By now, everyone has experienced some version of this situation: you’re on your phone or computer trying to read an article, buy a product, or learn more about an upcoming event. The website you’re using displays a massive cookie banner demanding that you hit the (often all-caps) “ACCEPT” button, or that by visiting the site you’re consenting to infinite collection of your data. With no other choice, you click the button or scroll through the site, and the data collection spigot remains permanently turned on. If you’re a consumer, you may think you’re powerless, and you’d be wrong. If you’re a business thinking that this approach is compliant with data privacy laws in the US (like California’s CCPA) or Europe (like GDPR), you’d be wrong too. The difference is that in the case of the business, being wrong could cost you thousands of dollars in penalties for noncompliance.
Cookie banners have proliferated on websites since GDPR began requiring them in 2018. In the EU, websites and apps are required to ask users to “opt-in” or provide “explicit consent” for cookies and similar technologies (e.g. web beacons, scripts, etc.) before the site starts to use them. For consent to be valid under GDPR it must constitute a real, meaningful indication of the individual’s wishes and meet conditions such as being informed and specific.
The cookie banner in the example above is what’s known as a “cookie wall”. The European Data Privacy Board, which is the regulatory body enforcing GDPR, has explicitly stated that cookie walls are a violation of GDPR, which can subject companies utilizing these cookie walls to lawsuits, investigations and enormous penalties. It’s pretty clear that if you’re subject to GDPR, you’d better not be using a cookie wall to manage consent. If you are already using a cookie wall, you should find another solution immediately.
But what about US laws like CCPA? You may have heard that CCPA is an “opt-out” or “implied consent” jurisdiction, so you can use a cookie wall, right? Nope. While it is true that in California you don’t need to obtain consent before utilizing cookies, you do need to provide a way for your website visitors to withdraw their consent and also empower them to restrict your ability to sell their personal information (which you may be doing under CCPA even if you’re not a tech company). Forcing visitors to accept all data collection can result in penalties enforced by the California Attorney General of up to $7,500 per incident, and individual consumers can sue you for $750 per incident. Violating a data privacy regulation like CCPA results in massive legal and financial headaches.
The first issue is that your free cookie banner is likely to be considered a cookie wall, which neither CCPA nor GDPR allows; if you’re using one then you’re at risk of paying huge penalty amounts to data privacy regulatory bodies. Additionally, you should consider that:
I’m glad you asked. The cookie consent management platform that you use needs to:
If your cookie consent management tool does not have these functionalities (and I can guarantee that cookie walls do not) then you’re using the wrong solution. Clym can help. Our cost-effective, scalable, audit-ready platform can accommodate websites of any size built on any platform (Shopify, Magento, Wix, WordPress, etc.), and our team is ready to help when you’re ready. Please feel free to contact us today or book a demo to see how we can assist.