Cookie usage and its related consent acquisition and management are governed by the ePrivacy Directive 2002/58/EC (or Cookie Law). It was established to put guidelines and expectations in place for electronic privacy, including email marketing and cookie usage, and still applies today. You can think of the Cookie Law as currently working alongside the GDPR.
Update May 2020: The European Data Protection Board (EDPB) has updated their guidelines specifically related to recommended consent collection mechanisms. More on that here.
The Cookie Law requires users’ informed consent before storing cookies on a user’s device and/or tracking them. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must:
Here are some of the most common questions regarding cookie consent management and their answers.
The process of collecting cookie consent includes clearly and explicitly informing the user of the cookies you run on your site, their purposes, the user’s right to grant or refuse consent, and how they can exercise that right.
The cookie consent must be informed, explicit and given via an unambiguous opt-in action.
Specifically, you must:
No, the Cookie Law does not require that you list and name individual cookies. However, you are required to clearly state their categories and purpose.
This decision by the Authority is likely deliberate: requiring this would mean that individual website/app owners would have to constantly monitor every single third-party cookie, looking for changes that are outside of their control. This would be both unreasonable and likely unhelpful to the average user.
Active consent refers to consent that is based on the user being clearly and sufficiently informed of the purpose, categories and use of the cookies being used by your website, and that is indicated by an explicit affirmative action.
Subject to the local authority, these active behaviors may include continued browsing, clicking, scrolling the page or some method that requires the user to actively proceed.
This is somewhat left up to your discretion: according to the general guidelines, no specific mechanism (e.g. checkboxes) is mentioned as mandatory, provided that your method facilitates active consent. However, it’s worth noting here that because the ePrivacy is, in fact, a Directive, the specifics of how requirements should be met are heavily dependent on individual Member State law.
For this reason, we give you the option to easily enable or disable the Cookie Solution’s “scroll to consent” feature should the particular Member State law require it.
💡 You can read more about active consent here.
The Cookie Law itself does not require that records of consent be kept, but instead indicates that you should be able to prove that consent occurred, even if that consent has been withdrawn. However, it’s important to note that some EU Data Protection Authorities, in alignment with the GDPR, now require that records of consent – rather than simply proof – be kept. If this applies to your particular situation, you will need to maintain valid records of consent.
💡 You can read more about records vs proofs here.
Here’s an example of how cookie consent should be collected:
Our cookie management solution makes it easy to comply with the Cookie Law, allowing you to:
The Cookie Solution allows you to collect consent via multiple mechanisms including continued browsing, scrolling, and/or specific clicking actions. Keep in mind, though, that allowed consenting actions may differ depending on the Member State law.