10 min read
Cookies are files with small pieces of data that help websites remember user preferences or improve their experience. While they’re generally safe, some cookies can be intrusive by extensively tracking user activities.
Over 40% of websites use cookies according to Web Technology Surveys. The increasing usage of such technologies led to the formation of data privacy laws, like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Such regulations developed strict rules for user data handling and compliance.
While cookie compliance can seem challenging at first, it becomes a straightforward process once you know the requirements. Read further to learn how to become cookie-compliant for your website.
What is cookie compliance?
Cookie compliance is the act of complying with data privacy regulations in regards to the use of cookies on a website. This includes acquiring user consent on a website that uses cookies to collect the personal details of users.
Different regulations have unique requirements for cookie compliance. However, the general rules are usually similar. It involves:
- Informing users about the use of cookies
- Providing users with an option to opt out
- Collecting user consent in a secure place
- Blocking cookies before consent is granted
Free plan availableOne-click setupHow to make a website cookie-compliant?
Becoming cookie-compliant involves auditing your cookies, obtaining user consent, and creating a cookie policy. Here’s how to do all of these steps in a compliant manner:
1. Conduct a cookie audit
You need to know what cookies are used on your website so you’d know all types of user data that you collect. This helps ensure that you comply with data privacy regulations like GDPR, CCPA, or others.
The first step is to perform a cookie audit. It involves finding out all types of cookies used on your website, their types, expiry, and what data they collect. The easiest way to do it is using a cookie scanner.
For example, if you’re a Shopify user, you can leverage TinyCookie to scan your website and give you a detailed cookie report in a matter of seconds.
You can use it not just to view but also manage cookies. This includes changing the provider or cookie category.
2. Obtain user consent
Website owners must inform users about cookies or obtain their consent, depending on the data privacy regulations they must follow. For example, the GDPR and many other regulations require businesses to obtain user consent.
Meanwhile, regulations like the CCPA assume automatic consent. Yet, businesses must still inform users about cookie usage and provide an option to withdraw consent.
The most popular method to inform users or obtain consent is using a cookie consent banner or popup. It shows up as soon as the site visitor enters the site, so they’re informed upon entering.
There are certain general cookie consent compliance requirements that must be followed. Here are the main tasks:
- Provide information on your cookie banner about what cookies are used and their purpose
- Include an “Accept cookies” button so it involves an affirmative action
- Add a “Reject all” or similar button for users who would like to reject consent
- Allow users to manage cookie preferences and choose what they’d like to consent to
- Don’t allow users to continue browsing before setting their cookie choice
- Collect user consent in one place securely
3. Create a cookie policy
A cookie policy is a document that contains all of the information about the cookies on your website. It can be created as a separate page or it can be a section in your privacy policy.
Here’s what a cookie policy should include:
- The definition of “cookie” to help users understand what it is
- The list of cookie types on your website and their purposes, such as essential, functional, or advertising cookies
- Information about cookie consent management on your website, including how to opt out
- Company contact details for users to be able to contact you
You may also use the provided official GDPR cookie policy template to help you head in the right direction.
What happens if you don't comply with cookie regulations?
If you don’t comply with data privacy laws, like GDPR or CCPA, you may face warnings, fines, or even a ban on processing.
For businesses processing data of users from the European Union (EU), non-compliance could lead to such GDPR fines:
- For less serious violations (like not recording user consent): a fine of up to €10 million, or 2% of the firm’s global annual revenue from the previous financial year (whichever is higher).
- For serious violations (like data leaks): a fine of up to €20 million, or 4% of the firm’s global annual revenue from the previous financial year (whichever is higher)
Meanwhile, if a business processing California user data without compliance, CCPA fines can be:
- For non-intentional violations (due to lack of awareness): up to $2,500 per single violation.
- For intentional violations (like not allowing to withdraw consent): up to $7,500 per single violation.
What is GDPR cookie compliance?
GDPR cookie compliance refers to the process of obtaining user consent for the use of cookies on a website as required by the GDPR. Since cookies are used to identify users, the GDPR states that they “qualify as personal data and are therefore subject to the GDPR.”
