How You Should Be Asked for Cookie Consent According to the GDPR

Updated: 12 August 2021

Fact-checked by Miklos Zoltan

In this guide we will show you how websites should be asking you for cookie consent and what to do in case they’re violating your rights instead.

Years ago, a visitor's data was harvested the moment they arrived on a website: cookies started collecting users' data as soon as they possibly could. That has changed.

The European Union was quick to attempt to prevent this by passing the ePrivacy Directive in the early 2000s, and it has updated that directive a few times since.

It didn’t bring the desired results at the desired scale, so the EU opted for a new law – the General Data Protection Regulation (GDPR).

Since 2018, the cookie rules have been stricter than ever and the penalties for non-compliance have never been bigger. However, many businesses are still not compliant.

Data protection authorities will likely never be able to go after every single non-compliant business, so you have to rely on yourself to protect your data.

That’s why you need to learn how you should be asked for consent for the use of cookies.

Related guide: How to Complain to the Data Protection Authority When Your Rights Have Been Violated
Related guide: The Ultimate Guide to Data Subject Rights Under the GDPR
Related guide: How to Understand the Privacy Practices of an Online Business Based on Their Privacy Policy

How to Ask for Cookie Consent

What Are Cookies?

Cookies are small text files that a website or an app sends to your device (laptop, smartphone, tablet), stores there, and uses to collect data. Website or app owners, i.e. data controllers, then process that data for their own needs.

Why Is It Important to You?

Cookies collect your personal data and hand it to someone else to process it.

That doesn’t necessarily mean that you’ll suffer some damages, that you’ll be a victim of identity theft, or something like that.

It simply means that your data is in someone else’s hands and they have it readily available. They may process it in compliance with the laws, they may do nothing with it, or they may abuse it. You just never know.

What Do Businesses Need to Do?

Businesses must ask for users’ consent before placing cookies on users’ devices.

Using cookies without consent is unlawful and a violation of the GDPR. Moreover, the consent must be requested and obtained in a lawful way. Not all consents are equal.

Businesses, intentionally or not, often make mistakes in consent requests. Even in the short time the GDPR has been in force, this has already led to one significant decision of the Court of Justice of the European Union (CJEU) and to detailed recommendations from the European Data Protection Board (EDPB).

The court decision is widely known as the Planet49 decision, in which a German company was fined for collecting consent in an unlawful way. Specifically, it presented users with pre-checked checkboxes instead of leaving the checking to the users. That is not affirmative action, and therefore it is a violation of the law.

Affirmative action is only one of the requirements for a lawful consent according to the GDPR, but that’s not the only thing you should be careful about.

GDPR Cookie Consent Requirements

The GDPR requires consent to be:

  • Freely given
  • Informed
  • Specific
  • Unambiguous, and
  • Easily withdrawn.

All five of these requirements must be met for consent to be lawful.

But what does each of them mean, and how do you recognize whether you have been asked for consent as you should be?

Freely Given

Consent is freely given if it was a voluntary action by the user. The user has given their consent of their own will if:

  • They have not been coerced into giving consent. Websites that want to coerce users into giving consent often bundle the consent with the Terms of Use. That’s against the GDPR. Such consent doesn’t count because it is not freely given.
    Remember: The website should always ask for your consent separately.
  • They have not been prevented from accessing content without consent. Blocking content until consent is given is called a cookie wall and is one of the sneaky ways in which websites intrude on your privacy. The website must provide you with access to all of the content without collecting consent. This doesn’t apply to a members-only area of a website, but access to such an area doesn’t require cookies either.
    Remember: Access to content does not require cookies. If someone requests your consent in exchange for access, they are violating your GDPR rights.
  • They have not been prevented from withdrawing consent, and face no consequences for doing so. You are free to give consent and free to withdraw it. That means the controller must not impose any negative consequences for withdrawing it.
    Remember: Withdrawing consent is a GDPR right. If a data controller tries to prevent you from doing so, it is time to turn to the authorities.

Informed

Consent is informed when you have been told what will happen to your personal data should you give consent. Businesses communicate this information through their privacy policies.

However, having one is not enough. The website should provide a link to the policy at the moment of collection, i.e. at the moment of consent request for the use of cookies.

In addition, the policy must clearly state that the website uses cookies, why it uses them, and what data it collects with them. Without all of this information, the consent request is unlawful.

The following banner is a good example of meeting this requirement. The website asks for consent and provides a link to its privacy policy. You can click through and inform yourself about its privacy practices before granting consent.

Cookie Banner

However, whether you read the privacy policy or not is your own business. No one obliges you to read it, but the law assumes that you have read it if you have been given easy access to it.

Remember: Websites must provide you with information about what happens to your personal data if it gets collected by cookies. That information must be provided in plain language, in a way that is easy to understand.

Specific

Businesses must obtain a separate consent for every single processing purpose.

A business that uses both website analytics and advertising cookies must ask for consent for each purpose separately. One bundled consent doesn’t count.

The following cookie banner is a good example of a specific request. The banner clearly states why the website uses cookies and explains the processing purposes. The user can consent only to the purposes for which they want their data processed; they do not have to consent to all purposes at once.

Remember: Every cookie banner should look like the one above. The number of consent requests must be equal to the number of processing purposes.

Unambiguous

Consent is given unambiguously if you give it through your own affirmative action. It is you, the internet user, who should clearly state that you consent to the use of cookies, and the website’s cookie banner must allow you to do so.

Every cookie banner should have an ACCEPT button, but also a button to refuse cookies. In some cases, businesses may offer the opportunity to reject cookies in the cookie preferences center, if they have one.

Moreover, it is you who has to check the checkboxes or turn the toggles on to indicate that you consent to the use of cookies.

The following cookie banner shows an unlawful consent request, because the toggles are on by default.

Cookie Content Settings

On the next one, the toggles are off. You can turn them on if you want. That’s how you give consent unambiguously, and that’s how businesses should ask you lawfully.

Cookie Consent Violation

A common mistake websites make is assuming that the user consents to data collection just by staying on the website. Their cookie banners say something like: “If you keep browsing on this website, it means that you consent to the use of cookies”. That’s not in compliance with the GDPR. That’s a clear violation of the users’ privacy rights.

Remember: It is you who should take affirmative action to give consent. The cookie banner shouldn’t do it for you; it should leave the choice to you.

Easily Withdrawn

The business must allow you to withdraw consent as easily as you gave it.

If you have clicked on an ACCEPT button to give consent, then you should be allowed to click on a WITHDRAW button to withdraw it.

Businesses usually put the withdrawing option in the privacy center. It is a good practice as it provides easy access to exercise that right.

It is important to note again that the data controller must not condition the withdrawal by imposing some negative consequences, unless the cookies are necessary for providing some features.

For example, cookies may be necessary to remember your language preferences on the website, so a worse user experience after withdrawing consent for them makes sense. However, advertising cookies are not related to the website’s functionality in any way, so they must not be a condition for getting a better user experience.

Remember: You should be able to withdraw the consent as easily as you gave it.
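The requirements in the Freely Given, Specific, Unambiguous and Easily Withdrawn sections above translate directly into how a consent banner's state should behave. The following is an added example, not code from the original article or from any consent-management product: a small JavaScript consent-state module in which every purpose starts off, only an explicit user action turns it on, accepting the Terms of Use never touches a cookie decision, passive browsing never counts as consent, withdrawal is the same single step as granting, and tag loading is gated on the per-purpose decision. The purpose names, the tag registry and the click handler wiring are assumptions made for illustration.

```javascript
// Added example (not from the article): a per-purpose cookie consent state model
// that follows the GDPR requirements discussed above. Purpose names and the tag
// registry below are constructed for illustration.

const PURPOSES = Object.freeze(["analytics", "advertising"]);

// "Specific": one decision per processing purpose.
// "Unambiguous": every purpose starts OFF; nothing but an explicit user
// action (grantConsent) ever turns one on.
function createConsentState() {
  const decisions = {};
  for (const p of PURPOSES) decisions[p] = { granted: false, at: null };
  return { decisions, termsAccepted: false };
}

function assertPurpose(purpose) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
}

// Intended to be called only from a click/keyboard handler on an unchecked
// toggle or ACCEPT button (assumed wiring, not shown here).
function grantConsent(state, purpose, now = Date.now()) {
  assertPurpose(purpose);
  state.decisions[purpose] = { granted: true, at: now };
  return state;
}

// "Easily withdrawn": the same single call as granting, no extra hurdles.
function withdrawConsent(state, purpose, now = Date.now()) {
  assertPurpose(purpose);
  state.decisions[purpose] = { granted: false, at: now };
  return state;
}

// "Freely given": accepting the Terms of Use is a separate act and must not
// change any cookie decision (no bundling of consent with the terms).
function acceptTerms(state) {
  state.termsAccepted = true;
  return state;
}

// "If you keep browsing you consent" is not consent: passive activity such as
// scrolling or time on page never changes the state.
function onPassiveActivity(state /*, event */) {
  return state;
}

function isGranted(state, purpose) {
  assertPurpose(purpose);
  return state.decisions[purpose].granted === true;
}

// Tag loading is gated on the explicit decision for each tag's purpose.
// Strictly necessary items (purpose === null, e.g. a session cookie) always
// run. Returns the names of the tags that are allowed to load.
function tagsAllowedToLoad(state, registry) {
  return registry
    .filter((tag) => tag.purpose === null || isGranted(state, tag.purpose))
    .map((tag) => tag.name);
}

// Constructed sample registry for the walk-through (not from the article).
const SAMPLE_REGISTRY = Object.freeze([
  { name: "session-cookie", purpose: null },
  { name: "analytics-tag", purpose: "analytics" },
  { name: "ad-pixel", purpose: "advertising" },
]);

// Walk-through: what would load after each user interaction.
function demo() {
  const state = createConsentState();
  const steps = {};
  steps.initial = tagsAllowedToLoad(state, SAMPLE_REGISTRY);
  acceptTerms(state);
  onPassiveActivity(state);
  steps.afterTermsAndScrolling = tagsAllowedToLoad(state, SAMPLE_REGISTRY);
  grantConsent(state, "analytics");
  steps.afterAnalyticsClick = tagsAllowedToLoad(state, SAMPLE_REGISTRY);
  withdrawConsent(state, "analytics");
  steps.afterWithdrawal = tagsAllowedToLoad(state, SAMPLE_REGISTRY);
  return steps;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the design is that there is no code path from "the page loaded" or "the user scrolled" to a granted purpose: the only way `analytics-tag` or `ad-pixel` can load is a call to `grantConsent` for that exact purpose, and `withdrawConsent` reverses it with the same amount of effort. Recording the timestamp on each decision also gives the controller the record it needs to show that consent was actually obtained.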

Written by: Petar Todorovski


Data privacy expert

Legal Advisor for IT Regulation - Ministry for Information Society and Administration of Macedonia

Petar Todorovski is interested in just about anything where law and technology intersect. His work includes legal consultation for companies, drafting IT-related legislation for the Macedonian government, and designing legal tech apps for a data protection management platform.

He has experience in data protection, cybersecurity, trust services, digital transformation of public services, access to justice, and writing for the internet.

He is a big advocate of automation, user-centered design, and the use of plain language in the legal industry.

Petar takes a break from law and tech by having a Crossfit workout, enjoying the outdoors, and reading smart people’s blogs.
