How to get your website GDPR compliant in six steps
1. Get user consent before setting any kind of cookie other than necessary cookies.
Before setting cookies on a visitor's device, you need the visitor's consent (prior consent). Cookies need to be categorized, labeled, and set only after consent has been given. You can automate this process by using automatic cookie control.
2. Make sure checkboxes are not pre-checked
Cookie categories that don't handle personal data may be pre-checked. Cookies that do must be actively opted into by the user to be compliant. Necessary cookies cannot be unchecked, because they are whitelisted and are needed for the website to function properly.
On Tuesday 1 October 2019, the Court of Justice of the EU (CJEU) stated in the Planet49 ruling:
Pre-ticked boxes do not constitute valid consent
The initial action in the Planet49 case was started by a German consumer rights group. They stated that consent obtained through the use of pre-ticked boxes did not meet German legal requirements.
The case was first considered by the competent German court (Landgericht). It ruled that the mechanisms used to obtain the participants' consent did not satisfy the requirements of German law. Planet49 then appealed to the German Higher Regional Court (Oberlandesgericht), which held that the federation's plea for an injunction was unfounded, since participants would realize that they could simply deselect the tick in the checkbox. However, the German Federal Court of Justice (Bundesgerichtshof) had doubts about the validity of the consent and information provided by Planet49, and therefore asked the CJEU for a preliminary ruling.
The CJEU reiterated that valid consent requires an unambiguous indication of the individual's wishes, given either by a statement or by a clear affirmative action. The pre-ticked checkbox used by Planet49 therefore did not meet the standard required for valid consent, under both the General Data Protection Regulation and the ePrivacy Directive.
3. Your website must remain accessible while the visitor makes their consent choices (no cookie wall)
Cookie walls deny visitors entry to a website unless they give full consent to all cookies.
4. Make sure the given consent can be easily changed or withdrawn.
Give your website visitor the option to change or withdraw consent. This option can be presented in your footer, or as part of your cookie declaration page.
5. Register given consent
GDPR requires you to register all consent your visitors have given you to set tracking cookies on their devices. According to the EDPB (European Data Protection Board), website owners may do this in any way they please, but you need to be able to present this log in case of an audit.
Please make sure your log contains the following:
- Who? E.g. by logging the IP address.
- When? By logging the date and time.
- What? By logging the consent given (and for which category of cookies).
6. Inform your visitors about the cookies set by your website
Make sure to inform your website visitors about all cookies set by your website by publishing a cookie declaration. Information about cookies should be accurate and specific: list each cookie with its origin, duration and purpose description.
Categorize your cookies (necessary, preferences, statistics and marketing) and give each one a purpose description.
Once a month, Cookiebot performs an automated cookie audit: it scans your website for cookies and generates a cookie declaration. The declaration is available to your website users as part of the consent dialog's details pane, and you can also publish it as a separate cookie declaration page.
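To make the rules in the six steps concrete, here is an added example (not code from the article or from Cookiebot) of a minimal browser-side consent model: it keeps every category except necessary cookies opted out until the visitor explicitly opts in, gates tags by category so nothing but necessary scripts run before a decision, and writes a who/when/what log entry for every decision and withdrawal. The category names come from the article; the function names, the tag-list format and the sample IP address and dates are assumptions.

```javascript
// Added example, not from the original article. Category names follow the
// article (necessary, preferences, statistics, marketing); all other names,
// the tag descriptor format and the sample values are assumptions.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Initial state shown in the consent dialog: nothing but "necessary" is
// opted in, so no box that touches personal data is pre-ticked (Planet49).
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Build the consent state from the visitor's explicit choices. Only a literal
// `true` opts a category in (a clear affirmative action); "necessary" cannot
// be switched off because the site would not work without it.
function consentFromChoices(choices) {
  const state = defaultConsent();
  for (const cat of CATEGORIES.slice(1)) {
    state[cat] = choices[cat] === true;
  }
  return state;
}

// May a script or cookie of this category run / be set right now?
// Unknown categories fail closed rather than defaulting to "allowed".
function mayRun(state, category) {
  if (!CATEGORIES.includes(category)) return false;
  return state[category] === true;
}

// Filter the site's tag list ({ src, category } entries) down to the tags
// that may load under the current state; the page would then inject only
// these. Before any decision, only necessary tags pass.
function loadable(tags, state) {
  return tags.filter((t) => mayRun(state, t.category));
}

// Append a who/when/what entry to the consent log. The log is in memory here
// because the article leaves the storage format to the site owner; `who` is
// whatever identifier the site uses, e.g. the visitor's IP address.
function logConsent(log, who, when, state) {
  const entry = { who, when: when.toISOString(), what: { ...state } };
  return [...log, entry];
}

// Withdrawal (step 4) is recorded as a new decision back to the default
// state, so the log shows when consent ended as well as when it was given.
function withdrawConsent(log, who, when) {
  return logConsent(log, who, when, defaultConsent());
}
```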
The cookie declaration shows the user’s current consent state and offers the user the option to change or withdraw consent.
Have a look at the automated Cookie Declaration that Cookiebot generates.