Cookie usage and the related acquisition and management of consent are not governed by the GDPR; they are instead governed by the ePrivacy Directive 2002/58/EC (or Cookie Law). The Directive was established to put guidelines and expectations in place for electronic privacy, including email marketing and cookie usage, and still applies today. You can think of the Cookie Law as currently working alongside the GDPR in a sense.
- inform users about your data collection activities;
- give them the option to choose whether it’s allowed or not;
- obtain informed consent prior to the installation of those cookies.
Here are some of the most common questions regarding cookie consent management and their answers.
Do I need to list the name of each cookie (including third-party cookies) used on our website?
No, the Cookie Law does not require that you list and name individual cookies. However, you are required to clearly state their categories and purpose.
This decision by the Authority is likely deliberate: requiring this would mean that individual website/app owners would have to constantly monitor every single third-party cookie, looking for changes that are outside of their control. This would be both unreasonable and likely unhelpful to the average user.
You can read more about this here or here (for even more in-depth information and legal sources).
Must I provide the mechanism for users to manage their cookie preferences (including withdrawal of consent) directly on my website?
No, the Cookie Law does not require that you provide users with the means to toggle cookie preferences directly on your site/app. It requires only that you visibly provide the option for obtaining informed, active consent, provide a means for the withdrawal of consent, and guarantee via prior blocking that no tracking is performed before consent is obtained. This means that the mechanism does not have to be hosted directly by you.
In most cases under Member State law, browser settings are considered to be an acceptable means of managing and withdrawing consent. Our cookie management solution goes a bit further than this by pointing to the browser options and third-party tools, and by linking to the third-party providers, who are ultimately responsible for managing the opt-out for their own tracking tools.
You can read more about the requirements here.
What constitutes valid active consent?
Active consent refers to consent that is based on the user being clearly and sufficiently informed of the purpose, categories and use of the cookies being used by your website, and that is indicated by an explicit affirmative action.
Subject to the local authority, these active behaviors may include continued browsing, clicking, scrolling the page or some method that requires the user to actively proceed.
This is somewhat left up to your discretion: according to the general guidelines, no specific mechanism (e.g. checkboxes) is mentioned as mandatory, provided that your method facilitates active consent. However, it’s worth noting here that because the ePrivacy is, in fact, a Directive, the specifics of how requirements should be met are heavily dependent on individual Member State law.
For this reason, we give you the option to easily disable the Cookie Solution’s “scroll to consent” feature should the particular Member State law require it.
You can read more about active consent here.
Do I need to keep records of consent to cookies for each user?
The Cookie Law does not require that records of consent be kept, but instead indicates that you should be able to prove that consent occurred — even if that consent has been withdrawn.
The simple way to do this would be to use a cookie solution that employs a prior blocking mechanism: under such circumstances, cookie-installing scripts are run only after consent is obtained. In this way, the very fact that scripts were run may be used as sufficient proof of consent.
You can read more about the records here.
How iubenda can help you manage cookie consent
Our cookie management solution makes it easy to comply with the Cookie Law, allowing you to:
- keep track of consent and save consent settings for each user for up to 12 months from the last site visit;
- prove consent to cookies; and
- preventively block scripts prior to consent (with asynchronous activation after the consent is obtained, for a smooth user experience).
The Cookie Solution allows you to collect consent via multiple mechanisms including continued browsing, scrolling, and/or specific clicking actions. Keep in mind, though, that the allowed consenting actions may differ depending on the Member State law.