How to Comply with the GDPR Cookie Policy

Earlier this fall, the Court of Justice of the European Union (CJEU) issued a decision regarding cookie consent that will have a significant impact on websites worldwide. The CJEU established that explicit consent must be provided by a website visitor (when that visitor is from the European economic zone) before a site may place cookies on the visitor’s device.  

In a press release issued by the CJEU, they state that: 

“In today’s judgment, the Court decides that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a pre-checked checkbox which that user must deselect to refuse his or her consent.” 

This ruling means that almost all cookie notification methods in use since the GDPR took effect are not GDPR compliant. Let’s dive in and see what this means for website owners. 

Non-compliant cookie notices

Here are a few cookie consent methods that no longer work.

Forced consent 

You’ve probably come across pop-up notices like the one below. 

“This website uses cookies to ensure you get the best experience on our website. Learn More.”

This type of notice, what we’ll call a “forced consent” notice, is not GDPR-compliant. Site owners cannot presume the user’s intent, and offering only a confirmation button is not sufficient.

Lazy blanket opt-out 

Here’s another common cookie confirmation form with the added option to decline cookies.

Since this example allows users to refuse all non-essential cookies, it must be GDPR compliant. Right?

Actually it’s not. With this confirmation form, if the user clicks “Allow Cookies” or does not interact with the consent form at all (i.e. is lazy and does not click either button), cookies will still be written to the user’s device. 

This type of cookie consent option is not GDPR compliant.

Pre-checked opt-in

A third type of cookie form provides users with the ability to refuse specific types of cookies (preferences, statistics, marketing). But in this case the boxes are pre-checked and the notice is assuming the user’s consent, requiring them to uncheck the boxes to opt-out of these cookies. 

This type of form is not compliant with the GDPR because consent can’t be assumed.

How to make a GDPR-compliant cookie consent form

Real opt-in

In order for a site to be compliant, no non-essential cookies can be placed on a visitor’s browser until they deliberately click the Allow cookies button. And visitors must actively consent to any non-essential cookies that they accept.

The CJEU ruling also states that: 

“Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.” 

This indicates that a button or select option allowing all cookies is not compliant with the GDPR. Cookies that serve different purposes, e.g. marketing, traffic reporting, etc. must be consented to separately. Therefore, it is necessary to provide checkboxes for each type of cookie. 

In the above image you see that only the “Necessary” box is pre-checked. The boxes for other types of cookies are broken out by purpose or type and are unchecked. This is what is required of any site marketing to a European audience. Cookie consent must be explicit and unambiguous in this way. 

The Backend Piece

It is important to point out that controlling the cookies that load for your site’s visitors requires some backend work. Website owners have, to date, taken a superficial approach to complying with GDPR. Most site owners have simply assumed user consent, presented a “forced consent” pop up and left their sites more or less as they were, with all cookies loading. 

With this new ruling from the CJEU, site owners will have to adapt their sites to work with different groups of cookies activated. 

And that is the tricky part. In the past, when a user visited a website, dozens of cookies would typically be loaded on their device, even when a cookie consent form was being displayed. And it’s no small task to modify a site to work with or without each of its cookies. 

Now, for websites subject to GDPR compliance, users must be presented with the option to accept or decline the different types of non-essential cookies. Therefore site owners and managers must create or integrate functions that allow users to control which types of cookies load for them.

SaaS Cookie Notice Services

What is often not clear to website managers and marketing teams is that software-as-a-service cookie notice tools provided by online services like Osano, CookiePro, and Cookiebot are primarily supplying the front-end piece of the cookie opt-in process. This means they are providing only the consent form and the ‘accept’ and ‘decline’ functions; they don’t provide any of the functionality for actually turning a site’s cookies on or off.

These services can also, in some cases, track user activity and produce reports on who opted in or out of cookies. But that is as far as they go. And that is important for site owners to know. We’ve seen some confusion with site owners thinking that integrating with one of these service providers actually turns on or off different types of cookies on their sites.

Next Steps to be GDPR Compliant

If you are a site owner or manager, here are the steps you’ll want to take to make your site compliant. (NOTE: We are not lawyers or legal advisors. These steps are, to the best of our knowledge, accurate but should not take the place of professional advice from your lawyer.)


Step 1. Identify what cookies your site is dropping on your users’ devices. 

Step 2. Classify the cookies into the essential and non-essential categories. Essential cookies are those that are required by the site (e.g. a load balancer cookie) and that don’t track any personally identifiable information. Non-essential cookies include categories like: Analytical, Preferences, Performance, Marketing, Third Party.

Step 3. Have your web developers modify and/or test your site to ensure it works with or without each type of cookie.

Step 4. Add a GDPR-compliant consent form (or use one from the aforementioned service providers) and integrate it with your site so that your users can control which cookies load when they visit your website.

Step 5. Add a function to your site that allows users to review and modify their cookie preferences in the future.
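As an added example (not code from the original post or from any of the services it names), here is the backend gating logic that Steps 2 through 5 and “The Backend Piece” describe: a consent cookie recorded per category, a parser that treats a missing or ignored banner as no consent, and a filter that lets only opted-in cookie categories through. The cookie name `cookie_consent`, the category names, the 180-day duration and the cookie inventory are all assumptions.

```javascript
// Added example: per-category consent gating. Names are assumptions, not the post's.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Parse the request's Cookie header. With no consent cookie present, every
// non-essential category is false: ignoring the banner is never consent,
// and "necessary" can never be switched off by a tampered value.
function parseConsent(cookieHeader) {
  const consent = { necessary: true, preferences: false, statistics: false, marketing: false };
  const match = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || "");
  if (!match) return consent;
  for (const pair of decodeURIComponent(match[1]).split("&")) {
    const [key, value] = pair.split("=");
    if (CATEGORIES.includes(key) && key !== "necessary") consent[key] = value === "1";
  }
  return consent;
}

// Build the Set-Cookie header that records an explicit choice (Step 4), and that
// the preferences page re-issues when a visitor changes their mind (Step 5).
// Only a strict boolean true counts as opting in; anything else is an opt-out.
// Max-Age gives the consent record itself a stated duration (180 days, assumed).
function serializeConsent(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const value = CATEGORIES.filter(c => c !== "necessary")
    .map(c => `${c}=${choices[c] === true ? 1 : 0}`).join("&");
  return `cookie_consent=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Given the classified inventory from Steps 1 and 2, return only the cookies
// the site may set on this response: essential ones plus opted-in categories.
function allowedCookies(inventory, consent) {
  return inventory.filter(c => c.category === "necessary" || consent[c.category] === true);
}

// Constructed sample inventory (not a real scan result); maxAge is the
// duration the cookie policy must disclose alongside each cookie's purpose.
const INVENTORY = [
  { name: "lb_session", category: "necessary", maxAge: 7 * 24 * 3600 },
  { name: "site_analytics", category: "statistics", maxAge: 2 * 365 * 24 * 3600 },
  { name: "ui_lang", category: "preferences", maxAge: 365 * 24 * 3600 },
  { name: "ad_attribution", category: "marketing", maxAge: 90 * 24 * 3600 },
];
```

On each response, the server (or the tag loader on the page) would call `parseConsent` on the incoming Cookie header and consult `allowedCookies` before emitting any Set-Cookie or loading any third-party tag.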

Cookie classification

To help you with Steps 1 and 2, Cookiebot will conduct a free scan of your website and will email you a report that lists all of the cookies used by your site and the category into which each cookie falls.

Cookie preferences

The GDPR also stipulates that a site’s users must have the ability to modify or revoke their consent to cookies at any time. This means that users who initially approved a certain type of cookie must be able to modify their consent on future visits.

Cookie duration

In addition to the issue of consent, the ruling also included a clarifying statement about the duration of cookies and who has access to them.

“…the Court held that the duration of the operation of the cookies and whether or not third parties may have access to those cookies form part of the clear and comprehensive information which must be provided to a website user by the service provider.”

Your website’s cookie policy should include information explaining both the purpose and duration of cookies used on the site.

Analytics implications

The GDPR provides website visitors with an unprecedented level of control over the information that is gathered about them. But there will be some very tangible consequences for website owners. For example, since website visitors will now be able to opt out of all non-essential cookies, GDPR-compliant sites could potentially see a significant drop-off in the reported traffic to their websites. Analytics tools are dependent on cookies to track visitor activity. Without these cookies, many visits will go unrecorded. 

How does an online EU Newspaper comply with GDPR?

The Express has an interesting approach to cookie consent that is worth taking a closer look at. In their case, they decided that rather than allow users to decline certain types of cookies from the consent form, they would provide them with a “Manage” option. This option takes the user to a console for turning cookie types on and off. 

Note that the site cannot be accessed until the visitor interacts with the popup.

When a visitor first reaches the site, they are immediately greeted with a popup that requires the visitor to engage with the popup before they are able to interact with the website at all. Visitors can click the Accept button to immediately proceed to the site. 

However, if they click the Manage button, they will see a series of popups that give the user the ability to accept or reject certain types of cookies. This method seems like it could be an effective way to address the cookie consent issue, but there are a couple of reasons why it treads a fine line in terms of whether it is in compliance with the spirit of this recent ruling.

The first is that the initial popup does not immediately give users the ability to choose which cookies they are willing to accept. Only if users click the manage link do they get that option. 

The second is that on the second popup (see second slide above), they identify “functional cookies” which are presumably essential cookies that the site requires in order to function correctly. Visitors do not have the option to reject these cookies. And among these cookies are Google and Twitter. It would be difficult to argue that these are essential, but such is the claim here.

The more hoops a website visitor is required to jump through, the more likely they are to abandon the site. Getting a visitor to your site is the hard part. So you should certainly do everything you can to make their visit as easy as possible while they’re on your site. For this reason, we’d recommend using the first option (popup with checkboxes on the page of entry) over the second (a series of popups preventing the site from being accessed until a user grants consent). Tracking might be affected, but your visitors won’t be.

In Conclusion

If you determine that your organization must comply with GDPR standards and you need to make your website fully compliant, the changes required are not insignificant. But neither are they insurmountable. You may want to consult your website management team to determine how to put you on the path to compliance.