How to achieve GDPR compliance for your cookie policy and cookie permissions?

Many companies are still incorrectly asking their website visitors for permission to place tracking cookies. Less than twelve percent of websites properly apply the GDPR Privacy Policy regarding cookies. Almost ninety percent of the surveyed sites are in violation and do not meet the minimum requirements set by law.

Until now, there were very few consequences when violating those guidelines. Watch out, that's changing!

Cookie disclaimers: a thing of the past

Previously, it sufficed to inform your website visitors of cookies and data recording if they used your website. A simple cookie disclaimer would be enough for this purpose. It was up to your visitors to decide whether or not to continue browsing your website - the so-called principle of implied consent.

Today, this approach is no longer sufficient to be GDPR-compliant. Regulations require you to present your visitors with an overview of all the different kinds of cookies that your website tracks. In addition, users should be presented with the option to indicate the types of cookies they consent to.

Cookie (Consent) Banners are the way forward to ensure privacy for your website visitors. This technology allows your visitors to specify what types of cookies and tracking they consent to when visiting your website. This way, you can rest assured that your website is in full compliance with GDPR regulations - as long as your cookie banner is set up correctly. However, this does not always turn out to be an easy task! In this blog post, we’ll help you to get started.

One of the key elements of cookie consent is a visitor’s control of the types of cookies that websites are allowed to use. We can distinguish the following types of cookies:

  • Essential cookies are strictly necessary to ensure a website’s functionality.
  • Functional cookies store information on a user’s device to directly improve their user experience. For example, a functional cookie may be used to store a visitor’s language preference or login details, which helps to sign them in automatically.
    You are not required to obtain consent from your website visitors for the use of essential and functional cookies.
  • Analytical cookies provide additional insight into the way your website is used. Which pages are being visited? When do visitors leave your website? What are the most effective buttons? Google Analytics is one of the main tools that relies on analytical cookies. You can use the data they collect to improve your website and its overall user experience.
  • Marketing or tracking cookies capture the browsing behaviour of your website visitors and use it to create a visitor profile. This profile can be used to personalize the browsing experience. In addition, they allow personalized advertisements.
  • Social sharing cookies ensure the best possible interaction between your website and related social media plug-ins.
    For these kinds of cookies, as well as for the related data collection, you are required to obtain consent from your website visitors.

The categorization of your cookies should be assessed on a case-by-case basis. The first step consists of mapping the types of cookies that your website uses. Next, you can set a specific category for every type of cookie.


How to make your Drupal site GDPR-compliant?

One thing is for sure: your website visitors have to provide their consent for lawful collection of personal data. This consent should be "freely given, specific and informed". The same principle applies to cookies.

To make your website compliant with GDPR regulations, you should start as follows:

Cookie policy

As we’ve mentioned before, the first step consists of mapping the types of cookies that your website uses. Next, you can set a specific category for every type of cookie, assessed on a case-by-case basis. This forms the basis of your cookie policy.

In addition, your cookie policy should clearly indicate the reason why you use certain types of cookies, how long they will be stored for, and how visitors can erase or disable them. You should also clearly mention how you process your visitors’ data, whether this processing takes place within your own organization, if this happens anonymously, as well as the measures you have put in place to ensure confidentiality. You should also make sure that visitors can easily get in touch with you for extra information - therefore, always provide the details and contact information of your organization.

We recommend that you dedicate a separate page to your cookie policy, which you can refer to through your cookie banners.

Cookie banner implementation

Next up is the implementation of cookie banners on your website. You can use an existing Drupal module or a third-party solution. The implementation involves displaying the cookie banner immediately upon a user’s first visit to your website. You are required to respect your visitors’ cookie preferences and remember them for future visits.

An alternative to the embedded Drupal module is the use of a third-party solution in the form of an external tool that generates a cookie consent pop-up for your website. This solution has some drawbacks, however. Most third-party tools of this nature require you to sign up for a subscription service, based on your website’s page view numbers. On top of this, external tools often lack the personalization capabilities that you need to adjust the pop-up to your branding.

Support for multiple languages often proves to be yet another hurdle. External pop-ups typically adjust to the browser language, instead of the website language. A final issue is compatibility with other website scripts, such as YouTube or social media widgets. These scripts often start using cookies before the cookie banner is displayed.

Dropsolid puts its weight behind Drupal’s Cookie Compliance Module

The Drupal community had previously designed a number of cookie notification solutions, next to a separate CookieConsent initiative. Rather than developing an entirely new tool, Dropsolid decided to go all in on CookieConsent and help towards building a future-proof cookie solution for Drupal 7, 8 and 9.

The Dropsolid team improved the existing module, adding support for additional languages, a free choice of categories, and allowing for Google Tag Manager integration. In addition, the team added a range of minor improvements - something which we are committed to keeping up.

Cookie banner flow

The Drupal Cookie Compliance Module provides the following features:

  • Multilingual support for the cookie consent interface and its descriptions, using a language switch on the website.
  • No cookies will be loaded during a first-time visit until a website visitor provides their explicit consent.
  • The option for visitors to change their cookie preferences.
  • Configuration options to set the storage time for users’ cookie preference choices.
  • Design that can be adjusted to your branding.
  • A building block that allows the video paragraph to be made GDPR-proof.
  • A WYSIWYG editor filter for Drupal 8 websites, enabling automatic GDPR compliance for iframes.
  • Google Tag Manager (GTM) integration. GTM is a leading service designed by Google that offers an interface for the management of external scripts. GTM can be used to categorize cookies and pass on the relevant information to Drupal, so the correct cookies can be matched with visitors’ preferences.
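
The consent gating described in the feature list above (nothing consent-bound loads on a first visit, stored preferences expire after a configurable storage time), shown as an added JavaScript example. This is not code from the Drupal module or from Dropsolid; the function names, the stored record format and the script inventory are assumptions constructed for illustration.

```javascript
// Added example with hypothetical names; not the Drupal module's API.
// Categories follow the post: essential/functional need no consent,
// analytical/marketing/social do.
const NO_CONSENT_NEEDED = new Set(["essential", "functional"]);
const CONSENT_NEEDED = new Set(["analytical", "marketing", "social"]);

// Constructed inventory: the result of the "map your cookies" step.
const SCRIPTS = [
  { name: "session", category: "essential" },
  { name: "language-pref", category: "functional" },
  { name: "analytics", category: "analytical" },
  { name: "ad-pixel", category: "marketing" },
  { name: "share-widget", category: "social" },
  { name: "unmapped-embed", category: undefined }, // never categorized
];

// Serialize the visitor's choice together with the time it was saved.
function serializeConsent(categories, nowMs) {
  return encodeURIComponent(JSON.stringify({ categories, savedAt: nowMs }));
}

// Parse the stored preference. Missing, malformed, future-dated or expired
// records all count as "no consent given", which is the safe default.
function parseConsent(raw, nowMs, maxAgeMs) {
  let rec;
  try {
    rec = JSON.parse(decodeURIComponent(raw || ""));
  } catch {
    return new Set();
  }
  if (!rec || !Array.isArray(rec.categories) || typeof rec.savedAt !== "number") {
    return new Set();
  }
  if (rec.savedAt > nowMs || nowMs - rec.savedAt > maxAgeMs) return new Set();
  // Drop category names the site does not define.
  return new Set(rec.categories.filter((c) => CONSENT_NEEDED.has(c)));
}

// Names of the scripts that may load for this visitor right now.
// Uncategorized scripts are blocked until someone maps them.
function allowedScripts(raw, nowMs, maxAgeMs) {
  const granted = parseConsent(raw, nowMs, maxAgeMs);
  return SCRIPTS
    .filter((s) => NO_CONSENT_NEEDED.has(s.category) || granted.has(s.category))
    .map((s) => s.name);
}
```

Running the gate before any third-party tag is injected is what prevents embedded widgets from setting cookies ahead of the banner.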

Looking for help with your cookie policy?

Or with the implementation of your cookie banners? Get in touch with our digital experts.