How You Should Be Asked for Cookie Consent According to the GDPR

What Are Cookies?

Cookies are small textual files that a website or an app sends to your device (laptop, smartphone, tablet), store them there, and use them to collect data. Website or app owners, i.e., data controllers, then process the data for their own needs.

Why Is It Important to You?

Cookies collect your personal data and hand it to someone else to process it.

That doesn’t necessarily mean that you’ll suffer some damages; you’ll be a victim of identity theft.

It simply means that your data is in someone else’s hands, and they have it readily available. They may process it in compliance with the laws, do nothing with it, or abuse it. You never know.

What Businesses Need to Do?

Businesses must ask for users’ consent before injecting cookies into users’ devices.

The use of cookies without a consent is unlawful and is a violation of the GDPR. Moreover, consent must be requested and obtained lawfully. Not all consents are equal.

Businesses, intentionally or not, often make mistakes in consent requests. The short period of the GDPR led to one significant decision of the Court of Justice of the European Union (CJEU) and detailed recommendations of the European Data Protection Board (EDPB).

The court decision is widely known as the Planet49 decision, where a German company was fined for collecting consent unlawfully.

You can read more about GDPR fines on the linked page.

Specifically, they provided users with pre-checked checkboxes instead of leaving the checking to users. That is not affirmative action. Therefore it is a violation of the law.

Affirmative action is only one of the requirements for lawful consent according to the GDPR, but that’s not the only thing you should be careful about.

GDPR Cookie Consent Requirements

The GDPR requires consent to be:

• Freely given
• Informed
• Specific
• Unambiguous, and
• Easily withdrawn.

All these five requirements must be met for lawful consent.

But, what does each of them mean, and how do you recognize if you’ve been requested as you should be?

Freely Given

Consent is given freely if it was voluntary action by the user. The user has given the consent of their own will if:

• They have not been coerced into giving consent. Websites that want to coerce users into giving consent often bundle the consent with the Terms of Use. That’s against the GDPR. Such consent doesn’t count because it is not freely given.
  Remember: The website should always ask you for consent separately.
• They have been prevented from accessing content without consent. This is called a cookie wall and is one of the sneaky ways in which websites intrude your privacy. The website must provide you access to all the content without collecting consent. This doesn’t include the members’ area on a website, but that doesn’t require the use of cookies either.
  Remember: access to content does not require cookies. If someone requests your consent for access, they violate your GDPR rights.
• Prevent users from withdrawing consent without consequences. You are free to give consent and free to withdraw it. That means the controller must not impose any negative consequences for withdrawing it.
  Remember: Withdrawing consent is a GDPR right. If a data controller wants to prevent you from doing so, it is time to react to authorities.

Informed

The consent is informed when you are informed about what will be going on with your personal data should you give consent. Businesses communicate this information through their privacy policies.

However, having one is not enough. The website should provide a link to the policy at the moment of collection, i.e., at the moment of consent request for the use of cookies.

In addition, the policy must clearly state that the website uses cookies, why they use them, and what data they collect with them. Without all of this information, the consent request is unlawful.

The following banner is a good example of meeting this requirement. They ask for consent and provide a link to the privacy policy. Before granting consent, you can click there and inform yourself about their privacy practices.

However, whether you read the privacy policy or not is your own business. No one obliges you to read it, but the law assumes that you have read it if you have been provided with easy access to it.

Remember: Websites must provide you with information about what happens to your data if it gets collected by cookies. That information must be provided in plain language, in a way that is easy to understand.

Specific

Businesses must obtain separate consent for every single processing purpose.

The business that tracks website analytics and uses advertising cookies must ask for consent for each purpose separately. One bundled consent doesn’t count.

The following cookie banner is a good example of a specific request. The banner clearly states why the website uses cookies and explains the processing purposes. The user can provide consent only for the purposes they want to have their data processed. But, they do not have to consent to all purposes at once.

Remember: Every cookie banner should look like the one above. The number of consent requests must be equal to the number of processing purposes.

Unambiguous

Consent is given unambiguously if you give it with your affirmative action. You, the internet user, should clearly state that you consent to the use of cookies. But, the website’s cookie banner should allow it.

Every cookie banner should have an option to click on an ACCEPT button but also a button to refuse cookies. In some cases, businesses may offer the opportunity to reject cookies in the cookie preferences center if they have one.

Moreover, you have to check the checkboxes or turn the toggles on to indicate that you consent to the use of cookies.

The following cookie banner shows how to ask users for consent unlawfully because the toggles are on by default.

On the next one, the toggles are off. You can turn them on if you want. That’s how you give consent unambiguously, and that’s how businesses should ask you lawfully.

A common mistake websites make is assuming that users consent to data collection by staying on the website.

Their cookie banners say, “If you keep browsing on this website, it means that you consent to the use of cookies.” That’s not in compliance with the GDPR. That’s a clear violation of the users’ privacy rights.

Remember: It is you who should take affirmative action to give consent. The cookie banner shouldn’t help. It should leave it up to you.

Easily Withdrawn

The business must allow you to withdraw the consent as easily as you have given it.

If you have clicked on an ACCEPT button to give consent, you should be allowed to click on a WITHDRAW button to withdraw it.

Businesses usually put the withdrawing option in the privacy center. It is a good practice as it provides easy access to exercise that right.

It is important to note again that the data controller must not condition the withdrawal by imposing some negative consequences unless the cookies are necessary for providing some features.

For example, cookies may be necessary to remember your language preferences on the website, and it makes sense to receive a worse user experience due to the withdrawal of consent.

However, advertising cookies are not related to the website functionalities in any way, so they must not be a condition for getting a better user experience.

Remember: You should be able to withdraw the consent as easily as you gave it.