Iubenda logo
Start generating

Documentation

Table of Contents

Cookies and the GDPR: What’s Really Required?

Update May 2020: The European Data Protection Board (EDPB) has updated its guidelines specifically related to recommended consent collection mechanisms. More on that here.

When you think about data law and privacy legislations, cookies easily come to mind as they’re directly related to both. This often leads to the common misconception that the Cookie Law (ePrivacy directive) has been repealed by the General Data Protection Regulation (GDPR), which in fact, it has not. Instead, you can think of the ePrivacy Directive and GDPR as working together and complementing each other.

Manage cookie consent with the Privacy Controls and Cookie Solution

Easy to run, fast and customizable

Generate a cookie banner
  • The Cookie Law was not repealed by the GDPR and still applies.
  • The Cookie Law actually applies not only to cookies but more broadly speaking to any other type of technology that stores or accesses information on a user’s device (e.g. pixels tags, device fingerprinting, unique identifiers etc.). For simplicity, all such technologies, including cookies, are commonly defined as trackers. However, in this guide, the terms cookie(s) and tracker(s) will be used interchangeably.
  • The Cookie Law requires users’ informed consent before storing or accessing information on user’s devices.
  • Consent to cookies must be freely given, specific, informed, and based on an explicit affirmative action; many EU Data Protection Authorities have released guidance on cookies and similar technologies that include advice and recommendations on valid methods to obtain consent.
  • While the Cookie Law does not explicitly require that records of consent be kept, in most cases cookies do process personal data, which is why the record-keeping requirements stemming from the GDPR apply. Hence the vast majority of Data Protection Authorities (also referred to as DPAs) across the EU have aligned their cookie rules to GDPR requirements.
  • The Cookie Law does not require that you list cookies one by one, only that you state their type, usage and purpose.
  • If you use third-party cookies both you and the third-party are responsible for ensuring users are clearly informed and obtaining consent. As part of this obligation, you should always make sure to provide information about any such third-party and link to their respective privacy and/or cookie policies.

The ePrivacy Directive 2002/58/EC (or Cookie Law) was established to put guidelines in place for the protection of electronic privacy, including email marketing and cookie usage, and it still applies today. As mentioned above, you can think of the ePrivacy Directive as currently “complementing” the GDPR in a sense, rather than being repealed by it.

Meet legal cookie requirements the easy way

  • Custom clauses icon

    Create your free cookie banner

  • Webserver module icon

    Manage cookie consent (Google Partner CMP)

  • Clauses icon

    Store your users’ preferences

Try it now

Generate your cookie banner in minutes

Desktop Cookie banner image

Strictly speaking, if you use cookies you need to consider Cookie Law compliance before you look to the GDPR. That’s because the Cookie Law is what is called in legal jargon a “lex specialis” which means that it takes precedence over the GDPR.

Generally, directives set certain agreed-upon goals and guidelines in place with Member States being mandated to implement these directives into national legislation. Regulations, on the other hand, are legally binding across all Member States from the moment they are put into effect and they are enforced according to union-wide established rules.

💡 To learn more about which EU cookie consent rules apply on a per-country basis, check out our Cookie Consent Cheatsheet here.

With that said, the ePrivacy Directive is, in fact, going to be repealed soon by the ePrivacy Regulation. The ePrivacy Regulation is expected to be finalized in the near future and will work alongside the GDPR to regulate the requirements for the use of cookies, electronic communications, and related data/privacy protection.

The Cookie Law actually applies not only to cookies but more broadly speaking to any other type of technology that stores or accesses information on a user’s device (e.g. pixels tags, device fingerprinting, unique identifiers, etc.). For simplicity, all such technologies, including cookies, are commonly defined as trackers*.

Moreover, the Cookie Law is, so to speak, technology-neutral, which means that it covers not only website and browser environment but also other types of technology, including apps on smartphones, tablets, smart TVs, or other devices.

*However, in this guide, the terms cookie(s) and tracker(s) will be used interchangeably.

The Cookie Law requires users’ informed consent before storing or accessing information on user’s devices.

This means that if you use cookies you must:

  • inform your users that your site/app (or any third-party service used by your site/app) uses cookies;
  • explain, in a clear and comprehensive manner, how cookies work and what you use them for;
  • obtain informed consent prior to the storing of those cookies on the user’s device.

In practice, you’ll need to show a cookie banner (also called cookie notice) upon the user’s first visit, implement a cookie policy and allow the user to provide consent – unless your website uses solely exempt cookies, which is highly unlikely. Prior to consent, no cookies — except for those exempt — should run or be installed.

