Data privacy laws such as Europe’s General Data Privacy Regulation (“GDPR”) have changed the way that companies collect, transfer and store data. Even though GDPR has been in effect for more than two years, a number of myths about cookie usage persist, which can expose companies to the risk of financial penalties for GDPR noncompliance. Companies need to implement compliant consent collection mechanisms (and no, that does not mean using a cookie wall) to ensure they are mitigating those risks. Below we outline some of the existing myths regarding cookie collection (note that the below relates to GDPR compliance, which differs from rules under different data privacy laws such as the California Consumer Privacy Act (“CCPA”), which is an “opt-out” regulation).
Myth 1: I can just assume my website visitors agree to cookie collection.
Fact: GDPR requires explicit, rather than implied, consent. In practice, your users must take a clear and positive action to consent to non-essential cookies, meaning that:
- your website(s) and app(s) must tell visitors clearly what cookies will be set and what they do – including any third-party cookies;
- pre-ticked boxes or any equivalents cannot be used for non-essential cookies;
- your visitors must be able to restrict data collection for individual cookies; and
- non-essential cookies must be set to “off” on landing pages prior to obtaining the visitor’s consent.
Consent is not required for cookies that are defined as “strictly necessary”, meaning those that are essential to providing the service requested by the visitor or for maintaining website functionality. Those that are simply helpful or convenient, but not essential, or that are only essential for your own purposes, will still require explicit consent.
Myth 2: Analytics cookies are important, which makes them strictly necessary, so we do not need consent.
Fact: Analytics cookies can provide you with useful information, and many companies depend on the information they provide to make strategic business decisions. However, they are not part of the functionality that the visitor requests when they use your online service, because the visitor would still be able to access your service if you didn’t have analytics running. They’re non-essential, and you have to gain explicit consent prior to turning on these cookies.
Myth 3: We can use a cookie wall to restrict access to our site and force our users to consent.
Myth 4: We do not need to get consent because we have a legitimate interest to set cookies.
Fact: You may have a legitimate interest in collecting data by setting these cookies; however, consent is always required for non-essential cookies, such as those used for the purposes of marketing and advertising.
Myth 5: Regulators want online services to stop using cookies and similar technologies.
Fact: Regulators are attempting to balance the need for innovation with enforcing people’s legal rights. Cookies and similar technologies are powerful tools that make the online world more efficient, and businesses utilize them to provide their customers with a better experience. Companies aren’t going to stop using cookies any time soon, so they will need to ensure that their cookie usage is in compliance with GDPR (and other global data privacy laws).
Cookie compliance will be an increasing regulatory priority for authorities in the future, and it’s hard for companies of all sizes to keep up. Clym can help! We offer a cost-effective, scalable, easy-to-implement platform that can help get your website compliant with CCPA, GDPR, and other data privacy laws from a global perspective. Contact us today, or book a demo with one of our team members to learn how we can help.