What if my company is not in the EU?
GDPR aims to protect the personal data of EU citizens and residents. Therefore GDPR applies if your companies are outside the EU and collects data from EU residents visiting your company's website. Unless you manage to block access to your website from EU users, you have to collect and store valid consent to comply with GDPR.
What if my website does not set cookies?
If your website does not set any cookies, you are not collecting any personal data from your users. In this case, you do not need to collect consent. However, this rarely applies, and unless your website only uses "technical necessary" cookies, you would need a consent solution to collect valid consent from your users.
Does my website need to hold back all cookies before consent?
Yes. It is not allowed to set any non-necessary cookies before consent. For that reason, cookies need to be blocked before a user gives consent.
Which pop-up designs are compliant?
To live up to the new guidelines from the danish DPA (Datatilsynet), you will have to choose one of the following templates: Overlay v2 or Overlay v3. You can preview them here. "Overlay V2" is the most updated consent pop-up design version, fitted for the most strict interpretation of the regulations and laws covering cookie consents on websites. It also complies with the latest availability standards.
What does GDPR say about cookies?
GDPR does not directly mention cookies or websites but talks about personal data processing. Since most cookies collect personal data for processing, their use is subject to the GDPR.
GDPR specifies the need for informed consent: consent must be given by a clear affirmative act establishing a;
...indication of the data subject's agreement to the processing of personal data relating to the user.
Is my website cookie compliant?
To be compliant, you need to pass the following six tests:
Do you have a consent/cookie pop-up?
Is it possible to decline cookies?
Does your website block cookies until the user gives consent?
Is it possible to change consent?
Do you have a complete list of data processors?
*If you fail one or more of the above, you are not compliant with GDPR and ePrivacy.
Do I have to have two buttons on the pop-up (accept & decline)?
Yes. GDPR stays that consent must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous agreement to the processing of personal data. A free choice implies the ability to choose 'yes' or 'no' to cookies collecting personal data, which is reflected in the 'accept' or 'decline button.
Where does Cookie Information store data?
Cookie Information stores consent data in the servers hosted by Microsoft Azure.
Where are Cookie Information's servers?
Cookie Information's servers are stored in The Netherlands, EU.
What sub-processors does Cookie Information use?
None. A sub-processor is any other business or contractor that the personal data of users may go through. We do not collect or store any personal data to run and provide our services.
Can my website still track users?
Yes, if you asked for valid consent from your users and they accepted cookies.
No, when a user declines cookies on your website, all non-technical necessary cookies should be held back. That would result in you not collecting any personal data so that you are compliant with GDPR.
Data transfers to the US are no longer valid under the Privacy Shield - Schrems II ruling.
16/07/2020, the Court of Justice of the European Union (CJEU) has ruled to invalidate the Privacy Shield agreement.
This ruling means that all transfers of personal data to the US that before relying on Privacy Shield are non-compliant.
There has not been given any grace period, but we will not expect any immediate action. However, from this point, data controllers will need to find another legal basis for the transfer.
Secondly, the CJEU validated the use of standard contractual clauses (SCC), which is one of the other ways data controllers can obtain a legal basis for data transfers.
The above, however, gives data controllers additional work and, in some cases, a false sense of security as this requires the data controller to assess data protection levels of the transfer to the US.
What are the next steps?
Find out what cookies share data outside of the EU.
Data controllers must assess and see if the vendor in the US maintains a level of protection that is essentially equivalent to the one guaranteed by the GDPR. In a country for which the CJEU has assessed that the data protection levels are not adequate.
Once you found them, contact the cookie vendors and ask them to switch to SCC use.
It would be beneficial for data controllers to seek the options of SCC, as this can be a valid and more straightforward task for your legal team.
If not standard contractual clauses, then what
If SCCs are not possible, here are the following approaches:
The data processer stops the data transfer and lets the data stay within the EU.
The data controller collects consent from the end-user to transfer the data to the US
The data controller stops the data transfer by switching to another vendor.
How can Cookie Information help
Cookie Information gives to overview of the website's data transfer. By accessing the compliance dashboard, you can monitor data transfer for your website. Looking at the data provided by the compliance dashboard will be the stepping stone for anyone who wants to deal with the situation outlined above.
Easily visualize to what countries cookies on all of your domains send data and locate potential privacy risks. The Compliance Dashboard updates daily and gives you an accurate insight into your website's cookies.
If you are already a client and are curious about obtaining the professional compliance dashboard, please write to us at firstname.lastname@example.org.
Google's EU user consent policy
Google has published an updated EU user consent policy which includes strict and prompt suspension of Google accounts due to non-compliance.
Google started enforcing the new policy on May 11, 2022, and we see audits being carried in scale.
Following services are subject to Google's EU user consent policy
Google Ad Manager
YouTube API Services