You’ll need to show a cookie banner upon the user’s first visit, implement a cookie policy and allow the user to provide consent. Prior to consent, no cookies — except for exempt cookies — should be run or installed

The cookie notice must:

  • inform users that your site/app (or any third-party service used by your site/app) uses cookies;
  • clearly state which action will signify consent;
  • be sufficiently conspicuous so as to make it noticeable;
  • link to a cookie policy or make details of cookies’ purposes, usage, and related third-party activities available to the user.

Bear in mind that those mentioned above are basic minimum requirements. Cookie banner content requirements may vary from country to country depending on the respective DPA’s views.

basic cookie banner requirements under the gdpr and eprivacy

The cookie policy must:

  • indicate the type of cookies installed (first-party cookies vs third-party cookies* );
  • indicate all third-parties that install, manage, or access cookies via your site/app, with a link to their respective policies, and any opt-out forms (where available);
  • describe – in detail – the purposes for which cookies are used;
  • be available in all languages in which the service is provided.
💡 What’s the difference between “first-party” and “third-party” cookies?

First-party cookies are those managed directly by you, the owner of the site/app, on the contrary, third-party cookies are managed by third parties and enable services provided by them. Typically, third-party cookies are present when your site/app uses third-party services to incorporate for example images, social media plugins, or advertising.

In compliance with the general principles of privacy legislation, which prevent the processing before consent, the Cookie Law does not allow the storing of information or the accessing to information stored on user devices before obtaining user consent. In practice, this means that you may have to employ a form of script blocking prior to user consent.

Consent to cookies

Consent to cookies freely given, specific, informed, and explicit, which means that it must be provided via a clear affirmative (opt-in) action. Therefore, if you use mechanisms such as checkboxes, they must not be pre-checked.

The Working Party document on the Cookie Law states:

To ensure that a consent mechanism for cookies satisfies the conditions in each Member State such consent mechanism should include each of the main elements specific information, prior consent, indication of wishes expressed by user’s active behaviour and an ability to choose freely.

Many EU Data Protection Authorities have released guidance on cookies and similar technologies that include advice and recommendations on valid methods to obtain consent.

The Italian DPA has updated guidelines on the use of cookies and other trackers. The guidelines were adopted back in June 2021. You can read the summary here.

Caution

The European Data Protection Board (EDPB) has updated their guidelines on consent: Guidelines 05/2020 on consent under Regulation 2016/679. This update is important as it aims to remove any ambiguity on the official position regarding several aspects of cookie usage. Perhaps most significantly, these latest guidelines clearly state that Cookie Walls are prohibited and that the EDPB does not consider consent via scrolling or continued browsing to be valid.

📌To learn more about which EU cookie consent rules apply on a per-country basis, check out our Cookie Consent Cheatsheet here.

In regards to the refusal of consent or opting-out after consent has been given, the law states that users must be “given the possibility” to refuse or withdraw their consent. The Working Party document further elaborates on this point by stating that in regards to withdrawing or refusing consent, you must provide:

  • information on how users can withdraw consent and the action required to do so;
  • a means by which the user can choose to accept or decline cookies.

This means or mechanism may not have to be hosted directly by you. In some cases under member state law, browser settings are considered to be an acceptable means of withdrawing consent.

The particular consent collection mechanisms considered to be valid may vary by member state

Listing cookies one by one (is it actually required?)

In general, the directive does not specifically require that you list cookies one by one. Instead, you are explicitly required to clearly state their type, purpose, and if they are third-party cookies, you must also indicate the third party who is managing them and link to the relevant third-party privacy/cookie policy.

This decision by the Authority is likely deliberate, as to require listing cookies one by one would mean that individual website/app owners would bear the burden of constantly watching over every single third-party cookie, looking for changes that are outside of their control; this would be largely unreasonable, inefficient and likely unhelpful to users.

To further expand on this point, here’s an excerpt from the ICO’s Cookie Guide:

It could be an option to provide long lists of all cookies implemented, but for most users a broader explanation of the way cookies operate and of the categories of cookies used will be helpful. A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function.

This sentiment is even further elaborated upon by the Italian Data Protection Authority (the Garante Privacy) which expressly states:

There are several reasons why it would appear impossible to require a publisher to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by “third parties”.

In the first place, a publisher would be required to always be equipped with the tools and the legal and business skills to take upon himself the obligations of third parties – thus, the publisher would be required to check, from time to time, that what is declared by the third parties corresponds to the purposes they are actually aiming at via their cookies. This is a daunting task because a publisher often has no direct contacts with all the third parties installing cookies via his website, nor does he/she know the logic underlying the respective processing.

Furthermore, it is not seldom the case that licensees step in between a publisher and the said third parties, which makes it ultimately highly difficult for the publisher to keep track of the activities of all the stakeholders.

Secondly, third parties’ cookies might be modified by the third parties with time, and it would prove rather dysfunctional to require publishers to keep track also of these subsequent changes.

