) and ePrivacy Directive impacts how website owners obtain and store cookie consent from their EU visitors.

3) Who enforces cookie compliance?

The Information Commissioner Office (ICO) enforces cookie compliance in the UK under the GDPR. Whereas, other member states are expected to have designated authority enforcement of the cookie law. In many cases, it is the local Data Protection authority, but sometimes it is a telecoms regulator or a business regulation organisation who enforces compliance.

4) Why is it crucial to comply with the EU cookie law?

In general terms, it is a law formulated for the ease and safety of humans; therefore, compliance is important. Any non-compliant website must be ready for enforcement actions from the regulators. In most serious cases within the UK, the ICO can force a website for compliance, and in the case of non-compliance, the website can face a penalty of approximately £500,000. Compliance is a way to meet visitors’ expectations and to show respect for his or her privacy preferences. In no time, it will become a key business driver for all website owners.

5) Is my site 100% GDPR compliant after installing the cookie plugin?

No, but it provides you with many tools to look after most of the features required under GDPR. To achieve 100% compliance, you must contact a legal advisor to improve your situation.
6) How can I obtain the Seers Consent Management Platform and what does it cover?

Seers world’s leading Consent Management Platform is available here

It covers:

  • Cookie audit or scan – to discover what cookies you are running on your website & what do you need to do to become compliant.
  • Cookie policy – a legally drafted fully compliant cookie policy that includes a unique “automatically updating” cookie table updated via HTML script that is placed on your website which ensures that you are compliant at all times.
  • Cookie banner – provides explicit prior consent, periodic website scan to update cookie policy, covers different jurisdictions for different users and lastly, auto-generates cookie policy and regular updates.