Cookie Consent Records

Cookie Consent is a term used for the users’ consent received for letting a website activate its cookies.

Consent is a required legal basis under Article 6 of EU GDPR for websites, in order to be able to collect, process or share the personal data of individuals inside the EU. This requirement is fulfilled through the cookie consent banner. A Cookie consent banner basically is a cookie warning that pops up on websites when a user first visits the site. This website banner is a declaration about the cookies present on a website and gives the users a choice of prior consent before their data is handled.

CCPA requires you to disclose details on how you use cookies and why. Most importantly, you must give visitors the opportunity to withdraw or refuse consent.

Cookie consent is obtained when the user visits your site for the first time. You don’t need to obtain it upon return visits as once consent is obtained, it is to be assumed that the user consents to those same cookies each time they return.

You don’t even require consent if you change any cookies provided you have already explained the cookies collection purpose on your website unless any significant change has been made to the way cookie information is being used. In that case, you will need to prompt users for consent once again.

Opt-in Consent

According to the UK’s independent data protection authority, Information Commissioner’s Officer (ICO), Whatever method you use must meet the standard of an unambiguous indication by clear affirmative action. This means you must ask people to actively opt in.

Opt-out Consent

As per CCPA rules, you do not need consent to store cookies on a user’s device, unless your visitor is a minor (< 16 years of age). CCPA follows an opt-out approach. It requires you to give the users a choice to opt out of cookies along with disclosing the details about cookies and their purposes.

Requirement under GDPR

As per Article 7 – ‘Conditions for consent’ of EU GDPR:

“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”

This means you must have an effective audit trail of how and when consent was given, so you can provide evidence if challenged.

The website owner must be able to demonstrate that the users coming from the European Union have given their consent before processing their personal data. In the case of cookies, the website will have to keep records in order to prove that its users have given their consent to store the cookies on their devices. It is not proposing a standard mechanism to demonstrate consent.

Requirement under US Privacy Laws

US Privacy Laws allows businesses to follow an opt-out approach rather than an ot-in approach for processing personal information. Business needs to ensure that users have a choice to opt-out of the collection of personal information.

The opt-out is usually implemented via a “Do Not Sell My Personal Information” link on the website and also on the cookie banner.

It also requires websites to notify users, before using cookies by providing details about the type of cookies and their purposes in the privacy notice.

Thus, it is clear that website owner must be able to demonstrate that the users coming from the European Union have given their consent before processing their personal data. In the case of users from US, consent log is required to show the opt-out of the users from processing their personal data.

Mandatly stores cookie consent records in an easy to download excel format which can be used to demonstrate compliance in front of authorities as and when required. This complies the conditions of informed, freely given and explicit consent as required under ePrivacy Directive (EPD).

The consent log records the consent and other details of all the users interacting with the banner on your website.

Mandatly stores the following information in its consent log:

Interaction ID

A unique identification number is allotted to each interaction with the banner. This interaction ID is saved in the visitor’s browser as well as in the application for demonstrating the compliance.

This interaction ID is changed when visitors change their consent.

Domain from which consent was submitted

It records the domain URL on which the visitor has provided their consent.

Anonymized IP Address

It records the anonymized IP address of the user providing their consent. Their IP address is made anonymous by setting the last digits of their IP address to zero.

User Location

It records the name of the country from which the visitor is accessing the website.

Consent date and time

It records the exact date and time of providing consent by the visitors.

Thus, Mandatly provides an audit trail of detailed consent records, easily downloadable to demonstrate compliance.