Furthermore, one should also consider that publishers – a category including natural persons and SMEs – are often the “weaker” party in this context. Conversely, third parties are usually large companies of substantial economic import that work as a rule with several publishers, so that one publisher may often have to do with a considerable number of third parties.

For all of the above reasons, this DPA is of the opinion that publishers may not be required to include, on the home page of their websites, also the notices relating to the cookies installed by third parties via the publishers’ websites.

You can read more about this here.

The law states that the consent collected must be freely given by the user in order for it to be considered valid. Using coercive methods to obtain consent can make the consent collected invalid. The law does make some concessions (within reason) in cases where the actual ability to provide particular site services is directly affected by the consent or lack thereof.

The Working Party document states:

Websites should not make conditional “general access” to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies.

Therefore, while certain content (within legitimate reason) can be restricted based on cookie preferences, users’ ability to generally access your site must not be coerced or conditional upon their consent.

In this respect, bear in mind that, in their guidelines and recommendations, the EDPB, as well as several EU DPAs, have explicitly prohibited the use of the so-called “cookie walls” based on a “take it or leave it approach” that requires users to necessarily provide their consent to access an online service’s content. Cookie walls are considered invalid since the user has no genuine choice.

Update The Italian DPA (Garante Privacy) stated in its latest Guidelines on cookies and other tracking tools that it currently prohibits the use of the cookie wall unless the website gives the user an equivalent alternative to access the content or services without providing consent to cookies or other tracking mechanisms, which will need to be assessed case-by-case. 

We are following the developments on the matter since the Garante published a press release to say that it’s analysing this solution as implemented by some Italian publishers. 

iubenda will, as always, be following this evolving case and keep you updated with any new decisions.

Exemptions to the consent requirement

The Cookie Law envisages two exemptions to the consent requirement, namely:

  • the communication exemption which applies to cookies and other trackers whose sole purpose is for carrying out the transmission of a communication over a network (e.g. to identify the communication endpoints; to allow data items to be exchanged in their intended order; to detect transmission errors or data loss);

Example: you use a load balancing cookie to distribute network traffic across different servers. The cookie’s sole purpose is identifying one of the servers (i.e. a communication endpoint) and as such, it falls under the communication exemption.

  • the strictly necessary exemption which applies to cookies and other trackers essential to provide an ‘information society service’ (i.e. a service delivered over the internet, such as a site or an app) requested by the user.

Example: your e-commerce site uses a session cookie that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the cookie is necessary for the functioning of the purchasing service that was explicitly requested by the user when they indicate that they would like to add the item to the cart. Similarly, cookies used to remember a user’s language preferences can fall within the necessary exemption.

It’s critical to note that even where these exceptions to the consent requirement apply, you’ll still need to inform the user of your use of cookies and similar technologies via a cookie policy. The banner is not necessarily required in these specific instances if the cookie policy is easily accessible and visible from every page of the site.

Are cookies and other trackers used for analytics purposes likely to meet an exemption?

There is not a straight answer. Indeed, EU Data Protection Authorities have different interpretations on this. For example, according to UK ICO’s guidelines the analytics cookies do not fall within the strictly necessary exemption and consequently always require consent. The Belgian and Irish DPAs have similar opinions. On the contrary, in the French, German, Dutch, and Italian DPAs’ views analytics cookies can fall within the strictly necessary exemption in so far as specific circumstances are met (e.g. they are first-party cookies, opt-out are anonymized, cross-tracking is not enabled). To conclude, you should carefully check what rules apply to analytics cookies in your country of reference.

After having shown the cookie banner at the user’s first visit, you don’t have to repeat showing the banner at every visit of that user. However, you should consider giving users the option to resurface the banner should they need to change their preferences. 

If the user has not given consent or has given consent only for the use of certain cookies, the banner shall not be re-presented except in the following specific cases:

  • when one or more conditions of the processing significantly change, e.g. ‘third parties;
  • when it is impossible for the provider to know whether a technical cookie has already been placed on the user’s device (e.g., when the user deletes cookies);
  • when at least six months have elapsed since the previous presentation of the banner.

There are many reasons why you may need to provide users with the option to withdraw consent. Some Data Protection Authorities require that users have easy access to updating their preferences. For example, the Italian DPA (the Garante) suggests providing an icon always visible during navigation that summarises the user’s choices. For further information on this and to see what other DPAs require, check out our GDPR Cookie Consent Cheatsheet. It’s worth highlighting that this is also a point of focus for privacy NGOs such as Noyb, which requires that users are given a way to withdraw consent. 

Make sure you are giving your users the possibility to reopen your cookie banner by enabling the privacy widget in your Privacy Controls and Cookie Solution.



You should also take into consideration that there are a number of reasons and circumstances that may trigger the need to ask visitors to “reconsent” and consequently resurface the banner.


