CookieHub helps you make your web site GDPR compliant using various methods designed to comply with the requirements related to storage and processing of personal information.

Ultimately, CookieHub makes getting into compliance easy, but if you want to learn about the specific GDPR requirements and what this plugin does, this handy guide will break it down quickly.

What Is GDPR and Why Should I Care?

If you've yet to find a concise definition of GDPR, the concept is quite simple on paper. GDPR stands for the General Data Protection Regulation. It's a European law that impacts website owners on a global scale because it governs how anyone (from anywhere) collects and processes the personal data of individuals who reside in the European Union.

So, even if you operate your website out of the USA or anywhere else in the world, you need to make sure you're GDPR compliant if you get visitors from the EU.

Why Are Cookies Important to Compliance?

Cookies are actually only mentioned once in the GDPR, so you may be wondering: Why is it such a big deal? The fact is, cookies are a cornerstone when it comes to GDPR compliance.

After all, cookies are one of the most common techniques used for collecting and tracking a user's personal data, and that's why the GDPR has set out specific rules regarding how your site can use cookies.

What Are The GDPR Requirements?

At the most basic level, your website must do all of the following in order to be in compliance with GDPR.

  1. Consent before cookies: You must obtain prior and explicit consent before you begin activating any cookies (aside from necessary, whitelisted cookies).
  2. Don’t make it all or nothing: The consent has to be granular, meaning that a user should be able to activate some cookies without being forced to consent to all or none.
  3. Give freedom of choice: The consent has to be given freely, meaning you do not force it upon them for accessing or using your website.
  4. Provide easy withdrawal: The user should be able to withdraw consent just as easily as they are able to give consent.
  5. Keep proof of consent: The consent has to be stored securely in the form of legal documentation.
  6. Renew consent yearly: The consent has to be renewed by the user at least once yearly.

Cookie banners are the most common way that website owners can obtain cookie consent, and that's why CookieHub exists! We help make collecting GDPR-compliant cookie consent easy. So, let's break down each of these requirements further to show you what CookieHub does to simplify your efforts.

Understanding How GDPR Defines Things

The EU General Data Protection Regulation (GDPR) states in Recital 30 that when cookies can be used to identify a person or person's device, it's considered personal data:

Natural persons may be associated with online identifiers [...] such as internet protocol addresses, cookie identifiers or other identifiers [...] This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

This applies to many web services which are used to collect data and analyze user behavior and display targeted ads.

You Need to Seek Specific Consent

As stated in Recital 32, consent should be given to process any personal data:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her [...] This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. [...]

How CookieHub Helps You Meet This Requirement:
When the CookieHub cookie consent solution is implemented on your web site, it will seek the user's consent to specified cookie categories.

You Need to Seek Active Consent

The consent should be clear, and inactivity is not considered consent, meaning that you cannot assume the user agrees to be tracked just because they use the web site, as explained in Recital 32:

[...] Silence, pre-ticked boxes or inactivity should not therefore constitute consent. [...]

Recital 42 also supports Recital 32 in that inactivity is not considered consent:

Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

How CookieHub Helps You Meet This Requirement:
CookieHub is configured by default to allow the user to opt in and won't load any third-party tracking services until the user has allowed certain categories (when implemented correctly).

You Need to Give Users Options

In Recital 32, it's also stated that the user must be able to consent only to certain activities if cookies are used for multiple purposes:

Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

How CookieHub Helps You Meet This Requirement:
CookieHub allows you to customize cookie categories that can be allowed or disallowed on your web site. You can configure which category each third-party tracking service falls into and allow your users to make informed decisions.

You Need to Demonstrate Consent

Recital 42 states that you must be able to demonstrate the user's consent:

Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation[...]

How CookieHub Helps You Meet This Requirement:
When the Consent Log feature is enabled, user consents are tracked. You can download the consent log, which contains a unique token that can be matched to the token stored in the user's browser to see which cookie categories were allowed.

You Need a Clear Cookie Declaration

Recital 42 also states that a cookie declaration in clear and plain language should be present:

In accordance with Council Directive 93/13/EEC a declaration of consent preformulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.

How CookieHub Helps You Meet This Requirement:
CookieHub scans your web site for cookies and automatically categorizes each cookie. Users will be able to see a list of cookies in use along with the purpose of each cookie before consenting. Additionally, you can provide a link to your cookie policy page where you can provide detailed information about how personal data is handled.

You Need to Give Withdrawal Options

In Article 7, section 3, it's stated that the user must be able to easily withdraw consent at any time:

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

How CookieHub Helps You Meet This Requirement:
When CookieHub is implemented on your website, users can always click the settings icon in the lower left or right-hand side of their browser to change cookie settings and withdraw consent.