In this guide, we will show you how websites should be asking you for cookie consent and what to do in case they’re violating your rights instead.
Years ago, a website could start harvesting a visitor's data the moment they arrived: cookies were set on first load and began collecting data immediately. That has changed.
The European Union first tried to rein this in with the ePrivacy Directive in the early 2000s, which has since been amended several times.
It didn’t bring the desired results at the desired scale, so the EU opted for a new law – the General Data Protection Regulation (GDPR).
Since 2018, when the GDPR began to apply, the rules on cookies are stricter than ever and the penalties for non-compliance have never been higher. Even so, many businesses are still not compliant.
Data protection authorities will likely never be able to go after every non-compliant business, so you have to rely on yourself to protect your data.
That’s why you need to learn how you should be asked for consent for using cookies.
The EU passed the ePrivacy Directive in the early 2000s to stop websites from collecting user data without consent.
It didn't bring the desired results, so the EU adopted the General Data Protection Regulation (GDPR), which began to apply in 2018.
The GDPR requires businesses to ask for users' consent before setting non-essential cookies and lays down specific requirements for that consent to be lawful.
I also explain what cookies are and why it’s important to protect your personal data. Finally, I provide examples of how businesses should and should not ask for cookie consent.
Cookies are small text records that a website (or the app it serves) asks your browser to store on your device (laptop, smartphone, tablet). The browser sends them back with every later request to that site, which is what lets the site recognise you and collect data about your visits. Website or app owners, i.e., data controllers, then process that data for their own purposes.
In other words, cookies collect your personal data and hand it to someone else to process.
That doesn't necessarily mean you'll suffer damages or become a victim of identity theft.
It simply means that your data is in someone else's hands, readily available to them. They may process it in compliance with the law, do nothing with it, or abuse it. You never know.
Businesses must ask for users' consent before storing cookies on users' devices, unless the cookies are strictly necessary to provide a service the user has asked for.
Businesses, intentionally or not, often get consent requests wrong. In the short time since the GDPR began to apply there has already been one significant decision of the Court of Justice of the European Union (CJEU) on the subject, as well as detailed guidance from the European Data Protection Board (EDPB).
The court decision is widely known as the Planet49 decision, in which the CJEU held that a German company's way of obtaining consent for cookies was unlawful.
You can read more about GDPR fines on the linked page.
Specifically, the company presented users with a pre-ticked checkbox instead of leaving the ticking to the user. A pre-ticked box is not an affirmative action, so consent collected that way is invalid.
Affirmative action is only one of the requirements for lawful consent under the GDPR, and it is not the only thing you should watch out for.
The GDPR requires consent to be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give.
All five of these requirements must be met for consent to be lawful.
But, what does each of them mean, and how do you recognize if you’ve been requested as you should be?
Consent is freely given if it was a voluntary action by the user. The user has given consent of their own will if:
Consent is informed when you have been told what will happen to your personal data if you give it. Businesses communicate this information through their privacy policies.
Remember: Websites must provide you with information about what happens to your data if it gets collected by cookies. That information must be provided in plain language, in a way that is easy to understand.
Consent must be specific: businesses must obtain separate consent for every single processing purpose.
A business that tracks website analytics and also uses advertising cookies must ask for consent for each purpose separately. One bundled consent doesn't count.
Remember: Every cookie banner should look like the one above, with one consent request per processing purpose.
The following cookie banner shows an unlawful way to ask for consent: the toggles are on by default.
In the next one, the toggles are off, and you can turn them on if you want. That is how consent is given unambiguously, and that is how businesses should ask for it.
A common mistake websites make is assuming that users consent to data collection simply by staying on the website or scrolling through it.
Remember: It is you who must take the affirmative action that gives consent. The cookie banner shouldn't do it for you; it should leave the choice to you.
The business must allow you to withdraw the consent as easily as you have given it.
If you have clicked on an ACCEPT button to give consent, you should be allowed to click on a WITHDRAW button to withdraw it.
Businesses usually put the withdrawing option in the privacy center. It is a good practice as it provides easy access to exercise that right.
It is also worth repeating that the data controller must not attach negative consequences to withdrawal, unless the cookies in question are genuinely necessary for a feature to work.
For example, a cookie may be needed to remember your language preference on the website, so losing that convenience after you withdraw consent is a reasonable consequence.
Advertising cookies, on the other hand, have nothing to do with the website's functionality, so they must not be made a condition for getting a better user experience.
Remember: You should be able to withdraw the consent as easily as you gave it.
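The requirements above (one consent per purpose, everything off by default, cookies written only after an explicit grant, and withdrawal as easy as granting) can be enforced in the code that sets the cookies rather than left to the banner's design. The JavaScript below is an added example written for this guide; it is not code from the original page or from any consent-management product. The purpose names, the `CookieJar` class and the `ConsentManager` class are hypothetical, and the jar stands in for `document.cookie` so that the example runs outside a browser.

```javascript
// Added example (not from the original page): a minimal consent store that
// models the GDPR rules discussed above. Purpose names are hypothetical.
const PURPOSES = Object.freeze({
  necessary: { essential: true },    // e.g. language preference; exempt from consent
  analytics: { essential: false },
  advertising: { essential: false },
});

// Stand-in for document.cookie so the example runs in Node without a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value, purpose) { this.store.set(name, { value, purpose }); }
  delete(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar, purposes = PURPOSES) {
    this.jar = jar;
    this.purposes = purposes;
    // Every non-essential purpose starts DENIED. There is no "pre-ticked" state
    // and nothing here flips a purpose to granted on scroll, timeout or navigation.
    this.state = {};
    for (const [purpose, meta] of Object.entries(purposes)) {
      this.state[purpose] = meta.essential ? 'exempt' : 'denied';
    }
  }

  // Specific consent: one purpose per call, triggered by the user's own click.
  grant(purpose) {
    this.assertKnown(purpose);
    if (this.purposes[purpose].essential) return; // nothing to consent to
    this.state[purpose] = 'granted';
  }

  // Withdrawal is the same single call as granting, and it is effective:
  // cookies already set for that purpose are removed, not just ignored.
  withdraw(purpose) {
    this.assertKnown(purpose);
    if (this.purposes[purpose].essential) return;
    this.state[purpose] = 'denied';
    for (const [name, entry] of this.jar.store) {
      if (entry.purpose === purpose) this.jar.delete(name);
    }
  }

  allowed(purpose) {
    this.assertKnown(purpose);
    return this.purposes[purpose].essential || this.state[purpose] === 'granted';
  }

  // Every cookie write goes through this guard; a purpose must be declared,
  // so a cookie cannot be set "for no purpose" to dodge the check.
  setCookie(name, value, purpose) {
    if (!this.allowed(purpose)) return false;
    this.jar.set(name, value, purpose);
    return true;
  }

  assertKnown(purpose) {
    if (!(purpose in this.purposes)) throw new Error(`unknown purpose: ${purpose}`);
  }
}

// Walk through the scenarios from the guide and return what happened at each step.
function demo() {
  const jar = new CookieJar();
  const cm = new ConsentManager(jar);
  const trace = {};
  trace.necessaryWithoutConsent = cm.setCookie('lang', 'en', 'necessary'); // allowed
  trace.analyticsBeforeConsent = cm.setCookie('_stats', 'abc', 'analytics'); // refused
  cm.grant('analytics');                                                    // user toggles analytics on
  trace.analyticsAfterConsent = cm.setCookie('_stats', 'abc', 'analytics'); // allowed
  trace.advertisingStillDenied = cm.setCookie('_ads', 'xyz', 'advertising'); // refused: no bundling
  cm.withdraw('analytics');                                                 // one click, same as granting
  trace.statsCookieGone = !jar.has('_stats');
  trace.langCookieKept = jar.has('lang');
  trace.analyticsAfterWithdrawal = cm.setCookie('_stats', 'abc', 'analytics'); // refused again
  return trace;
}

console.log(JSON.stringify(demo(), null, 2));
```

The important design choice is that the consent state lives next to the cookie-setting code and is checked on every write. A banner whose toggles default to off is worthless if the analytics script loaded before the banner and set its cookies anyway; the guard above makes the default-denied state the thing that actually decides whether a cookie is written.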