This means that businesses must ensure compliance with the regulation in order to prevent fines and manage user data in accordance with the law.
Together with the ePrivacy Directive, the GDPR focuses on ensuring businesses are transparent with users about their data collection practices and obtain consent for it.
User consent under the GDPR
According to the GDPR Article 4, consent must be:
- Freely given – users must give consent without being pressured to do so. For example, cookie walls, which block access to the site if consent is not given, are considered invalid.
- Specific – site visitors must be able to make different consent choices for specific cookie types that are used for different purposes.
- Informed – you must inform users about the use of cookies and explain the reasons behind it in clear and simple language. Users must understand what they’re agreeing to before giving out their consent.
- Unambiguous – the consent given by the user must involve an affirmative action to be considered valid. It means that assuming consent upon scrolling or by clicking the exit button on the banner is not allowed.
Keep in mind that under GDPR Article 7, you must be able to demonstrate proper consent. So, you must collect and store the consent choices of all users in one place.
Consent withdrawal under the GDPR
Under the GDPR Article 7, you must also provide users with an option to withdraw consent. It must be as easy to reject cookies as it was to accept them.
For example, you can add a “Reject cookies” button in your cookie banner. Alternatively, you can replace it with an “Accept necessary only” button. Here’s an example of how it would look:
“Accept necessary only” is a valid consent rejection button because strictly necessary cookies don’t require consent. That’s because they’re essential for the site to function.
What is CCPA cookie compliance?
According to CCPA 1798.140. (aj), cookies are a unique identifier and can be linked to a user. It means that cookies fall under the category of personal information and must comply with the CCPA.
Unlike the GDPR, CCPA doesn’t require user consent to use cookies (except for minors). Instead, websites must inform users about cookies on the website, usually through a cookie banner or popup.
It should also be easy to opt out of data collection. The CCPA requires inserting a “Do not sell or share my personal information” link where users can reject data collection. Here’s an example of what it looks like:
It should be somewhere where it’s visible to all users. For example, a cookie banner, the website banner, and the cookie policy.
Challenges with cookie compliance
Cookie compliance with data privacy laws can be a challenging task. Here are the main issues with compliance:
- Complex data privacy regulations. Laws from each region vary in terms of requirements. So, businesses that have users from different countries have to adapt the cookie banner to multiple audiences.
- Cookie management. Without much knowledge about cookies, it can be hard to know how to block them before getting consent or how to perform an audit.
- Consent management. Managing cookie consent manually can be difficult as it needs to be meticulously monitored and securely stored.
Luckily, all of these challenges can become easier if you get a consent management platform. For example, with TinyIMG, you can add a customizable cookie banner to your site in one click. It automatically collects user consent in one place and gives you a cookie scanner to manage your site cookies.
Frequently asked questions
Cookie compliance helps ensure that your website complies with the necessary data privacy laws, such as the GDPR or CCPA. It involves informing all of your website visitors about the use of cookies on your website, letting them manage cookie preferences, and obtaining their consent before collecting any data.
The website owner is responsible for ensuring it’s compliant with the necessary data privacy regulations. If a large business has acquired a Data Protection Officer (DPO), then the DPO is responsible for maintaining compliance. It involves obtaining user consent for non-essential cookies in a way where the user is clearly informed what they’re agreeing to.
To check if your website ensures cookie compliance, you have to audit what cookies are set on your website by setting consent preferences and reviewing if it works as intended. You can check what cookies are set by right-clicking anywhere on your website, going to Inspect > Application (or Storage) > Cookies.
For businesses that process EU citizen data, you can check if your site is compliant using a GDPR compliance checker.
However, the easiest way to ensure that your website is always cookie-compliant is to use a full-fledged consent management platform. For example, if you’re a Shopify user, TinyCookie can help you achieve compliance in just a few clicks. It provides you with a customizable cookie banner, tracks user consent, and respects Global Privacy Controls (GPC).
