9 steps to implementing a compliant cookie banner
Staying up to date with cookie compliance can be hard work. Look away and something has changed, whether it is a regulatory development like the upcoming ePrivacy Regulation, enforcement actions by data protection authorities (DPAs) across Europe, or a digital advertising landscape that is already being redrawn by the phasing out of third-party cookies.
But one thing remains the same: most cookies require user consent. According to the General Data Protection Regulation (GDPR), consent must be freely given, specific, informed and unambiguous. Valid consent also requires an active motion or declaration by the user. All of this impacts the design of a cookie banner.
To bring order to the chaos, Project Moore has created a Cookie Banner Smart Card that contains 9 steps you need to follow to implement a compliant cookie banner.
Step 1: Provide clear & comprehensive information
Tell the user all they need to know about the cookies you use and for what purpose. This needs to be done before cookies are set on the user device. You can sort the cookies by type (e.g. functional, analytical, marketing) as displayed in the Cookie Banner Smart Card, but more flexible categorizations (e.g. basic, personal and complete) are fine too. Whatever you choose, the user must be able to easily understand the consequences of any cookie consent choices made.
Step 2: Remember cookies are more than just cookies
Step 3: Sort out your first- and third-party cookies
It’s important to know which is which. First-party cookies are set by the website (or domain) the user is visiting. Third-party cookies are set by a different website (or domain) than the one the user is visiting. An example of the latter is a Meta Pixel implemented on the website the user is visiting, which transmits information directly to Meta.
Step 4: Find your functional cookies
As we said above, almost all of the time you must ask for user consent before setting cookies. This is not the case, however, for ‘functional’ cookies. These could for example be cookies that are necessary to provide a service the user has requested, like a shopping cart in your web shop, or cookies that enable load balancing or security measures.
Step 5: Check if your analytical cookies require consent
Analytical cookies are used to collect information about how your website is used or to conduct A/B tests. The information collected may help you to improve your websites and your services. Under current Dutch law, no consent is required for analytical cookies as long as they have little or no impact on user privacy. However, due to a lack of harmonization, consent may be required under local law in other EU Member States. If you are using cookies for more advanced analytical purposes – for example, because you are using them in combination with cookies for marketing purposes – you will probably not meet the conditions to use these cookies without user consent.
The most common web measuring tool is Google Analytics. Until recently, under Dutch law no consent was required for this tool, provided it was installed in a privacy-friendly way. However, this will likely change following the Schrems II decision. As a result of this case, DPAs in several countries have now ruled that the use of Google Analytics involves problematic transfers of personal data to the United States. As long as no sufficient data protection measures can be implemented, such data transfers are unlawful and Google Analytics can therefore no longer be used in these countries. This will probably lead to the Dutch DPA (Autoriteit Persoonsgegevens) concluding that such data transfers are unlawful, which would mean that Google Analytics in its current form can no longer be used. Follow us on LinkedIn or subscribe to our newsletter to stay up to date on the latest regulatory developments.
Step 6: Avoid dark patterns
There are several design decisions you can make to obtain valid consent through your banner, but be wary of using dark patterns: interfaces and user experiences that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data. These recently came to light in the guidelines on dark patterns on social media platforms adopted by the European Data Protection Board (EDPB).
Step 7: Don’t use pre-ticked check boxes
Valid consent requires an active action by the user (also known as a positive opt-in). Therefore, you cannot use pre-ticked boxes or any other method of default consent (for more information, see the decision of the European Court of Justice in the Planet49 case about pre-ticked boxes for consent). However, a pre-ticked box is allowed for strictly necessary cookies, as these don’t require user consent.
Step 8: Avoid notice-only approaches and cookie walls
Consent requires an active motion or declaration by the user, which is why you cannot use a notice-only approach, where consent is assumed or implied from the mere use of the website. The user must also have a genuine choice: to consent to the placement of cookies, or to refuse. According to some DPAs, this means that you cannot use cookie walls either.
To what extent these practices will be allowed under the upcoming ePrivacy Regulation is not yet clear. But don’t worry, we’ll let you know of the latest regulatory developments via our LinkedIn page and our newsletter.
Step 9: Make it easy to withdraw consent
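As an added illustration, not part of the Smart Card and not Project Moore’s code, the JavaScript below sketches the consent logic that sits behind steps 3, 4, 7, 8 and 9: a cookie inventory grouped by purpose, a first-/third-party classifier, a consent state in which nothing is pre-ticked, a recording function that only runs on an explicit user action, and a withdrawal path that resets every non-exempt category and lists the cookies that must be cleared. The cookie inventory, the domains and all function names (`classifyCookieOrigin`, `createConsentState`, `recordChoice`, `withdrawConsent`, `isAllowed`, `cookiesToClear`) are constructed for this example.

```javascript
// Added example (not Project Moore's code). Function names, domains and
// the cookie inventory below are assumptions constructed for illustration.

// Steps 1, 3 and 4: an inventory of the cookies the site sets, grouped by
// purpose. The entries are constructed sample data.
const SITE_DOMAIN = 'shop.example';
const COOKIE_INVENTORY = [
  { name: 'cart_id',      domain: 'shop.example',       category: 'functional' },
  { name: 'analytics_id', domain: 'shop.example',       category: 'analytical' },
  { name: 'ad_id',        domain: 'ads-vendor.example', category: 'marketing'  },
];

// Step 4: only strictly necessary cookies may be set without consent.
const EXEMPT_CATEGORIES = new Set(['functional']);

// Step 3: a cookie is first-party when it is set by the visited domain (or a
// subdomain of it); anything else counts as third-party.
function classifyCookieOrigin(cookieDomain, siteDomain = SITE_DOMAIN) {
  const c = cookieDomain.replace(/^\./, '').toLowerCase();
  const s = siteDomain.toLowerCase();
  return (c === s || c.endsWith('.' + s)) ? 'first-party' : 'third-party';
}

// Steps 7 and 8: initial state. Nothing is pre-ticked; every non-exempt
// category starts 'undecided', which isAllowed() treats exactly like 'refused'.
function createConsentState() {
  const choices = {};
  for (const cat of new Set(COOKIE_INVENTORY.map(c => c.category))) {
    choices[cat] = EXEMPT_CATEGORIES.has(cat) ? 'exempt' : 'undecided';
  }
  return { choices, decidedAt: null };
}

// Steps 7 and 8: consent is recorded only from an explicit user action. The
// caller passes the categories the user actively ticked; anything not ticked
// is recorded as refused, never implied from scrolling or continued browsing.
function recordChoice(state, tickedCategories) {
  const next = { choices: { ...state.choices }, decidedAt: Date.now() };
  for (const cat of Object.keys(next.choices)) {
    if (EXEMPT_CATEGORIES.has(cat)) continue;
    next.choices[cat] = tickedCategories.includes(cat) ? 'granted' : 'refused';
  }
  return next;
}

// Step 9: withdrawal is the same one-step action as refusing everything.
function withdrawConsent(state) {
  return recordChoice(state, []);
}

// Gate: may a cookie of this category be set (or its script loaded) right now?
function isAllowed(state, category) {
  const v = state.choices[category];
  return v === 'exempt' || v === 'granted';
}

// After refusal or withdrawal: the cookies that must be deleted.
function cookiesToClear(state) {
  return COOKIE_INVENTORY
    .filter(c => !isAllowed(state, c.category))
    .map(c => c.name);
}
```

The banner’s rendering is left out on purpose: the check boxes would be drawn unchecked straight from `createConsentState`, and `recordChoice` is called only from the button’s click handler, never from a scroll or page-load event, so merely using the site never produces consent. Any tag that sets a non-exempt cookie is loaded only after `isAllowed` returns true for its category, and a “withdraw” control that calls `withdrawConsent` and then deletes the names returned by `cookiesToClear` gives the user the easy withdrawal that step 9 asks for.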
Please do not hesitate to contact us if you have any questions.