Cookies are small text files that are stored on a user's device when they visit a website. They are used to track the user's personal information, such as login credentials, browsing history, preferences, or shopping cart contents. There are several ways to manage cookies on a website.
The use of cookies and other trackers on websites is regulated by the General Data Protection Regulation (GDPR) in the EU, the California Consumer Privacy Act (CCPA) in the US, and other privacy laws around the world.
Read this blog to find out what cookie control is, how to manage it, and how to stay compliant with the GDPR, the CCPA, and other major privacy laws. At the end of this article, you will also find an automatic cookie control solution, offered by CookieScript.
What is Cookie Control?
Cookie control is the process of managing and controlling the use of cookies on a website. Cookie control also means obtaining and managing valid user consent to use cookies.
The most popular way for cookie control is to set up a cookie banner or pop-up on a website that informs users of the use of cookies and allows them to accept or reject them. Another way is to provide a link to a dedicated Cookie Policy page, where users can learn more about the types of cookies used on the website and how to manage them.
The Cookie Banner includes basic information required by privacy laws. You can provide more detailed information about cookies on your Cookie Policy page or Privacy Policy page.
Cookie Consent must be obtained prior to storing cookies on users' devices. Websites must give users the possibility to withdraw their consent to use cookies at any time and to control their data collected via cookies.
Another important aspect of cookie control is compliance with laws and regulations such as the GDPR and the CCPA. It's also necessary to have a legitimate interest in the use of cookies.
Cookie Control in the EU
The EU has the strictest rules regarding personal data protection in the world. Personally identifiable information (PII) of European citizens is well described and protected by the law. In the EU, the use of cookies on websites is regulated by the GDPR and ePrivacy Directive (EU Cookie Law), which are incorporated into national laws in all EU member states.
To use cookies, websites need to get users’ cookie consent since cookies collect personal data and track user activity. However, some cookies are exempt from the law. Strictly necessary cookies, which are necessary for a website to function properly, do not require Cookie Consent.
Here are the main points you must follow while adding a Cookie Banner on a website:
- Describe what kind of cookies you intend to set and why.
- Explain why you need to set cookies.
- The banner should have opt-in and opt-out options for accepting and rejecting cookies, respectively.
- Do not drop cookies before the user has given explicit consent (opt-in option).
- Do not use pre-ticked check boxes for Cookie Consent.
- Give a possibility to enable Cookie Consent based on cookie category.
- Include information about your Privacy Policy and a link to it.
- Give a possibility to withdraw or change the Cookie Consent status on every page of your website.
- Document and store all user consents.
- Make your website accessible even if the user did not allow the use of cookies.
- Non-interaction with the banner or scrolling over the web page does not mean the user gave Cookie Consent.
Under the GDPR, explicit Cookie Consent mode is required, meaning that the user must take clear affirmative action to accept cookies.
Websites must disclose what kind of cookies are used, for what purposes, and other details in the cookie notice with the possibility to opt-in and opt-out of cookies.
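One way to enforce the banner rules above in code, shown as an added example that is not CookieScript's implementation: every cookie write passes through a gate that starts with only strictly necessary cookies allowed, accepts opt-in per category, deletes cookies on withdrawal, and logs each choice. The category names and the `store` interface are assumptions.

```javascript
// Added example. Category names and the store interface are assumptions.
const EXEMPT = "strictly_necessary";
const CATEGORIES = [EXEMPT, "preferences", "analytics", "marketing"];

class ConsentGate {
  // store: { set(name, value), remove(name) }, e.g. a document.cookie wrapper.
  constructor(store, clock = () => new Date().toISOString()) {
    this.store = store;
    this.clock = clock;
    this.granted = new Set([EXEMPT]); // default: nothing optional is granted
    this.owner = new Map();           // cookie name -> category that set it
    this.log = [];                    // consent history for proof of compliance
  }

  // Call only from an explicit banner click, never from scroll or a timeout.
  // choices maps category -> boolean; anything other than true is a rejection.
  recordChoice(choices) {
    this.granted = new Set(CATEGORIES.filter((c) => c === EXEMPT || choices[c] === true));
    // Withdrawal: delete cookies whose category is no longer granted.
    for (const [name, category] of this.owner) {
      if (!this.granted.has(category)) {
        this.store.remove(name);
        this.owner.delete(name);
      }
    }
    this.log.push({ at: this.clock(), granted: [...this.granted] });
  }

  // Every cookie write goes through here; returns false when blocked.
  setCookie(category, name, value) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.granted.has(category)) return false;
    this.store.set(name, value);
    this.owner.set(name, category);
    return true;
  }
}

// Constructed walk-through with an in-memory jar standing in for the browser.
function demo() {
  const jar = new Map();
  const store = { set: (n, v) => jar.set(n, v), remove: (n) => jar.delete(n) };
  const gate = new ConsentGate(store, () => "2024-01-01T00:00:00Z");
  const before = gate.setCookie("analytics", "_stats", "1");  // no choice made yet
  const session = gate.setCookie(EXEMPT, "session", "abc");   // exempt category
  gate.recordChoice({ analytics: true });                     // explicit opt-in
  const after = gate.setCookie("analytics", "_stats", "1");
  const ads = gate.setCookie("marketing", "_ads", "1");       // never opted in
  gate.recordChoice({});                                      // consent withdrawn
  return { before, session, after, ads, jar: [...jar.keys()], log: gate.log };
}
```

In a real page the same gate also has to cover third-party scripts that set cookies themselves, which means not loading those scripts until their category is granted.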
Image: a CookieScript Cookie Banner that allows cookie control by providing different categories of cookies and the possibility to accept or reject each category.
Cookie Control in the US
In the US, cookie control and the processing of personal information are not regulated on a federal level as they are in the EU under the GDPR. Different states have their own privacy laws regarding personal information management, which are at various stages of the legislative process.
California was the first US state to enforce digital privacy protection. The California Consumer Privacy Act (CCPA) took effect in January 2020. Virginia (VCDPA), Colorado (CPA), and Utah also have privacy laws passed. The CCPA and the VCDPA are already in force, while Colorado and Utah privacy laws will enter into effect on 1 July 2023 and on 31 December 2023, respectively. Some other states have no real protection for website users at all.
The CCPA does not require websites to obtain user consent for using cookies. The law only requires websites to inform users of what cookies are used on a website, for what purposes, and what kind of personal information cookies collect on them. That is, under the CCPA, implied Cookie Consent mode is valid: the user is just informed about the use of cookies, which automatically grants permission to track their activity and collect personal information. Cookies are deleted only if the user declines cookies explicitly.
Under the CCPA, the users have the right to request disclosure of personal information that a business has collected on them, and the right to request deletion of the information.
In addition, under the CCPA, users have the right to opt out of cookies that sell their personal information to third parties.
Like the CCPA, other privacy laws of the US states have similar requirements regarding the use of cookies and personal information management.
To comply with the US privacy laws for cookies, users must have the following rights:
- Right to notice. Users have the right to be informed about what personal data is being collected about them and the purposes for which the information is being used.
- Right to know. Users have the right to know the third parties with whom the business shares the information and whether their personal data is sold or disclosed.
- Right to disclosure. Users have the right to access their personal data upon request.
- Right to opt-out. Users have the right to agree or disagree to the collection, management, or sale of their personal data.
- Right to deletion. Users have the right to ask for the deletion of their personal data.
- Right to equal services and prices. Users must not be discriminated against for exercising their privacy rights.
Like under the GDPR, the US privacy laws require websites to disclose the cookie information in the cookie notice with the possibility to opt-out of cookies.
Cookie Control in the UK after Brexit
After Brexit, the EU GDPR does not apply in the UK. Now the Data Protection Act 2018 (DPA 2018) and the UK GDPR regulate data protection in the UK with the Information Commissioner’s Office (ICO) as the leading data protection authority in the UK. Read the compliance requirements for the UK Data Protection Act 2018.
Like under the GDPR, the UK GDPR and the DPA 2018 require explicit, or opt-in, Cookie Consent to use cookies and collect the personal information of users. Users must take clear and positive action to consent to the use of cookies, except strictly necessary ones.
Under the UK GDPR and the DPA 2018, websites must inform users about the use of cookies. Users must have control of any non-essential cookies. Pre-ticked check boxes for the use of different types of cookies are not allowed.
Cookie Control in Web Browsers
Cookies can also be controlled from the user side by browsers or plugins. Some privacy-friendly browsers like Apple’s Safari, Brave, or Firefox automatically block Third-Party Cookies. Google initially announced in early 2020 that it would also automatically block Third-Party Cookies in Chrome by default. However, the decision was delayed several times. Most recently, blocking Third-Party Cookies in the Chrome browser was delayed until 2024. In August 2019 Google launched Privacy Sandbox to replace the use of Third-Party Cookies. The Privacy Sandbox initially proposed using an algorithm in the browser, called Federated Learning of Cohorts (FLoC). However, FLoC technology does not seem to be an alternative to Third-Party Cookies. The latest Google initiative to replace Third-Party Cookies in Chrome is the so-called trust token API, which is in a trial process now.
Alternatively, users can manually disable third-party or even first-party cookies. Read an article about the pros and cons of disabling cookies, and how to disable them.
Please bear in mind that disabling strictly necessary cookies could break websites since the most basic functions of a domain could stop working.
If you want to control cookies by yourself, read these step-by-step guides on how to control or disable cookies for different devices, operating systems, and browsers:
- The guide on how to disable cookies on Android.
- The guide on how to disable cookies on iPhone.
- The guide on how to disable cookies on iPad.
- The guide on how to disable cookies on MacBook.
- The guide on how to disable cookies in Chrome.
- The guide on how to disable cookies in Firefox.
- The guide on how to disable cookies in Safari.
- The guide on how to disable cookies in Edge.
You can also delete cookies that already exist on your device. Different browsers may require slightly different procedures, but as the basic way, go to Settings, then Privacy, and then Cookies, where you will find the Delete Cookies or Clear data tab. By clicking these tabs you can delete all cookies or just selected cookies.
Conclusion
In conclusion, cookie control is an important aspect of website management, which is required by privacy laws. The most popular way to implement cookie control is to set up a Cookie Banner on a website that informs users of the use of cookies and allows them to accept or reject them. Website owners must follow the privacy requirements to be compliant with privacy laws. By providing users with the ability to manage cookies and being transparent about their use, website owners can ensure that they are in compliance with privacy laws and regulations and that users have a positive experience on their website.
Automatic Cookie Control Solution by CookieScript
If cookie control seems complicated, there is another way to stay compliant with privacy laws. Cookie control could be easily achieved through a cookie manager like the CookieScript Consent Management Platform.
CookieScript CMP is the best cookie control solution for your business with the following functions:
- Displays a Cookie Consent banner using geo-targeting. Different cookie banners will be delivered to website users based on their geographic locations.
- Provides fully customizable and configurable Cookie Banner. You can personalize colors, fonts, text, and style, and adjust the banner to your website's design.
- Scans your website for cookies and auto-updates your cookie list and Cookie Policy.
- Categorizes cookies and provides a cookie declaration that includes a cookie provider and third-parties information.
- Maintains a full history of user consent for proof of compliance.
- Allows users to withdraw consent at any time.
- Blocks cookies until users agree to the Cookie Consent and the Privacy Policy.
- Creates a unique and professional Privacy Policy for your business or website.
All these features come with affordable pricing that is much cheaper than alternatives in the market! Pricing plans are adjusted per the number of domains, so you pay only for as much as you really use.
With the PLUS pricing plan, which is just €9 per month/domain, you can scan 3000 pages per domain and have all necessary features included. You could also have a free Cookie Banner for a staging website.
Frequently Asked Questions
What is cookie control?
Cookie control is the process of managing and controlling the use of cookies on a website. Cookie control also means obtaining and managing valid user consent to use cookies. Cookie control could be easily achieved through a cookie manager like the CookieScript Consent Management Platform.
What is cookie control in the EU?
The use of cookies on websites in the EU is regulated by the GDPR. Under the GDPR, explicit Cookie Consent mode is required, meaning that the user must take clear affirmative action to accept cookies. Websites must disclose the type of cookies used, for what purposes, and how to opt-in and opt-out of cookies. The GDPR also gives users the right to access, rectify, or delete collected data.
What is cookie control in the US?
In the US, cookie control and the processing of personal information are not regulated on a federal level. The CCPA, the first privacy law in the US, requires businesses to inform users about the use of cookies, for what purposes they are used, what personal information they collect, and who they share it with. Use CookieScript CMP to comply with the CCPA and other privacy laws.
Is cookie consent required in the US?
Cookie consent is not required in the US. However, the website must inform users about the use of cookies. Users have the right to opt out of cookies that sell or share their personal information with third parties. Use CookieScript CMP to be compliant with the CCPA.
Should I accept or decline cookies?
There are options regarding cookie control: accept all cookies, reject all cookies, or accept just first-party cookies and reject Third-Party Cookies. Enabling all cookies is recommended for users who want to get the best internet browsing experience and who do not mind sharing their data with third parties. Disabling cookies entirely is not recommended since many websites will not function normally. CookieScript recommends enabling just first-party cookies and disabling Third-Party Cookies. See the guides on how to enable or disable cookies for various browsers.
Does Google Analytics 4 use cookies?
GA4 uses first-party cookies to separate unique users and unique sessions from a single user. GA4 does not require you to set cookies on your website to receive data and transmit it to Google Analytics. However, it requires user consent.
Does Google Analytics 4 require cookie consent?
Since GA4 uses cookies that track users, it requires user consent. In the EU, you need to get explicit consent to use cookies on your website. If you use GA4 with IP anonymization and do not share users' data with other Google products, you do not need to receive Cookie Consent.