GDPR compliant consent management with Cookie Control

The General Data Protection Regulation (GDPR) is the data privacy regulation currently in force in the European Union and the UK. As surprising as this may sound, many website owners or administrators aren’t sure if their Cookie consent tool is GDPR compliant. In this blog post we'll provide a checklist to help you achieve GDPR compliance with CIVIC’s Cookie Control.

Websites must explicitly inform their visitors on why they’re collecting their personal data, how long they'll keep this data for, and which organisations they’ll share the data with. A descriptive summary of this information can be integrated within Cookie Control. However, full descriptions should be detailed in your Privacy Notice for full transparency for your visitors.

Please see below the basics of what you should focus on:

1. Can my website drop cookies before the visitor consents?

Yes, your website can drop cookies before the visitor consents, but these should only be the Necessary ones. The Necessary cookies are the ones needed for your website to function properly: they enable core functionality such as security, network management, and accessibility. Tracking, marketing, analytics or anything else does not belong in this category. Visitors can still disable Necessary cookies by changing their browser settings, but this may affect how the website functions.


2. When can my website drop the rest of the cookies?

All cookies apart from the Necessary cookies must be divided into cookie categories. These include: Analytics, Marketing, Social and so on. These categories are called Optional. The cookies under these categories can only be dropped after the user gives explicit consent. If consent is given, you can drop the Optional cookies they have consented to.


3. What is ‘explicit consent’?

In practice, 'explicit consent' means that the visitor has given a clear, unequivocal agreement for their data to be used in a specific way. This means that all your cookie categories, apart from the Necessary one, need to be presented as OFF by default, and the visitor must explicitly set one or more of them ON and save the preference before the rest of your website's cookies can be dropped.

4. Can I include an ‘Accept’ button?

Yes, it’s required by GDPR to use such a button. The relevant text should clearly explain what the visitor is consenting to if clicked. Another variation of the label could be ‘Accept Recommended Settings’.

To sum up, if this button’s clicked, the cookies of the Optional categories can be dropped if the text description clearly explains this. The relevant text on the Cookie Control panel must make it clear that by clicking the button, the user consents to the deployment of cookies. The ‘Accept’ button or its variation should be accompanied by a ‘Settings’ one to expand the user options as required by GDPR. The visitor must have a clear choice available to reject the drop of the Optional cookies and be able to modify the consent settings.


5. What happens if the website cookies are already dropped and the same visitor re-accesses the Cookie Control panel and saves changed consent preferences or ‘Rejects All’?

This is a valid case, and therefore the panel settings should be available to the user at any time, as required by GDPR. No matter which cookie categories the visitor has already consented to, if the visitor re-accesses the settings and clicks on ‘Reject All’, all Optional cookies previously dropped must be immediately deleted. Only the Necessary ones can remain on the visitor’s browser. If the visitor changes the preferences in the settings of Cookie Control, these changes must be reflected in the cookies dropped. If the visitor revokes consent for one or more Optional categories they had previously consented to, then the cookies of these Optional categories must be deleted. The rest of them can remain.
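The rules in points 1 to 5 (Necessary always allowed, Optional categories OFF by default, deletion on revocation or ‘Reject All’) can be checked with a small reconciliation routine. This is an added example, not Cookie Control's own code or API; the category map, cookie names and function names are hypothetical.

```javascript
// Constructed category map: which cookies each category owns (names are hypothetical).
const CATEGORIES = {
  necessary: { optional: false, cookies: ["session_id", "csrf_token"] },
  analytics: { optional: true, cookies: ["_stats_id", "_stats_session"] },
  marketing: { optional: true, cookies: ["ad_click_id"] },
  social: { optional: true, cookies: ["share_widget"] },
};

// Every Optional category starts OFF; only an explicit save turns one ON.
function defaultConsent() {
  const state = {};
  for (const [name, cat] of Object.entries(CATEGORIES)) {
    if (cat.optional) state[name] = false;
  }
  return state;
}

// 'Reject All' returns the visitor to the default state: all Optional OFF.
const rejectAll = defaultConsent;

// Cookies the site may set for a consent state: Necessary always,
// Optional only for categories explicitly switched ON (strictly true).
function allowedCookies(consent) {
  const allowed = new Set();
  for (const [name, cat] of Object.entries(CATEGORIES)) {
    if (!cat.optional || consent[name] === true) {
      cat.cookies.forEach((c) => allowed.add(c));
    }
  }
  return allowed;
}

// After new preferences are saved, list the categorised cookies that are
// present in the browser but no longer covered by consent.
// Cookies missing from CATEGORIES are not touched here; classify them first.
function cookiesToDelete(newConsent, presentCookies) {
  const allowed = allowedCookies(newConsent);
  const known = new Set(Object.values(CATEGORIES).flatMap((c) => c.cookies));
  return presentCookies.filter((c) => known.has(c) && !allowed.has(c)).sort();
}

// Browser-side deletion: expire each cookie. Pass `document` as `doc`;
// the path (and domain, if one was used) must match how the cookie was set.
function deleteCookies(names, doc) {
  for (const n of names) doc.cookie = `${n}=; Max-Age=0; path=/`;
}
```

Cookies marked HttpOnly, or set by a third-party domain, cannot be expired from page script, so revoking those categories needs a server-side or vendor-side step as well.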

6. Should I provide a Privacy Notice?

Yes, you should have one in place to inform your visitors about the use of cookies, and also if your website shares the data collected via cookies with third party organisations, such as advertising or analytics partners. Your Privacy Notice should also contain your organisation’s policy on personal data, how these are collected and how they’re safely stored and used. There should also be a link to your Privacy Policy page on the panel of Cookie Control so your visitors can make an informed decision.

Whenever the live version of your Privacy Policy changes, your visitors need to be reminded to provide consent again, so that on their next visit they are ready to interact with Cookie Control.


7. Can I hide the tool after the visitor interacts with it?

You shouldn't hide it completely because the visitor has the right to review the previous consent choices made and alter the choices at any point in time. You may provide a more discreet way to access Cookie Control but not hide it completely.


Here is where you can download Cookie Control and start setting it up! Our PRO support team is always there to assist and reply to your questions: