The General Data Protection Regulation (GDPR) is data protection legislation that protects the privacy rights of EU citizens. Although the legislation rarely mentions the term “cookies”, cookie consent is still crucial for compliance because cookies collect personal data.
Continue reading to learn all the compliance requirements for a GDPR cookie consent with examples and common mistakes to avoid.
What is GDPR cookie consent?
GDPR cookie consent is the GDPR requirement for websites to acquire active user consent before deploying cookies on their browsers. It only applies to non-essential cookies that process personal data.
It’s important to mention that the GDPR is complemented by the ePrivacy Directive, another EU law that governs the use of cookies. This law, also referred to as the EU cookie law, doesn’t allow websites to deploy cookies on user devices until active consent is acquired.
Both regulations define consent in the same manner, with the following requirements according to GDPR Art. 4(11):
- Clear affirmative action. Users must give a clear statement or perform an affirmative action that unmistakably signifies their consent.
- Freely given. Consent must be acquired by giving users a free choice. This means no pre-selected cookie types and no cookie wall that blocks access when cookies are rejected.
- Specific. Users must understand exactly what they’re agreeing to – the scope and the purpose of it – meaning the explanations cannot be broad or vague.
- Informed. Users must fully understand the context and implications of why they’re asked for consent.
- Unambiguous. Consent is valid only if the user clearly performs an affirmative action. This means that closing the cookie consent banner doesn’t count as giving consent.
How to comply with GDPR using cookie consent
The first step to comply with the GDPR is to set up a cookie consent tool. Depending on the platform you’ve built your site on, choose a high-quality cookie consent management platform.
For example, Shopify users can benefit from the fully customizable TinyCookie consent banner app.
Let’s take a look at a general step-by-step guide on how to set up a cookie consent banner.
1. Install the app to your website.
2. Follow the provided setup instructions and activate or embed the app to your site.
3. Open the app and customize your cookie banner, including the layout, placement, content, and design, so that it fits your website and is GDPR compliant.
It’s as simple as that: the cookie banner will appear as soon as a visitor opens your website.
Requirements for GDPR cookie compliance
Adding a cookie banner on your website doesn’t automatically ensure compliance. Follow this GDPR checklist for cookie consent to know what to include in your banner:
- Inform users. You must include information about the types of cookies used on your website. The information has to be presented in plain and simple language so that users know what they’re agreeing to.
- Add a cookie consent option. Consent must be given using a clear affirmative action that signifies acceptance of cookie usage, like the “Accept” button.
- Allow cookie management. Users must have the option to choose what exact types of cookies they consent to and which they don’t.
- Include a consent withdrawal option. You must provide users with an option to withdraw consent as easily as it was to give it according to GDPR Art. 7. Avoid making consent withdrawal a multiple-step process.
- Collect user consent. Websites must record user consent in one place so that they can demonstrate proof of compliance when required.
- Avoid cookie walls. Refrain from blocking access for users who didn’t grant consent – the GDPR may not view it as “freely given” consent if access is conditional.
- Link to the cookie policy. You should place a cookie policy hyperlink on your cookie banner so users can easily access it and fully understand your activities.
Don’t forget to also add a callback widget at the corner of your site so users can easily revoke consent if they wish.
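The checklist above translates directly into banner logic: nothing non-essential is pre-selected, only an explicit tick turns a category on, closing the banner is treated as a rejection, every decision is recorded as proof of compliance, and withdrawal is a single step. The following is an added example written for this article, not TinyCookie’s or any other product’s code; the category names, the `cookie_consent` storage key and the in-memory `Map` standing in for a first-party cookie are constructed assumptions.

```javascript
// Added example (not TinyCookie's or the page's code). All non-essential
// categories start OFF, closing the banner counts as rejection, every
// decision is recorded for accountability, and withdrawal is one call.
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

// `storage` stands in for a first-party cookie or localStorage; an in-memory
// Map is used here so the example runs outside a browser (constructed).
function createConsentManager(storage = new Map(), now = () => Date.now()) {
  const allOff = () => Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));

  function record() {
    const raw = storage.get("cookie_consent");
    return raw ? JSON.parse(raw) : null;
  }
  // The stored record is the proof of compliance: what, when, and by which action.
  function save(choices, action) {
    const entry = { choices, action, at: new Date(now()).toISOString() };
    storage.set("cookie_consent", JSON.stringify(entry));
    return entry;
  }

  return {
    // Affirmative action: only categories the user explicitly ticked become true.
    accept(selected) {
      const choices = allOff();
      for (const c of selected) if (c in choices) choices[c] = true;
      return save(choices, "accept");
    },
    rejectAll() { return save(allOff(), "reject"); },
    dismiss() { return save(allOff(), "dismiss"); },   // closing the banner is not consent
    withdraw() { return save(allOff(), "withdraw"); }, // as easy as accepting
    hasDecision() { return record() !== null; },
    // Gate: essential cookies always run; others only with recorded consent.
    mayRun(category) {
      if (!NON_ESSENTIAL.includes(category)) return true;
      const r = record();
      return r !== null && r.choices[category] === true;
    },
    record,
  };
}

// Load a tag (e.g. an analytics snippet) only when its category is allowed.
function loadIfAllowed(manager, category, loader) {
  if (!manager.mayRun(category)) return false;
  loader();
  return true;
}
```

Wire `loadIfAllowed` in front of every third-party tag so that a visitor who never interacts with the banner, or who dismisses it, is never tracked.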
Examples of GDPR cookie consent
Almost any website you visit has a cookie consent banner, but not all of them are GDPR compliant. Let’s take a look at a few cookie consent examples.
H&M cookie banner
H&M has a GDPR-compliant cookie banner in place, providing clear information on what the user is agreeing to. It explains which cookies are used, including first- and third-party cookies, and how they benefit the user.
Plus, there’s a link to the cookie policy so users can easily access full information about the cookies on this website.
This cookie consent banner has all the required buttons – you may accept all cookies or reject all except the required cookies. Plus, you can even click on “cookie settings” and select specific cookie types to agree to.
Next
The Next shop is another great cookie banner example. The text is plain, simple, and short. It explains what the cookies are used for and links to the privacy policy, which includes a cookie section.
Since the banner is placed in the middle of the window, it instantly grabs attention. You get three large buttons of the same prominence, whether you want to accept, reject, or manage cookies.
Healthline cookie wall example
The Healthline blog also has a cookie consent banner in place but it works as a cookie wall. You can’t locate the “disallow all” button unless you click the “Manage settings” button.
However, even if you reject cookies after clicking the “Manage settings” button, you won’t be able to access the full site. Instead, you’ll be met with a message welcoming you to the ad and tracking-free version of Healthline.
This version explains that you cannot gain access to the website unless you agree to cookie usage. You only get to view the 10 most popular articles from Healthline.
GDPR cookie policy
Under the GDPR, a cookie policy is a must-have legal document for any website that uses cookies. While it may seem overwhelming to write one, it’s easier when you know what exactly must be included.
Here are the main things you should mention in a cookie policy:
- Definition of a cookie. Users need to know what cookies are before agreeing to them, so providing a clear definition is a must.
- List of used cookies. Make sure you mention all types of cookies that you use, including essential, functional, advertising, or performance, and explain each of their purposes.
- Legal basis. You must state the lawful basis for the data processing. GDPR Art. 6 lists six lawful bases: consent, performance of a contract, legal obligation, vital interests, performance of a task in the public interest, and the legitimate interests of the controller or a third party.
- List third-party services. If you share or sell the personal data of your users to third parties, you must disclose this and mention who those parties are.
- Information about cookie management. The GDPR allows users to change their cookie choice at any time. So, you must provide clear instructions on how to manage cookie consent and withdraw it.
- Contact information. Provide the users with contact information of your company or the responsible team, like a phone number or email address. This will make it easier for users to find you when they want to exercise their rights.
If you’re not sure whether you can write a good cookie policy, you can take advantage of external resources. For example, even if you’re not a Shopify user, you can use their free privacy policy generator that includes a cookie section.
Common mistakes to avoid
Many businesses adopt a cookie consent banner but don’t ensure proper GDPR compliance. Here are some common mistakes you should avoid:
- Do not treat closing the banner as consent. Under the GDPR, closing the banner is not freely given consent because it is not an unambiguous affirmative action. Instead, either count it as a rejection or remove the close button and require the user to choose between the options provided.
- Do not hide the reject button. GDPR Art. 7(3) states that rejecting consent should be as easy as giving it. So, make sure you don’t hide the button or pre-select all cookie types in the management settings.
- Do not place a cookie wall. Avoid blocking access to your website with a cookie wall because, under the GDPR, it’s considered conditional consent.
- Do not postpone cookie policy updates. If your data processing practices change, update the cookie policy as soon as possible to avoid any complaints and legal trouble.
Frequently asked questions
GDPR fines can go up to €20 million (roughly $22 million), or 4% of the firm’s global annual revenue from the previous financial year, whichever is higher. However, if the company doesn’t comply even after receiving large fines, authorities can temporarily or permanently ban data processing activities, which could lead to ceasing operations.
Yes, a cookie policy is a must under the GDPR and it should be easily accessible to any user. The policy must mention what information your website collects and the legal basis for it.
The GDPR requires acquiring consent for the use of cookies that are non-essential and process the personal data of users. For example, these can be personalization cookies that remember your preferences, analytics cookies that analyze how users behave on the website, or marketing cookies used for advertising.
You should review your cookie and privacy policy at least once per year and update it when necessary so that it corresponds to your current data processing activities. If you release a new service or feature, or start sharing data with other processors, you should always review the cookie policy again.