In this guide we will show you how websites should be asking you for cookie consent and what to do in case they’re violating your rights instead.
Many years ago, when someone accessed the internet, their data had been stripped off at the moment of arrival on any website. Cookies were starting to collect users’ data as soon as they possibly could. But, it has changed.
The European Union was quick to make an attempt to prevent this by passing the ePrivacy Directive in early 2000’s, which was updated a few times.
It didn’t bring the desired results at the desired scale, so the EU opted for a new law – the General data Protection Regulation (GDPR).
Starting from 2018, the cookie laws are more strict than ever and the penalties for non-compliance have never been bigger. However, many businesses are not compliant yet.
Data protection authority will likely never be able to go after every single non-compliant business, so you have to rely on yourself and protect your data.
Related guide: How to Complain to the Data Protection Authority When Your Rights Have Been Violated
Related guide: The Ultimate Guide to Data Subject Rights Under the GDPR
Cookies are small textual files that a website or an app send into your device (laptop, smartphone, tablet), store it there and use it to collect data. Website or app owners, i.e. data controllers, then process the data for their own needs.
Cookies collect your personal data and hand it to someone else to process it.
That doesn’t necessarily mean that you’ll suffer some damages, that you’ll be a victim of identity theft, or something like that.
It simply means that your data is in someone else’s hands and they have it readily available. They may process it in compliance with the laws, they may do nothing with it, or they may abuse it. You just never know.
Businesses must ask for user’s consent before injecting cookies into users’ devices.
Businesses, intentionally or not, often make mistakes in consent requests. In the short period of application of the GDPR that led to one significant decision of the Court of Justice of the European Union (CJEU) and detailed recommendations of the European Data Protection Board (EDPB).
The court decision is widely known as Planet49 decision, where a German company was fined for collecting consent in an unlawful way. Specifically, they provided users with pre-checked checkboxes instead of leaving the checking to users. That is not affirmative action, therefore it is a violation of the law.
Affirmative action is only one of the requirements for a lawful consent according to the GDPR, but that’s not the only thing you should be careful about.
Related guide: GDPR fines list
The GDPR requires consent to be:
All these five requirements must be met for a lawful consent.
But, what does each one of them mean and how to recognize if you’ve been requested as you should be?
Consent is given freely if it was voluntary action by the user. The user has given their consent at their own will if:
The consent is informed when you are informed about what will be going on with your personal data should you give consent. Businesses communicate this information through their privacy policies.
Remember: Websites must provide you with information about what happens to your personal data if it gets collected by cookies. That information must be provided in plain language, in a way that is easy to understand.
Businesses must obtain a separate consent for every single processing purpose.
The business that tracks website analytics and uses advertising cookies must ask for consent for each purpose separately. One bundled consent doesn’t count.
Remember: Every cookie banner should look like the one above. The number of consent requests must be equal to the number of processing purposes.
The following cookie banner shows how to ask users for consent unlawfully, because the toggles are on by default.
On the next one, the toggles are off. You can turn them on if you want. That’s how you give consent unambiguously, and that’s how businesses should ask you lawfully.
Remember: It is you who should take affirmative action to give consent. The cookie banner shouldn’t help. It should leave it up to you.
The business must allow you to withdraw the consent as easily as you have given it.
If you have clicked on an ACCEPT button to give consent, then you should be allowed to click on a WITHDRAW button to withdraw it.
Businesses usually put the withdrawing option in the privacy center. It is a good practice as it provides easy access to exercise that right.
It is important to note again that the data controller must not condition the withdrawal by imposing some negative consequences, unless the cookies are necessary for providing some features.
For example, cookies may be necessary to remember your language preferences on the website and it makes sense to receive worse user experience due to the withdrawal of consent. However, the use of advertising cookies is not related to the website functionalities in any way, so they must not be a condition for getting a better user experience.
Remember: You should be able to withdraw the consent as easily as you gave it.