Best practices for cookies compliance is formed of two parts; a cookies policy (separate to your privacy policy) and a dynamic cookie management platform.
It is best practice to maintain separate cookies and privacy policies. A cookies policy is a declaration to your website users about
- What cookies are active on your website;
- What data the cookies are tracking and for what purpose; and
- Where in the world this data is sent.
Dynamic Consent Management
It is best practice to use a dynamic consent management tool, such as Dataships’ to manage and automate your cookie compliance, users consent & your records of compliance. There are four important considerations in the implication of such a tool:
1. Initial Cookie Banner:
We recommend implementing a non intrusive cookie banner at the bottom of the user’s screen. This banner should contain a first layer of information about the use of cookies and should link to your Privacy Centre to provide further information.
This cookie banner cannot ‘nudge’ a user into accepting cookies and if you use a button on the banner with an ‘accept’ option, you must give equal prominence to an option which allows the user to ‘reject’ cookies, or ‘manage cookies’ which brings them to an additional layer of information in order to allow them to do that.
2. Second layer of information:
This second layer should provide further details about the categories of cookies being used. Consent does not need to be given for each cookie, but it must be given for each purpose for which cookies are used. These categories must not contain pre-checked boxes signaling ‘consent’ for the use of cookies or be ‘toggled on’. The second layer should also contain a link to your ‘cookie declaration’ detailing all the cookies that are used by your site & for what purpose.
3. Cookie Declaration:
Dataships’ cookie tool works dynamically by continuously scanning your site for cookies and surfacing these dynamically in your cookie declaration. These appear under four headings which you can manage; necessary, preference, marketing and statistics. Here you give your users additional information as to the name of the cookie, the provider, its purpose, expiry and type. Users can then make an informed decision whether to accept or reject these cookies. This ensures you are complying with the transparency articles of the GDPR (Articles 12 – 13).
4. Duration:
If you store a record that a user has given consent to the use of cookies, you should ask the user to reaffirm their consent no longer than six months after you have stored this consent state.