Under current GDPR rules, a website that collects personal data, whether that be through the use of cookies or tracking data, must first obtain the visitor's consent before anything else.
Furthermore, that consent must be as easy to withdraw as it was to give, it can't be 'assumed' to have been given, and withheld consent must not prevent access to the website.
Let's talk about Consent Management Platforms!
Don't forget to also check out our blog article on Consent Management and how you should make transparency and consent a pillar of the relationship with your customer.
GDPR arrived on 25 May 2018 and is enforced in the UK by the Information Commissioner's Office (ICO).
It led to a wholesale change in how we deal with our customers' data, and one of the most visible measures for website visitors was the cookie notification bar popping up on many sites.
The cookie notification made you aware that 'cookies' were being used to enhance your experience on that site. However, in most cases your only option was to accept it and, if you were lucky, get some instructions on how to 'switch cookies off' in your browser.
This was all a little vague.
So much so that in May of this year (2020) the European Data Protection Board updated their guidelines on consent under Regulation 2016/679. This update is important as it aims to remove any ambiguity on the official position regarding several aspects of cookie usage.
Among these updates, it was made clear that the EDPB no longer accepts that consent to cookies and data collection is given simply by scrolling on or continuing to use the website. Consent must be explicit, freely given through positive action, and recorded.
To comply with GDPR, there are essentially 7 conditions the consent needs to adhere to:
1. Before anything happens, even before the first cookie is placed, the consent must be received. No data must be collected before opt-in. This means there has to be a technical link between cookie placement and data collection so that when the user does not give consent, this activity can't take place.
2. A visitor to your website must actively agree to the collection of data. A pre-ticked box is not enough, and being deemed to have given consent simply 'by further surfing' is classed as implicit and therefore not valid.
3. The consent must be service- or cookie-specific. In other words, the site visitor must be given the option to discover at a granular level which types of data collection and which 3rd party services they are giving or withdrawing consent for.
4. Consent is only given when the site visitor is aware of all instances of data collection and processing, and has made an informed decision to give consent.
5. Freedom to accept or reject data processing is only true freedom if the user is able to access the site regardless of the choice they make. It is this voluntary nature that is most likely to be narrowly interpreted by the courts. Barring someone from a site because they won't give consent for data processing is unlikely to go down well.
6. According to Art. 7 Par. 1 of the GDPR, where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. So you, as the website owner, are subject to the burden of proof and, in the event of a warning or inspection by the ICO, must be able to provide the complete consent history.
7. The site visitor has to be able to withdraw consent as easily as they provided it, and without justification. 'Easily' means that the mechanism for going back into the consent management platform should not be hard to find.
By far the best way to ensure you are staying on the right side of the privacy laws is to install a Consent Management Platform on your website.
Here at Island Web Design we offer all our clients a CMP by a company called Usercentrics.
Usercentrics is a market leader in the field of Consent Management Platforms and their solutions are very reasonably priced. Check their pricing here.
That said, Island Web Design is pleased to be able to offer all its clients the Standard Package completely FREE OF CHARGE and offer a heavy discount on their Business package. Check the details below:
£FREE
£25
The CMP works as follows:
All Rights Reserved | Island Web Design
Designed & hosted with
by Island Web Design