Consent must be provable under the GDPR
When a website sets necessary cookies, the visitor needs to be informed about it. For functional cookies, statistics and marketing, the website should wait for the visitor’s consent before cookies are set or scripts that belong to the category are loaded.
When consent is used as the basis for processing personal data, the GDPR’s requirements for consent also apply. This means, among other things, that the website owner needs to be able to show that consent has been given.
That is why it is important to distinguish between two things:
- the website remembering the visitor’s choice
- the website owner being able to show the consent later
A cookie banner can store the visitor’s choice in the browser. This is useful so that the website knows which scripts may be loaded on the next visit. But a locally stored choice is not the same thing as documentation of consent.
What does the GDPR say?
According to GDPR Article 7(1), where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing. This is often described as the burden of proof for consent.
In practice, this means that the website owner needs to have control over how consent is collected, documented and followed up.
It is therefore not always enough that the visitor has clicked a button in a cookie banner. The website owner also needs to be able to show what the choice applied to.
What needs to be shown?
There is no requirement that all consent solutions must document information in exactly the same way. But if consent needs to be followed up, it should normally be possible to understand:
- when the consent was given
- which categories the consent covered
- which website or domain the consent applied to
- which information the visitor received at the time
- whether the consent was later changed or withdrawn
The purpose is not to collect more information than necessary. The purpose is to be able to show that consent was actually given and what it covered.
A locally stored choice is not provable consent
Many cookie banners store the visitor’s choice locally in the browser, for example in a cookie or another form of browser storage.
This can be necessary for the website to work correctly. The website needs to know whether the visitor has given consent to functional cookies, statistics or marketing.
But if the choice is only stored locally in the visitor’s browser, the website owner cannot retrieve the consent afterwards. The local choice can control the website’s behavior, but it does not give the website owner their own documentation of which consent was given, when it was given and which information applied at the time.
Consent needs to be connected to the right information
When the visitor gives consent, it needs to be clear what the consent covers. The information should be understandable enough for the visitor to make a conscious choice.
If the information in the cookie dialog, the categories or the cookie list changes, it can affect what the visitor previously took a position on. That is why the website owner needs to be able to see which information applied when the consent was given.
This may include which categories existed, which purposes were described and which cookie information was shown at the time.
Changes and withdrawal also need to be handled
The visitor must be able to change or withdraw consent.
When that happens, the website needs to respect the new choice. Scripts that require consent should not continue to be loaded if consent has been withdrawn.
It also needs to be possible to understand that the consent has changed. Otherwise, it may be difficult to show which status applied at a certain point in time.
Provability affects the whole implementation
Provable consent is not only a legal question. It affects how the cookie banner and the cookie solution should be built.
If consent needs to be shown afterwards, the solution needs to work together with:
- the categories in the cookie dialog
- the information in the cookie list
- the scripts that are conditional on consent
- the ability to change or withdraw consent
- the documentation of the visitor’s choice
A cookie banner that only shows a box and stores a choice locally therefore does not solve the full need.
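The following sketch shows a consent record kept by the website owner that ties each choice to a time, a domain, the categories and the version of the information shown, with withdrawal stored as a new entry. It is an added example, not CookieTractor's code; the class, field names and sample values are assumptions made for illustration.

```javascript
// Added example: append-only consent log kept by the website owner.
// All names (ConsentLog, consentId, notice) are hypothetical.
class ConsentLog {
  constructor() {
    this.events = [];   // only appended to, never edited in place
    this.notices = [];  // each distinct version of the information shown
  }
  // Store the exact categories/purposes/cookie list once; return its version.
  noticeVersion(notice) {
    const text = JSON.stringify(notice);
    let i = this.notices.indexOf(text);
    if (i === -1) i = this.notices.push(text) - 1;
    return i + 1;
  }
  // A change or withdrawal is a new event (withdrawal = empty category list).
  record({ consentId, domain, categories, notice, at }) {
    const event = Object.freeze({
      consentId, // random identifier, not a name or e-mail address
      domain,
      categories: Object.freeze([...categories].sort()),
      noticeVersion: this.noticeVersion(notice),
      at: new Date(at).toISOString(),
    });
    this.events.push(event);
    return event;
  }
  // The consent status that applied at a given point in time, or null.
  statusAt(consentId, domain, when) {
    const t = new Date(when).getTime();
    return this.events
      .filter(e => e.consentId === consentId && e.domain === domain && Date.parse(e.at) <= t)
      .reduce((last, e) => (!last || Date.parse(e.at) >= Date.parse(last.at) ? e : last), null);
  }
  // Gate for consent-dependent scripts; necessary cookies need no consent.
  mayLoad(consentId, domain, category, when) {
    if (category === "necessary") return true;
    const s = this.statusAt(consentId, domain, when);
    return s !== null && s.categories.includes(category);
  }
}

// Constructed sample data: consent, a narrowed choice after the cookie list changed, withdrawal.
const noticeV1 = { categories: ["necessary", "statistics", "marketing"], cookies: ["_stats_id"] };
const noticeV2 = { ...noticeV1, cookies: ["_stats_id", "_ads_id"] };
const log = new ConsentLog();
const visit = { consentId: "c-7f3a", domain: "example.com" };
log.record({ ...visit, categories: ["statistics", "marketing"], notice: noticeV1, at: "2024-03-01T10:00:00Z" });
log.record({ ...visit, categories: ["statistics"], notice: noticeV2, at: "2024-06-01T09:00:00Z" });
log.record({ ...visit, categories: [], notice: noticeV2, at: "2024-09-01T08:00:00Z" });
```

Because earlier entries are never overwritten, `statusAt` can answer which consent and which notice version applied on any past date, which a value stored only in the browser cannot do.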
Summary
When consent is used, the website owner needs to be able to show that consent has been given.
This means that a consent solution should help you:
- document which consent was given
- show when the consent was given
- understand which categories the consent covered
- connect the consent to the information that applied at the time
- handle changed or withdrawn consent
Remembering the visitor’s choice in the browser is important. But it is not the same thing as being able to show the consent later.
Do you need help reviewing your cookie banner?
CookieTractor helps you handle the cookie dialog, consent, cookie list, documentation and follow-up.
If you are unsure whether your current solution is enough for the requirements you need to consider in the EU or EEA, we can help you review how cookies, consent and scripts work on your website.
Feel free to contact us at info@cookietractor.com.