Blog - CookieYes https://www.cookieyes.com/category/blog/

CookieYes leads in consent management
https://www.cookieyes.com/blog/best-consent-management-platform/ Tue, 27 Dec 2022 07:03:00 +0000

The post CookieYes leads in consent management appeared first on CookieYes.

CookieYes is leading the way and our momentum this year has been one for the books. We are excited to share that we are named the ‘Leader’ in the G2 Winter 2023 Grid Report.

  • Leader in Consent Management Platform
  • Leader in Cookie Tracking Software
Source: Grid® Reports for Cookie Tracking and Consent Management Platform

We have stayed on top as the #1 Cookie Tracking Software in the market for the second quarter in a row! In 2022, our user base crossed 1.4 million, cementing our position as a market leader.

This is a great achievement, and we owe it all to you! We sincerely appreciate our customers and community who’ve shared their constructive feedback and experience with our product.

Why is this a big deal?

G2 is one of the most trusted peer-to-peer review marketplaces for software and services. More than 60 million professionals use G2 every year to discover and review products.

Each quarter, G2 publishes Grid Reports that rank products based on a combination of scores in customer satisfaction, ease of use and market presence. This means CookieYes earned leadership ranking through scores based on unbiased reviews gathered from the G2 user community.

#1 Leader in consent management

CookieYes takes the spot as ‘Leader’, in not just one, but two categories in two consecutive quarters, Fall 2022 and Winter 2023. Products ranked as Leaders are rated highly by G2 users and have high satisfaction and market presence scores. To top it, we are the only software recognised as a ‘Leader’ in the Cookie Tracking Software category.

  • #1 Consent Management Platform (CMP), from 120 competitors
  • #1 in Cookie Tracking Software, from 52 competitors

That’s not all. CookieYes has also been named the Momentum Leader in two consecutive quarters for Fall 2022 and Winter 2023. Products ranked as Momentum Leaders show a high growth trajectory based on user satisfaction scores, employee growth, and digital presence.

  • Momentum Leader in Consent Management Platform (CMP)
  • Momentum Leader in Cookie Tracking Software

CookieYes is ranked the #1 Easiest To Use Cookie Tracking Software. The highest usability scores on G2 show that CookieYes customers consider us one of the easiest-to-use CMPs, and one that more than meets their requirements. This is a testament to the functionality and design of our platform.

Set up in minutes

CookieYes also scored 9.3 on Ease of Setup, among Cookie Tracking Software. Our users benefit from the no-code implementation that can be achieved in just minutes. We provide up-to-date documentation with detailed instructions on how to get started with our platform and utilize our features for consent management.

“Be GDPR Compliant in just a few minutes!”

Michael Cleare

Meet compliance requirements

CookieYes scored a 9.7 in Meets Requirements based on user reviews. This criterion indicates our product’s ability to meet customers’ business requirements. CookieYes ensures that websites meet all cookie consent requirements of privacy laws like the GDPR, CCPA and LGPD. This includes custom banners, automatic website scanners, cookie auto-blocking and consent logs.

“CookieYes does proper GDPR compliance and keeps the records to prove it.”

Jonas Lönborg

Enjoy ease of use

CookieYes has been named the #1 Easiest to Use solution in Cookie Tracking Software, earning a score of 9.5 in this category. The CookieYes platform was designed with business owners, marketers and developers in mind. Regardless of your technical know-how, CookieYes makes it simple to manage cookie consent and privacy compliance.

“Great, simple and hassle free GDPR cookie consent tool”

Daniel Rongo

Access top-rated support

We achieved a score of 9.8 for Quality of Support. Our technical support team is available via chat to help users with implementation and technical concerns they might have. We also provide pre-purchase support through live chat, so users can clear any questions they may have about the product!

“The responsiveness of the customer service and the professionalism was exemplary!”

Guillaume Morin

Major product updates in 2022

We were constantly listening to our users and working to improve our product in the last year. Here’s a snapshot of the major product updates and feature releases.

New cookie banners

We released a new generation of cookie banners that are modern and optimised for a richer user experience. Along with the banner, our consent revisit button also got a brand-new design update. With our new banner, you get:

  • Modern layout that matches your website design
  • Improved usability and better end-user experience 
  • Fully customizable and responsive design

Intuitive app dashboard 

While data privacy can be complicated, we are constantly working to make consent management easier for our users. With our updated dashboard design, you can efficiently see all the important information at a glance. You will have faster access to: 

  • Banner status, regulation and targeted location
  • Cookie scan summary 
  • Consent insights from visitors 
  • Recent consent logs 

Global Privacy Control

CCPA and CPRA require that users can opt out via a preference signal such as Global Privacy Control. GPC sends a signal to websites asking them not to sell or share the user’s data and to opt them out of advertising cookies. CookieYes has updated the CCPA template to support GPC and easy opt-out. Users can include:

  • Global Privacy Control signal
  • ‘Do not sell my personal information’ checkbox 

Improved cookie scanner 

To make your cookie audit more thorough, we have upgraded our scanning functionality to scan behind login, exclude or include URLs, and initiate custom scans. For continued compliance and an up-to-date inventory of cookies, we’ve added a scheduling feature. The updates include:

  • Scan behind login to detect hidden cookies
  • Full scan with exceptions for URLs
  • Custom scan for specific URLs
  • Schedule monthly scans for specified date and time

Easy auto-translation

We updated our language library to include 175+ languages and now support auto-translation for 31 languages. With our new Languages interface, users can add multiple languages for the banner and edit the texts easily.

Subscription and billing

To help users have a frictionless experience, we have included subscription details and billing & invoices. Now you can access all your payment details in one place. 

Google Tag Manager and Cookies: How to Comply?
https://www.cookieyes.com/blog/google-tag-manager-cookies/ Tue, 29 Nov 2022 10:41:39 +0000

Google Tag Manager (GTM) is an awesome tool for webmasters and marketers. It allows you to safely deploy JavaScript snippets and other tags on your website and change the implementation logic at any time, all without having to touch any code. However, with it come scripts that may set third-party cookies in your visitors’ browsers, which raises privacy concerns. But don’t worry: you can still use GTM without compromising users’ privacy. In this article, we will see how Google Tag Manager uses cookies and what you can do to comply with privacy regulations like GDPR and CCPA for cookies.


What is Google Tag Manager and how does it work?

Google Tag Manager (GTM) is a tag management system that allows you to effortlessly manage tags and trackers on your website without having to modify the code directly.

As you probably know, websites have many different types of code running on them. Sometimes that code can be used to track how visitors interact with the site—for example, by recording page views and clicks. GTM helps with this process by allowing you to add and manage these kinds of tags from a single dashboard.

You can add new tags or remove old ones, and then activate them on any site or app. You can also see which tags are firing on any given page and use its tracking feature to automatically add data points when certain actions occur on your site.

In short, Google Tag Manager lets you:

  • create tags that collect data from your website visitors,
  • use those tags to measure how customers are interacting with your site, and
  • set up triggers so that certain actions automatically trigger new tags or updates to existing ones.
How does Google Tag Manager work? (diagram)

You can use Google Tag Manager to

  • track page views on your site,
  • track button/link clicks (signing up for a newsletter, filling out a form, external links, internal links),
  • track conversions (making a purchase),
  • collect information about users’ devices and browsers,
  • collect information about user behavior (e.g. user scroll pattern), etc.

Does Google Tag Manager use cookies?

No, Google Tag Manager does not use cookies by default. It enables tags for third-party scripts that may place cookies on the user’s device. GTM can read the value of first-party cookies set by your website but does nothing with third-party cookies.

Although Google Tag Manager does not set any cookies in normal operation, there is one case where it does. If you enable GTM’s Preview and Debug mode, it sets a few first-party cookies on the site being previewed. These cookies are necessary for the Preview mode to work, that is, to display what is happening on your website and which tags are firing. Only site admins or users who have enabled Preview and Debug mode will receive these cookies; when you exit Preview and Debug mode, GTM deletes them from your device.

Google Tag Manager and GDPR

Google Tag Manager is GDPR compliant and allows you to use tags across multiple domains with a single installation. It also gives you full control over the data that is being sent to your website, allowing you to have complete transparency over what data is being collected.

It may collect some aggregated data about tag firing to help monitor, provide diagnostics, and improve the quality of its systems. However, this data does not include any personally identifiable information. Other than HTTP request logs that expire in 14 days, and other non-personal diagnostics data, GTM does not collect, store or share any PII about visitors to its users. Neither does it use tracking technologies like cookies.

However, if you use Google Analytics or other tools on your website via GTM, you need to update your privacy policy accordingly and obtain consent if these tools collect visitors’ personal data.

Consent management in Google Tag Manager

Tag Manager includes several features that control how tags behave in response to user consent states. Google Consent Mode lets you control how tags behave, including which ones fire on a page and which don’t, depending on whether the user has granted consent on your site.

The Consent Initialization trigger in GTM makes sure that all consent settings are executed before tags fire in response to any other triggers. This trigger can be used in conjunction with a third-party provider that integrates with Tag Manager’s consent management capabilities. Each web container includes a Consent Initialization – All Pages trigger by default, which you can select to fire any tags that require it.
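The consent flow described above, as an added example that is not code from Google or CookieYes: Consent Mode defaults are pushed to the dataLayer before the container loads, a CMP decision is later pushed as an update, and a tag's firing decision is replayed from the dataLayer. The `gtag('consent', 'default' | 'update', …)` commands and consent type names are Google's documented ones; the banner category names (`analytics`, `advertisement`, `functional`) and the `tagMayFire` check are assumptions for the example.

```javascript
// The dataLayer is a plain array here so the logic runs in Node as well as
// in a browser, where GTM reads window.dataLayer.
const dataLayer = [];

// Same shape as the gtag() helper Google documents: push the arguments object.
function gtag() { dataLayer.push(arguments); }

// Consent types used by Google tags (Consent Mode v2).
const CONSENT_TYPES = [
  'ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization',
  'functionality_storage', 'personalization_storage', 'security_storage',
];

// Push the defaults before the GTM snippet: everything denied except
// security_storage, which is strictly necessary. wait_for_update tells tags
// to hold for up to waitMs for a consent update from the CMP.
function setConsentDefaults(waitMs = 500) {
  const defaults = {};
  for (const t of CONSENT_TYPES) defaults[t] = 'denied';
  defaults.security_storage = 'granted';
  defaults.wait_for_update = waitMs;
  gtag('consent', 'default', defaults);
  return defaults;
}

// Map a banner decision (per category; names assumed) onto consent types.
function applyCmpDecision(decision) {
  const grant = (ok) => (ok ? 'granted' : 'denied');
  const update = {
    analytics_storage: grant(decision.analytics),
    ad_storage: grant(decision.advertisement),
    ad_user_data: grant(decision.advertisement),
    ad_personalization: grant(decision.advertisement),
    functionality_storage: grant(decision.functional),
    personalization_storage: grant(decision.functional),
  };
  gtag('consent', 'update', update);
  return update;
}

// Replay the dataLayer to get the effective consent state as a
// consent-aware tag would see it: later updates override earlier defaults.
function effectiveConsent(layer = dataLayer) {
  const state = {};
  for (const entry of layer) {
    if (entry[0] !== 'consent') continue;
    for (const [k, v] of Object.entries(entry[2])) {
      if (k !== 'wait_for_update') state[k] = v;
    }
  }
  return state;
}

// Simulated firing check: a tag that declares required consent types may
// only fire when every one of them is granted.
function tagMayFire(requiredTypes, state = effectiveConsent()) {
  return requiredTypes.every((t) => state[t] === 'granted');
}

// Constructed scenario from the article: the visitor accepts advertising
// and functional cookies but rejects analytics.
function runExample() {
  dataLayer.length = 0;
  setConsentDefaults();
  const before = effectiveConsent();
  applyCmpDecision({ analytics: false, advertisement: true, functional: true });
  const after = effectiveConsent();
  return {
    before,
    after,
    gaTagFiresBefore: tagMayFire(['analytics_storage'], before),
    gaTagFiresAfter: tagMayFire(['analytics_storage'], after),
    adsTagFiresAfter: tagMayFire(['ad_storage', 'ad_user_data'], after),
  };
}
```

In a real page the `setConsentDefaults()` call must sit above the GTM container snippet, otherwise tags on the All Pages trigger can fire before any default exists.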

How to comply with cookie laws when using Google Tag Manager?

If you use Google Tag Manager on your website to deploy tags that use cookies, you can use this checklist to comply with privacy laws:

  • Keep a list of all third-party scripts/tags your GTM deploys.
  • Perform a cookie scan to identify cookies set by your website.
  • Check if they use cookies that track user data.
  • If they do, add a cookie banner to your website to get user consent.
  • Ensure you share necessary details about cookies used and what they do while asking for consent.
  • Allow users to opt out (along with opt-in) of these cookies.
  • Let users choose consent for cookies based on their category (e.g. if a user wants to disable analytics cookies and enable all others, there should be an option to do so.)
  • Automatically block all third-party (and other non-essential) cookies when the user first arrives on your site, and only unblock cookies that they have given consent for.
  • Allow users an option to withdraw consent later.
  • Keep a log of all consent received to use as proof if requested.
  • Share a detailed explanation of all cookies in a privacy or cookie policy and provide a link to it on the cookie banner and other important pages of your website.


CookieYes and Google Tag Manager: auto-block third-party cookies

Probably the most important item in the checklist is to auto-block all third-party cookies during a user’s first visit to your site. This can be done through a consent management platform (CMP). However, if you are using GTM, tags may fire before the CMP can block these cookies. Therefore, it is best to use a CMP that lets you take advantage of all the features of GTM without compromising your users’ privacy.

CookieYes is just the perfect solution for you.

CookieYes is a CMP for cookies that installs a cookie banner on your website and ensures the site does not store cookies until the user gives consent. It blocks all third-party cookies except for strictly necessary ones and acts as a middleman for websites that use Google Tag Manager. For example, suppose the user consents to allow all cookies except analytics cookies. In that case, CookieYes will change the tag trigger condition in GTM so that tags that set analytics cookies will not run.

In this way, CookieYes perfectly integrates with Google Tag Manager to give you and your users the best possible experience.

Read how you can implement Google Consent Mode with CookieYes and Google Tag Manager.

Frequently asked questions

Does Google Tag Manager set cookies?

Google Tag Manager does not set any cookies on its own. The only time a cookie is set is when you are using preview and debug mode, which just gives you a view of what tags are firing on each page. If you’re using third-party tags, they may set cookies on user devices if they have been configured to do so.

Does Google Tag Manager need cookie consent?

If you use Google Tag Manager to manage third-party tags, code snippets, or tracking pixels on your website, those tags may set third-party cookies. If this is the case, then you may need cookie consent to comply with GDPR.

Is Google Tag Manager a first-party cookie?

Google Tag Manager is not a first-party cookie. First-party cookies are those set by the same domain as the website in which they are being served, while third-party cookies are set by sites other than the one you’re currently on. Google Tag Manager does not set any cookies at all. The only exception is when you activate its Preview & Debug mode, which sets non-tracking cookies that are essential for the mode to work, and this mode is only visible to the GTM account admins.

Can Google Analytics track cookies?

Yes, Google Analytics can track cookies.

Google Analytics is a web analysis tool that allows website owners to monitor how people use their sites. It uses cookies to track users as they move from page to page on a site.

The Analytics cookie records information about users’ devices, such as their operating system, IP address, and location, as well as the date and time of their visit. It generates reports on pageviews, session durations, and bounce rates that will help you understand how engaging your web pages are. Google Analytics also records which pages users visited on your site and what search terms they used when arriving at your site through an organic search result or a referral link from another site.

This is why GDPR compliance for Google Analytics is important.

WordPress Cookies: Everything You Need To Know
https://www.cookieyes.com/blog/wordpress-cookies/ Thu, 03 Nov 2022 10:48:05 +0000

Did you know that WordPress uses cookies?

WordPress doesn’t need any introduction. Being the platform behind nearly half of the websites in the world, this content management system (CMS) is a well-known name on the internet. Cookies are a major part of any website, and WordPress is no exception. They help power the features on the website and ensure the user experience is up to par. However, using cookies without understanding what they do, and without proper management, might cause some trouble.

In this article, we look at how WordPress uses cookies and how you can manage them to comply with privacy laws like GDPR and CCPA.

What are WordPress cookies?

Cookies are small files that websites save on users’ computers or mobile devices and that contain information about their visit. They make it easier for websites to remember things like user names or the items users have put in online shopping carts. Cookies also help websites optimize the user experience, e.g., by remembering which pages users have visited or the settings they have saved. They are also used to display targeted advertisements across other websites.

Read more about internet cookies.

WordPress, like any other CMS, uses cookies to facilitate its features, such as authentication and comments. For example, WordPress uses cookies to determine whether you are logged in. Without these cookies, you cannot log in and users cannot post comments on your WordPress site.

What cookies does WordPress use?

WordPress uses two categories of cookies: user cookies and commenter cookies.

User cookies

These are cookies used mainly for authentication purposes.

  • wordpress_[hash]: This cookie is used to store your authentication details upon login and is limited to the admin area.
  • wordpress_logged_in_[hash]: This cookie enables the interface to recognize you as a logged-in user and determine which account and preferences to use for various features.
  • wp-settings-{time}-[UID]: This cookie facilitates customizing your view of the admin interface and the main site interface. The number UID is the individual user ID from the user database table. 

Commenter cookies

When visitors leave comments on your blog, WordPress stores a cookie on their computer. It allows them to post additional comments without re-entering their information. 

  • comment_author_{HASH}: This cookie remembers the commenter’s name.
  • comment_author_email_{HASH}: This cookie remembers the commenter’s email address.
  • comment_author_url_{HASH}: This cookie remembers the commenter’s website URL.

The General Data Protection Regulation (GDPR) has affected how websites can use cookies. For WordPress sites, this also means that users commenting on your blog will see a checkbox asking them if they want WordPress to remember their details. To enable this, go to Settings > Discussion > Select “Show comments cookies opt-in checkbox.”

WordPress comments cookie opt-in settings

Third-party cookies

Other than these, your WordPress website may use cookies set by installed themes, plugins, or other third-party services like Google Analytics, YouTube, Facebook, Hotjar, etc. Such cookies may track user activity for purposes like improving the browsing experience or collecting analytics data.

Are WordPress cookies secure?

WordPress user cookies contain hashed data, which means your data (WordPress username and password) has been transformed with a mathematical function to make it unreadable. Hashed data is difficult to reverse, making it difficult for someone to obtain your personal data by reading the cookie.

Like the user’s cookie, the hash in the commenter’s cookie is also impossible to unhash, and therefore, the commenter’s data is secure. 

However, the same cannot be said for cookies set by third-party services, like installed plugins or themes. Due diligence is necessary before relying on such cookies.

How to manage WordPress cookies?

The EU’s General Data Protection Regulation (GDPR) had a significant impact on the use of cookies because it is a blanket law affecting all websites anywhere in the world that handle personal data from people residing in the European Union. Since WordPress is the most-used content management system (CMS), the impact of cookie laws on WordPress websites is greater than any other platform.

You can manage WordPress cookies by following the requirements of privacy regulations. The steps to achieve compliance are:

  • Check and identify cookies
  • Obtain consent for tracking and third-party cookies
  • Disclose cookie details in a cookie policy

How to check WordPress cookies? 

You can check WordPress cookies by using manual methods like checking the developer console of your browser. Another method is to check the address bar, where you will find the list of cookies set by your WordPress website.

However, these methods are time-consuming as well as limited. They will not tell you the purpose of the cookies, who sets them, or for how long they persist. All of this can, however, be checked using a free cookie checker. It is faster and gives you a complete report of the cookies set by your WordPress website.

The cookie checker will give you an overview of cookies set by third parties and of those that track personal data.
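To carry out the "check and identify cookies" step against the cookie names listed in the sections above, here is an added example (not WordPress or CookieYes code) that parses a Cookie header and sorts each cookie into the WordPress user, WordPress commenter, or "other" bucket by name pattern. The sample header is constructed, and its hash values are made up; the "other" bucket is where plugin, theme and third-party cookies land for manual review.

```javascript
// Name patterns for the cookies WordPress itself sets. The [hash]/{HASH}
// part is matched loosely as a run of hex characters.
const WORDPRESS_COOKIE_RULES = [
  { category: 'user', purpose: 'authentication (admin area)',
    pattern: /^wordpress_[0-9a-f]+$/ },
  { category: 'user', purpose: 'logged-in user recognition',
    pattern: /^wordpress_logged_in_[0-9a-f]+$/ },
  { category: 'user', purpose: 'admin/site interface settings',
    pattern: /^wp-settings-/ },
  { category: 'commenter', purpose: 'remembers commenter name',
    pattern: /^comment_author_[0-9a-f]+$/ },
  { category: 'commenter', purpose: 'remembers commenter email',
    pattern: /^comment_author_email_[0-9a-f]+$/ },
  { category: 'commenter', purpose: 'remembers commenter URL',
    pattern: /^comment_author_url_[0-9a-f]+$/ },
];

// Parse a "name=value; name2=value2" Cookie header. The value may itself
// contain '=', so only the first '=' separates name from value.
function parseCookieHeader(header) {
  return header
    .split(';')
    .map((pair) => pair.trim())
    .filter(Boolean)
    .map((pair) => {
      const i = pair.indexOf('=');
      return i === -1
        ? { name: pair, value: '' }
        : { name: pair.slice(0, i).trim(), value: pair.slice(i + 1) };
    });
}

// Classify one cookie by name. Anything WordPress core does not set is
// flagged for review: it may come from a theme, plugin or third party and
// may track user activity, so its purpose and consent need checking.
function classifyCookie(name) {
  for (const rule of WORDPRESS_COOKIE_RULES) {
    if (rule.pattern.test(name)) {
      return { name, category: rule.category, purpose: rule.purpose, needsReview: false };
    }
  }
  return {
    name,
    category: 'other',
    purpose: 'unknown: set by a theme, plugin or third-party service',
    needsReview: true,
  };
}

// Audit a whole Cookie header and group the results by category.
function auditCookies(header) {
  const report = { user: [], commenter: [], other: [] };
  for (const { name } of parseCookieHeader(header)) {
    const c = classifyCookie(name);
    report[c.category].push(c);
  }
  report.needsReview = report.other.length;
  return report;
}

// Constructed sample: a logged-in user who also commented, plus two
// non-WordPress cookies. The hex hashes are made up for the example.
const SAMPLE_COOKIE_HEADER = [
  'wordpress_3f2a9c4e8b7d6a5f4c3b2a1d0e9f8a7b=alice%7C1700000000%7Cabc',
  'wordpress_logged_in_3f2a9c4e8b7d6a5f4c3b2a1d0e9f8a7b=alice%7C1700000000%7Cdef',
  'wp-settings-time-1=1699990000',
  'comment_author_3f2a9c4e8b7d6a5f4c3b2a1d0e9f8a7b=Jane+Doe',
  'comment_author_email_3f2a9c4e8b7d6a5f4c3b2a1d0e9f8a7b=jane%40example.com',
  '_ga=GA1.1.111111111.1699990000',
  'PHPSESSID=0123456789abcdef',
].join('; ');
```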

How to obtain cookie consent on WordPress?

Now that you know the type of cookies set by your WordPress website, the next step is to set up a system to get consent for cookies. You can do this by adding a cookie banner to WordPress. 

The WordPress cookie banner must meet the following requirements as stated by privacy laws:

  • Clear and concise language about why the site uses cookies and what accepting them will mean
  • Easily accessible and clear options for accepting and rejecting cookies
  • Separate options for obtaining consent for each cookie category
  • Block tracking and third-party cookies until users give consent to use them
  • Include an option to withdraw consent, and this option should be easily accessible, available at any time
  • Do not use deceptive design tricks such as non-obvious reject buttons or options that are too difficult to find to trick users into accepting cookies
  • Record cookie consent in a log with details of their cookie preferences as proof of consent
  • Link to privacy or cookie policy for detailed information on cookies used

You can add a cookie banner to your WordPress site with coding skills or through the use of a cookie banner generator, which will provide more convenience and efficiency.

CookieYes is a leading cookie consent solution trusted by over 1.5 million websites globally. 

CookieYes cookie banner on a WordPress website

It can be easily set up on your website using our WordPress plugin. The plugin meets these requirements, and you can get more by connecting it to our web application. Together they provide a complete cookie consent and compliance package designed specifically for WordPress, unlike any other solution. 

CookieYes WordPress plugin dashboard


What’s more interesting is that our WordPress plugin/web app uses only a single cookie, and it doesn’t store any personally identifiable information of users. 

Watch how you can use the plugin and connect it to the web app:

Check out the plugin setup guide.

How to add a cookie policy to WordPress?

The next step after setting up the cookie consent tool is to add a cookie policy to WordPress. A cookie policy, like a privacy policy, is a legal document of a website that discloses what type of cookies it uses, why it uses these cookies, who sets them, and for how long, as well as how users can manage them, such as blocking or deleting them. 

You can either write a cookie policy from scratch or use a free cookie policy generator that is quicker and auto-updates your policy page as and when your WordPress site adds more cookies.

Watch how you can add a cookie policy to your WordPress website using CookieYes:

So, as you can see, cookies play a significant role in WordPress. As a result, it’s crucial to understand how they function and how they affect your website. While it’s not necessary to dig deep into the depths of cookies and identify every single one, it is important to understand the basics—and this article has hopefully done that for you.

What’s next?

GDPR compliance for a website is not just about cookie consent management. Read how you can make your WordPress website GDPR compliant here.

Frequently asked questions

How to delete WordPress cookies?

Users can delete WordPress cookies through their browser settings.

To delete WordPress cookies in Chrome:

  • Click on the three dots in the top right corner and click Settings.
  • Select Privacy and security and click Cookies and other site data.
  • Click See all site data and permissions.
  • Search for the WordPress website and click the dropdown to delete the cookies.
Deleting cookies in Chrome

For Firefox,

  • Click the menu in the top right corner and select Settings.
  • Select Privacy & Security and go to the Cookies and Site Data.
  • Click Manage Data.
  • Search for the WordPress site whose cookies you want to delete. 
  • Click Remove All Shown to delete all cookies for the website.
  • To remove selected items, select an entry and click Remove Selected.
  • Click Save Changes. Click OK in the dialog box to confirm.
Deleting cookies in Firefox

For Safari,

  • Click on “Safari” next to the Apple logo in the top left and select Preferences.
  • Click the Privacy tab and select Manage website data under Cookies and website data.
  • Search for the WordPress website whose cookies you want to delete.
  • Select the website from the result and click Remove to delete the cookies.
Deleting cookies in Safari

How are cookies stored in WordPress?

Cookies used on your WordPress website are stored in the users’ browsers in a local file. These cookies have IDs assigned that identify sessions or remember user preferences on your website. 

Does WordPress need cookie consent?

Yes, your WordPress website likely requires consent to use cookies. Other than the default cookies set by WordPress, the plugins and themes installed on the site may use cookies that track user activity. Per GDPR and CCPA, using such cookies on your website requires explicit and informed consent from users.

7 ways to achieve WordPress GDPR compliance
https://www.cookieyes.com/blog/wordpress-gdpr-compliance/ Fri, 23 Sep 2022 07:32:11 +0000

If you are looking to make your WordPress website GDPR compliant, you are in the right place. Whether you have a WordPress site or you build WordPress websites for your clients, you are dealing with the personal data of your site visitors. This means you are bound by legal requirements and regulations like the GDPR.

GDPR, short for General Data Protection Regulation, is a privacy law designed to protect the personal data of European Union residents and give them rights over their data. The GDPR became applicable on 25 May 2018 and put in place a regulatory framework for organizations of all sizes. 

Checklist for WordPress GDPR compliance

Here’s a quick overview of what you need to do. You can find a detailed explanation of each step in the article.

  • Update your WordPress to version 4.9.6 or higher.
  • Use only GDPR-compliant plugins and tools.
  • Assess how your site collects users’ data.
  • Review the plugins and tools you use.
  • Enable opt-in checkbox for website forms.
  • Only send emails to users that have explicitly signed up.
  • Keep your privacy policy up-to-date and transparent.
  • Make your website secure with HTTPS.
  • Notify users about cookies and get their consent.
  • Offer an easy method for users to delete or export their data.

Why should my WordPress website comply with GDPR?

GDPR applies to all organisations that process the personal data of EU residents. It is also applicable to organizations outside the EU that offer products and services to customers in the EU. 

So what is personal data and how do you, as a website owner, process it?

  • Personal data is any information relating to an individual that can directly or indirectly identify them including name, email address, location, IP address, cookies, social security number, photos, genetic data and even political opinions. 
  • Processing means using personal data in any way, including collecting, storing, retrieving, disclosing or sharing, or destroying it.

In short, if you have a personal blog, newsletter, eCommerce store or just about any WordPress website and if you have visitors from the EU, you process their personal data and you should gear up to be GDPR compliant. 

Want to grasp GDPR in a little detail? We have you covered.

How to make your WordPress GDPR Compliant?

You need to first ensure that your WordPress is updated to version 4.9.6 or higher to utilise the built-in data privacy features mentioned in the steps below.

Step 1. Use GDPR-compliant plugins and tools

With more than 55,000 plugins, WordPress has a huge repository of tools for website publishers. While most of the popular plugins have implemented GDPR compliance, not all of them have. Keep in mind that you should:

  • Use plugins, themes and a web hosting provider that are GDPR-compliant.
  • Assess their data collection and storage practices described in their respective privacy policies.
  • Ensure that they store data in EEA or have an adequate level of protection for transferring personal data outside EEA such as Standard Contractual Clauses (SCCs) approved by the European Commission.
  • If you use SaaS applications on your WordPress, don’t forget to review the privacy policy and data-processing agreement of these service providers.
Privacy policy by Automattic detailing its data transfer mechanism.

Step 2. Review plugin data collection practices 

You should first audit your website for all the data it collects and stores. Common sources include:

  • Contact forms
  • Comments and social media plugins
  • Analytics and traffic plugins
  • IP addresses, cookies and location information
  • Security tools and plugins

Most of the top-rated WordPress plugins are GDPR-ready, but here are some of the common aspects that you still need to review and update for foolproof compliance. 

Google Analytics

If you use Google Analytics for your WordPress website, you need to do the following to be GDPR compliant:

  • Anonymize the data before Google Analytics stores it. If you use the Site Kit plugin by Google, it automatically anonymizes IP addresses upon activation of the Google Analytics module.
  • Set data retention settings for Google Analytics. This lets you set the amount of time before the data is automatically deleted from GA. You can access these settings under Admin → Property → Tracking Info → Data Retention.
  • If you use a Google Analytics plugin for WordPress like MonsterInsights, you can install and activate the EU Compliance Addon, which automatically turns the Anonymize IP Addresses option on.

Website forms

If you collect user data through various forms on WordPress, then you are required to get the user’s explicit consent. If you have multiple forms for multiple purposes on your site, then you have to ask for consent for the different purposes separately.

Contact form plugins like Contact Form 7, WPForms and Gravity Forms are GDPR-ready. This means you can easily find GDPR-compliant consent features in their settings.

  • To get opt-in consent from users, you can simply add a checkbox that a user has to click before they sign up or register through a form on your website. 
  • Link your privacy policy, terms and conditions along with the explanation. 

Here’s the opt-in form for our monthly Privacy Digest. You can sign up here and get checklists like this in your inbox!

  • If a user is subscribed to a newsletter or email marketing campaign, provide an unsubscribe option within the emails. 
  • While it isn’t a requirement, you may enable double opt-in for your email campaigns. This means that subscribers will receive an email asking for their confirmation before you send them any emails.
  • You can also add an opt-in checkbox for your comment forms. Head to Settings → Discussion → Other comment settings → Show comments cookies opt-in checkbox, allowing comment author cookies to be set.
comment opt-in settings for gdpr wordpress

eCommerce plugins

If you are running an eCommerce website, you are collecting and storing a lot of personal data like phone numbers, shipping addresses, and payment details that can be prone to cyber-attacks like phishing and skimming. Hence, choosing GDPR-compliant eCommerce plugins on WordPress should be a high priority for you.

  • If you use WooCommerce, you can access its built-in privacy features. Head to WooCommerce → Settings → Accounts & Privacy to enable the options for personal data retention, personal data removal, and privacy policy links.
  • If you use payment gateways, ensure that they have strict GDPR-compliant policies. Popular options include Stripe and PayPal.

Third-party API

If you are using third-party APIs on your website, remember that they collect and store user data. For instance, if you use the Google Fonts API, host the fonts locally (or on your own CDN) so that no personal data is sent to Google’s servers.

You need to vet each service and its privacy policy before implementing a third-party API on your website.

Step 3. Add an updated privacy policy

GDPR requires that you inform users about the personal data you collect, your purpose for collecting and how you ensure that the data is protected. While you may already have a privacy policy, for GDPR compliance, your policy should be comprehensive and have full disclosure about all the data your website collects, stores, processes, and uses.

WordPress has a built-in privacy policy template that you can use for your policy page. You can access it from Settings → Privacy. Keep in mind that this is a template and you should add further information about your data collection practices.

privacy policy settings for gdpr wordpress

Your policy should be written in clear and plain language and should be easily accessible on your site. It should include sections on:

  • The information you collect from all sources
  • How and why the information is collected
  • Cookies used on your site and their purposes
  • How and where the data is stored
  • The information you share with third parties
  • Users’ rights under GDPR and other applicable laws
  • How users can contact you for data access requests
  • Any other relevant information and policy updates

An even easier way to create a privacy policy is to use a free privacy policy generator. You can just answer the simple questionnaire and generate your policy in minutes. 

Step 4. Display a cookie consent banner

When we talked about reviewing all data you collect, you may have missed out on cookies on WordPress! All the plugins and tools on your website set cookies to collect personal data about your visitors. Similar to adding opt-in consent in contact forms, you are required to disclose your use of cookies and obtain consent from your site visitors. 

You can use top-rated plugins like the free GDPR Cookie Consent Plugin by CookieYes. With this plugin you can fulfil GDPR cookie consent requirements easily:

  • Obtain user consent before setting any cookies except strictly necessary cookies.
  • Give users the ability to give consent only for specific cookie categories. 
  • Provide information about cookies and their purposes.
  • Document cookie consent for proof of compliance.
  • Give users an easy option to withdraw their consent.
A simple cookie consent banner on a WordPress website.

Using the CookieYes plugin, you will also be able to generate a detailed cookie policy for your website. You can then add it to your privacy policy page or publish it as a separate cookie policy page.
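The five requirements listed above come down to one rule in the browser: no tag that sets non-essential cookies runs until a stored, categorised, timestamped choice says it may, and withdrawing that choice both records the withdrawal and expires the cookies already set. The following is an added example in JavaScript, not the CookieYes plugin's code or any code from the original post; the cookie name `site_consent`, the JSON layout of the stored choice, the category names and the script catalogue (with a placeholder GA id) are all assumptions.

```javascript
// Added example, not the CookieYes plugin's code. The cookie name, the JSON
// layout of the stored choice and the script catalogue are assumptions.
const CONSENT_COOKIE = 'site_consent';                      // assumed name
const CATEGORIES = ['necessary', 'analytics', 'advertisement'];

// Third-party tags and the consent category each one needs (constructed list;
// the GA id is a placeholder).
const SCRIPTS = [
  { src: 'https://www.googletagmanager.com/gtag/js?id=GA-PLACEHOLDER', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'advertisement' },
];

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Read the stored choice. A missing or malformed record means "no consent":
// only the strictly necessary category is ever enabled by default.
function readConsent(cookieString) {
  const consent = { necessary: true, analytics: false, advertisement: false };
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return consent;
  try {
    const stored = JSON.parse(decodeURIComponent(raw));
    for (const c of CATEGORIES) {
      if (c !== 'necessary' && stored[c] === true) consent[c] = true;
    }
  } catch (e) {
    // Malformed cookie: keep the deny-all default.
  }
  return consent;
}

// Record the choice together with a timestamp, so the decision is documented.
// Returns the string to assign to document.cookie.
function buildConsentCookie(choices, nowMs, maxAgeDays = 365) {
  const record = { necessary: true, at: new Date(nowMs).toISOString() };
  for (const c of CATEGORIES) {
    if (c !== 'necessary') record[c] = choices[c] === true;
  }
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// The script URLs that may be loaded under the given consent; everything else
// stays off the page until the user opts in to its category.
function scriptsAllowed(consent, scripts = SCRIPTS) {
  return scripts.filter((s) => consent[s.category] === true).map((s) => s.src);
}

// Withdrawal: store an all-denied record (so the withdrawal is itself documented)
// and expire the cookies the gated tags set. A cookie that a tag set with an
// explicit Domain attribute can only be expired with that same Domain.
function withdrawConsent(trackingCookies, nowMs, domain = '') {
  const dom = domain ? `; Domain=${domain}` : '';
  const expired = trackingCookies.map(
    (name) => `${name}=; Max-Age=0; Path=/${dom}; SameSite=Lax; Secure`
  );
  return [buildConsentCookie({}, nowMs), ...expired];
}

// Browser entry point: inject only the allowed tags into <head>. Returns the
// number injected (0 when there is no DOM, e.g. under Node).
function loadAllowedScripts(consent) {
  if (typeof document === 'undefined') return 0;
  const urls = scriptsAllowed(consent);
  for (const src of urls) {
    const el = document.createElement('script');
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  }
  return urls.length;
}

// On page load, gate the tags on the stored choice before anything else runs.
if (typeof document !== 'undefined') {
  loadAllowedScripts(readConsent(document.cookie));
}
```

The important design point is the direction of the default: an absent, expired or unparseable record is treated as a refusal, never as consent, and a tag is only ever added to the page after the check. Wiring the banner's "accept"/"reject" buttons to `buildConsentCookie` and `withdrawConsent` and then calling `loadAllowedScripts` again is all the UI has to do.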

Step 5. Encrypt your website with HTTPS

If you still haven’t moved from HTTP to HTTPS, it’s time to do so. GDPR requires that websites implement appropriate security measures, such as encryption, to mitigate data security risks. To encrypt traffic to your WordPress website, you need to enable HTTPS. For this, you just need to get an SSL/TLS certificate and activate it.

You can check for free SSL certificates from your current WordPress hosting provider or you can get them from any of the popular hosting companies like Bluehost, SiteGround, WPEngine, Cloudflare etc.

Image credits: Cloudflare

Step 6. Ensure data portability

GDPR requires that any business that collects users’ data also provides the user with the ability to download it or transfer the data elsewhere. WordPress has an option that allows you to export and erase users’ data from your database. You can access the setting from Tools → Export Personal Data or Tools → Erase Personal Data.

data export settings for gdpr wordpress

After entering the relevant details, an automated email will be sent to the user to confirm their request. Once the request is confirmed, you can generate a zip file of the user’s personal data. WordPress will also send that user an email with a link to download the generated zip. 

Step 7. Hire a lawyer 

If you are a small website, personal blog or just starting out with your online store, you can get on the right track with the steps listed above. However, if your website receives considerable traffic and you collect a large amount of user data, we recommend that you hire a lawyer and get professional advice for compliance. This way, you can safeguard your business from legal hassles in the future.

If your core activity involves processing a large amount of data, for instance, you are an HR website for job-seekers in the EU, then you may need to appoint a Data Protection Officer (DPO) for GDPR. You can consult with your lawyer and determine whether you need a DPO. 

What happens if my WordPress website isn’t compliant?

You could face an administrative audit by your respective data protection authority and if non-compliance is established, it may result in GDPR fines. Serious infringements can get you a maximum fine of up to €20 million or 4% of annual global turnover! 

In practice, the fines will depend on the severity of the infringement, the size of your business and the existing GDPR-compliant measures you have put in place. This means if you are GDPR-ready, you are not likely to face any monetary penalties. 

A few further steps for WordPress GDPR compliance

Now that you have the basics covered for your website, you can take some additional steps to be thorough with your compliance efforts.

Notify about policy updates

If you make any updates to your privacy policy, you need to notify users about the changes. Maintain an email list of all users and send privacy update emails to keep them informed.

Prepare for data breach notifications 

GDPR requires businesses to inform the relevant supervisory authority within 72 hours of becoming aware of a breach, and if the breach is high-risk to individuals, you are also required to notify your affected users. Your breach notification should include information such as the nature of the breach, contact details of the data protection officer and the measures you have taken to address the breach.

Maintain a data retention policy

GDPR does not allow businesses to keep users’ personal data for longer than they need it. This means you need to create a data retention policy for all the data you collect. You can check your plugin settings to see if they have data retention schedules. For instance, in WooCommerce, you can delete user data after a set amount of time. You can access this under WooCommerce → Settings → Accounts & Privacy → Personal data retention.

FAQ on WordPress GDPR compliance

Is WordPress GDPR compliant?

Yes, the core software of WordPress versions 4.9.6 and higher is GDPR compliant. These newer versions include several GDPR enhancement features such as a privacy policy template, comments checkbox and other settings to ensure that WordPress is GDPR compliant.

What is WP GDPR?

WP GDPR or WordPress GDPR refers to fine-tuning your WordPress site for GDPR compliance. The goal is to ensure that all the WordPress features, plugins and additional tools that you use on your website are privacy-friendly and comply with the regulations set by the GDPR.

Does my WordPress site need a privacy policy?

Yes. Your WordPress site needs a privacy policy page. You are legally required to inform your website visitors about the personal data you collect, your purpose for collecting and how you are ensuring that their personal data is protected. 

WordPress has an in-built privacy policy template that you can use to get started on your policy. You can head to Settings → Privacy → Create a new privacy policy page.

Does WordPress collect personal data?

Yes, like any website, your WordPress website collects personal data from your website visitors and users. For example, if someone leaves a comment on your blog or signs up for your newsletter, you are collecting their personal data such as name and email address. You may use analytics tools to improve your user experience, cookies for retargeting ads, payment information for online transactions and so on. In short, you are collecting a lot of user data to enable certain services and features and improve your website.

How do WordPress sites collect user information?

Your WordPress website might be collecting users’ information in a lot of ways, such as:

  • Website forms (contact forms, newsletter signups etc.)
  • Comments
  • Through cookies, IP addresses and geolocation 
  • Payment gateways
  • Social media likes and shares
  • Analytics and tracking tools

The post 7 ways to achieve WordPress GDPR compliance appeared first on CookieYes.

Virginia’s Consumer Data Protection Act (VCDPA) https://www.cookieyes.com/blog/vcdpa-virginia-consumer-data-protection-act/ Tue, 13 Sep 2022 09:43:16 +0000

The post Virginia’s Consumer Data Protection Act (VCDPA) appeared first on CookieYes.

Virginia Consumer Data Protection Act, or VCDPA, is a state statute enacted to protect the rights of consumers residing in Virginia. This is the second state-wide law passed in the US after California Consumer Privacy Act.

Effective from: January 1, 2023

Official text: Virginia Consumer Data Protection Act

What is VCDPA?

The Virginia Consumer Data Protection Act (VCDPA) is a law that protects the privacy of consumers by limiting how companies can use or disclose their personal information. It applies to any business that has customers in Virginia or that collects, uses, stores, or sells the personal information of individuals who reside in Virginia.

The VCDPA was signed into law by Gov. Ralph Northam on March 2, 2021. It will be enforced by the Attorney General.

Who does VCDPA apply to?

The Virginia Consumer Data Protection Act applies to an entity (controller or processor) that conducts business in Virginia or produces products or services targeted to residents of the state, and that controls or processes:

  • personal data of at least 100,000 consumers or
  • personal data of at least 25,000 consumers and earns over 50% of gross revenue from the sale of personal data.

Exemptions to this are:

  • the Commonwealth or its political subdivisions;
  • financial institutions subject to Gramm-Leach-Bliley Act;
  • covered entities or business associates governed by the privacy, security and breach notification rules issued by the United States Department of Health and Human Services;
  • nonprofit organizations; or
  • institutions of higher education.

What is personal data in the VCDPA?

Personal data, as defined by the VCDPA, refers to any information that can identify a specific individual. This can include names, photos, addresses, and phone numbers. It also includes data that can be used to locate or contact that person.

However, personal data does not include anonymized data or publicly available information. Anonymized data is information that has been scrubbed of all identifying characteristics so that it no longer identifies an individual. Publicly available information is something that anyone can access via public records or other methods of publication.

Under the VCDPA, sensitive personal data is defined as any of the following:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • the processing of genetic or biometrics to uniquely identify a natural person;
  • the personal data collected from a known child; or
  • precise geolocation data.

What are the principles of data processing in VCDPA?

Here are the responsibilities and other requirements expected of controllers and processors of data:

Purpose limitation

Collection of personal data should be limited to what is adequate, relevant and reasonably necessary for the purpose for which it is processed. Personal data should not be processed for purposes that are neither necessary for nor compatible with the disclosed purpose unless the consumer has given consent.

Best security practices

Implement appropriate administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such practices should be appropriate to the volume and nature of data being handled by the controller.

Non-discrimination

Controllers must process data in compliance with state and federal laws that prohibit unlawful discrimination against consumers. Controllers must not discriminate against consumers for exercising any of the consumer rights in the Act, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.

Consent

A controller must acquire a consumer’s consent before it can process sensitive data about the consumer, and must process data about a known child in accordance with the Children’s Online Privacy Protection Act.


Privacy notice

Controllers must provide consumers with a clear and meaningful privacy notice that includes: 

  • the categories of personal data the controller processes, 
  • why the controller processes personal data, 
  • how consumers may exercise their consumer rights under the Act, which includes how a consumer may appeal a controller’s response to the consumer’s request for access, 
  • what categories of third parties the controller shares personal data with, what categories of personal data it shares with third parties, and
  • means for consumers to exercise their consumer rights, including the right to opt-out of processing by third parties.


Impact assessment

As a controller, you are required to conduct an assessment of any processing activities involving personal data that present a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers. This includes any processing activities involving sensitive data.

Data protection assessments must weigh benefits to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of consumers associated with the processing of personal data. The use of de-identified data and consumers’ expectations, as well as the context of the processing and relationship between the controller and consumer whose personal data is processed, should be considered.

What are the data rights under VCDPA?

Here are the rights granted by the Act to Virginia consumers:

  • Right to know and access: Consumers have a right to know whether their data is being processed, and to access their own data.
  • Right to correct: Consumers have a right to request that the data an organization holds about them be corrected if it is inaccurate.
  • Right to delete: Consumers have a right to request that their personal data be deleted.
  • Right to port: Consumers have a right to get a copy of their personal data in a portable and easily transferable format so that they can transfer it to other controllers without any hindrance. This right is particularly relevant when the processing is done by automated means.
  • Right to opt-out: Consumers have a right to opt out of the processing of their personal data for purposes such as:
    • targeted advertising: it is the practice of showing specific ads on nonaffiliated websites and online applications based on the consumer’s activities across time and various sites;
    • the sale of personal data: it is the exchange of personal data between a controller and a third party for money; and
    • profiling used in decision-making: it means any form of automated processing that analyzes, evaluates or predicts a natural person’s personal aspects by using personal data.

A controller should respond to a consumer’s request within 45 days of receipt of the request unless an extension is granted. The controller must inform the consumer if an extension will be requested and for what reason it is being requested, as well as instructions on how to file an appeal if the request is declined.

If a consumer requests information, it should be provided free of charge up to twice a year. If the request is unreasonable or repetitive, then the controller can charge administrative costs. The controller has the burden of demonstrating that the request is unreasonable or repetitive.

Controllers shall establish one or more secure and reliable means for consumers to submit requests to exercise their consumer rights. This means must take into account how consumers normally interact with the controller while providing a secure way to communicate such requests. Controllers are not allowed to require a consumer to create a new account for submitting the requests.

7 Steps to VCDPA compliance

  • Define your purpose for data collection and processing. 
  • Obtain consent from consumers to collect their sensitive personal data. 
  • Allow users to opt out of data collection at any time.
  • Allow users to exercise their rights to access, correct or delete their data, as well as to transfer their data.  Implement a clear and simple process for doing so.
  • Add or update privacy notices to disclose your data collection and processing practices.
  • Implement best security practices to protect personal data.
  • Conduct a data protection impact assessment for high-risk data processing activities.

What are the penalties and fines under VCDPA?

The Attorney General must give controllers 30 days’ notice of any violations they believe are occurring. If the controller fixes those problems within that time, then it won’t be sued for statutory damages. If they continue to violate the law, the Attorney General can sue for up to $7,500 per violation.

CCPA vs CPRA vs VCDPA [Infographic]


Frequently asked questions

Who is subject to the VCDPA?

Entities that conduct business in Virginia or provide products or services to Virginia residents by collecting their personal data are subject to VCDPA. They should meet the following thresholds:

  • collect and process personal data of at least 100,000 consumers or
  • collect and process personal data of at least 25,000 consumers and earns over 50% of gross revenue from the sale of personal data.

When was VCDPA passed?

The VCDPA was signed into law by Gov. Ralph Northam on March 2, 2021. This makes Virginia the second US state to pass a comprehensive data protection law after California’s CCPA.

Privacy Policy Template for E-commerce Websites https://www.cookieyes.com/blog/ecommerce-privacy-policy/ Tue, 09 Aug 2022 10:20:09 +0000

The post Privacy Policy Template for E-commerce Websites appeared first on CookieYes.

The e-commerce industry is booming, and it’s easy to see why. It’s convenient, it’s fast, and it’s reliable. If you’re running an online store or thinking about starting one, you should make sure that you have a solid privacy policy in place before you go live with your site. If you are wondering why you need an e-commerce privacy policy, we’ve got answers for you!

In this blog post, we’ll discuss why it’s so important for your e-commerce website to have a privacy policy, and how to create one that fits your needs perfectly.

Do e-commerce sites need a Privacy Policy?

Privacy Policies are necessary for e-commerce sites because they let you tell people what you’re doing with their data and how they can opt out of it.

As an online business owner, you need consumers to trust your site. If they don’t know how you’re using their information and what choices they have, they might not feel safe using your website or buying from you.

A Privacy Policy is a contract between you and your website visitors. It tells them what you will do with their information, and how long you will keep it, and gives them the option to opt out of the collection and use of their personal data. For example, if you are selling products on your site, a Privacy Policy will tell people how they can opt out of receiving marketing communications from you. This is especially important if you are using cookies or other tracking mechanisms on your site.

In addition to telling people what information you collect about them (and why), a good Privacy Policy will also tell people what they can do if they want to change their preferences or stop using your service altogether. In addition, it should include information about how to contact you in case customers have any concerns about how you handle their personal data.

Related reading: Privacy Policy Template for GDPR and CCPA

How to create a Privacy Policy for an e-commerce website?

For a free privacy policy template for your e-commerce site, try CookieYes’ Privacy Policy Generator:

  • GDPR, CCPA compliant free tool
  • Generate privacy policy in minutes
  • Simple and clean pre-built template 
  • Customize and add clauses as required
  • No PDFs or downloads, simply copy-paste the text/HTML

How to write an e-commerce privacy policy depends on the services and products you sell. However, all privacy policies should include the following information that is necessary to comply with privacy laws:

  • What type of data your store collects and why
  • How you collect and use this data
  • Who has access to the data and with whom you share it
  • Whether and how you use cookies and other trackers
  • What rights and data controls customers have and how they can exercise them
  • How customers can opt out of data collection and use by your store
  • How long you store personal data and how you protect it
  • How customers can contact you with questions and concerns

Let’s look into the details of all these sections:

Data collection and use

An e-commerce store may have to collect a lot of personal information from customers. Depending on the kind of business you have, this can include anything from name and address to credit card details. In addition, you may also collect personal information such as gender or age. Such information could be used for targeted marketing campaigns or other purposes such as customizing content for your customers based on their preferences.

The next thing you should address is how you collect information, who has access to it, and how you are going to use it. The more specific you are, the better. For example, if your business collects information via cookies or web beacons (which are small files that are placed on a user’s device), be sure to mention that in your policy. If you use third-party services like Google Analytics, AdSense, Hotjar, YouTube, or MailChimp, make sure they’re mentioned in your policy as well.

Asos’ privacy policy lists the what and why of their data collection practices with a neat table that is easy to understand. 

Asos ecommerce privacy policy - what and why they collect data

Almost all e-commerce stores have their own mobile applications that allow customers to shop from their mobile devices. If you have one, you can explain what data the app collects in your privacy policy, as KFC Italia does.

KFC Italia app privacy policy

If you have social media accounts for your online store, consider mentioning them in your privacy policy. Shein, a clothing online store, links to the privacy policies of all the social networks they are on in their privacy policy.

Shein ecommerce privacy policy - social media

Data access and sharing

As an e-commerce site, you may be using many third-party services and sharing customer information with them. You’ll need to include a section that outlines how you share information with third parties. E.g., if you’re an e-commerce site that uses an order management system to process orders, you should explain that you’ll be sharing customer information with the provider of this service so they can do their job.

In other words, it’s not enough just to say that you won’t share data with anyone else—you need to specify who the exception is and why they are receiving the information.

It can also include how customers can opt out of third-party data collection and sharing.

Glossier’s privacy policy explains who may have access to customer information and also links to companies or services for additional details.

Glossier privacy policy - access to information
Glossier privacy policy - access to information - analytics

Similarly, LARQ’s privacy policy explains how and why they share customer information.

LARQ privacy policy template - how they share

Use of cookies and other trackers

This section is where you get into the details of how your website uses cookies to track users, including information gathered by the cookie and how long it remains on their device. You’ll want to make sure you have a good reason for doing this—and that your readers understand why it’s important. You can add a separate Cookie Policy page to explain cookies used on the site if you use them a lot.

Related article: Cookie Policy Template


International data transfer

If you’re collecting and storing data about your customers outside of the country where they live, then you need to include language about international data transfer in your privacy policy. This is because many countries have laws about how companies can use and store customer data and how they must notify customers when they collect information.

eBay perhaps has one of the best-designed privacy notices. The international data transfer section explains how it handles data transfer to different eBay Inc. corporate family members and regions outside EEA.

ebay ecommerce privacy notice - data transfer

Data rights and control

Customers must have control over their data and be able to manage it accordingly. This includes the ability to exercise the rights granted to them by privacy laws, such as accessing and updating their data, as well as opting out of its collection or sharing. The privacy policy should include details of how customers can request to access, update or delete their data. It should also explain how they can opt out of data collection or sharing.

Bliss’s privacy policy lists the CCPA rights that their customers have and how to exercise them, which includes contact information.

Bliss privacy policy - CCPA rights for ecommerce users

Data of minors

In many countries, including the United States and the European Union, there are laws in place that protect the privacy of minors. To comply with these laws, you should include a section in your privacy policy that will cover information about how you collect data from minors, what kind of information it includes and how you use it. It’s also important to clarify whether you intend on sharing this data with third parties.

You should also mention if there are any exceptions to the rule. For example, if you need the permission of their parents or guardians before collecting any information from them. Also, make sure to state whether or not they can request the removal of their personal data at any time.

Data storage and security

Data storage and security are significant concerns for e-commerce sites. Since they collect sensitive information from their customers, they need to ensure that the data is not lost or stolen. Your privacy policy must explain how you store and secure your customers’ personal information. It should address how your company protects itself from hacking attacks or other types of cybercrime: what security measures are in place to prevent these attacks and what happens if an incident does occur, including whether you will notify affected users.

In addition to explaining how your company stores and protects its customers’ data, your privacy policy should also state how long customer data will be kept by your company. If applicable, include details about which countries’ laws apply in case there are conflicts between them.

Walmart’s privacy policy links to its Privacy & Online Safety Tips, which explain all the measures it has in place to protect personal information. It also explains its information retention principles.

[Image: Walmart privacy policy, data storage and security]

The privacy policy of the consumer electronics store BestBuy lists the steps it has taken to protect its customers’ personal information.

[Image: BestBuy privacy policy, data protection section]

Contact information

Contact information is a must-have in any privacy policy. You should list the names and contact information of the people responsible for handling your company’s privacy practices, as well as their roles in the company.

This section should also include a link to your website’s contact page so that customers can get in touch with you if they have any questions or concerns.

Etsy’s privacy policy provides the contact information of its support team and data protection officer. In addition, it lists the addresses of its offices and the details of the Data Protection Commission under its jurisdiction.

[Image: Etsy privacy policy, contact section]

Overall, this article has provided you with a basic understanding of what a privacy policy is and how it can help your e-commerce store provide the most secure experience possible to your users. You’ve also learned about some of the common features that are included in a privacy policy.

There’s no doubt that a well-written and thoughtful privacy policy will keep your users informed and safe. It’s important to remember that many other factors go into making a great e-commerce site, but you should not overlook this one element.

Frequently asked questions

How do I set up a privacy policy on my website?

You can set up a privacy policy for your website in minutes, and for free using CookieYes.

All you need to do is enter some basic information about your business, like how you handle your customers’ personal information. Once you’re done with that, we’ll generate your privacy policy as text and HTML. You can paste that into your website and publish it to make the policy page live.

You can create a privacy policy for any type of e-commerce store running on any CMS, such as WordPress, Shopify, Squarespace, or Wix.

Can I write my own privacy policy?

Yes, you can write your own privacy policy.

If you do decide to write your own privacy policy, we recommend that you consult with an attorney to ensure that it is well-written and legally compliant. It’s important to remember that the way you handle your website’s data collection and retention can have legal implications, so you want to make sure you’re operating in compliance with federal laws.

Do I need a privacy policy on my website?

Yes, you need a privacy policy on your website.

If you collect personal data from your visitors—like their names, email addresses, phone numbers, or any other personally identifiable information—then you should have a privacy policy.

If you collect non-personally identifiable information, you may still want to include a privacy policy though, since it can help provide transparency for your user.

Does Shopify give you a privacy policy?

You can use Shopify’s privacy policy generator, no matter whether or not you sign up for a Shopify account. It will send you a link to copy the generated privacy policy. However, you still need to add a lot of details based on how your website handles data after the policy is generated. With CookieYes, you do not have to worry about these things, as it has options for you to add all necessary details and as a result, you get a comprehensive privacy policy for your website.

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
https://www.cookieyes.com/blog/pipeda-canada/
Published: Tue, 21 Jun 2022 08:58:10 +0000
The Personal Information Protection and Electronic Documents Act or PIPEDA is the Canadian federal privacy law that regulates how the private sector collects, uses and discloses personal information.

Effective from: January 1, 2004

Official text: Personal Information Protection and Electronic Documents Act

What is PIPEDA?

PIPEDA is a federal law that governs the collection, use and disclosure of personal information by organisations and recognises the privacy rights of individuals with respect to their personal information. PIPEDA came into force two decades ago in 2000.

Who does PIPEDA apply to? 

PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of “commercial activity”. It applies only to commercial activity, which is defined as any transaction, act or conduct of a “commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.

You are exempted from PIPEDA if you are any of the following:

  • A federal government organization listed under the Privacy Act.
  • A provincial or territorial government.
  • A non-profit organization, political party, political association, or charity group.
  • A hospital, school, university, or municipality.

Businesses may also be exempt if they are subject to provincial privacy legislation similar to PIPEDA, such as the provincial privacy laws of Quebec, Alberta and British Columbia.

Where does PIPEDA apply?

  • PIPEDA applies to organizations within Canada, except in provinces that have similar data protection laws, such as Quebec, British Columbia and Alberta.
  • PIPEDA applies to all federally regulated businesses in Canada, such as banks, telephone companies, shipping companies and railways, even in provinces which have enacted similar privacy legislation.
  • Businesses are required to protect the personal information that is “collected, used, or disclosed internationally”. Organizations that transfer data across provincial and national borders are subject to PIPEDA, regardless of their provincial privacy laws.

What is personal data in the PIPEDA?

Personal Information Protection and Electronic Documents Act (PIPEDA) defines personal information as “information about an identifiable individual.” Under PIPEDA the following can be considered personal information:

  • Age, name, social security number, race, national or ethnic origin
  • Medical, education or employment history
  • Biometric information such as fingerprints or DNA
  • Social insurance number or driver’s licence
  • Employee files, credit records, loan records, medical records, financial information

PIPEDA does not define what constitutes sensitive personal information; instead, it notes that any personal information may be sensitive depending on the context.

What are the principles of data processing in PIPEDA?

PIPEDA outlines 10 information principles for the collection, use and disclosure of personal information and users’ rights.

  • Accountability: Businesses are responsible for the personal information they hold and need to appoint an individual to ensure the organization is compliant with the 10 principles.
  • Identifying purposes: Organizations are required to state the purposes for data collection before or at the time of data collection.
  • Consent: To collect, use or disclose personal information, organizations need to obtain consent from users.
  • Limiting collection: Organizations are required to collect only the necessary amount of information, in a fair and lawful manner.
  • Limiting use, disclosure, and retention: Organizations need to use personal information only for the purposes they stated during collection unless the users give additional consent.
  • Accuracy: Organizations should keep users’ personal information accurate, complete, and up to date.
  • Safeguards: Organizations should implement safety measures to protect personal data.
  • Openness: Organizations should inform users about their policies and practices in a plain and transparent manner.
  • Individual access: Organizations need to respect their users’ right to access, review and correct personal information.
  • Challenging compliance: Individuals have the right to challenge an organization’s compliance with these principles by addressing the designated individual, such as the organization’s compliance officer.

Meaningful consent under PIPEDA

The Office of the Privacy Commissioner of Canada (OPC) issued seven guiding principles for meaningful consent, based on PIPEDA and the Personal Information Protection Acts (PIPA) of Alberta and British Columbia.

[Image: Meaningful consent under PIPEDA. Source: priv.gc.ca]

How to achieve PIPEDA’s meaningful consent with CookieYes

If you own a business website, here is how you can obtain meaningful consent under PIPEDA and achieve compliance with the help of the CookieYes CMP (Consent Management Platform).

7 guiding principles for meaningful consent

01 Emphasize key elements. For consent to be valid or meaningful, businesses must inform individuals of their privacy practices in an easy-to-understand manner. You can implement a cookie banner with brief information on your data collection through cookies.

02 Allow individuals to control the level of detail they get and when. Information should be provided in a manageable and easily accessible way. Businesses should “layer” information in ways that enable individuals to control how much detail they want and when. With the CookieYes cookie banner, you can display cookie information in layers, with the detailed cookie list and category information in the second layer.

[Image: Cookie banner for meaningful consent under PIPEDA]

03 Provide individuals with clear options to say “yes” or “no”. Businesses should ask for consent only for what is necessary to provide the product or service, and consumers should be given a choice that is clear and easily accessible. Display a cookie banner with ‘Accept’ and ‘Reject’ buttons so users have an active choice.

04 Be innovative and creative. Businesses should design or adopt innovative consent processes that can be displayed “just-in-time” and are interactive and device-appropriate. With CookieYes, you can display a fully customizable, mobile-responsive cookie banner.

[Image: Mobile-optimized cookie banner for meaningful consent under PIPEDA]

05 Consider the consumer’s perspective. Consent processes should be user-friendly and customized to your target audience’s understanding. This includes clear explanations, language suitable for a diverse audience and displaying information in an accessible way. With CookieYes, you can link the privacy and cookie policy on your banner for easy access to detailed policy pages.

06 Make consent a dynamic and ongoing process. Informed consent should be an ongoing process that changes as circumstances change. For this, businesses should provide users with the ability to change or withdraw their consent at any time. For cookie consent, you can implement a consent revisit button on your website.

[Image: Consent revisit button for meaningful consent under PIPEDA]

07 Be accountable. Businesses should be prepared to demonstrate their compliance when asked and should provide proof of valid and meaningful consent. With the CookieYes Consent Log, you can access the historical record of all cookie consents obtained from your website.


How does PIPEDA provide individual rights?

Under PIPEDA’s principle of individual access, customers have the right to access the information organizations hold about them. In particular:

  • On request from an individual, an organization must disclose the existence, use and disclosure of his or her personal information and grant the individual access to it.
  • Organizations should inform individuals of the purpose for collecting any information, at or before the time of collection, in writing or orally.
  • While PIPEDA does not grant a right to erasure, organizations are required to destroy, erase or anonymise information that is no longer needed to fulfil the purposes for which it was collected.
  • PIPEDA allows individuals to withdraw consent at any time, but organizations should inform individuals of the implications of withdrawing consent.

What is the penalty for a violation under PIPEDA?

A PIPEDA violation is any violation of Division 1 of the Act (Protection of Personal Information) or any violation of Division 1.1 (Breaches of Security Safeguards) that includes a violation of the data breach notification rule, or the failure to comply with the 10 principles of PIPEDA.

  • PIPEDA provides the option of monetary penalties on organizations for committing an offence under the Act.
  • Organizations that commit offences may be subject to fines of up to $100,000. PIPEDA does not establish a private right of action; however, failure to comply may result in civil actions, class actions or private rights of action.

5 steps to PIPEDA compliance

01 Obtain consent

As per the principles of identifying purposes and consent, businesses have to obtain consent for the use and disclosure of personal information. Businesses can implement either explicit or implicit consent; the appropriate form of consent is determined by the sensitivity of the personal information and the reasonable expectations of the data subject.

Cookies are one of the most common ways in which businesses collect and share personal data online. To inform users and obtain their consent, you can implement a simple cookie consent banner and record all your user consents for proof of compliance. CookieYes CMP will help you add a cookie banner on your website in just 3 steps!

[Image: A simple cookie banner powered by CookieYes CMP, for PIPEDA compliance]

02 Update privacy policy

To fulfil the principles of identifying purposes and openness, businesses should disclose how they collect, use, share, secure and process users’ personal data. An up-to-date and detailed privacy policy can outline this and help you achieve compliance. The policy should include all information about personally identifiable information, along with the organization’s PIPEDA practices and how individuals can request access to their data. You can easily generate a privacy policy with our free privacy policy generator.

03 Implement security safeguards

Businesses should implement physical, organizational and technical methods to safeguard personal information. Ensure that the data is protected from security breaches such as unauthorized access, theft or duplication. Encrypting data at entry and exit points and restricting physical and remote access to data are important security measures that should be in place. While PIPEDA does not give specific guidelines on how organizations should implement safeguards, you can refer to the NIST framework for guidance.

04 Notify during a data breach

Under PIPEDA’s data breach notification rule, businesses are required to notify the Office of the Privacy Commissioner (OPC) of any breach of security safeguards that poses a “real risk of significant harm” to an individual. The rule also requires businesses to notify affected individuals in a manner which makes clear the risk of harm and the steps they should take to mitigate it. Businesses should also maintain records of all breaches of security safeguards, irrespective of the scope of the breach or the sensitivity of the personal information involved, and even if the breach does not pose significant harm to individuals.

05 Provide individual access

To fulfil the obligations of individual access under PIPEDA, an organization must reply to a request for access to personal information in writing within 30 days of receipt of the request. Businesses have to confirm an individual’s request, explain how the personal data is used and provide a list of anyone with whom the information has been shared. In addition, organizations must also comply with an individual’s request to challenge the accuracy and completeness of the information and amend it.

FAQ on PIPEDA

When did PIPEDA come into effect?

PIPEDA came into force on 1 January 2001 and came into full effect on 1 January 2004.

Does PIPEDA apply to all provinces?

PIPEDA is a federal law that applies to all provinces and territories in Canada. However, Alberta, British Columbia and Quebec have their own private-sector privacy laws that are deemed substantially similar to PIPEDA. Private-sector organizations that are subject to these provincial privacy laws are generally exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province.

Who is the regulator of PIPEDA?

The Office of the Privacy Commissioner of Canada (OPC) is the federal supervisory authority under PIPEDA. Each province and territory can also designate its own supervisory authority under the Act. The OPC has investigatory powers and handles complaints lodged by individuals.

What data is exempt from PIPEDA?

  • Personal data handled by federal government organizations listed under the Privacy Act.
  • Personal data handled by provincial or territorial governments and their agents.
  • Business contact information, such as an employee’s name, title, business address, telephone number or email address, collected in relation to their employment or profession.
  • Personal information that an individual collects, uses or discloses strictly for personal purposes.
  • Personal data that is collected by an organization solely for journalistic, artistic or literary purposes.

What is the purpose of PIPEDA?

PIPEDA regulates how businesses collect, use or disclose personal information and recognizes the right of the individual to have his or her personal information protected. It is a federal law that applies to organizations in the private sector across Canada. PIPEDA shares this purpose with provincial laws like the Alberta Personal Information Protection Act (PIPA) and the British Columbia Personal Information Protection Act (PIPA).

Does PIPEDA apply to businesses outside Canada?

PIPEDA can apply to organizations outside Canada regardless of where the business is located. As per a ruling by the Canadian court, PIPEDA can apply to conduct that has a “real and substantial” connection to Canada.

The factors that can determine if a business has a substantial connection to Canada include whether a business markets its products or services to Canadians, whether it processes the personal information of Canadians, and whether any misuse or disclosure of personal information would have an impact on Canadians.

ePrivacy Regulation: What Is It & How Does It Affect Cookies?
https://www.cookieyes.com/blog/eprivacy-regulation/
Published: Tue, 21 Jun 2022 07:17:56 +0000
The ePrivacy Regulation proposal is a proposed European Union law that seeks to protect the rights of internet users. It would update the existing ePrivacy Directive, which includes rules on privacy and electronic communications.

The ePrivacy Regulation will set data protection standards for all electronic communications such as text messages, emails, WhatsApp messages, and any other form of digital communication. This would include contents of calls, metadata (such as location tracking), and cookies (online trackers). In this blog, you will also find a checklist to comply with the cookie rules proposed by the Regulation so that you can be ready when it comes into force.

Effective from: 2023 (expected)

Official text: EU Council mandate

What is the ePrivacy Regulation?

The ePrivacy Regulation is a new European Union (EU) regulation that replaces the ePrivacy Directive, which was drafted in 2002. It was supposed to come into force on May 25, 2018, the same day as the GDPR. However, it has been delayed several times. Once it comes into effect, it will provide stronger privacy protections for electronic communications (including emails and chat) while also ensuring that companies have easy access to clear and consistent rules across Europe.

In the last few years, technological and economic developments have changed the way consumers communicate. They are increasingly using new internet-based services like Voice over IP, instant messaging, and web-based e-mail services. The Directive does not cover these Over-the-Top communications services (“OTTs”). As a result, there is a need for this new regulation to ensure that users have control over their information.

The new effective date of the Regulation is unknown as the draft is still subject to dialogues between various European bodies. However, once agreed, it will come into force in two years from the twentieth day following its publication. The Regulation is not expected to come into force before 2023.

[Image: Timeline of the ePrivacy Regulation]

Like the GDPR, the ePrivacy Regulation will be enforced by EU member state councils.

Who does the ePrivacy Regulation apply to?

The European Union’s ePrivacy Regulation will apply to any business or individual who transmits information by “electronic communication services” within the EU. This includes not only emails but also text messages, chat apps like WhatsApp, and videoconferencing tools like Skype or Zoom.

The Regulation will also have extraterritorial reach to non-EU organizations that process EU residents’ data.

What is personal data in the ePrivacy Regulation?

Personal data is any information related to a natural person or “data subject” that can identify them, directly or indirectly (e.g. name, address, email address). This definition also includes indirect identifiers such as device ID numbers, IP addresses, mobile location IDs, cookies and other tracking technologies.

The Regulation specifically mentions:

  • electronic communications content and metadata carried out in connection with the provision and use of electronic communications services;
  • end users’ terminal equipment information;
  • the offering of a publicly available directory of end-users of electronic communications services; and/or
  • the sending of direct marketing communications to end-users.

The ePrivacy Regulation applies to all electronic communications services and networks that are accessible by the public and that provide publicly available electronic communications services (such as email, instant messaging and social media platforms). For example, an unauthorized email sent for direct marketing comes under the jurisdiction of the ePrivacy Regulation. Another example is search engine services that store or access cookies on the user’s device.

It does not apply to information processed by services or networks used for purely internal communications purposes between public institutions, courts, financial institutions, and employment administrations. However, the Regulation applies to electronic communications data if it is transferred from such a closed group network to a public electronic communications network.

ePrivacy Regulation on cookies (EU Cookie Law)

The ePrivacy Directive’s provisions on cookies, also known as the EU cookie law, will continue to apply under the ePrivacy Regulation. However, the draft ePrivacy Regulation introduces a few new changes. Let’s look at them in detail:

Cookie walls

Cookie walls, which block users from accessing a website if they refuse to accept the use of cookies, may be acceptable under certain circumstances. If a website provides a user-friendly, equivalent cookie-less service that does not require consent, then the website can use cookie walls. If there is no alternative way for visitors to access content on a website without accepting cookies, then blocking them from accessing the site is unfair, especially if there is no information about what types of data these cookies collect and how they will be used.

For example, a paywall gives the user different options to access the website content. One is a free subscription, where they just have to consent and can access the site’s limited services. The others are paid subscriptions, where they can access full services without consent if they make a payment. The website must inform the users in clear and plain language about the purpose of cookies and the consequences of accepting them.

[Image: The Washington Post cookie wall alternative]

Whitelisting service providers

To prevent users from getting fatigued by consent requests, they should be able to whitelist the cookies they want to accept in their browser settings. Service providers must make it easy for users to set up and amend their whitelists and to withdraw consent at any time. However, consent given directly by users overrides any software settings.

Cookies for audience measurement

Consent is not necessary if the cookies are necessary for audience measurement (analytics), as long as the measurement is being done by the provider of the service requested by the end-user or by a third party on behalf of the service provider or jointly.

Consent exemption remains the same for cookies (as described in the ePrivacy Directive) that are used for security, preventing fraud, detecting incidents, or updating software (for security or fixing vulnerabilities).

How to comply with the EU cookie law? [Checklist]

Here’s a checklist for complying with the EU cookie law on your website:

  • Use a cookie banner to inform about cookies and get consent
  • Add user-friendly options to accept, reject, or choose cookie preferences
  • Allow users to withdraw consent at any time
  • Do not set cookies before receiving consent for them
  • Use cookie walls cautiously; give an equivalent option to access the site without having users accept cookies
  • Do not use cookies for other purposes not related to the original purpose for which consent was obtained
  • Add a privacy or cookie policy to disclose details about cookies and how to manage them
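The checklist above and the PIPEDA meaningful-consent principles earlier (layered choice, withdrawal at any time, a consent log as proof) describe behaviour a site’s front-end has to enforce. The following is an added example written for this article, not code from CookieYes: a small consent-gated cookie layer in which no non-necessary cookie is written before an explicit choice, withdrawal removes the cookies of refused categories, tags are deferred until their category is allowed, and every choice is logged. The cookie names and categories are illustrative assumptions, and the in-memory store stands in for document.cookie so the code runs outside a browser.

```javascript
// Added example (not CookieYes code): consent-gated cookie handling for the
// EU cookie law checklist. Assumed cookie names and categories, not a list
// taken from the original article.

// Cookie categories: 'necessary' never needs consent; everything else does.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Registry mapping each cookie the site sets to its category (assumed names).
const COOKIE_CATEGORY = {
  session_id: 'necessary',
  _ga: 'analytics',
  _fbp: 'marketing',
};

// Minimal in-memory stand-in for document.cookie, constructed for this
// example so it runs in Node. In a browser, back it with document.cookie.
function createMemoryCookieStore() {
  const jar = new Map();
  return {
    set: (name, value) => { jar.set(name, value); },
    get: (name) => jar.get(name),
    remove: (name) => { jar.delete(name); },
    names: () => [...jar.keys()],
  };
}

function createConsentManager(store, now = () => new Date()) {
  let consent = null;      // null until the visitor has made an active choice
  const consentLog = [];   // append-only record kept as proof of consent
  const pending = [];      // tags waiting for their category to be allowed

  function isAllowed(category) {
    if (category === 'necessary') return true;
    return consent !== null && consent[category] === true;
  }

  // Applies a banner choice. Categories not listed default to refused, so
  // a "Reject all" click is simply setConsent({}).
  function setConsent(choices) {
    const state = {};
    for (const c of CATEGORIES) {
      state[c] = c === 'necessary' ? true : choices[c] === true;
    }
    consent = state;
    consentLog.push({ at: now().toISOString(), state: { ...state } });

    // Withdrawal takes effect immediately: drop cookies of refused categories.
    for (const name of store.names()) {
      const cat = COOKIE_CATEGORY[name];
      if (cat !== undefined && !state[cat]) store.remove(name);
    }
    // Release deferred tags whose category is now allowed.
    for (let i = pending.length - 1; i >= 0; i--) {
      if (isAllowed(pending[i].category)) {
        const [job] = pending.splice(i, 1);
        job.run();
      }
    }
    return { ...state };
  }

  // Gate for cookie writes: rejects unclassified cookies (a cookie cannot be
  // used for a purpose nobody consented to) and cookies lacking consent.
  function setCookie(name, value) {
    const cat = COOKIE_CATEGORY[name];
    if (cat === undefined) {
      throw new Error(`cookie "${name}" is not classified; assign a category first`);
    }
    if (!isAllowed(cat)) return false;
    store.set(name, value);
    return true;
  }

  // Runs a tag (for example an analytics loader) now if its category is
  // allowed, otherwise defers it until the visitor consents to that category.
  function runWhenAllowed(category, run) {
    if (isAllowed(category)) { run(); return true; }
    pending.push({ category, run });
    return false;
  }

  return {
    isAllowed,
    setConsent,
    setCookie,
    runWhenAllowed,
    acceptAll: () => setConsent({ analytics: true, marketing: true }),
    rejectAll: () => setConsent({}),
    withdraw: () => setConsent({}),
    getConsent: () => (consent === null ? null : { ...consent }),
    getLog: () => consentLog.map((e) => ({ at: e.at, state: { ...e.state } })),
  };
}
```

Wire the banner’s Accept, Reject and Save-preferences buttons to acceptAll, rejectAll and setConsent, and the revisit button to withdraw or setConsent; route every cookie write through setCookie so nothing bypasses the gate.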


What are the fines and penalties under the ePrivacy Regulation?

The draft ePrivacy Regulation’s fines are very similar to the GDPR’s:

  • Less serious violations: up to 2% of annual global turnover, or up to €10 million (approx. $11.8 million), whichever is greater.
  • More serious violations: up to 4% of annual global turnover, or up to €20 million (approx. $23.6 million), whichever is greater.

Those who suffered damages from the violations can claim compensation.

How does the ePrivacy Regulation differ from GDPR?

The ePrivacy Regulation is a broader law than the GDPR, applying not only to online communications but also to other electronic communications such as text messages and phone calls.

One key difference between the two laws is that while the GDPR focuses primarily on data protection, the ePrivacy Regulation focuses primarily on privacy.

Here’s a quick look at the differences between the two regulations:

[Infographic: GDPR vs ePrivacy Regulation]

Let us look in detail at the four key factors of the comparison: objective, scope, data covered and cookies.

1. Objective

The objective of the GDPR is to protect the rights and freedoms of individuals within the EU and their right to privacy of their personal data.

The ePrivacy Regulation, by contrast, is lex specialis to the GDPR, covering the confidentiality of electronic communications, be they electronic communications services or services offered over an electronic communications network. Electronic communication will include services like messaging and video calling applications, metadata and Internet of Things (IoT) devices, along with emails and SMS messages.

2. Scope

Organizations are often confused as to when and why the GDPR or the ePrivacy Regulation applies to them.

The GDPR applies to entities anywhere in the world that collect and process personal data (data that can be used to identify an individual, directly or indirectly) of individuals within the EU territory.

The ePrivacy Regulation, however, applies to entities that provide:

  • an electronic communications service;
  • a service over an electronic communications network;
  • services or networks that are publicly available;
  • services and networks in the EU.

3. Data covered

The GDPR protects personal data that can identify an individual within the EU, directly or indirectly, e.g. name, email address, mailing address, location details, phone number and social media credentials.

Here is where the ePrivacy Regulation differs from the GDPR. It covers all this data, but only when it is collected via a “publicly available” electronic communication service or network. Therefore, the GDPR exempts data processing from compliance if:

  • it does not involve any personal data (e.g. publicly available phone number or IP address of an electronic communication machine such as a digital copier).
  • the data falls outside the material scope of the GDPR.
  • it falls outside the territorial scope of the GDPR.

4. Cookies

Personal data collected and accessed via cookie identifiers fall under the material scope of both GDPR and ePrivacy Regulation.

The GDPR mentions cookies only once compared with the ePrivacy Regulation, also known as the EU Cookie Law, which has dedicated clauses for cookies.

Both regulations require website operators to obtain consent from visitors to store cookies on their devices. The difference is that the GDPR generalizes cookie identifiers as part of its personal data definition. The conditions for valid consent are the same in both laws.

So, what is the difference? Cookie walls.

The GDPR does not specifically mention them, but cookie walls are illegal under it, as they rob users of the free and genuine choice to consent that the law requires. The ePrivacy Regulation, as we discussed, prohibits their use but allows them if the site provides an equivalent service that does not require consent.

Frequently asked questions

Is the ePrivacy Regulation in force?

No, the ePrivacy Regulation is not in force yet. It is not expected to come into effect before 2023.

What is the ePrivacy law relationship with the GDPR?

The ePrivacy law is a separate piece of legislation that is related to the GDPR. It was created as a response to concerns about how data privacy is handled by online services. The ePrivacy law is not directly connected with the GDPR, but it does include similar provisions for how cookies are used on devices.

Will the UK adopt the ePrivacy Regulation?

No. The UK left the EU on 31 January 2020 and the transition period ended on 31 December 2020, so an EU regulation adopted after that date does not apply automatically in the UK. The UK instead retains PECR (the Privacy and Electronic Communications Regulations 2003), its national implementation of the ePrivacy Directive, which works alongside the UK GDPR. UK websites should therefore follow PECR and ICO guidance on cookies rather than waiting for the ePrivacy Regulation.

What does the ePrivacy Directive apply to?

The ePrivacy Directive applies to the electronic communications sector and, through Article 5(3), to any website or service that stores information on, or reads information from, a user's device. That covers cookies, local storage, device fingerprinting and other web tracking techniques, regardless of whether the information counts as personal data under the GDPR.

Will the ePrivacy Regulation replace the GDPR?

No, the ePrivacy Regulation will not replace the GDPR. It will be used in conjunction with the GDPR.  The GDPR is a set of rules that apply to the processing of the personal data of EU residents. The ePrivacy Regulation, on the other hand, focuses on the confidentiality of electronic communications of EU residents.

The post ePrivacy Regulation: What Is It & How Does It Affect Cookies? appeared first on CookieYes.

Legitimate Interest Under GDPR: When to Use It? https://www.cookieyes.com/blog/legitimate-interest/ Mon, 13 Jun 2022 14:33:51 +0000
Legitimate interest has become one of the key concepts to be aware of in the new data protection framework. It is also a concept that many seem to find confusing and are unsure as to how it will affect them. In this blog, we aim to address some of the questions surrounding it to provide some clarity on what legitimate interest is and when it might be relevant.

First of all, let’s have a basic understanding of what legitimate interest is.

What is GDPR’s legitimate interest?

Legitimate interest is one of the lawful bases for processing personal data. Under the GDPR, you can process personal data if you have a legitimate interest to do so.  

This legal basis is only available in certain circumstances. If your organization relies on legitimate interests as its lawful basis, you must be able to show a genuine reason for processing the data. Two limits apply: the processing must be necessary for that purpose, and there must be no less intrusive way of achieving it.

Your legitimate interest requires a careful assessment of the circumstances surrounding the processing of personal data. This includes the nature of your relationship with the individual whose information you wish to use, e.g. if the individual uses a service provided by you.

When does Legitimate Interest apply and how to demonstrate it?

To decide whether you can rely on legitimate interests, assess the purpose of the processing and its effect on the individuals concerned. You should consider:

  • The benefits of processing the data, to you, to the individual, or to third parties.
  • Whether the processing is necessary to achieve those benefits, and whether you could achieve them without processing personal data at all, or with less of it (e.g. through anonymization or pseudonymization).
  • The nature of the personal data being processed, including how sensitive it is (e.g. medical records) and what the individuals would reasonably expect you, or third parties you share it with, to do with it.
  • Whether the likely impact of your processing could cause the individuals harm or distress if it is not handled appropriately (e.g. financial data).

ICO recommends this as a three-part test, called Legitimate Interest Assessment (LIA):

  1. The purpose test: determine if your purpose for processing data is legitimate.
  2. The necessity test: make sure that processing is necessary for the said purpose.
  3. The balance test: make sure that the individual’s rights or interests don’t override your legitimate interest.

Using this test, you can identify if your use of legitimate interest is valid.

You can use the ICO's LIA template to document your assessment.

What is not legitimate interest under GDPR?

The GDPR says little about what does not constitute a legitimate interest. As a rule of thumb, any purpose the individual would not reasonably expect, given the context in which they gave you their data, does not fall under this basis.

For example, if a user orders a product from your website as a guest without creating an account, you may process the data needed to fulfil the order, such as their email address and payment details. You cannot simply reuse those contact details to send them special offers or promotions: they shared the data to complete a purchase, not to receive marketing, so that further use is outside their reasonable expectations.

The ICO suggests working through a checklist (which includes the LIA). If one or more of its points do not hold for your processing, you cannot rely on legitimate interests for it.

ICO checklist for legitimate interest
Source: ICO

What are examples of legitimate interests?

Examples of legitimate interests include:

Direct marketing

The GDPR’s effect on marketing is huge. However, marketers are still puzzled about the right approach.

Recital 47 of GDPR states that:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Organizations may send information that they think users will find relevant or interesting, but it must be clear to the user that they can opt out at any time. For example, a SaaS company emailing existing customers about upcoming special offers on the service they already use could rely on legitimate interests, because the message benefits the customer and does not override their rights or freedoms, provided an opt-out is offered and honoured.

Here are the marketing methods that are likely to fall under legitimate interest:

legitimate interest for marketing methods by ICO
Source: ICO

Network and information security

Recital 49 of the GDPR expressly recognises processing that is strictly necessary and proportionate for network and information security as a legitimate interest: preventing unauthorized access to systems and data, stopping the distribution of malware, and withstanding denial-of-service attacks. Retaining web server access logs with client IP addresses for intrusion detection, or analysing authentication attempts to spot credential-stuffing, are typical examples. The usual limits still apply: keep only what the security purpose needs, for as long as it needs it, and do not repurpose security logs for marketing or profiling.

Fraud detection and crime prevention

If your business handles sensitive data such as card numbers, laws in many jurisdictions require you to verify the identity of your customers. Beyond any such legal obligation, you can rely on legitimate interests to analyse customer and transaction data for signs of fraud or criminal activity, which Recital 47 of the GDPR names as an example of a legitimate interest.

Processing employee or client data

There are many situations in which processing employee or client data serves a legitimate interest. One example is using payroll software to pay your employees and keep their records up to date; note, though, that where the processing is required by the employment contract or by tax law, performance of a contract or a legal obligation is often the more precise lawful basis, and the ICO recommends picking the basis that fits best rather than defaulting to legitimate interests.

Another example is running background checks on applicants for positions at your company. This can be a legitimate interest because it protects the company from hiring someone unsuited to the role, provided the checks are proportionate to the position and the applicant is told about them.

What does legitimate interest mean for cookies?

In the early days of the internet, cookies were used to improve a website’s usability. They made it easier for users to log in and allowed them to save their preferences. Over time, cookies have become more entrenched in how we use the internet.

So, can a website rely on legitimate interests to set cookies? Some sites claim a legitimate purpose for collecting personal data from users and use it to skip cookie consent. Do the laws actually allow that? The answer lies in the texts themselves.

Website cookies are often set for marketing purposes. Even though Recital 47 states that direct marketing may be a legitimate interest, Article 21 and Recital 70 give users an unconditional right to object to processing for direct marketing purposes. Users must therefore be able to refuse marketing cookies, which in practice means asking them first; legitimate interests is not a viable basis here.

What about cookies that are not related to marketing?

The ePrivacy Directive and the GDPR are the two EU laws governing cookies. The ePrivacy Directive regulates the act of storing and reading cookies on a user's device, while the GDPR regulates the processing of the personal data obtained through them; the two work together to protect the personal data of people in the EU. Even if a particular processing purpose could qualify as a legitimate interest under the GDPR, the ePrivacy Directive takes precedence for the cookie itself: Article 5(3) requires consent before storing or accessing any cookie that is not strictly necessary for a service the user has requested, and it offers no legitimate-interest exemption. Cookies that track user behaviour may help a website improve its services, but they also intrude on privacy in a way users do not necessarily expect, which is exactly why the Directive requires a choice.

Therefore, legitimate interests cannot be used as the legal basis for setting non-essential cookies or for processing the personal data they collect. The only cookies that need no consent are those that are strictly necessary for the service the user asked for, and for the personal data those cookies process you still need a GDPR lawful basis, which may be legitimate interests or performance of a contract.


Legitimate interest vs consent

Consent and legitimate interests are two different lawful bases for processing users' personal data under Article 6 of the GDPR. Legitimate interests is not an exception to consent; it is an alternative basis with its own conditions.

Consent is the more demanding option for businesses because it requires the user to affirmatively agree to the use of their personal data, and they can withdraw that agreement at any time. Legitimate interests can be relied on without asking the user, but only if the business can demonstrate that the processing is necessary for a genuine purpose and that the user's interests, rights and freedoms do not override it.

In other words, legitimate interest is when you have a legitimate reason to process someone’s personal data. Consent is when they give you permission to do so.

When using legitimate interests as a legal basis for processing personal data, it’s important that these are specific and focused on what benefits the organization or its customers or users. E.g. improving security, product improvement, improving customer experiences, training staff, etc.

If your processing is based on consent, then you don’t need to do an LIA. You can just rely on consent as a legal basis.

In addition, while you must clearly communicate about both of them to users to protect them from harm or deception, only consent requires affirmative action on behalf of the user before it becomes effective.

If you aren’t sure whether your purpose of processing personal data is legitimate, you should rely on other lawful bases, such as consent to collect user data. 

Frequently asked questions

What is a legitimate interest under GDPR?

A legitimate interest is a legal basis for processing personal data under the GDPR. It is one of the six conditions for lawfully processing personal data. This means that if you have a legitimate interest in processing an individual’s personal data, you do not need to obtain consent from them before doing so.

The GDPR states that processing is lawful under this basis if:

  • your purpose for carrying out the processing is legitimate;
  • it is necessary for fulfilling the said purpose; and
  • it is balanced against any impact on the individual’s rights and freedoms; 

When can I use legitimate interest?

Legitimate interests is a lawful basis for processing personal data. Under the GDPR you can rely on it only if the processing is necessary for a legitimate interest of yours or of a third party, and the individual's interests, rights and freedoms do not override it.

You can use it when all of the following hold:

  • the alternatives (the other lawful bases, including consent) are not appropriate or achievable;
  • you have a clear and legitimate purpose for processing the personal data; and
  • the processing is necessary for that purpose.

Should I accept legitimate interest?

Legitimate interests is a lawful basis for processing personal data under the GDPR and is an alternative to consent, not a way around transparency. You must still tell people what information you hold about them, why you hold it, what lawful basis you rely on, and how long it will be kept. This is required to demonstrate transparency and accountability.

If you collect data from someone who has not given their consent, then you must include an explanation of your legitimate interest in collecting the data in your privacy notice.

What is the legitimate interest of data subjects?

Article 6(1)(f) of the GDPR does not give data subjects a "legitimate interest" of their own. It refers to the legitimate interests pursued by the controller or by a third party, which must be balanced against the interests and fundamental rights and freedoms of the data subject; those interests are what the balancing test in the LIA protects. Processing that is necessary to protect someone's life or physical safety is a separate lawful basis, vital interests (Article 6(1)(d)), and should not be confused with legitimate interests.

The post Legitimate Interest Under GDPR: When to Use It? appeared first on CookieYes.

A Guide to Cookie Law https://www.cookieyes.com/blog/cookie-law/ Thu, 26 May 2022 06:49:56 +0000
Since the GDPR came into effect in 2018, web cookies have taken centre stage when we talk about online privacy. But even before the GDPR was adopted, the European Union had laid out rules for the use of cookies in the ePrivacy Directive (ePD).

The ePD came to be better known as the ‘cookie law’ or EU cookie law since its most notable impact was seen in the emergence of the cookie consent banners on websites. Prior to its arrival, most websites dropped cookies on a user’s browser, often without their consent or knowledge.

What is the Cookie Law?

The EU cookie law, or simply cookie law, is the commonly used term for the ePrivacy Directive (ePD). It requires websites to obtain consent from users before storing cookies on, or retrieving them from, their devices, except for strictly necessary cookies. Article 5(3) of the Directive sets the rules for information stored in the terminal equipment of a subscriber or user, which includes cookies. It says:

  • Websites are allowed to set cookies after users are provided with clear and precise information about the purposes of cookies that are placed on the user’s device. 
  • Users should be given the opportunity to refuse cookies on their device
  • Users should be offered the right to refuse before dropping the cookies and also at any later time.
  • The method for giving information, requesting consent or offering the right to refuse should be made as user-friendly as possible.

The ePD specifies exemptions from cookie consent for cookies that fall under the following criteria:

  • Cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, 
  • Cookies that are strictly necessary in order to provide service explicitly requested by the user.
Cookie consent banner to comply with Cookie Law.

Things to know: EU Cookie Law

  • The EU cookie law (Directive 2002/58/EC) came into effect in 2002 and was amended in 2009 (Directive 2009/136/EC), which introduced the consent requirement for cookies.
  • It regulates privacy in the electronic communications sector, including the confidentiality of communications, traffic and location data, unsolicited marketing such as email marketing, and the use of cookies on websites.
  • Like other EU directives, it is not directly applicable; it binds each member state to transpose it into national law (e.g. PECR in the UK), so the exact rules and penalties vary by country.
  • The ePrivacy Regulation is intended to replace the ePD. As a regulation it will apply directly in all member states without national transposition.
  • The EU cookie law is enforced by the national data protection authority (DPA) of each EU member state, or by the national telecoms regulator where a member state has assigned it that role.
  • The European Data Protection Board (EDPB), made up of the national DPAs, does not enforce the cookie law itself; it issues guidance (for instance on valid consent) that the DPAs apply.
  • The GDPR complements the ePrivacy Directive and expands on some of its requirements, but the Directive is still applicable on its own.

How does GDPR affect EU cookie law?

Recital 30 of the General Data Protection Regulation considers cookies as part of personal data. It requires websites and web publishers to obtain valid consent when collecting personal data from users. Therefore, the GDPR and Cookie Law work in tandem in the European Union.  For consent to be valid under the GDPR, it should be:

  • Freely given: The user should have a choice to give/deny consent and should not be forced to consent.
  • Informed: The user should be informed of what they are consenting to such as the use of cookies, and the purposes for which they are used on your site.
  • Specific: Consent should be asked for specific purposes separately. For instance, cookie consent cannot be bundled with terms and conditions.
  • Unambiguous and affirmative: Consent should be given using a positive action, such as clicking on the ‘Agree’ button and cannot be implied.

The draft ePrivacy Regulation also requires consent before processing users' data, including data stored in or read from cookies. If you are a website owner or web publisher, here is what you need to do to comply with the cookie law.

Checklist to comply with EU cookie law

  • Display a cookie banner on a user’s first visit to your website.
  • Inform users of the cookies you use, and their purposes.
  • Collect users’ active consent to cookies.
  • Provide users with the option to take affirmative action such as clicking on ‘accept’ or ‘reject’ cookies button.
  • Give users the option to opt-in to specific cookie categories.
  • Do not use pre-ticked or ‘on’ sliders for cookies other than strictly necessary cookies.
  • Block third-party cookies until the user gives explicit consent for their use.
  • Store cookie consents for proof of compliance in case you are subject to regulatory scrutiny.
  • Provide detailed information – the name of the provider that sets the cookie, description and cookie duration in your cookie policy.
  • Give users a user-friendly and easily accessible option to revoke or withdraw consent.
  • Do not use cookie walls that prevent access to the website unless the user accepts cookies.
  • Do not set cookies if the user is scrolling or continuing to use a website without interacting with the cookie banner.
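The checklist above boils down to a small state machine: nothing non-essential is on by default, only an explicit banner action changes the state, every decision is logged, and withdrawal resets everything. The following is an added example of that logic, written for this page and not taken from CookieYes or any of its products. It is DOM-free so it runs in Node; in a browser you would call `gateScripts` before injecting third-party tags and persist `serialize()` in a first-party cookie. The category names, the sample cookie table, and the action names (`accept_all`, `reject_all`, `save_preferences`, `withdraw`) are assumptions made for the example.

```javascript
// Added example (not CookieYes code): a minimal consent gate enforcing the
// EU cookie law checklist. No pre-ticked boxes, no consent by scrolling,
// tags blocked until opt-in, a consent log, and withdrawal.

const CATEGORIES = ["necessary", "functional", "analytics", "advertisement"];
// Only these banner actions may change consent; "scroll", "timeout" etc. are ignored.
const EXPLICIT_ACTIONS = new Set(["accept_all", "reject_all", "save_preferences", "withdraw"]);

// Constructed sample cookie table (name -> category), as a site scan would produce.
const COOKIE_TABLE = {
  session_id: "necessary",
  lang_pref: "functional",
  _ga: "analytics",
  _fbp: "advertisement",
};

// Only strictly necessary cookies are on before the user decides.
function defaultState() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
}

class ConsentStore {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;          // injectable for testing
    this.state = defaultState();
    this.decided = false;        // true only after an explicit banner action
    this.log = [];               // consent log: proof of each decision
  }

  // Apply a banner action. Returns false (and changes nothing) for implicit signals.
  record(action, choices = {}) {
    if (!EXPLICIT_ACTIONS.has(action)) return false;
    let next = defaultState();
    if (action === "accept_all") {
      for (const c of CATEGORIES) next[c] = true;
    } else if (action === "save_preferences") {
      for (const c of CATEGORIES) if (choices[c] === true) next[c] = true;
    }
    // "reject_all" and "withdraw" keep the defaults; necessary can never be off.
    next.necessary = true;
    this.state = next;
    this.decided = action !== "withdraw";
    this.log.push({ at: this.clock(), action, state: { ...next } });
    return true;
  }

  isAllowed(category) {
    return this.state[category] === true;
  }

  // Block a cookie unless its category is consented to. Unknown cookies are
  // blocked until classified, which is the safe default.
  shouldBlock(cookieName) {
    const category = COOKIE_TABLE[cookieName];
    return category === undefined || !this.isAllowed(category);
  }

  // Value to persist in a first-party consent cookie.
  serialize() {
    return JSON.stringify({ v: 1, decided: this.decided, state: this.state });
  }

  // Rebuild from a stored value; anything malformed or tampered falls back to
  // defaults, so a corrupted cookie can never grant consent.
  static fromSerialized(value, clock) {
    const store = new ConsentStore(clock);
    try {
      const data = JSON.parse(value);
      if (data && data.v === 1 && data.state && typeof data.state === "object") {
        const next = defaultState();
        for (const c of CATEGORIES) if (data.state[c] === true) next[c] = true;
        next.necessary = true;
        store.state = next;
        store.decided = data.decided === true;
      }
    } catch (_) {
      // keep defaults
    }
    return store;
  }
}

// Given the tags a page wants to run, return only those the visitor opted into.
function gateScripts(scripts, store) {
  return scripts.filter((s) => store.isAllowed(s.category));
}
```

Two design points worth noting. The "scroll" case returns `false` from `record` without touching state or log, so a banner that wires scroll events to it cannot accidentally manufacture consent. And `fromSerialized` treats any unparseable or unexpected stored value as "no consent", which matters because the consent cookie itself is client-controlled and a tampered value must fail closed.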


How do you comply with EU cookie law?

1. Sign up on CookieYes for free

Enter your email and your website address to signup.  No credit card details are required.

2. Add a cookie banner to your website

Select and customize the cookie banner. Copy the code and add it to your website’s source code. 

3. Complete your website scanning

After adding the code to your website, verify your email address to scan your entire website for cookies. Your new cookie list will be auto-updated on your live cookie banner.

Your cookie consent mechanism is all set up and you are ready to obtain active consent from your users. Once up and running, you can access the following features that help foolproof your cookie compliance.

Consent Log: Your user consents will also be automatically recorded in the Consent Log to maintain proof of consent. 

Revisit Consent Button: You can customize the consent revisit widget that is enabled by default. It gives users the option to change consent at any time, after the banner is dismissed. 

Cookie Manager: You can also manually edit cookie details – name, description and category or add new cookies to auto-block.

Cookie Policy: You can generate a cookie policy for your website. Your complete cookie list will be embedded within your policy by default.

Cookie Law in the UK

The Privacy and Electronic Communications Regulations (PECR) are the UK's implementation of the ePrivacy Directive. Like the Directive, PECR regulates electronic communications in the UK, including electronic marketing by telephone, SMS, email and fax, and the use of cookies and trackers on websites. It works alongside the UK GDPR.

Similar to the provision in the EU, cookie law in the UK also requires prior consent for setting cookies and follows the same guidelines as underlined in the GDPR.

Cookie laws in the US

While the US does not have a federal privacy law, state-level privacy regulations like the California Consumer Privacy Act (CCPA) have provisions to regulate the use of cookies.

California Consumer Privacy Act (CCPA)

California's CCPA does not explicitly require a cookie consent banner, but it does require notice at or before the point of collection of personal information. Since personal information includes identifiers set by cookies and other trackers, a website that drops third-party advertising cookies on a user's device is treated as selling personal information and must provide a "Do Not Sell My Personal Information" opt-out notice.

Cookie laws around the world

As the GDPR became the blueprint for data privacy regulation worldwide, consent is now a key requirement in most privacy laws.

While not all regulations mention cookies or have specific guidelines for cookies, the definition of personal data is broad, so identifiers like cookies, trackers and IP addresses etc. fall within the scope of the law.

General Personal Data Protection Law (LGPD), Brazil

Brazil’s privacy regulation LGPD defines personal data as any information related to a natural person and therefore can cover the use of cookies and trackers.  As per the LGPD, consent must be a free, informed, and unambiguous indication, given for specific purposes. As this closely resembles cookie law in the EU, a cookie banner is required to comply.

Protection of Personal Information Act (POPIA), South Africa

South Africa’s regulation POPIA does not explicitly regulate the use of cookies, but the definition of ‘unique identifier’ in POPIA can include cookies and trackers. As per POPIA, websites are required to obtain opt-in consent whenever users are asked for their personal information and consent should be voluntary, specific and informed action. Therefore, a cookie consent banner is required under this act.

Personal Data Protection Law (PDPL), Saudi Arabia

Saudi Arabia’s privacy law PDPL requires that consent is necessary to process personal data, with some exceptions. While the law does not specifically mention cookies it defines personal data as any information that identifies a person specifically or could lead to their identification. As cookies can be covered within this scope, cookie consent can be a requirement under the law.

What is ePrivacy Regulation?

The Regulation on Privacy and Electronic Communications, or ePrivacy Regulation, is the proposed regulation for protecting electronic communications within the EU. It will repeal and replace the ePrivacy Directive and act as lex specialis to the General Data Protection Regulation (GDPR). It covers the confidentiality of electronic communications, machine-to-machine and Internet of Things (IoT) communications, metadata, cookie consent, and direct marketing. The Council of the EU agreed its negotiating position on the draft in February 2021 and negotiations with the European Parliament are ongoing; the Regulation is not expected to apply before 2023 at the earliest.

FAQ on Cookie Law

What does the cookie law say?

The EU Cookie Law, or ePrivacy Directive, requires websites to get consent before dropping cookies on a user's device. Certain cookies are exempt from the consent requirement, including:

  • Cookies that are used to carry out the transmission of communication over an electronic communications network.
  • Cookies that are strictly necessary to provide a service requested by the user.

As per the rules of the ePrivacy Directive and the GDPR website owners should:

  • Inform users that the website uses cookies (e.g. via a cookie banner).
  • Provide detailed information on (i) what information each cookie collects, and (ii) its purpose and the provider that sets it.
  • Provide that information in plain and clear language.

Does EU cookie law apply to US websites?

The ePrivacy Directive does not have extra-territorial scope and applies to activities within the European Union. If a US-based website does not conduct any business with the EU residents, it may not be required to comply with EU cookie law. 

However, if a US website does business with EU residents and collects and processes their personal data to provide its services, the EU cookie law will apply in conjunction with the GDPR. Unlike the ePD, GDPR can apply to any organization, established in the EU or not, if they offer goods and services to the people in the EU, or monitors their behaviour taking place in the EU. 

Is there a cookie law in the US?

No. There is no federal privacy law in the US. However, state-level privacy laws such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA) have provisions that cover the use of cookies. For instance, the CCPA requires websites to display an opt-out notice so that users can opt out of the sale of their personal information (i.e. disclosing it to third parties for money or other valuable consideration), which includes identifiers collected through third-party cookies.

The post A Guide to Cookie Law appeared first on CookieYes.