Dutch DPA: mass violation of GDPR
1. Get user consent before setting any kind of cookies other than the strictly necessary.
Before setting any kind of cookie other than the strictly necessary on the visitor's device, you need the visitor's consent (prior consent). You need to categorize all your cookies, label them and make sure they are not loaded before consent has been given. You can automate this process by using automatic cookie-control.
2. Make sure checkboxes are not pre-checked
Cookie categories that don’t handle personal data may be pre-checked, whereas those that do, must be actively opted into by the user to be compliant. Necessary cookies cannot be unchecked, because they are whitelisted and are necessary for the website to function properly.
On Tuesday 1 October 2019 the Court of Justice of the EU stated in the Planet49 ruling:
Pre-ticked boxes do not constitute valid consent
The initial action in the Planet49 case was brought by a German consumer rights group on the basis that the consent obtained through the use of pre-ticked boxes did not meet German legal requirements.
The case was first considered by the German competent court of lower instance (Landgericht), which ruled that the mechanisms used to obtain the participant’s consent did not satisfy the requirements of German law. Planet49 then appealed to the German Higher Regional Court (Oberlandesgericht), which held that the Federation’s plea for an injunction was unfounded as the participants would realise that they could simply deselect the tick in the checkbox. However, the German Federal Court of Justice (Bundesgerichtshof) had doubts about the validity of the consent and the information provided by Planet49, so it decided to ask the CJEU for a preliminary ruling.
Unsurprisingly, the CJEU reiterated that for the consent to be valid it requires an unambiguous indication of the individual’s wishes by either a statement or a clear affirmative action. Therefore, the pre-ticked box used by Planet49 did not meet the standards required for valid consent (under both the General Data Protection Regulation and the ePrivacy Directive) as there was no active action taken by the participant.
3. Your website must be accessible during the consent choices (aka NO cookiewall)
In essence, a cookie wall is a particular kind of cookie consent banner that might look like the benign ones you normally see on the Internet, only a cookie wall leaves no option for the user to select or de-select certain categories of cookies, like marketing cookies that typically harbor myriads of private data trackers from ad tech companies.
Cookie walls work by denying entrance to a website for users unless they give full consent to all cookies.
4. Make sure the given consent can be easily changed or withdrawn.
The user has access to their state of consent on the website and can at any time change their mind about the consent and choose to withdraw it. In other words: make sure it is just as easy to give the consent as it is to withdraw it.
5. Register given consent
GDPR states you have to register all consent your visitors have given you to set tracking cookies on their devices. According to the EDPB (European Data Protection Board) website owners are allowed to do this in any way they please as long as they register and maintain this log (and can use this in case of an audit).
Please make sure your log contains the following:
- Who? E.g. by logging the IP address.
- When? By logging date and time.
- What? By logging the consent given (and for which category of cookies).
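The points above (prior consent per category, no pre-ticked boxes, easy withdrawal, and a who/when/what log) can be enforced in one place. The following is an added example, not code from this page or from Cookiebot; the class, function and cookie names are hypothetical and the cookie inventory is constructed.

```javascript
// Added example: consent state plus an append-only consent log.
// All names here are hypothetical, not from any consent product.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Initial banner state: only strictly necessary is on; nothing else is pre-ticked.
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
}

class ConsentStore {
  constructor() {
    this.log = [];            // audit trail: who / when / what
    this.current = new Map(); // visitor -> latest choices
  }

  // Record a choice the visitor actively made (give, change or withdraw).
  record(visitor, choices, when = new Date()) {
    const what = defaultChoices();
    for (const c of CATEGORIES) {
      // Only an explicit boolean true counts as opt-in; "necessary" stays locked on.
      if (c !== "necessary") what[c] = choices[c] === true;
    }
    this.log.push(Object.freeze({ who: visitor, when: when.toISOString(), what }));
    this.current.set(visitor, what);
    return what;
  }

  // Withdrawing is a single call, as easy as giving consent, and is logged too.
  withdraw(visitor, when = new Date()) {
    return this.record(visitor, {}, when);
  }

  // Gate: a cookie or script in this category may load only after consent.
  mayLoad(visitor, category) {
    if (category === "necessary") return true;
    const choices = this.current.get(visitor);
    return Boolean(choices && choices[category] === true);
  }
}

// Constructed sample cookie inventory, one cookie per category.
const COOKIES = [
  { name: "session_id", category: "necessary" },
  { name: "ui_lang", category: "preferences" },
  { name: "stats_id", category: "statistics" },
  { name: "ad_id", category: "marketing" },
];

function cookiesToSet(store, visitor) {
  return COOKIES.filter((c) => store.mayLoad(visitor, c.category)).map((c) => c.name);
}
```

Because `record` always appends, the log keeps the history of changes and withdrawals rather than only the latest state.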
6. Inform your visitors about the cookies set by your website
Make sure to inform your website visitors about all cookies set by your site by publishing a cookie policy. This information about the cookies should be accurate and specific, and should be presented in clear and plain language, all requirements of the GDPR. List the cookies with origin, duration and purpose descriptions.
Categorize your cookies (necessary, preferences, statistics and marketing) and provide them with a purpose description.
Once a month Cookiebot will perform an automated cookie audit by scanning your website for cookies and generate a cookie declaration with descriptions on every cookie found on your website. The declaration is available to your website users as part of the consent dialog's details pane and as a separate cookie report.