The ePrivacy Directive (also known as the EU cookie law) sets out guidance on protecting the personal data of users online, especially around the use of cookies on websites. It enforces the importance of protecting users’ personal information from online tracking, personal profiling, unsolicited marketing tactics, and the collection of personal data by third parties without the users’ consent.
The ePrivacy Directive applies in all European Union member states, each of which implements it in its own way. Under the General Data Protection Regulation (GDPR), cookie consent is required from the user before cookies are put onto their device.
To be GDPR cookie compliant, website owners are required to obtain cookie consent from the user when putting cookies onto a device. In this article we will discuss the use of cookies, what you need to do to ensure your website is compliant with EU Cookie Law and GDPR, the importance of a Cookie Policy and Cookie Banner for your website, and how CookieScan can help your business achieve compliance!
There is no mention of “cookies” within GDPR. However, the use of consent in GDPR is applied to the cookie law, so they work hand in hand. The EU cookie law sets specific guidance concerning privacy and electronic communications around the use of cookies, whereas the GDPR gives guidance on the general collection of personal data. The EU cookie law takes into account GDPR’s standards for consent, which means that cookie consent is needed for certain cookies that are put onto a user’s browser.
Get all your consent worries out of the way by using CookieScan. CookieScan will collect the consent provided by your website users and record it for you. If needed you can request the consent log for your site, which is very handy if you have to defend your company against a wrongful marketing complaint.
As mentioned, to put cookies onto a user’s device, user consent is required. GDPR and the EU Cookie Law go hand in hand, so the rights of the user need to be considered when putting cookies onto a user’s device. By law, all website users have the right to decide their cookie preference settings; this gives the user more control over their personal data privacy online and over how the personal information collected from them will be used.
There are different types of cookies, and some don’t require user consent. This depends on the purpose of the cookies. For example, strictly necessary cookies are needed for the general running of the website.
Without these cookies, the website would not be able to function. For strictly necessary cookies, cookie consent is not required. But, where cookies are not essential for the general running of the site and are used for tracking a user’s activity for analytical and marketing purposes, you need to have user consent before you can put them onto a user’s device.
The following cookies require cookie consent from the user:
- Session Cookies – These are temporary cookies and are only stored on the user’s device for the duration of their visit. These cookies are used for actions like keeping your items in a shopping cart while you navigate around the site.
- Persistent Cookies – These cookies will linger in the browser for much longer than a session. They are usually preference, advertising, analytics, or social media cookies, and they store user logins, language settings, targeted adverts, and personal profiling. These cookies can come from third parties rather than originating from the website operator.
CookieScan will set the appropriate pop-up on your site depending on the country the site is being viewed in. This Geo-location feature is available to all Standard account holders and can be turned on and off in your admin dashboard.
What is required on your website?
To comply with both GDPR and the EU Cookie Directive, organisations need to inform users of the website’s use of cookies. You must clarify what cookies are active on the site, the purpose of each cookie, what personal data is being collected, and how long the cookie will remain on the user’s device. Cookie Consent will be required for most cookies on the site, so the option to accept, decline, and manage cookies is needed for each user.
GDPR cookie compliance requires each website to have:
- A Cookie Banner – When someone visits your website you need to let them know that your site uses cookies. This can be done by the use of a cookie banner that pops up when the user first enters the site. The banner should give the user the option to accept, decline and manage their cookie preferences. Cookies that are not essential to the running of the site should not be put onto the user’s device until the user has given consent. If consent is not given, the cookies SHOULD NOT be put onto the user’s device.
- A Cookie Policy – You need to provide detailed information about how the data collected by your cookies will be used, the purpose of collecting it, and the lifetime of the cookie on the user’s device. This can be done by creating a Cookie Policy for your website. This Policy should be easily accessible to the site user and explain clearly how cookies are used. A good idea would be to provide a link to your notice on the cookie banner.
CookieScan can help you to achieve compliance with GDPR and Cookie law! First, our CookieScan platform will complete a scan of the cookies operating on your website; our database will then automatically categorise your cookies and build your own compliant Cookie Notice and Cookie Banner for your website. CookieScan will regularly update your cookie descriptions if they change, and the use of our portal will help you easily manage your account. CookieScan makes compliance with Cookie Law and GDPR quick and simple!
CookieScan provides all of this: a fully automated Cookie Notice or Policy, and a full description of the cookies used by your website, their purposes and the time they remain active on the user’s device.
To ensure GDPR cookie compliance, you need to be doing the following on your website:
- before you use any cookies on a user’s visit (except necessary cookies), ask for the consent of the user
- provide accurate information to the user on the data the cookie collects and tracks and its purpose for doing so, in an easy-to-read format and in language the user can understand
- keep a record of the user’s consent
- even if certain cookies are refused, the user should still have access to your site and services
- it must be just as easy for the user to withdraw their consent as it was for them to give it. When users have given their preferences on the cookie banner and accepted it, they should have the option to edit and change their cookie preference settings at any point while they are using the site.
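The banner and checklist requirements above (no non-essential cookies before consent, a consent record, withdrawal as easy as giving consent) can be expressed as a small consent-gated cookie manager. This is an added example, not CookieScan’s code; the cookie store is injected as a Map so it runs outside a browser (a real page would wrap document.cookie), and the cookie names, values and fixed clock are constructed for illustration.

```javascript
// Added example (not CookieScan's code): consent-gated cookie manager.
// The cookie store is an injected Map so the logic runs outside a browser;
// cookie names, values and the fixed clock in demoVisit() are constructed.
const NECESSARY = "necessary";

class ConsentManager {
  constructor(jar = new Map(), now = () => Date.now()) {
    this.jar = jar;                                        // cookie name -> { value, category }
    this.now = now;
    this.consent = { analytics: false, marketing: false }; // no opt-in until the user acts
    this.log = [];                                         // the consent record kept for the site
    this.deferred = [];                                    // non-essential cookies held back
  }
  // Strictly necessary cookies are set immediately; anything else waits for consent.
  setCookie(name, value, category) {
    if (category === NECESSARY || this.consent[category] === true) {
      this.jar.set(name, { value, category });
      return true;
    }
    this.deferred.push({ name, value, category });
    return false;
  }
  // Record the user's choice (banner or later preferences link), release deferred cookies
  // for consented categories, and delete cookies in refused ones: withdrawal is one call.
  updateConsent(choices, source) {
    this.consent = { ...this.consent, ...choices };
    this.log.push({ at: this.now(), source, choices: { ...this.consent } });
    const held = this.deferred;
    this.deferred = [];
    for (const c of held) this.setCookie(c.name, c.value, c.category);
    for (const [name, c] of this.jar) {
      if (c.category !== NECESSARY && this.consent[c.category] !== true) this.jar.delete(name);
    }
  }
}

// One visit: page load, banner accepts analytics only, later withdrawal via preferences.
function demoVisit() {
  const cm = new ConsentManager(new Map(), () => 1700000000000); // constructed fixed clock
  cm.setCookie("session_id", "s1", NECESSARY);     // allowed before any banner interaction
  cm.setCookie("analytics_id", "a1", "analytics"); // held back until consent
  const beforeConsent = [...cm.jar.keys()];
  cm.updateConsent({ analytics: true, marketing: false }, "banner");
  const afterConsent = [...cm.jar.keys()];
  cm.updateConsent({ analytics: false }, "preferences-link");
  const afterWithdrawal = [...cm.jar.keys()];
  return { beforeConsent, afterConsent, afterWithdrawal, log: cm.log };
}
```

The log entries (timestamp, source and the full set of choices) are what a site would hand over if it had to show what a user consented to and when.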
To ensure the compliance of your website in each of these areas, CookieScan will ensure you have a comprehensive cookie banner and cookie policy that complies with cookie regulations and is written in simple language and an easy-to-read format for every user. Your own Portal will enable you to access and update cookie preferences and settings on your website easily.
GDPR Checklist
To ensure compliance with GDPR on your website you must explain to the user how their personal data is processed in an accessible and easy-to-read manner. The best way to do this is by the use of a Privacy Policy that explains to the user what personal data your organisation processes on your customers and how their data is used. This does not just apply to cookies, but rather the collection of personal data throughout the entire organisation.
It is important to consider the following when creating a Privacy Policy that is GDPR compliant:
- Provide Contact details of the data controller – if the individual has any questions about the use of their personal data or would like to make a subject access request they can do so by this contact.
- State your purpose of collecting – you must state to the user what personal data you collect from them and why this data is being collected. For example, you may collect an email address from an individual for the purpose of communication with them on a request that was made. In your privacy notice, you must specify this as your reason for processing.
- State your legal basis for processing – once you have explained what personal data is collected and for what purpose, you must show your legal basis for processing. GDPR provides six lawful bases to consider; which one you use will depend on the data that is being collected (GDPR Article 6).
- Transfer of the personal data – if an individual’s personal data is shared with third parties for certain purposes, this must be explained within the privacy notice.
- How long the personal data is kept – the privacy policy must state how long the user’s data will be kept before it is no longer needed and is disposed of.
- The individual’s rights – you must explain to individuals their rights concerning their personal data and how they can exercise those rights under GDPR. These rights include the right of access, the right to rectification, the right to erasure, etc.
- Privacy by design and default – you must also explain the security measures you have in place to protect the personal data of individuals, for example firewalls, password-protected systems, multifactor authentication, data minimisation, etc.
If your website targets individuals within the EU, you must comply with GDPR. Also, if your website targets individuals in the US, specifically in California, you must comply with the California Consumer Privacy Act (CCPA). In many cases, websites will target individuals in all these jurisdictions, so compliance with both of these laws is essential.
What is the California Consumer Privacy Act (CCPA)? The CCPA took effect on 1st January 2020. It is currently the only data protection law in the US! Much like GDPR, the CCPA sets guidance on how businesses from all over the world can collect, store and process the personal data of those in the state of California.
While the CCPA doesn’t require businesses to gain opt-in consent for cookies, it does require them to disclose what data is being collected by cookies and what is done with that data. The law aims to protect individuals from the resale of their personal data to third parties. Requests to opt out of such sales can be made in a similar way to a Data Subject Access Request.
To comply with both GDPR and the CCPA you must consider both laws when aiming to achieve compliance. Within your Privacy Notice and Cookie Policy, it is important to reference both laws and demonstrate your compliance with them. The two laws are similar: both state that the website must specify the cookies that are in use (first- and third-party cookies), the purpose of processing, what personal data is being collected, and the option for the user to opt out of the use of certain cookies and make a Data Subject Access Request (DSAR) when required.
CookieScan will help you make your website compliant with any country’s cookie requirements. We are even going to go a step further: CookieScan will soon help you with your data protection compliance and offer your site users an easy way to request their data from you. The pop-up will have a feature allowing the site user to submit a ‘do not sell my data’ request, complying with the CCPA requirements, submit a data subject access request, or exercise any of the other rights they have under GDPR.
Show your site users how serious you are about protecting their data.
CookieScan – Cookie Scanner
CookieScan will help you ensure your website cookie disclosure is in full compliance with ePrivacy and GDPR. Our platform will complete a scan of the cookies on your website; our database will then automatically categorise your cookies and build your own compliant Cookie Policy and Cookie Banner for your website.
CookieScan will regularly update your cookie descriptions if they change, and the use of our portal will help you easily manage your account.
If you want to see what CookieScan is like for yourself, try out our 30-day trial!