Everything you need to know about European data protection regulations and cookie management
The General Data Protection Regulation (GDPR - EU Regulation 2016/679) is the European regulation governing the processing of personal data. In effect since May 25, 2018, the GDPR has revolutionized the way companies must manage online user data.
Regarding cookies and tracking technologies, the GDPR establishes that user consent must be free, specific, informed, and unambiguous. This means that every website using non-essential cookies must obtain explicit consent before installing them.
Important: The GDPR applies to all websites that process data of users residing in the European Union, regardless of where the company is headquartered.
The cookie banner is the main tool through which a website informs users about cookie usage and collects their consent. Under current regulations, the banner must appear on the user's first visit and must meet specific technical and legal requirements.
Warning: Continuing browsing or scrolling the page CANNOT be considered valid consent. The Data Protection Authority has clarified that consent must be an explicit and positive action.
With the provision of June 10, 2021 (effective January 9, 2022), the Data Protection Authority issued the new "Guidelines on cookies and other tracking tools." These guidelines introduced important changes that every website must comply with.
Non-essential cookies must be blocked until the user provides explicit consent.
The banner must have a reject button with the same visibility as the accept button.
The user must be able to individually choose which cookie categories to accept.
It is not allowed to condition website access on cookie acceptance (with some exceptions).
Page scrolling can no longer be considered a valid form of consent.
The user must be able to withdraw consent at any time in a simple and quick way.
Cookie consent has a maximum validity of 6 months, after which the banner must be presented to the user again. Furthermore, consent must be documented and stored to demonstrate compliance in case of audits.
To be compliant with regulations, your website must meet a series of specific technical requirements. Here is a complete list of what needs to be implemented:
The consent archive (or consent registry) is an obligation introduced by the GDPR that requires data controllers to be able to demonstrate that consent was actually obtained. This applies not only to cookies but to any form of consent collected online.
Art. 7 GDPR: "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."
Every time a user interacts with a consent mechanism on your site (cookie banner, contact form, newsletter subscription, etc.), you must keep proof of that consent. This proof must include who gave consent, when, to what, and how.
All consents collected through your website must be archived and stored. Here are the main ones:
Every interaction with the cookie banner must be recorded with the expressed preferences.
The data processing consent expressed through contact forms.
Newsletter subscription with proof of consent (double opt-in).
Consents related to terms of service, marketing, and profiling.
Consent expressed during account creation.
Specific consents for direct marketing and profiling activities.
Each consent registry record must contain the following information:
Warning: Failure to store consents can result in significant penalties. In case of inspection, you must be able to demonstrate that each consent was legitimately obtained.
Consentio automates the collection and archiving of all consents, generating a complete audit-proof registry, always available for inspections.
Failure to comply with GDPR regulations and Data Protection Authority guidelines can result in very severe administrative penalties. Fines can reach up to 4% of the company's annual global turnover or up to 20 million euros, whichever is greater.
Maximum penalty: Up to 20 million euros or 4% of annual worldwide turnover, whichever is higher.
Don't risk penalties that could cripple your business. GDPR compliance is not optional; it is a legal obligation. Consentio helps you become compliant in minutes.
Starting from March 2024, Google requires all websites using Google services (Analytics, Ads, Tag Manager) to implement Consent Mode v2. Without this implementation, conversion and analytics data may be lost.
Google Consent Mode is an API that allows you to communicate the consent status of users to Google. Based on the consent obtained, Google adapts the behavior of its tags and services, ensuring user privacy is respected.
From March 2024: Google requires the implementation of Consent Mode v2 to continue collecting conversion and remarketing data in the European Economic Area (EEA) and the United Kingdom.
Consentio is certified as a CMP (Consent Management Platform) compatible with Google Consent Mode v2. Integration is automatic and requires no additional configuration.
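The pieces described above (blocking Google tags until a choice is made, keeping proof of who consented to what, when and how, and re-asking after six months) wired together as one added example; this is not Consentio's or Google's code. The Consent Mode signal names are Google's documented parameters; the banner category names, the visitor id and the shape of the stored record are assumptions.

```javascript
// Added example (not Consentio's or Google's code). Assumes gtag.js is
// loaded on the page and that the banner reports choices as a plain object
// such as { functional: true, analytics: true, marketing: false }; the
// category names, visitorId and the record shape are assumptions.

const g = (ok) => (ok ? 'granted' : 'denied');

// Consent Mode v2 signals. ad_user_data and ad_personalization are the two
// signals v2 added; everything except security_storage starts out denied.
function defaultSignals() {
  return {
    ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied',
    analytics_storage: 'denied', functionality_storage: 'denied',
    personalization_storage: 'denied', security_storage: 'granted',
    wait_for_update: 500, // ms to hold tags while the stored choice is read
  };
}

// Map the banner's categories onto the Google signals.
function consentSignals(prefs) {
  return {
    security_storage: 'granted',
    functionality_storage: g(prefs.functional),
    personalization_storage: g(prefs.functional),
    analytics_storage: g(prefs.analytics),
    ad_storage: g(prefs.marketing),
    ad_user_data: g(prefs.marketing),
    ad_personalization: g(prefs.marketing),
  };
}

// Proof of consent: who, when, to what, and how (Art. 7 GDPR).
function buildConsentRecord(visitorId, prefs, how, when = new Date()) {
  return { who: visitorId, when: when.toISOString(), what: { ...prefs }, how };
}

// Consent lasts at most six months; after that the banner is shown again.
function consentStillValid(record, now = new Date()) {
  const expiry = new Date(record.when);
  expiry.setUTCMonth(expiry.getUTCMonth() + 6);
  return now < expiry;
}

// Wiring: the default must be sent before gtag.js loads; the update is sent
// whenever a stored or freshly made choice applies. Returns true when the
// banner can stay hidden, false when it must be shown.
function installConsentMode(gtag, storedRecord) {
  gtag('consent', 'default', defaultSignals());
  if (storedRecord && consentStillValid(storedRecord)) {
    gtag('consent', 'update', consentSignals(storedRecord.what));
    return true;
  }
  return false;
}
```

When the user clicks a banner button, the site builds a record with buildConsentRecord, stores it, and calls gtag('consent', 'update', consentSignals(record.what)); withdrawing consent is the same call with the categories set to false.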
Use our free verification tool to discover your website's compliance status.