With so much of our lives now happening online, governments around the world are tightening regulations around internet privacy to protect users’ personal data from being stored, used, or sold without their permission.
While these laws and rules all differ by jurisdiction, one of their commonalities is in the treatment of cookies—packets of data stored on a user’s device to remember login credentials, track their behavior, and personalize the web browsing experience.
For businesses doing business in a regulated region, or doing business online with residents of that region, it’s important to comply with these regulations. That includes obtaining consent to use cookies on your website. Failure to do so could leave your business facing negative legal and business consequences.
The following is a quick primer on the basics of cookie consent from our marketing and web experts—but remember that privacy law continues to change, and it’s important to obtain qualified legal advice if you have specific questions about how this information applies to your business.
What Is Cookie Consent?
Cookie consent is the process through which a website asks for explicit permission from a visitor to collect, use, and store their personal data as it relates to their use of that website. The visitor then has the opportunity to reject that request, or approve some or all data collection efforts.
READ: Our primer on GDPR and CCPA data regulations
According to the European Union’s General Data Protection Regulation (GDPR), consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
There are generally three accepted ways to obtain cookie consent from web visitors:
- Browser Prompt: Upon a user’s initial visit to your website, browsers can present them with a prompt, giving them the option to quickly accept or decline cookies. This method ensures that users actively engage in the decision-making process.
- Notice Display: A website can prominently display a notice, such as a banner located in the header or footer, informing visitors about its use of cookies. This notice should also include a link to more comprehensive information, such as your privacy policy.
- Redirect to Cookie Preferences Page: Websites can redirect users to a dedicated page where they can select which types of cookies they wish to permit. This approach empowers users to tailor their cookie preferences, according to their preferences and requirements.
The exact method of cookie consent required depends on the specific law a business is trying to comply with. GDPR is commonly considered to be among the most restrictive set of internet privacy rules, while U.S. privacy laws, such as the California Consumer Privacy Act (CCPA) offer more flexibility for businesses and organizations.
For example, GDPR law requires every website or app owner to obtain content (opt in) for tracking or advertising-related cookies, or block them from running on a user’s personal device. “Strictly necessary cookies,” which do not track or collect personal data but are necessary for your website to function, are exempt from the law’s consent requirement.
California’s CCPA (and other U.S. laws patterned after it) allows website owners to run cookies without consent, but they must inform users through a display or pop-up banner. If your business collects and sells personal data to third parties, it must give users the right to opt out of that collection. You must also obtain explicit opt-in consent if your business collects and uses the personal information of users under 16.
Essential Elements of Cookie Consent
To obtain valid user consent you must first provide disclosures about your data policies, as well as specific options for users to opt in or out of.
Cookie consent must:
- Provide clear and concise information: Explain what cookies are, why you use them, and the types of data your site collects.
- Break down your cookie categories: Session cookies, user-input cookies and authentication cookies are just a few of the cookie types your site might seek consent for.
- Itemize consent options: Provide options beyond just "accept all" or "reject all." Allow users to customize their consent for different cookie categories.
- Avoid pre-checked boxes: Nudging users toward consent is considered non-compliant under some laws.
Does Your Site Need Cookie Consent?
If your website uses cookies to track user behavior and preferences, you should be acquiring customer consent. This includes cookies used for:
- Analytics
- Advertising
- Personalization features
- Social media integrations
- And more
While it may seem easier to simply abandon cookies altogether, the truth is they’ve become a key tool for providing the personalized digital experiences many users now expect online.
Cookies provide a “memory” for when visitors return to specific pages, such as their shopping cart or a login screen. But they can also be used to collect personally identifying information, such as their browsing habits, location and more. This is why governments are increasingly focused on their regulation.
Popular Cookie Consent Tools
Tracking and gathering cookie consent can be a time-consuming process, with potentially big legal and reputational risks if you get it wrong, which is why many businesses are now turning to cookie consent management platforms (CMPs) to streamline the process.
CMPs are specialized platforms and plug-ins that can be added to an existing website or app to handle cookie consent and other data processing activities. They facilitate compliance by asking users for their consent preferences, managing consent records, and ensuring transparency.
Some popular CMP options include:
- Osano Consent Manager: This cloud-based system provides a cookie scanner and consent pop-up tailored for GDPR, CCPA, and LGPD compliance.
- InMobi Choice CMP: A consent and compliance service offered by a cloud platform specializing in consumer sampling and modeling.
- Piwik Pro Consent Manager: This platform offers features like consumer tracking, market analysis, and cookie consent verification to ensure compliance with GDPR, CCPA, and LGPD.
- CookieYes: Known as a straightforward choice, CookieYes integrates with major content management systems to provide straightforward cookie consent.
- Cookiebot: This hosted platform offers cookie consent banners in 46 languages for truly international service.
- TrustArc Cookie Consent Manager: As a hosted service, it adjusts to the visitor's location and browser settings for enhanced user experience and compliance.
If your website is powered by WordPress, you can also choose from a menu of free and paid plugin services that will manage cookie consent.
The Dangers of Cookie Consent Non-Compliance
For smaller businesses serving a localized clientele, there is realistically a small risk of legal consequences through privacy laws like GDPR or CCPA. However, as businesses increase in size and begin serving users from different geographies, or even internationally, there can be real dangers to ignoring cookie consent issues.
CCPA violations, for example, can result in civil lawsuits with damages going up to $7,500 per consumer, while GDPR empowers EU data authorities to impose fines of up to $22.1 million, or 4 percent of a company’s worldwide revenue, depending on the specific GDPR provision violated. While GDPR enforcement may seem unlikely outside the EU, large U.S. companies including Marriott and PwC have already been fined for non-compliance.
GDPR, CCPA, and other privacy laws reserve the right to levy financial penalties, but there can also be a hidden cost to collecting consumer data without consent: broken trust. Two-thirds of customers say they will not continue purchasing products or services unless they trust a brand. One way to build that trust is to be transparent in thorough in communicating how you will collect their data.
Cookie Consent Management Is a Must
Gaining detailed consent for cookies on your website is just good business. Proper cookie consent management protects you from fines that could cripple your company. Being transparent and thorough with your data collection policies also builds trust with visitors, the people who will buy your products and services—and that’s the sweetest part of all.
If you need help building a website that is compliant with the laws of your business location and your targeted customers, contact our web design and development experts today.
Need help with cookie compliance?
Our digital experts can help you map out the right solutions for your website.