GDPR Compliance Means Re-visiting Cookie Consent

Remember the cookie law?  Ticked that box ages ago and not thought about it since?

Well, it is now time to re-evaluate your solution, because the game has changed.   The ePrivacy Directive, which gave us the cookie law, is currently the subject of a public consultation, but that is not really the issue.

The fact is that the GDPR, which is now law but subject to a two-year grace period before enforcement, has already tightened up the rules as well as increased the penalties for getting it wrong.

There may be a while to go yet, and we may see some guidance from regulators, but I think they will have other issues on their collective agendas.  So it is really important to start thinking about the changes you will need to make now, especially for companies that have a lot of websites.

So what does GDPR mean for cookie consent?

Cookies can be personal data. The GDPR explicitly states that online identifiers, even if they are pseudonymous and do not directly identify an individual, are personal data if there is potential for an individual to be identified or singled out.  Any persistent cookie that is unique to the device by virtue of its attributes or stored values fits the criteria for personal data.  That means most cookies, and certainly the most useful ones for site owners. This is why cookie consent is now a matter of GDPR compliance as well as of the existing cookie laws. For more of the details on this argument, see the blog post on the Cookie Law website.

Implied consent is no longer going to be compliant. There are several reasons for this. Mainly it is because the GDPR requires the user to make an ‘affirmative action’ to signal their consent. Simply visiting a site for the first time would not qualify.

Advice to adjust browser settings won’t be enough. The GDPR says it must be as easy to withdraw consent as to give it. Telling people to block cookies if they don’t consent would not meet this criterion: it is both difficult for the user and ineffective against non-cookie based tracking.

‘By using this site, you accept cookies’ statements will not be compliant. If there is no genuine and free choice, then there is no valid consent. People who don’t consent also cannot suffer detriment, which means you have to provide some service to those who don’t accept those terms.

Sites will need an always available opt-out. Even after getting valid consent, there must be a route for people to change their mind.  Again this comes down to the requirement that withdrawing consent must be as easy as giving it.

Soft opt-in is likely the best consent model.  This means giving an opportunity to take action before cookies are set on a first visit to a site.  As long as there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.  Although see above about a persistent opt-out route. This however may not be sufficient for sites that contain health related content, or other sites where the browsing history may reveal sensitive personal data about the visitor.

You need a response to Do Not Track browser requests. A DNT:1 signal is a valid browser setting communicating a visitor preference.  It could also be seen as an exercise of the right to object to profiling.

Consent will need to be specific to different cookie purposes. Sites that use different types of cookies with different processing purposes will need valid consent mechanisms for each purpose.  This means granular levels of control, with separate consents for tracking and analytics cookies for example.
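The last three points (nothing non-essential set before an affirmative choice, a response to DNT:1, and separate consent per purpose) plus the always-available opt-out above can be combined in one small consent gate. The following is an added example, not code from the original post or from any consent product: the class name ConsentManager, the purpose names "analytics" and "tracking", the cookie name cookie_consent and the cookie-jar interface are all assumptions made for the illustration. It treats DNT:1 as an objection to the profiling purpose ("tracking"), which is one reading of the point above, and assumes the single cookie that records the user's choices falls under the strictly-necessary exemption.

```javascript
// Added example (not the page's code): a purpose-level cookie consent gate.
// Non-essential scripts run only after a recorded affirmative "yes" for
// their purpose; silence (first visit, ignored notice) is treated as "no".

const PURPOSES = ["analytics", "tracking"];      // assumed non-essential purposes
const PROFILING_PURPOSES = new Set(["tracking"]); // purposes DNT:1 is read as objecting to
const CONSENT_COOKIE = "cookie_consent";          // assumed name; stores choices only

// Parse "analytics=1;tracking=0" into { analytics: true, tracking: false }.
// Unknown keys and malformed pairs are ignored; a missing key means "no decision yet".
function parseConsent(raw) {
  const consent = {};
  if (!raw) return consent;
  for (const pair of raw.split(";")) {
    const [key, value] = pair.split("=").map((s) => s.trim());
    if (PURPOSES.includes(key) && (value === "1" || value === "0")) {
      consent[key] = value === "1";
    }
  }
  return consent;
}

function serializeConsent(consent) {
  return PURPOSES.filter((p) => p in consent)
    .map((p) => `${p}=${consent[p] ? "1" : "0"}`)
    .join(";");
}

// Minimal cookie jar so the gate runs outside a browser (constructed for this example).
// In a page, wrap document.cookie behind the same get(name)/set(name, value) interface.
class MapJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.get(name); }
  set(name, value) { this.store.set(name, value); }
}

class ConsentManager {
  // jar: { get(name), set(name, value) }; doNotTrack: the browser's DNT value ("1" = do not track)
  constructor(jar, doNotTrack) {
    this.jar = jar;
    this.dnt = doNotTrack === "1";
    this.consent = parseConsent(jar.get(CONSENT_COOKIE));
  }

  // Purposes the visitor has not yet decided on; non-empty means "show the notice".
  pendingDecision() {
    return PURPOSES.filter((p) => !(p in this.consent));
  }

  // True only on a recorded affirmative choice. DNT:1 overrides stored consent
  // for profiling purposes (design assumption: DNT as exercise of the right to object).
  allows(purpose) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (this.dnt && PROFILING_PURPOSES.has(purpose)) return false;
    return this.consent[purpose] === true;
  }

  // Record the visitor's explicit choices, e.g. { analytics: true, tracking: false }.
  grant(choices) {
    for (const p of PURPOSES) {
      if (p in choices) this.consent[p] = choices[p] === true;
    }
    this.jar.set(CONSENT_COOKIE, serializeConsent(this.consent));
  }

  // The always-available opt-out: as easy to withdraw as to give.
  withdraw(purpose) {
    this.grant({ [purpose]: false });
  }

  withdrawAll() {
    const all = {};
    for (const p of PURPOSES) all[p] = false;
    this.grant(all);
  }

  // Gate a loader (e.g. the analytics snippet). Returns whether it ran.
  runIfAllowed(purpose, loader) {
    if (!this.allows(purpose)) return false;
    loader();
    return true;
  }
}

// Walk-through on a constructed first visit: nothing runs until the visitor chooses.
const demoJar = new MapJar();
const demo = new ConsentManager(demoJar, "0");
console.log("pending on first visit:", demo.pendingDecision());
demo.runIfAllowed("analytics", () => console.log("analytics loaded"));   // does not run
demo.grant({ analytics: true, tracking: false });
demo.runIfAllowed("analytics", () => console.log("analytics loaded"));   // runs now
```

Only the consent cookie is written before a choice is made, and each script loader is called through runIfAllowed with its own purpose, so a visitor can accept analytics while refusing tracking and change either choice later from a settings link.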

Most sites right now would fail on many of these criteria.  But you will only need to fail on one of them to risk getting a fine under the GDPR.  It’s time to take action.


One Comment

  1. Pingback: Law and Media Round Up – 4 July 2016 | Inforrm's Blog
