Knowing exactly what you need to meet the basic requirements can be confusing, so here is a stress-free list of the minimum features you need for cookie consent, plus what they mean. Don't forget we can take this task off your hands with our consent packages.
You must show a cookie banner at the user's first visit. The banner must:
- Briefly explain the purpose of the cookies that the site installs
- Clearly state which action will signify consent
- Be sufficiently conspicuous so as to make it noticeable
Above: Cookie Banner as displayed on Motivation Digital's website.
- Indicate the type of the cookies installed - statistical, advertising etc.
- Describe in detail the purpose of installing the cookies
- Indicate all third-parties that install or that could install cookies, with a link to their respective policies, and any opt-out forms (where available)
- Be available in all languages in which the service is provided
Allow the user to provide consent
- Consent to cookies must be informed and explicit and can be provided by a clear affirmative (opt-in) action. Therefore, if you use mechanisms such as checkboxes, they must NOT be pre-checked.
- Subject to the local authority, these active behaviors may include continued browsing, clicking, scrolling the page, or some method that requires the user to actively proceed; this is somewhat left up to your discretion. Some website/app owners may favor a click-to-consent method over scrolling/continued browsing methods as the former is less likely to be performed by user error.
Before consent is granted, no cookies (except for exempt cookies) can be installed
- Blocking cookies before consent:
- In compliance with the general principles of privacy legislation, which prevent processing before consent, the cookie law does not allow the installation of cookies before obtaining user consent. In practice, this means that you may have to employ a form of script blocking prior to user consent.
- ePrivacy is a Directive, so the specifics of how requirements should be met depend heavily on each individual Member State's law
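One way to implement the script blocking described above, as an added example (not code from the original page): a gate that loads only exempt scripts at first visit and releases the rest after an explicit opt-in. The category names, URLs and tag list are constructed for illustration, and treating only "technical" as exempt is an assumption that depends on the applicable Member State law.

```javascript
// Added example: hold back non-exempt scripts until the user opts in.
// Category names, URLs and the exempt set are constructed assumptions.
const EXEMPT_CATEGORIES = new Set(["technical"]); // strictly necessary only

const SAMPLE_TAGS = [ // constructed sample input
  { src: "/js/session.js", category: "technical" },
  { src: "https://analytics.example/a.js", category: "statistical" },
  { src: "https://ads.example/t.js", category: "advertising" },
  { src: "https://widget.example/w.js" }, // uncategorised: stays blocked
];

function createConsentGate(tags, inject = injectScript) {
  const granted = new Set(); // starts empty: nothing is pre-checked
  const loaded = new Set();

  const allowed = (tag) =>
    EXEMPT_CATEGORIES.has(tag.category) || granted.has(tag.category);

  // Inject every allowed tag that has not been loaded yet; return their URLs.
  function release() {
    const ready = tags.filter((t) => allowed(t) && !loaded.has(t.src));
    for (const t of ready) {
      loaded.add(t.src);
      inject(t.src);
    }
    return ready.map((t) => t.src);
  }

  return {
    // Call on page load: only exempt scripts run before consent.
    initialLoad: release,
    // Call only from an explicit opt-in action, e.g. the accept button handler.
    grant(categories) {
      for (const c of categories) if (typeof c === "string") granted.add(c);
      return release();
    },
    blocked: () => tags.filter((t) => !allowed(t)).map((t) => t.src),
  };
}

// In a browser this appends a <script> element; elsewhere it does nothing.
function injectScript(src) {
  if (typeof document === "undefined") return;
  const el = document.createElement("script");
  el.src = src;
  document.head.appendChild(el);
}
```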
Listing Third-Party Cookies
- The directive does not explicitly say you need to list and name individual third-party cookies, but you do need to state what type they are and what their purpose is
"Freely Given" Consent
- Consent must be freely given by the user in order to be deemed valid
- In cases where coercive methods are used, consent is deemed invalid
- There are a few exemptions, where the cookies are necessary to the functionality of the website or the services affected
Exemptions to the consent requirement
- Some cookies are exempt from the consent requirement, so are not subject to preventative blocking - you are still required to inform users of these cookies
- Technical cookies that are strictly necessary for the provision of the service are exempt
- These include preference cookies, session cookies, load balancing
- Statistical Cookies that are managed by you, not third-parties, are exempt as long as they are not used for profiling
- Anonymised Statistical Third-Party Cookies - e.g. Google Analytics