Cookie Consent: Your Guide to Compliance

Privacy
Morgan Sullivan
February 25th, 2022 · 8 min read

At a glance

  • Regulating cookies and requiring cookie consent is an important part of modern privacy regulation.

  • Different privacy laws, like GDPR and CCPA, deal with cookies and cookie consent differently—but no matter the law, implementing consent management on your website is a best practice.

  • This guide will cover what it means to get cookie consent, how to comply with modern cookie laws (i.e. consent banner requirements), plus a few cookie banner best practices—helping you respect user data rights without driving visitors away.

What are cookies?

Cookies are small text files placed in your browser by the websites you visit. They store data about the site and about you, including your location, preferences, and what you did while on the site.

Cookies can play an important role in how well a website functions, like remembering what’s in a user’s cart or their login information. These are the “strictly necessary” cookies you sometimes see in cookie consent banners.

However, as cookies can share information about past searches, they’re frequently used to inform targeted advertising campaigns, and the data they collect can be packaged and sold to whoever has the budget.

The data collected and shared by unessential cookies is an area of concern for privacy regulators worldwide. As a result, requirements for cookie placement and respecting cookie consent have become quite commonplace, most notably in Europe’s General Data Protection Regulation (GDPR) and the ePrivacy Directive.

What is cookie consent?

Cookie consent is when a website gets a user’s permission to place certain cookies in their browser. Cookie consent banners are one of the most common consent management methods, having become a ubiquitous part of web browsing in recent years.

Cookie banners come in many forms, but often appear as a bottom-of-the-screen pop-up–asking you to accept or reject all cookies, or change your preferences to accept some but not others.

Respecting cookie consent is an important part of privacy law compliance. It’s legally required by the GDPR and ePrivacy Directive, and considered a best practice under the California Consumer Privacy Act (CCPA).

Cookie consent requirements

With the fragmentation of privacy laws worldwide, cookie consent can feel tricky. Different laws require different levels of consent, and even well-established laws are always subject to revision and change.

One best practice is to always plan for the most comprehensive compliance scenario. For one, this signals to your users that you respect their privacy and value upholding their data rights–an act which can pay significant dividends in brand trust and consumer loyalty.

Second, it means you’re more likely to have your compliance bases covered if or when regulation grows more stringent in the future.

Cookie consent in Europe: GDPR and the ePrivacy Directive

GDPR is an opt-in consent regime, meaning users must agree to having their data collected before a site can legally place certain unessential tracking cookies.

Though the GDPR is most often cited as the driving force behind cookie consent management and cookie banners, Europe’s ePrivacy Directive (ePD) is actually the foundational legislation on this topic.

First passed in 2002, the ePD was updated in 2009 to include language around tracking and monitoring across websites and browsers (i.e. cookie tracking). Colloquially known as the “cookie law,” this update created specific requirements about obtaining user consent for processing cookies.

The ePD is also where the legal distinction between ‘strictly necessary’ and ‘unnecessary’ cookies first appears.

Surprisingly, the GDPR refers to cookies only once, stating that because cookies can identify users, they count as personal data and are thus subject to the terms of the GDPR.

Despite limited mention of cookies, the GDPR’s language actually gives the concept of cookie consent more strength–in that it requires that companies obtain “unambiguous” consent for data collection. Intersoft Consulting offers a concise summary of how GDPR approaches consent:

Consent must be freely given, specific, informed and unambiguous. […] The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.

A lack of unambiguous consent, through the use of dark patterns (i.e. intentionally concealed or misleading consent options), led to massive fines for Facebook and Google in January 2022.

Cookie consent for CCPA

CCPA is an opt-out consent regime, meaning a site may place cookies without a user having previously agreed. However, there must be a clear option for opting out–often found as a “Do not sell my information” link in a website’s footer menu.

Ultimately, California’s privacy laws do not explicitly require consent for cookies. That said, implementing a consent manager, as well as a comprehensive privacy policy, can check some important boxes under both the CCPA and the California Online Privacy Protection Act (CalOPPA).

Consent managers, like cookie banners, can help businesses comply with the CCPA’s opt-out requirement by providing an upfront way to say ‘No’ to the sale of personal data.

Lesser known than the CCPA, CalOPPA is another California privacy law that creates guidelines around cookies. It’s important to note, though, that CalOPPA also does not require cookie consent.

Rather, CalOPPA requires that businesses include, in their privacy policy, language around whether a site is using tracking cookies and how they respond to “Do not track” requests. Businesses are not required to respond to these requests, but they must state whether or not they do.

This said, many organizations under California privacy laws still choose to employ cookie banners to mitigate the risks associated with targeted advertising from third parties, as this is an activity that can potentially be considered as selling personal data.

Learn more about the differences between CCPA and CalOPPA with these resources:

CalOPPA and CCPA: A quick guide for online businesses

CCPA versus CalOPPA

Questions to consider for cookie compliance

When it comes to cookie consent (and really any privacy compliance measure), asking the right questions can save a lot of time, effort, and worry down the road. In the context of cookie consent, here are some important questions to consider:

  • What types of cookies are we using and why?

  • Are they strictly necessary?

  • Are we obtaining consent for unessential cookies?

  • Is there information on our cookie use in our company’s privacy policy?

  • Are there processes in place that can be used to audit our cookie use as global privacy regulation continues to shift?

Cookie type matters when it comes to compliance. Remember, a cookie is just a small file that a website leaves in your browser–so that file can serve a variety of purposes.

Cookies can be used to remember login information, cart preferences, time spent on site, pages clicked on, and even where a user goes after leaving a site. Cookies can also be used to transmit all of that data to third parties.

Due to this massive variation in purpose, different cookies are treated differently in the eyes of the law, so understanding the variations is crucial.

Essential vs non-essential cookies

Essential cookies are those that directly impact the core functionality of a site. One example of an essential cookie is one that remembers what’s in a user’s cart, which is instrumental to the core functionality of an e-commerce site. Cookies used merely to improve user experience do not count as essential.

Non-essential cookies are those used for just about everything else, including tracking site usage, remarketing, and personal data collection.

First-party vs third-party cookies

First-party cookies are set directly by the website itself. These cookies help site owners collect and remember log-in information, language preferences, and items in your cart.

Without first-party cookies, a site would be unable to store your login information, meaning you’d have to log in fresh every time you close your browser and then return to the site.

Third-party cookies are set by external domains, meaning they aren’t placed by the website you’re currently visiting. Targeted advertising is the most common use case for third-party cookies, which is why you’ll often immediately start seeing ads for a product you recently browsed.

Cookie banners are one of the most common forms of consent management, often popping up immediately after users enter a site.

These pop-up cookie banners can include information on why the cookie is being placed and what data is being processed. They also give users a few options in terms of how to proceed: accept all, reject all, or update your preferences (i.e. choose which cookies to accept/reject).

One common gripe with the EU’s regulatory stance on cookies is that cookie banners can throttle a site’s performance and provide poor user experience.

However, companies can choose to make the process simple by providing a clear option for one-click cookie rejection, or opting for a lightweight cookie banner that offers more flexibility in terms of its style and placement.

How to implement cookie consent that won’t drive away your users

The way you implement cookie consent affects both compliance and user experience. We’ve all arrived on a site only to be bombarded by an unclear cookie banner and endless pop-ups.

This level of interruption throttles site speed and degrades a user’s experience, lowering the chances that the user will ever return. So setting up cookie consent in a way that ensures compliance, while maintaining good user experience, is crucial.

1. Find a lightweight, flexible consent manager

Implementing a consent manager with a lightweight script is essential for maintaining ideal load-speed across your website. Site speed is not just a vanity metric, it directly impacts the way users interact with your pages. In fact, according to Akamai:

A two-second delay in page speed can increase bounce rates by 103%.

Outside of maintaining site speed, you also want to find a consent manager that offers flexible options in terms of styling, content, and placement. Every website is styled and organized differently, so you need a cookie consent manager that:

  • can be matched to your branding

  • allows for bespoke content that can be tailored to regulatory requirements

  • can be placed in the least intrusive spot possible

2. Use clear language and provide clear options

Modern privacy laws take clear language, upfront options, and overall ease of use very seriously–so don’t try to play games with your cookie banner, or it could end up costing you later (quite literally).

  1. Clarify the purpose of your banner upfront. Make it clear that this banner is how users can adjust their cookie preferences, and that this isn’t an advertisement.

  2. Include clear “Accept all” and “Reject all” buttons. Several companies in the past year have been dinged by regulators for only including an “Accept all” button–making users click several menus deeper in order to reject cookie placement.

  3. Don’t pre-check consent boxes under a GDPR regime hoping a user will simply close out. This can be considered a dark pattern, which can also result in fines.

  4. Provide granular consent options. Often found after clicking the “change my preferences” button, this is where a user can choose what cookies they want to accept. Maybe they are OK with you collecting data about how they use your site, but aren’t OK with you passing that data to a third party. By giving users the option to choose what tracking they’ll allow, you increase the possibility they’ll consent to cookies that are still helpful to your business.
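The four points above amount to a small state machine: non-essential categories start off under an opt-in regime, nothing is pre-checked, "Accept all" and "Reject all" are one click each, and the preferences panel toggles categories individually. The example below is added here and is not Transcend's code; it models that state, the gate a tag loader consults before setting a non-essential cookie, and the first-party cookie that records the decision (the cookie name and the three category names are assumptions).

```javascript
// Added example (not Transcend's code): a minimal consent-state model behind a cookie
// banner, with the gate scripts must pass before setting a non-essential cookie.
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed category names
const CONSENT_COOKIE = "cookie_consent"; // assumed first-party cookie name

// GDPR/ePD is opt-in: non-essential categories start off and nothing is pre-checked.
// CCPA is opt-out: cookies may be set by default, but "Do not sell" must stay available.
function defaultPreferences(regime) {
  const optIn = regime === "gdpr";
  return { necessary: true, analytics: !optIn, marketing: !optIn, decided: false };
}

function acceptAll(prefs) {
  return { ...prefs, analytics: true, marketing: true, decided: true };
}
function rejectAll(prefs) {
  return { ...prefs, analytics: false, marketing: false, decided: true };
}
// Granular update from the "change my preferences" panel; "necessary" cannot be toggled
// and unknown category names are ignored rather than stored.
function updatePreferences(prefs, choices) {
  const next = { ...prefs, decided: true };
  for (const [cat, allowed] of Object.entries(choices)) {
    if (cat !== "necessary" && CATEGORIES.includes(cat)) next[cat] = allowed === true;
  }
  return next;
}
// The gate every tag loader consults: strictly necessary always passes, anything else
// only if that category is currently allowed.
function canSet(prefs, category) {
  return category === "necessary" || prefs[category] === true;
}

// Persist the decision in a first-party cookie so the banner is not shown on every visit.
function toConsentCookie(prefs) {
  const value = encodeURIComponent(JSON.stringify({ v: 1, ...prefs }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
}
// Read it back from a document.cookie-style string; null if absent or malformed, so a
// tampered or truncated record falls back to the regime default rather than "allowed".
function parseConsentCookie(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join("=")));
      return parsed.v === 1 && parsed.necessary === true ? parsed : null;
    } catch { return null; }
  }
  return null;
}
```

In a real banner the loader calls `canSet(prefs, "marketing")` before injecting an ad tag, and re-reads the stored record on every page view so a later "Reject all" actually stops the tag from loading.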

3. Place your banner carefully

When it comes to banner placement, user experience is the name of the game. You’re looking for a spot that will be readily accessible, but will also be the least disruptive while a user is browsing.

Don’t use your cookie banner to block users from your site (i.e. making it so large they can’t browse without closing out, or are forced to click ‘Accept’). This is illegal under GDPR and could land you in trouble. More than that, it’s extremely disruptive to users and may permanently drive them away.

In an ideal world, you would opt for a consent manager that doesn’t require home page placement. If you don’t start tracking users and collecting data immediately upon entrance to your site, why bombard them the moment they arrive?

Flexible placement options can be one of your biggest assets in terms of maintaining good UX throughout the cookie consent process.


About Transcend

Our mission is to make it simple for companies to give their users control of their data by encoding privacy across their tech stack.

Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent with Transcend Consent, or seamlessly generate Records of Processing Activity (ROPA) for GDPR compliance with Data Mapping.

Looking to evaluate your current privacy program and discover any hidden costs? Explore our privacy request cost calculator.


San Francisco, California Copyright © 2023 Transcend, Inc.