What is GDPR Protect – the solution for protecting personal data and cookies?
GDPR Protect allows you to manage all aspects of the Cookie Law, in particular:
- Easily inform users through a cookie banner/consent banner and a dedicated cookie policy page (which is automatically linked to your privacy policy and integrates what is required to comply with the Cookie Law);
- Receive and save cookie consent settings;
- Automatically block scripts that may install cookies/trackers on the website until the user consents through the auto-blocking feature;
- Track consent and retain each user’s consent settings for up to 12 months from the last visit to the site.
You can collect consent through multiple mechanisms, including continued browsing, scrolling, and/or specific click actions. However, please note that permitted consent actions may vary depending on the laws of the Member State.
Below you will find all the necessary steps to use GDPR Protect to ensure you comply with the Cookie Law.
How to generate a cookie policy?
- Go to the dashboard and select the privacy policy for which you want to generate a cookie policy (Pro license required).
- Click Edit in the Privacy and Cookie Policy section, you will notice a Cookie Policy field in the right column: Enable cookie policy.
- Click Activate: your cookie policy will be automatically generated based on your privacy policy configuration.
How to add a cookie banner to a website
Click Generate now in the dashboard > [Your website/app] > Privacy Controls and Cookie Solution.
This will take you directly to the configuration panel for your cookie banner/consent banner.
After saving, you will get a code snippet similar to this:
<script type="text/javascript">
var _iub = _iub || [];
_iub.csConfiguration = {
"siteId": XXXXXX, // your siteId,
"cookiePolicyId": YYYYYY, // your cookiePolicyId,
"lang": "en"
};
</script>
<script type="text/javascript" src="https://cs.iubenda.com/autoblocking/3095420.js"></script>
<script type="text/javascript" src="///cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>Simply copy and paste it into the head tags of your website’s HTML code as the first element. Alternatively, you can use one of our plugins: we currently have plugins for WordPress, Joomla!, PrestaShop and Magento.
Important: Do not use the code shown above, this is just a sample code. Instead, use the code attached to your cookie policy, which you will receive by following the steps listed above.
Remote configuration function
The remote configuration feature simplifies the add-on process by allowing most changes made in the configurator to be applied directly to your website without the need for a re-embedding. However, some changes, such as using custom CSS, still require re-embedding the code. In any case, when you save the configuration, you will be notified whether the changes will be applied directly or if a re-embedding of the code will be required.
How to request consent only from EU users
The settings also allow you to specify whether you want to apply GDPR protections to the following:
- All your users. In this case, consent will be requested from all users on your site. This is the default setting.
- Only your EU users. In this case, consent will only be requested from EU users.
Here’s an example: a US-based e-commerce website has different sections available to users in the US and in Europe. They want to apply GDPR protections (i.e. show a cookie banner/consent banner) only to their EU-based users.
This is possible by checking Request consent to EU users only, located in Privacy Controls and Cookie Solution > Edit > GDPR. Once you select this option (in the code gdprAppliesGlobally:false), you will be able to automatically detect the user’s country (in the code countryDetection:true).
If you decide to only require consent from users in the EU, but prefer to implement your own country detection system, you will need to set `gdprApplies:false` on pages where consent is not required.
If you are based in the EU, it is mandatory to apply the protections to all users, not just users based in the EU.
Cookie law and cookie policy
The ePrivacy Directive 2002/58/EC (or the Cookie Act) was created to establish guidelines for protecting ePrivacy, including email marketing and the use of cookies, and is still in force today.
The Cookie Act actually applies not only to cookies, but also more broadly to any other technology that stores or accesses information on a user’s device (e.g. pixel tags, device fingerprinting, unique identifiers, etc.). For the sake of clarity, all such technologies, including cookies, are generally defined as trackers. However, in this guide, the terms cookie(s) and tracker(s) will be used interchangeably.
You can think of the ePrivacy Directive as complementing the GDPR, rather than being superseded by it.
Strictly speaking, if you use cookies, you should consider complying with the Cookie Act before you move to GDPR. This is because the Cookie Act is what is called in legal jargon a “lex specialis”, meaning it takes precedence over the GDPR.
Directives, generally speaking, establish certain agreed objectives and guidelines, and Member States are tasked with implementing these directives in their national legislation.
Regulations, on the other hand, are legally binding on all Member States from the moment they enter into force and are applied according to the rules established throughout the Union.
The ePrivacy Directive will actually soon be repealed by the ePrivacy Regulation. The ePrivacy Regulation is expected to be finalized in the near future and will work together with the GDPR to regulate the requirements for the use of cookies, electronic communications and related data protection/personal information.
The Regulation is expected to retain elements similar to the Directive, with many of the same guidelines continuing to apply.
Who is subject to the Cookie Law?
The application of the Cookie Law depends on the legislation under which the site/application operates.
In general, the Cookie Law will apply to you if:
- you or your users are based in the EU; and
- you use cookies or similar technologies on your site/application.
What does the Cookie Law require?
Under the Cookie Act, organizations targeting EU users must inform users about data collection activities and give them the opportunity to choose whether or not to allow this.
This means that if your site/app (or any third party used by your site/app) uses cookies or similar technologies, you must first obtain valid consent before installing those cookies, unless they fall into the exempt category.
In practice, you will need to:
- Show a cookie banner/consent banner on the user’s first visit;
- Implement a cookie policy that contains all the necessary information;
- Allow the user to give consent. Before consent is given, no cookies can be installed — except for exempt cookies.
