Are your website cookies compliant with GDPR?

Some of my clients' websites have banners to get cookie consent.
But these banners don't work properly and don't block cookies during the first visit.
I used a GDPR cookie compliance tool to check many other sites for violations and I found that some of them have similar problems.

Do you comply with these GDPR requirements? If not, why?
As far as I know, cookies can only be set after prior consent.
 

fisicx

Moderator
Sep 12, 2006
46,664
8
15,360
Aldershot
www.aerin.co.uk
I don't think that's the right decision
The ICO isn't ever going to do anything about the millions of small sites that aren't compliant. If they do ever catch up with you it will just be a warning.

But they won't so I'm not going to bother.
 
The ICO isn't ever going to do anything about the millions of small sites that aren't compliant. If they do ever catch up with you it will just be a warning.
But they won't so I'm not going to bother.

But anyone can just file a complaint with the ICO regarding my small site.
In this case, it doesn't matter that thousands of other small sites aren't compliant.
Isn't it?
 
Nice to see the usual "nobody ever does anything" or "they won't come after the small business" type responses. They have and they will prosecute small businesses.

There are tools on the net to check cookie compliance. The ICO only need engage a company to automate the process of checking every UK registered or hosted domain name for compliance.

As ever, my advice is don't listen to what anyone else says they do. If they want to risk their reputation let them get on with it.

Functional Cookies are allowed and don't need consent, we just need to tell people about them.
Non-Functional "unnecessary" cookies like advertising, need consent and it must be a click or a tick, not a "keep using the site to agree".
Tracking cookies are a grey area, we use them but cannot identify the individual, just the user browsing the site, so we never know who they are, they're anonymous in that respect. On that basis we don't ask for consent.

The issue seems to be some Cookie Banners are Scripts inserted and run from external sites. These don't appear to control the delivery of cookies, whereas some CMS platforms have cookie modules that will.

If it's there and asking consent, it needs to exercise that choice. If it doesn't it will be considered unlawful.
 

fisicx

Nice to see the usual "nobody ever does anything" or "they won't come after the small business" type responses. They have and they will prosecute small businesses.
I've looked at the ICO prosecutions and can't see any for cookies. They may have provided notice to small businesses and they are now compliant but that's not a prosecution. Have you got some examples of small businesses that have been prosecuted for cookies that don't comply with GDPR regulations?
 

fisicx

I never said they have prosecuted for non-compliance on cookies, I said the ICO have prosecuted small businesses. Just because you're small, doesn't mean they won't do anything, which was what was implied by your comment.
Nope it didn't imply that at all. I just said they are unlikely to go after a small business because a cookie is non-compliant - the subject of this thread.
 

fisicx

It's also worth noting that browsers are moving towards blocking third party and tracking cookies by default making the whole cookie compliance thing redundant.

In any case, I use Ghostery which even if I agree to cookies they still get blocked.
 

gpietersz

Free Member
  • Business Listing
    Sep 10, 2019
    2,712
    2
    705
    Northwhich, Cheshire
    pietersz.net
Now there is this:

https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-10/cp190125en.pdf

No pre-ticked boxes, and even cookies that are not linked to personal data need consent. From the reasoning I assume simple cookies (like those storing cookie consent/refusal) are exempt.

People also forget that server logs store IP addresses which are considered personal information for GDPR so they need to be purged regularly as well.
     
