Cookie Consent Compliance

Cookie Consent Compliance: Frequently Asked Questions

Below are answers to some of the most popular cookie consent questions that we’ve received from customers.

What is cookie consent?

Cookie Consent is designed to provide website visitors with choice and control over their consent to use cookies and other tracking technologies when visiting websites. The capability is delivered using cookie consent code and is required as part of compliance with the ePrivacy directive, GDPR, the forthcoming ePrivacy Regulation and other privacy regulations.

What is a cookie consent banner?

The cookie consent banner (aka cookie consent bar or cookie popup) appears at the top of a website and notifies visitors, via a cookie consent message, about the use of cookies.

What is a GDPR compliant cookie consent solution?

In order to be compliant with GDPR (also referred to as DSGVO or RGPD), a website should:

  • Inform the user how their personal data is being used prior to storing it on the device (by displaying cookie consent text).
  • Enable consent to use cookies via an explicit affirmative action.
  • Be able to prove that consent has occurred.
  • Provide a means for the withdrawal of consent and guarantee via prior blocking that no tracking is performed before consent is obtained.
  • State the category of each cookie on the website.

Website operators can consider using the TrustArc Cookie Consent Manager to support GDPR requirements around cookie consent.

What are "just in time" notices?

One well-recognized privacy transparency best practice is telling people, at the time that personal information is collected from them (whether online, via a mobile device, over the phone, or in a public place), what personal information is collected and how it will be used and shared. The U.S. Federal Trade Commission (FTC) has described these as just in time notices, also known as "contextual notice" or "point of contact notice."

Do I need a GDPR compliant cookie consent solution if I only use Google analytics on my website?

Per the Google Analytics support website, “When using Google Analytics Advertising Features, you must also comply with the European Union User Consent Policy.”

If you have enabled Advertising features in Google Analytics, then consent from the EU citizen is a requirement.

What is a website tracker?

Website trackers collect information about which websites you're visiting, as well as information about your devices. Although cookies and other types of trackers have a number of positive aspects, such as remembering logins and letting users resume where they left off in a previous session, they can be invasive. In addition to cookies, other types of website trackers include web beacons, server logs and browser fingerprinting. Website operators can conduct a "cookie audit" to identify tracking technologies on websites by using the TrustArc Website Monitoring Manager.

How do cookies and other website trackers affect privacy compliance?

Under GDPR, “all EU member states must treat cookies and other technical identifiers as personal data.” Website owners and operators must explicitly educate users on how they plan to use their personal data (aka cookie consent), on an opt-in basis. Also, organizations cannot restrict website usability or services based on whether or not consent was granted.

What is a Tag Management System?

A tag management system, offered by vendors such as Adobe, Tealium, Signal, Ensighten, Google and others, is designed to help manage the lifecycle of website trackers. When integrated with products like the TrustArc Cookie Consent Manager, tag management systems can support the strictest level of cookie consent, a "zero-cookie load". This means that cookies and other personal data processing actions are held back from loading on your website until the data subject's consent has been obtained.

What is the GDPR?

The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a European Union (EU) law that deals with data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.

How does the GDPR define personal data?

General Data Protection Regulation (GDPR) is designed to protect “natural persons” visiting websites “with regard to the processing of personal data and on the free movement of such data.” The GDPR has significantly broadened the concept of “personal data” for privacy purposes, including technical identifiers, location data, IP address, photos and other information that directly or indirectly can identify a distinct person, regardless of context.

What does the GDPR say about cookies and online tracking?

Per GDPR, the setting of tracking cookies can only occur once the user has provided their consent.

What does the GDPR say about cookies opt in and opt out?

GDPR Article 4(11) is clear about opt-in consent. Specifically, it defines consent as: "any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed; …Silence, pre-ticked boxes or inactivity should therefore not constitute consent."

Opt-out is implied in the regulation. If the user does not explicitly opt in, they are opting out.

What is a GDPR compliant cookie policy?

In order to be compliant with GDPR, a website should:

  • Inform the user how their personal data is being used prior to storing it on the device.
  • Enable consent to use cookies via an explicit affirmative action.
  • Be able to prove that consent has occurred.
  • Provide a means for the withdrawal of consent and guarantee via prior blocking that no tracking is performed before consent is obtained.
  • State the category and purpose of each cookie on the website.
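The prior-blocking and proof-of-consent items in this checklist, together with the "zero-cookie load" described under tag management above, can be enforced with a small consent gate in the page. The following is an added example in plain JavaScript, not TrustArc's code or its Cookie Consent Manager; the category names, the audit log shape and the `evidence` object passed by the banner are assumptions for illustration.

```javascript
// Added example (not TrustArc code): a prior-blocking consent gate that
// enforces the checklist above. Every tag is registered under a cookie
// category; non-essential categories start blocked, and a loader only runs
// after an explicit grant. Each grant/withdrawal is appended to an audit log
// so the operator can prove when and to what the visitor consented.
const CATEGORIES = ["necessary", "functional", "analytics", "advertising"]; // assumed names

function createConsentGate(now = () => new Date().toISOString()) {
  const granted = new Set(["necessary"]); // strictly necessary needs no consent
  const pending = new Map();              // category -> loaders held back
  const loaded = [];                      // categories whose tags have run
  const auditLog = [];                    // proof of consent / withdrawal

  function registerTag(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    if (granted.has(category)) { loader(); loaded.push(category); return; }
    if (!pending.has(category)) pending.set(category, []);
    pending.get(category).push(loader);   // blocked until consent
  }

  // Only the categories the visitor affirmatively ticked are granted;
  // anything omitted stays blocked (silence or inactivity is not consent).
  function grant(categories, evidence) {
    const applied = [];
    for (const c of categories) {
      if (!CATEGORIES.includes(c) || c === "necessary") continue;
      granted.add(c);
      applied.push(c);
      for (const loader of pending.get(c) || []) { loader(); loaded.push(c); }
      pending.delete(c);
    }
    auditLog.push({ action: "grant", categories: applied, evidence, at: now() });
    return applied;
  }

  // Withdrawal must be as easy as giving consent: later tags in this category
  // are held back again, and the change is recorded.
  function withdraw(category, evidence) {
    if (category === "necessary" || !granted.has(category)) return false;
    granted.delete(category);
    auditLog.push({ action: "withdraw", categories: [category], evidence, at: now() });
    return true;
  }

  const isAllowed = (category) => granted.has(category);
  return { registerTag, grant, withdraw, isAllowed, loaded, auditLog };
}
```

In a real deployment the banner's "accept" handler calls `grant` and the preferences page calls `withdraw`, while the audit log is persisted server-side; the `evidence` object is where the banner version and the exact user action would be recorded.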

What is the ePrivacy regulation?

Regulation on Privacy and Electronic Communications ("ePrivacy Regulation") has been proposed by the European Commission to replace the current ePrivacy Directive. The new ePrivacy Regulation would be effective in all EU Member States upon finalization and will not require separate implementing legislation by each EU member state. It is anticipated that the ePrivacy Regulation may come into effect in 2019.

What is the difference between the ePrivacy Regulation and the GDPR?

ePrivacy Regulation will apply to any entity that processes electronic communications data and any provider of electronic communications services ("ECS"). "Electronic communications data" includes information concerning the end-user processed for the purpose of transmitting, distributing, or enabling the exchange of content, as well as information regarding content transmitted or exchanged. ECS would include email, internet access services, SMS, VoIP, Internet of Things devices and public and semi-private Wi-Fi “hotspots”, among other things.

ePrivacy differs from GDPR in the following ways:

Specifically focused on electronic communications

While the GDPR is the general regulation for personal data stored or used by a company, ePrivacy is a law specifically governing electronic communications. So, when a data privacy issue is raised regarding communications, ePrivacy will be used by regulators for enforcement. The two laws are meant to complement one another.

Includes non-personal data

GDPR is entirely focused on the protection of personal data. The ePrivacy Regulation is more expansive in its definition of data protection, as it is focused more broadly on the confidentiality of communications, "which may also contain non-personal data and data related to a legal person," the proposal states.

Derived from different areas of EU law

The GDPR is based on Article 8 of the European Charter of Human Rights which says: "Everyone has the right to respect for his private and family life, his home and his correspondence" - i.e., a data subject has rights and is informed about what processing is being carried out on his or her personal data.

ePrivacy reflects Article 7 of the Charter of Fundamental Rights, which states: "Everyone has the right to respect for his or her private and family life, home and communications." - i.e., the data subject is aware of and can make choices in the context of communications that impact him or her. Also, the user may be either an individual or legal entity (vs. an individual-only with GDPR).

What is the ePrivacy directive?

The ePrivacy Directive (aka the EU Cookie Law) was issued in 2002, and concerned the processing of personal data and the protection of privacy in the electronic communications sector.

What is the difference between the ePrivacy regulation and the ePrivacy directive?

Regulation on Privacy and Electronic Communications ("ePrivacy Regulation") has been proposed by the European Commission to replace the current ePrivacy Directive. The new ePrivacy Regulation would be effective in all EU Member States upon finalization and will not require separate implementing legislation by each EU member state, as was the case with the ePrivacy Directive. Put another way, regulations are legally binding across the EU, whereas directives are designed to be incorporated into individual countries' laws, leaving open the possibility of different interpretations of the directive.

It is anticipated that the ePrivacy Regulation may come into effect in 2019.

What is the EU cookie law?

The "EU Cookie Law" is another name for EU Directive 2009/136/EC. In it, the European Parliament mandated that all countries within the EU need to establish laws requiring websites to obtain informed consent before they can store or retrieve information on a visitor's device.

TrustArc Solutions

TrustArc Cookie Consent Manager provides a powerful, flexible, proven solution to address cookie compliance under the GDPR, CCPA, ePrivacy, and other regulations. Cookie Consent Manager is hosted on reliable and proven TrustArc technology infrastructure and is used by companies of all sizes around the world. The solution is available in both self service and managed service options to meet a range of customer needs.

TrustArc Website Monitoring Manager scans your websites to identify privacy compliance risks, conduct cookie audits and manage trackers for cookie consent and other compliance requirements.

Cookie Consent Manager and Website Monitoring Manager are part of the TrustArc Platform which provides support for global privacy regulations. The platform is SaaS based and features capabilities to manage data inventory mapping, assessments, risk analysis, cookie and marketing consent, individual rights / DSAR, website scanning, and compliance reporting. Start with the modules needed and expand at any time.

Powerful Technology + Proven Methodology + Deep Expertise

The TrustArc Platform powers all solutions, combining:

  • 9+ years of high scale operating experience
  • 1,000s of successful customer engagements
  • 20+ years of privacy industry experience