Documentation
How Must I Manage Cookie Consent in Order to Be Compliant
Cookie usage and its related consent acquisition and management are governed by the ePrivacy Directive 2002/58/EC (or Cookie Law). It was established to put guidelines and expectations in place for electronic privacy, including email marketing and cookie usage, and still applies today. You can think of the Cookie Law as currently working alongside the GDPR.
Update May 2020: The The European Data Protection Board (EDPB) has updated their guidelines specifically related to recommended consent collection mechanisms. More on that here.
The Cookie Law requires users’ informed consent before storing cookies on a user’s device and/or tracking them. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must:
- inform users about your data collection activities;
- give them the option to choose whether it’s allowed or not;
- obtain informed consent prior to the installation of those cookies.
Here are some of the most common questions regarding cookie consent management and their answers.
What should cookie consent include?
The process of collecting cookie consent includes clearly and explicitly informing the user of the cookies you run on your site, their purposes, the user’s right to grant or refuse consent, and how they can exercise that right.
The cookie consent must be informed, explicit and given via an unambiguous opt-in action.
Specifically, you must:
- display a clearly visible cookie banner/ notice at the user’s first visit (you can read what the banner should contain here);
- provide a link in the banner to a more detailed cookie policy;
- block all non-exempt cookies and scripts from being run until after consent is received;
- collect consent via an explicit opt-in action.
Do I need to list the name of each cookie (including third-party cookies) used on our website?
No, the Cookie Law does not require that you list and name individual cookies. However, you are required to clearly state their categories and purpose.
The Cookie Law does not require that you list and name individual cookies. However, you are required to clearly state their categories and purpose.
This decision by the Authority is likely deliberate as to require this would mean that individual website/app owners would have to constantly monitor every single third-party cookie, looking for changes that are outside of their control. This would be both unreasonable and likely unhelpful to the average user.
What constitutes valid active consent?
Active consent refers to consent that is based on the user being clearly and sufficiently informed of the purpose, categories and use of the cookies being used by your website, and that is indicated by an explicit affirmative action.
Subject to the local authority, these active behaviors may include continued browsing, clicking, scrolling the page or some method that requires the user to actively proceed.
This is somewhat left up to your discretion as according to the general guidelines no specific mechanism (e.g. checkboxes) is mentioned as mandatory: provided that your method facilitates active consent, however, it’s worth noting here the because the ePrivacy is, in fact, a Directive, the specifics of how requirements should be met are heavily dependant on individual Member State law.
For this reason, we give you the option to easily enable or disable the Cookie Solution’s “scroll to consent” feature should the particular Member State law require it.
🔍 You can read more about active consent here.
Do I need to keep records of consent to cookies for each user?
The Cookie Law itself does not require that records of consent be kept, but instead indicates that you should be able to prove that consent occurred — even if that consent has been withdrawn. However it’s important to note that some EU Data Protection Authorities in alignment with the GDPR, now require that records of consent – rather than simply proof – be kept. If this applies to your particular situation, you will need to maintain valid records of consent.
🔍 You can read more about records vs proofs here.
Cookie consent example
Here’s an example of how cookie consent should be collected:
How iubenda can help you manage cookie consent
Our cookie management solution makes it easy to comply with the Cookie Law, allowing you to:
- inform users with a cookie banner that links to a comprehensive cookie policy (which is automatically linked to your privacy policy and integrates what’s necessary for Cookie Law compliance) and optional IAB consent management section;
- keep track of consent and save consent settings for each user for up to 12 months from the last site visit;
- prove consent to cookies; and
- preventively block scripts prior to consent (with asynchronous activation after the consent is obtained, for a smooth user experience).
The Cookie Solution allows you to collect consent via multiple mechanisms including continued browsing, scrolling, and/or specific clicking actions. Keep in mind though that allowed consenting actions may differ depending on the Member State law.