The EU’s General Data Protection Regulation (GDPR) represents the biggest change to people’s data protection rights since 1998. It enforces new standards for data protection which you must comply with to ensure you operate within the law.
One area webmasters now need to treat differently is website cookies. Before GDPR, cookies would often track users without their knowledge, and even when notified of their use, users would have no idea what data was being collected and why.
Users now have the right to know about the cookies tracking them and for what purpose your organisation uses those cookies. Cookies should be split into three distinct segments:
1. those that are essential for the operation of the website;
2. those that the owner of the website will use to target you for future marketing;
3. those that will be shared with third parties for wider marketing activity.
And here’s the clincher: you must get their consent to use them. If you don’t do this, you can’t use them.
Lawful basis for processing
To process personal information under the GDPR, your company or organisation must be able to identify a lawful basis for doing so. Personal information comes in many forms and the Information Commissioner’s Office (ICO) has published clear guidance on this. Under the GDPR, there are six legal enablers for processing personal data:
1. Consent of the individual
2. Contractual necessity
3. Compliance with legal obligations
4. Vital interests of the data subjects
5. Public interest
6. Legitimate interests
The enabler relevant to cookies on websites is the first one: consent.
Consent must be provided by the user in a specific way. It must be freely given, specific, informed, and give “an unambiguous indication of the individual’s wishes.” The GDPR demands transparency, which is key to the approach you should take when implementing cookie tracking notifications on your website.
What constitutes lawful consent?
The aim here is to gain lawful consent from the user, and the only way to do so under the GDPR is to get them to opt in or
What’s interesting right now is there are some very dubious notices out there from leading retailers. Here’s one we grabbed from a leading retailer:
The message itself is fine, but when you click “manage cookies” the user actually gets no choice at all. You are told you can manage cookies “on your device” and there is no opt-out box. This DOES NOT satisfy the GDPR. It is insufficient because under the GDPR, if you say users can manage their cookies you’ve got to enable that. Users must also be able to opt out after opting in. That’s cookies 101.
This does not meet the GDPR’s requirements. And this one:
This one, which we grabbed from another leading retailer, is also unlawful. Alarmingly, most of the retailers we have visited use this notice. Both these notices could be made GDPR compliant with an opt-in box, so the fix is simple.
If you’re in any doubt about that, the ICO says this: “Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.” They also say that, “consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.” Could the guidance be any clearer?
Implementing cookie consent
There is an obvious objection webmasters will raise to displaying a prominent cookie notice on their website: that it could put customers off using the website. Perhaps this is why so many retailers hide their notices with colours that blend in and use the outlawed practice of implied consent. Whatever the case, there are ways to make your notice lawful and good at keeping customers on your website.
The simplest way to implement cookie consent is this: give users an initial notice and a simple choice to opt in. It really is that simple. And here’s the most important point: it is not mandatory for the notice to give users a granular choice over which cookies they object to, so a simple ‘in’ or ‘out’ box is absolutely fine.
Achieving compliance is possible with a soft opt-in which gives the user the opportunity to act before cookies are set. A fair notice before the user continues to browse will meet valid consent requirements for standard cookie policies.
Your website must also give users the option to change their mind or opt out after you have obtained valid consent. If you get consent through an opt-in box, the user must be able to return to that menu so they can adjust their preferences. With a soft opt-in this can happen after the fact, which is what makes it such a useful option.
With that in mind, here’s a good written example of a soft opt-in with a box (underlined text is actionable):
With this box, you could load it before the visitor can navigate elsewhere so that consent is very clearly attained from them. They must “click” to proceed. Alternatively, you can allow them to navigate without agreeing, but you wouldn’t be able to track them until they opted-in by selecting the opt-in button.
Here’s a good written example of a soft opt-in with navigation consent:
[box] or [button] “Okay”
The best way to integrate a cookie notice so it doesn’t adversely affect your visitor’s experience is to let the notification ‘roll’. By letting it ‘roll’ you have it load when your user first visits your site and you continue to display the notice until they opt-in. Once they opt-in you no longer have to display the pop-up notice.
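Putting the soft opt-in, the gating of non-essential cookies until the user opts in, and the after-the-fact opt-out together, here is an added example in JavaScript (not code from the article): a small consent gate with an in-memory cookie jar standing in for document.cookie, using constructed cookie names and an assumed name for the consent cookie itself.

```javascript
// Added example: a soft opt-in consent gate; MemoryJar is a constructed stand-in
// for document.cookie so this runs outside a browser (same get/set/remove shape).
const CATEGORY = { ESSENTIAL: "essential", MARKETING: "marketing", THIRD_PARTY: "third_party" };
const CONSENT_COOKIE = "cookie_consent"; // assumed name; it is itself an essential cookie

class MemoryJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.get(name); } // undefined when the cookie is not set
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
}

class ConsentGate {
  constructor(jar) { this.jar = jar; this.registry = new Map(); } // cookie name -> category
  register(name, category) { this.registry.set(name, category); }
  // No default consent: only an explicit "granted" value counts (nothing pre-ticked).
  hasConsent() { return this.jar.get(CONSENT_COOKIE) === "granted"; }
  // The notice "rolls": it stays up until the user has recorded an explicit choice.
  noticeRequired() { return this.jar.get(CONSENT_COOKIE) === undefined; }
  optIn() { this.jar.set(CONSENT_COOKIE, "granted"); }
  // Withdrawal after the fact: record it and drop every non-essential cookie already set.
  optOut() {
    this.jar.set(CONSENT_COOKIE, "denied");
    for (const [name, category] of this.registry) {
      if (category !== CATEGORY.ESSENTIAL) this.jar.remove(name);
    }
  }
  // Essential cookies are always allowed; anything else only after opt-in.
  // Returns true if the cookie was set, false if it was withheld pending consent.
  setCookie(name, value) {
    const category = this.registry.get(name);
    if (category === undefined) throw new Error(`unregistered cookie: ${name}`);
    if (category !== CATEGORY.ESSENTIAL && !this.hasConsent()) return false;
    this.jar.set(name, value);
    return true;
  }
}

// Wire up a page with one cookie in each of the article's three segments (constructed names).
function buildGate(jar = new MemoryJar()) {
  const gate = new ConsentGate(jar);
  gate.register("session_id", CATEGORY.ESSENTIAL);
  gate.register("promo_prefs", CATEGORY.MARKETING);
  gate.register("partner_ad_id", CATEGORY.THIRD_PARTY);
  return gate;
}
```

In a real page, route every call that sets a marketing or third-party cookie through setCookie and re-check noticeRequired on each page load.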