Some reasons you may not be compliant
We recently shared cookie compliance advice for Irish organisations: how to comply, and five reasons to get compliant. Some organisations, however, assume they are compliant when they are not, and others are not compliant simply because they have not got around to implementing a compliant approach. Are you one of the organisations that assumes it is compliant? Here are some things to look out for.
- You are relying on implicit consent. You tell people that they agree by using the service or by continuing to browse your website. That is not consent according to the GDPR standard, which is the standard that applies to consent for cookies. Not acceptable! Consent needs to be freely given, specific, informed and unambiguous, and it requires a clear, affirmative action on the part of the user. Silence, pre-ticked boxes and simply carrying on browsing do not count.
Example of implicit consent
Example of explicit consent
- You only have one button! OK, so you have a button that the user can click to accept cookies, but it is the only button. What is more, the button does nothing, because more than likely you have already set the cookies in the user's browser before they clicked anything. That's not consent! You need to hold your fire for everything except strictly necessary cookies (we will get to them). Get the user's consent, clearly and affirmatively, and only then set the cookie.
- You are nudging people towards accepting cookies. So, you have given your cookie banner a face-lift and you now have more than one button. But hold on, the Accept cookies button is TEN TIMES the size of the Reject button (which you have displayed in a colour-and-contrast arrangement that has been scientifically proven to be the combination the user is least likely to click). Regulators are wise to this. Equal prominence needs to be given to the consent and refuse options.
- It is not easy for users to withdraw their consent. Some users who went looking for a way to withdraw their consent for cookies are still wandering the outer reaches of your website navigation, missing, presumed dead. It must be as easy to withdraw consent as it is to give it. That means you need to record consent (what was agreed to, when, and by which action), so that you can act on a withdrawal and remove the cookies that were set on the strength of it. It also means the preference management interface must stay within easy reach, should users wish to adjust their preferences.
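The three points above describe one mechanism: hold back everything that is not strictly necessary, set it only after an affirmative click, record that click, and make withdrawal a single step that also cleans up. The following is an added example of that mechanism in plain JavaScript; it is not code from the original post or from any consent vendor. `CookieJar` stands in for `document.cookie` so that the example runs offline in Node, and `ConsentManager`, the category names and the cookie names in the walkthrough are all hypothetical.

```javascript
// Added example (not from the original post): a consent-gated cookie layer.
// CookieJar stands in for document.cookie so this runs offline in Node;
// ConsentManager and the category names are hypothetical.

class CookieJar {
  constructor() { this.store = new Map(); }
  // maxAge in seconds; undefined means a session cookie
  set(name, value, maxAge) { this.store.set(name, { value, maxAge }); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()].sort(); }
}

const OPTIONAL = ['analytics', 'marketing'];   // everything that is not 'necessary'

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    this.record = null;     // stays null until the user clicks Accept/Reject/Save
    this.deferred = [];     // non-essential cookies held back pending consent
    this.owner = new Map(); // cookie name -> category, so withdrawal can clean up
  }

  // No record means no consent: "continuing to browse" never grants anything.
  allows(category) {
    if (category === 'necessary') return true;
    return this.record !== null && this.record.granted.includes(category);
  }

  // Returns true if the cookie was set now, false if it is being held back.
  setCookie(name, value, category, maxAge) {
    if (category !== 'necessary' && !OPTIONAL.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    this.owner.set(name, category);
    if (!this.allows(category)) {
      this.deferred.push({ name, value, maxAge });   // hold fire
      return false;
    }
    this.jar.set(name, value, maxAge);
    return true;
  }

  // Called only from a banner button. `action` records which button was used,
  // so the stored record shows an affirmative act rather than an inferred one.
  decide(action, categories) {
    const granted = action === 'reject' ? [] : categories.filter(c => OPTIONAL.includes(c));
    this.record = { action, granted, at: new Date().toISOString() };
    // fire whatever was deferred and is now permitted; keep holding the rest
    const stillHeld = [];
    for (const c of this.deferred) {
      if (this.allows(this.owner.get(c.name))) this.jar.set(c.name, c.value, c.maxAge);
      else stillHeld.push(c);
    }
    this.deferred = stillHeld;
  }

  // Withdrawal is one call: drop the record and delete every cookie that was
  // set on the strength of it. Strictly necessary cookies stay.
  withdraw() {
    this.record = null;
    for (const [name, category] of this.owner) {
      if (category !== 'necessary') this.jar.remove(name);
    }
  }

  // What a preferences panel would display.
  status() {
    return { consented: this.record !== null, granted: this.record ? [...this.record.granted] : [] };
  }
}

// Walk through a page load, a "Save preferences" click, and a later withdrawal.
// Cookie names and values are constructed for the example.
function walkthrough() {
  const jar = new CookieJar();
  const cm = new ConsentManager(jar);
  const beforeConsent = [
    cm.setCookie('session_id', 'abc', 'necessary'),                    // fires immediately
    cm.setCookie('_ga', 'GA1.2.1', 'analytics', 60 * 60 * 24 * 365),   // held back
    cm.setCookie('ad_id', 'xyz', 'marketing', 60 * 60 * 24 * 365),     // held back
  ];
  const namesBefore = jar.names();
  cm.decide('save', ['analytics']);        // user ticked analytics only
  const namesAfterSave = jar.names();      // _ga fires, ad_id stays held
  cm.withdraw();
  const namesAfterWithdraw = jar.names();  // only the necessary cookie remains
  return { beforeConsent, namesBefore, namesAfterSave, namesAfterWithdraw, status: cm.status() };
}
```

Two design points: the absence of a record is treated as a refusal, so a banner that is dismissed or ignored grants nothing; and the manager remembers which category each cookie belongs to, so withdrawal can delete exactly the cookies that consent permitted rather than relying on a separate clean-up list that drifts out of date.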
Other reasons you may not be compliant
- You are not being consistent. The cookies you list in your notice are one thing; the cookies you actually set, and the tracking you actually do, are another entirely. It is really easy for the DPC to check this with nothing more than a browser's developer tools. Why risk it?
- You have a very broad definition of "strictly necessary". Some organisations think that what counts as a "strictly necessary cookie" is subjective, in other words that it means whatever they think is strictly necessary. Not so. These are cookies without which you simply cannot deliver the service the user asked for. In practice, strictly necessary cookies are likely to expire at the end of the user's session. If yours don't, they are probably not strictly necessary!
- You have outlandish cookie expiration dates. We all expect to live longer thanks to the wonders of science, and everyone knows that when you get a customer you should try to keep them. But what genuine value is there in the ability to remarket to me for the next century? Not to mention the fact that you seem to think I will be browsing your site in 2120 using my 102-year-old laptop? Cookie lifespans should be proportional to their use! Use your common sense and keep them as short as possible.
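The three checks above (declared list versus cookies actually set, "strictly necessary" cookies that outlive the session, and lifetimes that are out of all proportion) can be run by the same audit the DPC could run. The following is an added example, not code from the original post: it parses observed `Set-Cookie` headers and compares them with a declared cookie list. The declared list, the headers and the 400-day ceiling are all constructed for the example; the ceiling is a hypothetical policy value, not a figure from the post or from the DPC.

```javascript
// Added example (not from the original post): audit observed Set-Cookie
// headers against a site's declared cookie list. Inputs and the 400-day
// ceiling are constructed/hypothetical.

// Parse one Set-Cookie header into { name, lifetimeSeconds }.
// lifetimeSeconds is null for a session cookie. Per RFC 6265, Max-Age takes
// precedence over Expires when both are present. `now` is the Date against
// which an Expires attribute is measured.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const name = pair.slice(0, pair.indexOf('=')).trim();
  let maxAge = null, expires = null;
  for (const a of attrs) {
    const eq = a.indexOf('=');
    const key = (eq === -1 ? a : a.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : a.slice(eq + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = Number(val);
    else if (key === 'expires') {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) expires = Math.round((t - now.getTime()) / 1000);
    }
  }
  return { name, lifetimeSeconds: maxAge !== null ? maxAge : expires };
}

const DAY = 86400;

// declared: [{ name, category }] as published in the cookie notice.
// headers: Set-Cookie headers observed while loading the site.
// Returns one finding per problem, in the order the cookies were seen.
function auditCookies(declared, headers, now, maxLifetimeDays = 400) {
  const declaredByName = new Map(declared.map(d => [d.name, d.category]));
  const observed = headers.map(h => parseSetCookie(h, now));
  const observedNames = new Set(observed.map(o => o.name));
  const findings = [];
  for (const o of observed) {
    const category = declaredByName.get(o.name);
    if (category === undefined) {             // set but never listed
      findings.push({ name: o.name, issue: 'undeclared' });
      continue;
    }
    const persistent = o.lifetimeSeconds !== null && o.lifetimeSeconds > 0;
    if (category === 'necessary' && persistent) {
      findings.push({ name: o.name, issue: 'necessary-but-persistent' });
    }
    if (persistent && o.lifetimeSeconds > maxLifetimeDays * DAY) {
      findings.push({ name: o.name, issue: 'lifetime-exceeds-ceiling',
                      days: Math.round(o.lifetimeSeconds / DAY) });
    }
  }
  for (const d of declared) {                  // listed but never set
    if (!observedNames.has(d.name)) findings.push({ name: d.name, issue: 'declared-but-not-set' });
  }
  return findings;
}

// Constructed sample data: a notice listing five cookies, and five headers
// captured from a page load on 1 Aug 2020.
const NOW = new Date('2020-08-01T00:00:00Z');
const DECLARED = [
  { name: 'sessionid', category: 'necessary' },
  { name: 'csrftoken', category: 'necessary' },
  { name: '_ga',       category: 'analytics' },
  { name: 'remarket',  category: 'marketing' },
  { name: 'pref_lang', category: 'functional' },
];
const OBSERVED_HEADERS = [
  'sessionid=9f3a; Path=/; HttpOnly; Secure; SameSite=Lax',        // session cookie: fine
  'csrftoken=77bc; Max-Age=31536000; Path=/; Secure',              // "necessary" yet lives a year
  '_ga=GA1.2.1; Expires=Mon, 01 Aug 2022 00:00:00 GMT; Path=/',    // two years
  '_fbp=fb.1.1; Max-Age=7776000; Path=/',                          // never declared
  'remarket=1; Expires=Thu, 01 Aug 2120 00:00:00 GMT; Path=/',     // a century
];

function runAudit() { return auditCookies(DECLARED, OBSERVED_HEADERS, NOW); }
```

In real use the headers come from a proxy or the browser's network log for a fresh profile that has not clicked anything on the banner; anything that appears there other than declared strictly necessary cookies is a consent problem before it is a documentation problem.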
Are you looking for advice on compliance? The deadline is fast approaching so contact us today.
Watch the recording of our joint webinar with OneTrust and download the deck here.