August 2020
DISCLAIMER
These statements do not constitute legal advice. They merely serve to support and inform you about the current legal
situation. Please consult a qualified lawyer should you have any legal questions.
Cookie Compliance Checklist
Make sure you comply with the GDPR and the ePrivacy Directive (‘cookie law’) by
following these simple steps:
1. Create a comprehensive Privacy Policy
   ● Ensure it is easy to read, find and understand for the average user.
   ● Inform about e.g. the lifespan of each cookie and whether third parties may have access to those cookies.
   ● Implementation: Make the information available in a Privacy Banner when the user visits your site (a CMP ensures you have all necessary information included).
2. Let users know you are using cookies or other tracking technologies
   ● Ensure you inform users of your intentions at or before the point you start collecting data.
   ● Include this information in your Privacy Policy.
3. Explain what your cookies are doing and why
   ● Inform the users about the purpose of each cookie separately to ensure you obtain specific consent for each cookie objective (= granularity).
   ● It should be stated in the Privacy Policy. Check national data protection rules for further details, e.g. Denmark requires a granular selection to be included in the first layer of the Privacy Banner.
© Copyright 2020 Usercentrics
4. Obtain your users' valid consent to store a cookie on their device
   ● Explicit: Active acceptance, e.g. ticking a box or clicking a link.
   ● Informed: Who, what, why, how long?
   ● Documented: You have the burden of proof in the case of an audit.
   ● In advance: No data is to be collected before opt-in, i.e. cookies cannot be set on your website before the user has consented to them.
   ● Granular: Individual consent for each individual purpose, i.e. consent cannot be bundled with other purposes or activities.
   ● Freely given: "Accept" and "Reject" buttons.
   ● Easy to withdraw: opt-out on the same layer as opt-in.
5. Give users access to your service even if they do not consent to cookies
   ● If a user refuses data processing, no non-essential cookies may be set. Essential cookies will be set regardless of whether the user accepts or refuses.
   ● Nevertheless, ensure users are still allowed to access your service even if they refuse to allow the use of certain cookies/technologies.
6. Collect and process data only after obtaining valid consent
   ● Ensure that cookies are not loaded until the user has given consent.
   ● Once you have obtained valid consent, you are free to collect and process personal data for the purposes you informed your user about beforehand.
7. Document and store consent received from users
   ● Comply with your documentation obligation to ensure you are able to verify the users' consent in case of an audit by data protection authorities (DPA).
8. Offer a simple opt-out, as simple as the opt-in
   ● Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place. Easy in, easy out.
   ● External links to a third-party page for opt-out are not sufficient.
9. After opt-out, ensure that no further data is collected or forwarded
   ● Ensure that from the moment of the objection on, no further data is collected or forwarded.
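Steps 4 to 9 describe one mechanism in application terms: consent is collected per purpose, nothing non-essential runs before it, every decision is recorded for a later audit, and withdrawal takes effect immediately for both loading and data forwarding. The following consent gate is an added example written for this checklist; it is not Usercentrics code and does not model the CMP's own API. The purpose names, the record layout, the simulated "loader" and "sender" callbacks and the constructed clock are assumptions chosen for illustration, and the example runs without a browser.

```javascript
// Added example (not Usercentrics code): a minimal consent gate that enforces
// checklist items 4-9 in application code. Purpose names, the record shape and
// the loader/sender callbacks are assumptions for illustration.
const PURPOSES = {
  essential: { essential: true,  description: "Session and security cookies" },
  analytics: { essential: false, description: "Usage statistics" },
  marketing: { essential: false, description: "Ad personalisation" },
};

class ConsentManager {
  constructor(policyVersion, now = () => new Date().toISOString()) {
    this.policyVersion = policyVersion;
    this.now = now;
    // Essential purposes are allowed from the start and never part of the choice.
    this.granted = new Set(Object.keys(PURPOSES).filter((p) => PURPOSES[p].essential));
    this.pending = []; // loaders waiting for consent (item 6: nothing runs before opt-in)
    this.records = []; // audit trail (item 7: you carry the burden of proof)
  }

  isAllowed(purpose) {
    if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
    return this.granted.has(purpose);
  }

  // Register a tag/script loader; it only runs once its purpose is allowed.
  whenAllowed(purpose, loader) {
    if (this.isAllowed(purpose)) { loader(); return true; }
    this.pending.push({ purpose, loader });
    return false;
  }

  // Granular, explicit decisions per purpose (item 4). Only an explicit `true`
  // counts as acceptance; anything else is treated as a refusal.
  decide(decisions, method) {
    const applied = {};
    for (const [purpose, ok] of Object.entries(decisions)) {
      if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
      if (PURPOSES[purpose].essential) continue; // cannot be switched off
      applied[purpose] = ok === true;
      if (applied[purpose]) this.granted.add(purpose); else this.granted.delete(purpose);
    }
    this.records.push({ at: this.now(), policyVersion: this.policyVersion, method, decisions: applied });
    this.flushPending();
    return applied;
  }

  // Items 8 and 9: withdrawal is a single call, and anything still queued for
  // the withdrawn purpose is discarded so it can never run later.
  withdraw(purposes) {
    const decisions = Object.fromEntries(purposes.map((p) => [p, false]));
    const applied = this.decide(decisions, "withdraw");
    this.pending = this.pending.filter((e) => !purposes.includes(e.purpose));
    return applied;
  }

  flushPending() {
    const still = [];
    for (const entry of this.pending) {
      if (this.isAllowed(entry.purpose)) entry.loader(); else still.push(entry);
    }
    this.pending = still;
  }

  // Every outbound transfer is checked against the current state (item 9).
  forward(purpose, payload, sender) {
    if (!this.isAllowed(purpose)) return { sent: false, reason: `no consent for ${purpose}` };
    sender(payload);
    return { sent: true };
  }

  auditLog() { return this.records.map((r) => ({ ...r })); }
}

// Walk through a constructed session: banner shown, partial consent, then withdrawal.
function demo() {
  const loaded = [];
  const sent = [];
  let tick = 0;
  const cm = new ConsentManager("2020-08", () => `t${++tick}`); // constructed clock

  cm.whenAllowed("essential", () => loaded.push("session"));   // runs immediately
  cm.whenAllowed("analytics", () => loaded.push("analytics")); // queued until consent
  cm.whenAllowed("marketing", () => loaded.push("marketing")); // queued until consent

  cm.forward("analytics", { page: "/" }, (p) => sent.push(p)); // blocked: no consent yet

  cm.decide({ analytics: true, marketing: false }, "banner");  // user ticks analytics only
  cm.forward("analytics", { page: "/pricing" }, (p) => sent.push(p)); // now allowed

  cm.withdraw(["analytics"]);                                  // opt-out on the same layer
  cm.forward("analytics", { page: "/checkout" }, (p) => sent.push(p)); // blocked again

  return { loaded, sent, log: cm.auditLog() };
}
```

In the walkthrough only the session loader and, after the banner decision, the analytics loader ever run; the marketing loader is never executed, one page view is forwarded in the window between consent and withdrawal, and the audit log holds two timestamped records (the banner decision and the withdrawal) against the policy version they refer to, which is what an auditor would ask to see.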
Would you like to learn more about all the possibilities our CMP offers for a GDPR-compliant implementation? We would be happy to advise you.
Get in touch with us