A practical example is when you are using a new non-exempt third-party cookie. In such a situation you will need to obtain fresh consent since the consent previously gathered from the user would apply only to those third-parties that you declared at the original time of collection.

In order to help you with this requirement, we give you the possibility to easily refresh the consent collection at each cookie policy update.

Note that some EU DPAs have specified what can be considered a reasonable period of time for cookie consent validity (for example according to the French DPA, 6 months is considered a reasonable period of time). Our Privacy Controls and Cookie Solution enables you to easily set this time frame. To learn more about cookie consent validity timelines, see our Cookie Consent Cheatsheet.

Records of consent

While the Cookie Law does not explicitly require that records of consent be kept as cookies do process personal data, GDPR consent-related principles, including those regarding proof of consent, generally apply.

The Cookie and Consent Preference Log is now available in our Privacy Controls and Cookie Solution. Simply integrate this feature with one click, and you can easily store and manage GDPR proofs of your users’ consent.

How iubenda can help you manage cookie consent

 

Our comprehensive cookie management solution simplifies compliance with provisions of the EU Cookie Law. As an IAB verified Consent Management Platform (CMP) our Privacy Controls and Cookie Solution allows you to meet industry standards and pass consent preferences to advertisers in a compliant way.

💡WordPress user? See our EU cookie law plugin
Not using WordPress? Continue reading below

Our solution works for all websites and apps, and allows you to:

  • easily inform users via cookie banner and a dedicated cookie policy page (which is automatically linked to your privacy policy and integrates what’s necessary for Cookie Law compliance);
  • obtain and save cookie consent settings;
  • collect granular, per purpose consent;
  • preventively block scripts prior to consent;
  • apply IAB’s TCF with a single click;
  • store proofs of users’ preferences via the Cookie and Consent Preference Log.

Our Privacy Controls and Cookie Solution adequately informs the user of:

  • potential cookies, their purpose and how they’re used;
  • third-party cookies, their purpose (and directly links to the relevant third-party policies);
  • their (various) options in regards to opting-in/providing consent and opting-out/withdrawing consent;
  • which action will signify consent;
  • how they can manage their cookie preferences.

It gives you further options to:

  • Choose between “with prior consent” (script blocking prior to user consent and reactivation after consent) or “no prior consent” (no prior script blocking); using the “with prior consent” option ensures that before providing consent, the user can open the cookie policy and opt-out of any of the tracking scripts by using the opt-out tools provided by each third party. Remember script blocking prior to consent is required in some regions including the EU.
  • Add explicit “Accept” and “Reject” buttons as required under some member state laws.
  • Customize the location and look of your cookie notice, e.g. changing banner colors to match your website, applying your logo, and custom branding.
  • Keep track of and save consent settings for each user for up to 12 months from the last site visit, as legally required.
  • Easily embed into your site. Choose between directly pasting the embed code into the head section of your site’s pages or using a plugin (currently we have plugins available for WordPress, Joomla!, PrestaShop and Magento).

Manage cookie consent with the Privacy Controls and Cookie Solution

Easy to run, fast and customizable

Generate a cookie banner

FAQs: 

What are cookies?

Cookies are small text files that are stored on a user’s device (such as a computer or smartphone) when they visit a website. These files contain data that helps the website remember information about the user, such as their preferences and browsing history.

What is cookie consent?

Cookie consent refers to the act of obtaining permission from website visitors before placing cookies on their devices. It is a legal requirement in many jurisdictions to obtain explicit consent from users for the use of cookies.

Do I need a cookie policy on my website?

Yes, it is advisable to have a cookie policy on your website if you use cookies. A cookie policy is a document that explains to users how your website uses cookies, what types of cookies are used, and how users can manage their cookie preferences. It helps fulfill legal requirements and provides transparency to your website visitors.

What are the requirements for cookie consent?

The specific requirements for cookie consent may vary depending on the applicable laws in your jurisdiction. However, some common elements of cookie consent include:

  • Obtaining explicit consent from users before placing non-essential cookies.
  • Providing clear and understandable information about the purpose of cookies.
  • Giving users the option to accept or reject cookies, including specific cookie categories.
  • Allowing users to easily change their cookie preferences or withdraw consent at any time.

What are cookie consent popups?

Cookie consent popups are a common method used by websites to obtain user consent for the use of cookies. When a user visits a website for the first time, a popup or banner appears, typically at the bottom or top of the page, informing the user about the use of cookies and giving them options to accept or reject them.

Can you provide examples of cookie consent?

Examples of cookie consent implementation can vary based on design and functionality, but some common examples include:

  • A banner at the top of a website that notifies users about the use of cookies and provides a link to the cookie policy.
  • A popup window that appears when a user lands on a website, giving them options to accept or reject cookies.
  • A cookie consent widget integrated into the website’s footer or sidebar, allowing users to manage their preferences at any time.

See also