Ensuring EU GDPR compliant cookie consent on your website

Background

According to Article 5(3) of the European Union ePrivacy Directive, website owners must adequately inform users and obtain their consent before setting cookies or using any other technology that stores or accesses information on the user's device and falls within the scope of the directive.

Prior to 1 October 2019, the EU authorities had not clearly defined what constitutes an acceptable form of consent, and various kinds of cookie consent solutions had emerged. A very common solution has been to set cookies immediately when the user visits the website and simply notify the user of the fact that the website uses cookies.

This is a form of implied consent and is in fact a very problematic approach from a legal perspective, for the following reasons:

  1. Cookies are usually set in the visitor's browser automatically on the first visit to the website, with no possibility of rejecting them. As a result, the user has no way of knowing which providers are going to set cookies, how the cookies are going to be used, or under what terms the user's personal data will be processed.

  2. The cookie notice only informs the user that cookies are used. The only way to reject them while continuing to use the site is to disable cookies altogether in the browser, which is not a viable option from a user experience perspective. In other words, consent is effectively forced.

The lack of clarity around the definition of explicit consent was resolved by the Court of Justice of the European Union in its judgment in Case C-673/17 (Planet49), which stated: "The consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user's terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent." This decision means that consent cannot be implied, forced, or assumed from the user's behaviour (e.g. visiting the site). Instead, the user must be informed about the use of cookies and the terms associated with that use, and must actively accept the use of cookies, for example by ticking a box or pressing an accept button.

Implications to website owners

It is strongly recommended that, if and when a website uses cookies, explicit and informed consent is obtained from the visitor BEFORE any cookies are set. In practice, this is usually done with a consent banner or dialog through which the visitor can either accept the cookies or adjust the cookie preferences. N.Rich recommends using a consent management platform (CMP), such as CookieFirst or CookieBot, which enables compliance in a simple and user-friendly way.

Here are examples of the end-user facing functionality of a CMP, taken from CookieFirst:

  • Cookie consent banner

  • Adjusting cookie settings

  • Reviewing specific cookies

  • Reviewing the cookie policy

Implications to N.Rich setup

When the "legacy" implied consent model is used, there is no way of verifying that an active, informed consent was actually given by the user. This creates a risk that cookies are set unlawfully without consent, which could mean that the data collected cannot be used and, in the worst case, that the website owner is found to have violated the GDPR and fined up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. To avoid such risks, N.Rich recommends the following actions:

  1. Migrate to an informed, explicit cookie consent model by using a consent management platform (CMP) as soon as possible.

  2. While the "legacy" implied consent model is still in use, only the N.Rich Cookieless Tag should be used. This tag does not set cookies, so it can be used without consent from the end user (the exemption relies on the tag neither storing nor reading information on the user's device, so confirm this holds for your deployment). Even with the downsides of the Cookieless Tag, the benefits of account-based marketing (ABM) far outweigh delaying the launch because an explicit consent process is missing. The downside of using only the Cookieless Tag is that N.Rich analytics and optimisation cannot identify an individual user; all data is aggregated at the account level.

  3. After upgrading to a CMP that can record explicit cookie consent, the N.Rich Cookieless Tag should continue to be used until the user explicitly accepts cookies. Once consent has been granted, the N.Rich Standard Tag should be used instead; it takes advantage of cookies and enables optimisation and analytics at the person / cookie level.

How to implement N.Rich tags using a CMP and a Tag Manager

When a CMP is used, it sets a first-party cookie in the user's browser that records the consent state. The Tag Manager can typically read this cookie and use it as the basis of a rule that decides which tag to load. For example:

  • If cookie-consent = 1, fire N.Rich Standard Tag

  • If cookie-consent = 0 or not available, fire N.Rich Cookieless Tag

Since the N.Rich Cookieless Tag does not use cookies, it does not depend on the consent cookie and should be fired outside the scope of the CMP. However, if it is absolutely necessary for technical reasons, the N.Rich Cookieless Tag can also be included within the scope of the CMP in the "Necessary" category. Note that on a visitor's first page view the consent cookie does not exist yet, so the rule should be re-evaluated when the CMP signals that consent has been granted, not only at page load; otherwise the Standard Tag only starts after a reload.

The N.Rich Standard Tag should be placed in the marketing or advertising cookie category within the CMP.
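The following is an added example of the consent-gated loading rule described above, written for this page; it is not code from N.Rich, CookieFirst or any tag manager. It assumes the CMP stores the consent state in a first-party cookie named `cookie-consent` with the literal value `1` for consent (the name and encoding are assumptions; use your CMP's actual cookie), and the two script URLs are placeholders standing in for the real N.Rich tag snippets. The decision fails closed: anything other than an explicit `1` selects the Cookieless Tag, and the Standard Tag is injected at most once, so the same function can be called again when the CMP reports a consent change.

```javascript
// Added example: choose which N.Rich tag to load from the CMP's consent cookie.
// Not N.Rich or CMP code. Cookie name, value encoding and URLs are assumptions.

const CONSENT_COOKIE = 'cookie-consent';   // assumed name; replace with your CMP's cookie
const TAG_URLS = {                          // placeholders, not real N.Rich tag URLs
  standard:   'https://tags.example.invalid/nrich-standard.js',
  cookieless: 'https://tags.example.invalid/nrich-cookieless.js',
};

// Parse a document.cookie / Cookie header string into a name -> value map.
// Splits each pair on the first '=' only, so values that themselves contain '='
// (base64, JSON) survive, and keeps the raw value when percent-decoding fails
// rather than throwing on a malformed cookie.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of String(cookieString || '').split(';')) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    let value = raw;
    try { value = decodeURIComponent(raw); } catch (e) { /* keep raw value */ }
    if (!(name in jar)) jar[name] = value;  // first occurrence wins
  }
  return jar;
}

// Only an explicit "1" counts as consent. A missing cookie, "0", or anything
// unexpected ("true", "yes", garbage) selects the Cookieless Tag: fail closed.
function decideTag(jar) {
  return jar[CONSENT_COOKIE] === '1' ? 'standard' : 'cookieless';
}

// Inject a script at most once per URL; returns true only if it was added now.
// A no-op outside a browser so the decision logic stays testable in Node.
const loaded = new Set();
function injectScript(url) {
  if (loaded.has(url) || typeof document === 'undefined') return false;
  loaded.add(url);
  const s = document.createElement('script');
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
  return true;
}

// Evaluate the current cookie string and load the matching tag. Safe to call
// repeatedly: run it on page load and again whenever the CMP reports a consent
// change, so the Standard Tag starts on the visit where consent was given.
// Revoked consent cannot unload a tag that is already running in the page.
function applyConsent(cookieString) {
  const tag = decideTag(parseCookies(cookieString));
  const loadedNow = injectScript(TAG_URLS[tag]);
  return { tag, loadedNow };
}

if (typeof document !== 'undefined') {
  applyConsent(document.cookie);
  // Hypothetical event name: replace with the consent-change hook your CMP exposes.
  window.addEventListener('cmp-consent-changed', () => applyConsent(document.cookie));
}
```

In a tag manager the same rule is usually expressed as a cookie variable plus two triggers (consent equals `1` versus anything else), but the two properties worth carrying over are the ones the code makes explicit: treat every value except the exact consent marker as "no consent", and re-run the rule on the CMP's consent event rather than only at page load.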