The necessary information to be provided to a user includes the cookies used and their purposes, whether any third-party cookies are to be used, the expiry date of each cookie, and information about how to accept all, some or no cookies and how to change preferences in the future.
One of the important changes concerns consent. Cookie policies must meet the standard required by the GDPR, which defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement or by a clear affirmative action signifies agreement to the processing of personal data relating to him or her.”
This requirement means that consent mechanisms such as (a) stating that by continuing to use the website, the user will have consented to cookies, (b) relying on pre-existing browser settings, (c) using a pre-ticked consent box or (d) relying on silence or inactivity, will not be valid.
Similarly, the use of a cookie wall – which bans access to a website until cookies are accepted – does not amount to valid consent. A user must still be able to access the website, even if they do not consent to cookies (but you can, of course, say that functionality may be affected if certain cookies are not accepted).
It is important to note that the consent to the placement of cookies must be obtained before the cookie is placed and before information stored on the user’s device is collected.
Users must be given control over whether they accept non-essential cookies, and such cookies should not be placed on landing pages until the user has consented to them. Any consent mechanism must also include the means by which the user can withdraw consent at any time.
Website owners must be able to demonstrate that consent was given.
Websites should also give the option for users to accept or reject particular types of cookies, rather than all cookies.
• Audit the cookies used on your website and categorise them
• Are they first-party or third-party cookies?
• Are they persistent or session cookies?
• Ensure you have a mechanism for users to change preferences and withdraw consent
• Keep a record of consent (including who consented, when, what information they were given, how they consented and if consent has been withdrawn).