The topic of GDPR cookie rules can be quite complex, which is why we are breaking it down for you in this guide. All you need to do is follow the checklist below.
GDPR: An introduction
The landscape of EU data protection across the continent is built upon these “indivisible, universal values,” and is essentially made up of two different EU privacy laws: the ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR).
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU-wide regulation that controls how companies and other organizations handle personal data.
What is the EU ePrivacy Directive (ePD)?
The ePrivacy Directive is an older piece of legislation – a directive that requires each EU member state to pass corresponding national laws. It came into effect in 2002 and was amended in 2009. The ePrivacy Directive was created to harmonize the national protections of the fundamental rights and freedoms of the peoples of Europe, in particular the right to privacy and confidentiality, as well as the free movement of data.
What is personal data under GDPR?
Personal data is any information that relates, or can in any way be related, to an identified or identifiable living person (known in the law as a “data subject”). Examples include:
- Home addresses
- Identification card numbers (such as social security, passport etc.)
- Location data (such as geolocation through a phone)
- IP addresses
- Search and browser history
- Health-related and biometric data
- Ethnic information
- Political convictions
- Religious beliefs
- Sexual orientation
Who is required to comply with the GDPR?
The GDPR has an extra-territorial scope, which means that it applies to any domain in the world, so long as it has visitors from the EU. Any website is required under the EU’s General Data Protection Regulation (GDPR) to let users inside the European Union/EEA control the activation of cookies and trackers that collect their personal data.
How can my website become compliant with the GDPR?
Under the EU’s GDPR, cookies on your website that are not strictly necessary and that process personal data from individuals inside the EU may only be activated after the end-user has given consent. That means any cookie on your website that is not strictly necessary and processes personal data must be kept deactivated until the end-user accepts its activation.
GDPR: A Cookiebot CMP checklist
The checklist is not intended as legal advice - if in doubt about GDPR compliance in general, seek advice from a trusted legal source or your national Data Protection Authority. A list of all national Data Protection Authorities in the EU can be found here.
Step 1: Add your domain
- Log into the Cookiebot Manager and navigate to the Domains tab.
- Enter the domain name (without the https:// part, for example: domain.com)
Step 2: Configure your banner type
In order to make sure the banner and consent method used on your website is GDPR compliant, you can follow the steps in this guide: Using a GDPR compliant banner
Geo location settings (optional)
If you want to target visitors from specific countries or regions in the world, Cookiebot CMP can determine in real time which country the individual user comes from, and display the consent banner only to visitors from the selected countries and regions. For all other visitors your website will function unchanged. You can limit the banner to EU users only. See: Display the cookie consent banner to EU users only.
Step 3: Configure your Privacy trigger
Withdrawing consent should be as easy as giving it. You can also simply enable the Privacy trigger on your website and have this option easily and visibly available to your users at all times: The Cookiebot CMP Privacy trigger.
Step 4: Configure your Cookie Declaration
Step 5: Get your scripts
- Navigate to the "Your scripts" pane
- Choose the correct blocking mode you want to use: automatic cookie blocking or manual cookie blocking.*
- Follow the instructions to insert your banner and cookie declaration on your website.
If you intend to implement Cookiebot CMP by other means than manually adding the script(s) to your template, please refer to our implementation section in the Help Center.
*Under GDPR, you must obtain consent from your website users before you set any cookies that contain personal data, other than those that are strictly necessary for the website to function. This means you have to hold back all cookies and online trackers containing personal data that are not strictly necessary until the user agrees to them by giving appropriate consent. And if the user does not want their personal data to be used that way and does not give consent, you need to keep holding back everything but strictly necessary cookies.
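The hold-back rule in the footnote above, as an added illustration that is not Cookiebot's own code: a hypothetical minimal consent gate in which every tag is labelled with the category it needs, only "necessary" tags run before a choice is made, and withdrawal returns the site to that initial state. The tag ids and category names are constructed for the example.

```javascript
// Hypothetical consent gate illustrating the GDPR hold-back rule.
// Not Cookiebot's code; category names and tag ids are constructed.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Constructed sample: the tags a site would carry, each labelled with the
// consent category it needs. In a real page these would be script tags kept
// in a non-executing state until the gate activates them.
const TAGS = [
  { id: "session-cookie-setter", category: "necessary" },
  { id: "language-preference", category: "preferences" },
  { id: "analytics-tracker", category: "statistics" },
  { id: "ad-pixel", category: "marketing" },
];

// State before the user has answered the banner: nothing but strictly
// necessary tags is allowed to run.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Turn the user's choice into a full consent record. Unknown categories are
// rejected rather than silently granted; "necessary" can never be refused.
function normaliseConsent(choice) {
  const consent = defaultConsent();
  for (const [cat, granted] of Object.entries(choice || {})) {
    if (!CATEGORIES.includes(cat)) throw new Error(`unknown category: ${cat}`);
    consent[cat] = granted === true;
  }
  consent.necessary = true;
  return consent;
}

// Ids of the tags permitted to run under the given choice. Anything that is
// not explicitly granted stays held back, which is the GDPR default.
function activatedTags(choice, tags = TAGS) {
  const consent = normaliseConsent(choice);
  return tags.filter((t) => consent[t.category] === true).map((t) => t.id);
}

// Withdrawal must be as easy as giving consent: the result is the same set
// of tags as before any choice was made.
function withdrawConsent(tags = TAGS) {
  return activatedTags(defaultConsent(), tags);
}
```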
Step 6: Check your scan report
Any issues with blocking cookies will also be highlighted in your monthly scan report. We advise checking the scan report each month for the following three issues:
Step 7: Share information about who the data controller is and about the DPO
What is required?
The Article 29 Data Protection Working Party (WP29) has issued Guidelines on transparency under Regulation 2016/679 (wp260rev.01). According to these guidelines, and Article 13 of the GDPR, it should be clear to the website user - at the time the user is asked for consent regarding the use of their personal data - who the data controller is and how the data controller can be contacted. Most often, the data controller will be the company behind the website.
If the company makes use of a representative, this information should also be included. If the company has a Data Protection Officer (DPO), this fact and the DPO's contact information should also be included.
How can I implement it?
Include a sentence in the banner text that points users to where this information can be found, for example (in English: "Learn more about who we are, how you can contact us and how we process personal data in our Privacy Policy."):
- Danish (DA): "Få mere at vide om, hvem vi er, hvordan du kan kontakte os, og hvordan vi behandler persondata i vores Privatlivspolitik."
- German (DE): "Erfahren Sie in unserer Datenschutzrichtlinie mehr darüber, wer wir sind, wie Sie uns kontaktieren können und wie wir personenbezogene Daten verarbeiten."
- French (FR): "En savoir plus sur qui nous sommes, comment vous pouvez nous contacter et comment nous traitons les données personnelles veuillez voir notre Politique confidentialité."
- Italian (IT): "Scopra di più su chi siamo, come può contattarci e come trattiamo i dati personali nella nostra Informativa sulla privacy."
- Spanish (ES): "Obtenga más información sobre quiénes somos, cómo puede contactarnos y cómo procesamos los datos personales en nuestra Política de privacidad."
Please note that if you have enabled Cross-domain Consent Sharing on multiple domains, then the same banner text will be displayed on all the domains. It may therefore be necessary to include multiple links to the different places where the relevant information about the data controller(s), representatives (if relevant) and DPOs (if relevant) can be found.