Cookie Consent 101
An article that serves as an introduction to data capture and cookie consent in the EU.
This article helps you understand:
- Cookie Consent in the EU
- Data Capture Process in the EU
- Cookie Consent Requirements in the EU
- Cookie Classifications
Data privacy legislation is becoming increasingly prevalent in economies across the globe, and many countries have based their legislation on the EU's General Data Protection Regulation (GDPR). When other countries' data legislation is compared with the EU's, the scope and applicability are often similar, and the main difference is sometimes the financial fines. With this in mind, this article focuses on cookie consent strictly within the EU.
Defining a Cookie
A cookie is a set of data that is stored in the site visitor’s browser. Cookies were created to make browsing the web more consistent for a visitor by remembering parts of their previous web behavior. Cookies can store settings and data such as language, passwords, identifiers and carts.
The core purpose of GDPR-type legislation is that organizations must receive users’ consent before any cookies are used, except for strictly necessary cookies. When Sitecore CDP documentation and articles refer to cookies and tracking, they assume that consent has been given for the cookie to be set and data to be captured.
Consent is the first stage in the data capture process.

Let’s dive a little more into consent for a moment.
Websites that deal with EU citizens must comply with the following GDPR cookie consent requirements:
- Prior and explicit consent must be obtained before any activation of cookies (apart from necessary cookies).
- Consents must be granular.
- Consent must be freely given.
- Consents must be as easily withdrawn as they are given.
- Consents must be securely stored as legal documentation.
- Consent must be renewed at least once per year. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.
Consent Classification & Cookies
As you have experienced from navigating the web, consent classifications vary; however, these are the classifications provided by the EU:
- Strictly Necessary cookies
- Preferences cookies
- Statistics cookies
- Marketing cookies
Regulation for Data Capture
This affects all data capture and is not just related to Sitecore CDP data capture:
- If data capture is classified as Strictly Necessary then no consent is required, and data capture can occur without consent.
- If data capture is classified as anything else, consent is required and data capture should not occur until consent is gathered.
Learn more about the detail of these classifications here.
Some Sitecore CDP clients classify Sitecore CDP cookies as Strictly Necessary, as we perform key functionality on their site. Other clients classify Sitecore CDP cookies as Preference or Marketing. This is a decision for you as a Data Controller, and you should consult with your Data Protection Officer (DPO) and local regulations to determine what classification is right for your deployment of Sitecore and any other data capture providers you use.
Now that you're up to speed on Cookie Consent, we recommend you read the Is the future cookieless? article.
Disclaimer
The author's opinions do not constitute legal or privacy advice in any way whatsoever. Sitecore strongly recommends that you perform your own independent research and/or speak with your DPO and experts within your business when making decisions related to consent, data capture or your responsibilities as a Data Controller.

Ruadhán Barry
Director of Analytics
Updated 3 months ago