Table of Contents

How Must I Manage Consent to Cookies in Order to Be Compliant?

Cookie usage and it’s related consent acquisition are governed by the ePrivacy Directive 2002/58/EC (or Cookie Law) which was established to put guidelines and expectations in place for electronic privacy, including email marketing and cookie usage, and still applies today; you can think of the ePrivacy Directive as currently working alongside the GDPR in a sense.

The Cookie Law requires users’ informed consent before storing cookies on a user’s device and/or tracking them. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must inform users about your data collection activities and give them the option to choose whether it’s allowed or not; you must obtain informed consent prior to the installation of those cookies.

Here are some of the most common questions regarding cookie-consent management and their answers.

Do I need to list the name of each cookie (including third-party cookies) used on our website?

No, the Cookie Law does not require that you list and name individual cookies. However, you are required to clearly state their categories and purpose.

This decision by the Authority is likely deliberate as to require this would mean that individual website/app owners would have to constantly monitor every single third-party cookie, looking for changes that are outside of their control. This would be both unreasonable and likely unhelpful to the average user.

You can read more about this here or here (for even more in-depth information and legal sources).

Must I provide the mechanism for users to manage their cookies preferences (including withdrawal of consent) directly on my website?

No, the Cookie Law does not require that you provide users with the means to toggle cookie preferences directly on your site/app, only that you visibly provide the option for obtaining informed, active consent, provide a means for the withdrawal of consent and guarantee via prior blocking that no tracking is performed before consent is obtained. This means that the mechanism does not have to be hosted directly by you.

In most cases under member state law, browser settings are considered to be an acceptable means of managing and withdrawing consent (our solution goes a bit further than this by pointing to the browser options, third-party tools and by linking to the third party providers, who are ultimately responsible for managing the opt-out for their own tracking tools).

You can read more about the requirements here.

What constitutes valid “active consent”?

Active consent refers to consent that is based on the user being clearly and sufficiently informed of the purpose, categories and use of the cookies being used by your website, and that is indicated by an explicit affirmative action.

Subject to the local authority, these active behaviors may include continued browsing, clicking, scrolling the page or some method that requires the user to actively proceed.

This is somewhat left up to your discretion as according to the general guidelines no specific mechanism (e.g. checkboxes) is mentioned as mandatory: provided that your method facilitates active consent, however, it’s worth noting here the because the ePrivacy is, in fact, a Directive, the specifics of how requirements should be met are heavily dependant on individual Member State law.

For this reason, we give you the option to easily disable the Cookie Solution’s “scroll to consent” feature should the particular Member State law require it.

You can read more about active consent here.

Do I need to keep records of consent to cookies for each user?

The Cookie Law does not require that records of consent be kept but instead indicates that you should be able to prove that consent occurred — even if that consent has been withdrawn.

The simple way to do this would be to use a cookie solution that employs a prior blocking mechanism as under such circumstances, cookie installing scripts will only be run after consent is attained. In this way, the very fact that scripts were run may be used as sufficient proof of consent.

You can read more about the records here.

See also

Still have questions?

Visit our support forum Email us