Several laws regulate the use of cookies and similar technologies, including GDPR, the Data Protection Act (in the UK), PECR (in the UK) and the EU ePrivacy Directive. They all share similar best practices for cookie usage. Let's go through them:
- Without users' prior consent, you can use only the cookies that are strictly required for your website or service to work. Such cookies are usually called “strictly necessary” or “mandatory”.
However, not every kind of cookie is required for the website to operate. Cookies set by analytics tools, advertising platforms or other external services are usually not required for your website to work properly, so they can’t be “mandatory”.
This is usually the hardest and most painful step to implement, because most companies use all kinds of different data-collecting services on their websites.
- Data subjects should always have the right to withdraw from “non-mandatory” cookie usage when they first land on your website.
- You should request explicit consent for all other cookies that are not mandatory.
That means you can’t set these cookies unless your website’s visitor has explicitly given you consent to set them. To keep it simple, visitors need to enable these cookies themselves in your cookie consent banner. No “all checkboxes are already checked”!
- You may use categories to manage your cookies.
Something like “mandatory”, “analytics”, “advertising”, “other”, etc. This is not strictly required by GDPR, PECR or any other regulation. However, it really simplifies your work with cookies under these regulations, and the user does not need to enable each cookie separately.
- Users should understand what kind of cookies they agree to.
You can use the WeControl cookie consent banner, which shows the “Accept All Cookies” and “Cookies settings” buttons, so a visitor can either accept all cookies or choose which kinds of cookies to allow.
Note: there are NO enabled toggle buttons in cookie settings, so a visitor should explicitly allow particular types of cookies.
Visitors usually click the “Accept All Cookies” button and keep browsing.
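One way to enforce the practices above in code, as an added example that is not WeControl's implementation and not part of the original article. The class, method and cookie names are assumptions, and an in-memory `jar` stands in for `document.cookie` so the logic can run outside a browser:

```javascript
// Added example. `jar` is an assumed in-memory stand-in for document.cookie.
const CATEGORIES = ["mandatory", "analytics", "advertising", "other"];

class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;            // cookie name -> { value, category }
    this.consent = {};
    // Nothing is pre-enabled except strictly necessary cookies.
    for (const c of CATEGORIES) this.consent[c] = c === "mandatory";
  }

  // Apply the visitor's explicit choices from the settings panel.
  update(choices) {
    for (const c of CATEGORIES) {
      if (c === "mandatory") continue;          // not switchable
      if (c in choices) this.consent[c] = choices[c] === true;
      if (!this.consent[c]) this.purge(c);      // withdrawal removes cookies already set
    }
    return { ...this.consent };
  }

  acceptAll() {
    return this.update(Object.fromEntries(CATEGORIES.map((c) => [c, true])));
  }

  // Delete every stored cookie that belongs to a category.
  purge(category) {
    for (const [name, c] of this.jar) if (c.category === category) this.jar.delete(name);
  }

  // Write a cookie only when its category is allowed; unknown categories are denied.
  set(name, value, category) {
    if (this.consent[category] !== true) return false;
    this.jar.set(name, { value, category });
    return true;
  }
}

// Constructed walk-through of one visit.
function demo() {
  const gate = new ConsentGate();
  const log = [];
  log.push(gate.set("session_id", "abc123", "mandatory"));   // allowed without consent
  log.push(gate.set("_metrics", "v1", "analytics"));         // refused: no opt-in yet
  gate.update({ analytics: true });
  log.push(gate.set("_metrics", "v1", "analytics"));         // allowed after opt-in
  gate.update({ analytics: false });                         // visitor withdraws
  log.push(gate.jar.has("_metrics"));                        // cookie was purged
  return log;
}
```

Third-party scripts that set their own cookies have to be loaded behind the same check, since a gate like this only controls cookies written through it.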
Collecting cookie consent under GDPR may seem complicated. However, you just need to be as transparent as possible and follow the best practices mentioned above, and that alone will significantly lower your GDPR-related risks.