Cookie Consent Management enables organizations to effectively capture consent before storing cookies and other similar tracking technologies such as beacons, pixels, local storage, and more on data subjects’ devices.
Cookies collect data to identify website users and build their profiles.
This data is then sold on to several third parties, including ad networks, social media companies, and analytics providers.
Most global privacy laws now require the data subject’s consent before installing cookies and similar tracking technologies on their devices.
Cookie Consent under GDPR and e-Privacy Directive
The GDPR and e-Privacy Directive require organizations not to load any non-essential cookies on web pages unless they have a cookie consent banner on their website and data subjects have consented to the use of those cookies.
A GDPR and e-Privacy Directive compliant cookie consent banner must:
Have clear and comprehensive information about cookies:
The cookie consent banner must contain plain and understandable information about the cookies that an organization intends to use. The information must include, at the least:
Information on the general purposes of cookies,
The data subject’s ability to withdraw and change consent along with the method of doing so,
The data controller’s name and identity,
The data processors’ name and identities,
A complete list of recipients or categories of recipients who will obtain personal data through the processing of cookies, and
All relevant information on individual cookie properties.
Data subject’s ability to withdraw and change the consent:
The cookie consent banner must give equal prominence to the accept and reject options. The data subject must be allowed to withdraw or change consent at any time, without any detriment, through a user-friendly and easy mechanism.
Selection and deselection of individual cookies categories:
The cookie consent banner must allow the selection and deselection of respective cookie categories based on their purposes. This requires organizations to have separate opt-ins and opt-outs for different categories of cookies based on their purposes.
No pre-selected checkboxes or cookie walls:
The cookie consent banner must not have pre-selected preferences by default for non-essential cookies. Similarly, an organization must not make access to a service or functionality of a website conditional on the data subject’s consent to the collection and processing of non-essential cookies.
Cookie Consent under CCPA
The CCPA requires organizations to not load any non-essential cookies before displaying relevant information to users about cookies.
A CCPA compliant cookie consent banner must include the following:
Notice of the right to opt-out of the sale of personal data
Under the CCPA, organizations must allow data subjects to opt out of the sale of their personal data via cookies by displaying a clear message and a prominent link titled “Do Not Sell My Personal Information.”
In addition, organizations must allow consumers to opt out of the sale or sharing of personal information and limit the use of their sensitive personal information (under the new law, the California Privacy Rights Act). Therefore, organizations must not load any non-essential cookies before notifying data subjects adequately, providing them an opt-out option, and letting them acknowledge the notification.
Moreover, the CCPA requires organizations to obtain the data subject’s consent to sell personal data belonging to minors. Where an organization has actual knowledge that the data subject is less than 16 years of age, it must rely on explicit opt-in consent for the sale of their personal data: consent from the data subjects themselves if they are at least 13 years of age and less than 16 years of age, and from their parents or guardians if they are less than 13 years of age.
GDPR (opt-in consent regime) and CCPA (opt-out consent regime) are not the only examples of data protection laws that require cookie consent notices. Many countries have drafted their laws based on the framework set up by GDPR and CCPA, and therefore, cookie consent notices are required by most global privacy regulations.
A summary of cookie consent banner requirements under opt-in and opt-out consent regimes.