Implied vs Explicit Cookie Consent Modes
Almost all websites use cookies to store information about website users. Cookies are small, often encrypted files that are located in browser directories. Website owners use cookies to perform tasks and to help manage the website. Cookies can be either first-party or third-party, depending on how they were created and from which server they operate in the user’s browser.
What is a Cookie Consent Mode?
Cookies make it possible to use a website in a more personalized way, which can give the website user a positive experience. However, some cookies collect data across many websites and are used by advertising companies to decide what content to show you. These cookies are called targeting cookies, and they in particular are what the cookie policy law was designed to highlight. Websites are required to inform website users about cookies, to obtain their consent before using them, and to give users more control over their online privacy.
Each company or website that collects website users' personal data must have a privacy policy. If your website uses cookies, you also need to have a cookie policy. A Cookie Policy is a legal document that provides detailed information about the cookies used on your website. GDPR, CCPA, and other privacy laws require that you disclose why you use cookies, what user information you collect, what you do with this information, and what the benefits for users are. The Cookie Policy must be compliant with GDPR, CCPA, and other privacy laws. It has to describe the cookies used on your website, including details about what each cookie does, how long it lasts, and what type of data it collects and stores. In addition, the Cookie Policy has to be kept up to date with recent changes in privacy directives.
To be compliant with privacy laws, you should provide your users an opportunity to choose whether or not they want their data to be collected. In other words, website users should have the possibility to choose between implied or explicit Cookie Consent modes for their data tracking.
With CookieScript, it’s easy to configure a Cookie Banner that allows your website users to choose between implied and explicit Cookie Consent modes. You can get the Cookie Banner for as many websites as you need.
Implied Cookie Consent Mode
There are several cookie consent modes, depending on how strict you want it to be. The most common are explicit and implied cookie consent modes.
Implied cookie consent mode means to grant permission or access to track your activity and collect personal information when visiting a website. Implied cookie consent mode is also called opt-out cookie consent mode, or “the soft way” for cookie consent. If a website user accepts implied cookie consent mode, all cookies are set on the website user’s computer and the website user is just informed about cookies. Cookies are deleted only if the user declines cookies.
Article 4 of the GDPR defines cookie consent as:
“‘consent’ of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
GDPR treats implied cookie consent as valid only when it is:
- freely given
- informed
- specific
- unambiguous.
Freely given. Website users should not feel compelled to give consent to the processing of their personal data. They should have a real choice in how their private data is handled.
Specific. The purpose of the data collection should be specific and the consent for different website features should be separated. It means that separate consent requests are needed for different activities and information relating to different activities is distinguishable from information about other features.
Informed. For consent to be informed, your website users must be informed of your Privacy Policy and your Cookie Policy.
Unambiguous. Cookie consent is unambiguous when it is given by clear affirmative action, such as written statements, including by electronic means. It could include consent obtained via tick boxes or any other clear statement that indicates the user's agreement. Language must be clear and simple. A user’s assumed consent, such as their failure to opt out of cookie consent through their inaction, is not valid.
GDPR also requires cookie consent to be revocable and demonstrable.
Revocable. The website user has the right to withdraw consent at any time and without any justification. Withdrawing cookie consent should be as easy as it was to give it. The option to switch to explicit mode should be available at every step of the cookie management process.
Demonstrable. According to GDPR, companies or websites must maintain a record of user consent to prove that they have collected consent before collecting personal data from users. Data protection authorities can ask for this record at any time as proof of consent.
Explicit Cookie Consent Mode
Explicit cookie consent mode means rejecting permission or access to track your activity and collect personal information when visiting a website. Explicit, or opt-in, cookie consent mode is used by default because that's a requirement for GDPR. When this mode is used, no cookies are stored on the website user’s computer until the website user agrees with the Cookie Policy. Opt-in cookie consent requires a website user to take a positive, affirmative action, such as checking a tick-box or another similar action.
This is also called “the hard way” for cookie consent.
If you choose the explicit cookie consent mode, the website you’re visiting will not track your data.
However, on certain occasions, it can be impossible to use your website properly. It could be impossible to use all of your website functions if the website has strictly necessary cookies, which are essential for users to browse the website and access its features. For example, if you’re visiting an online shop, without strictly necessary cookies you wouldn’t be able to put items in your shopping cart. Therefore, explicit cookie consent mode is not necessarily the best option on some occasions.
Certain cookie management platforms provide information on whether the website uses strictly necessary cookies. CookieScript lets you create a Cookie Banner that is easily modifiable based on what cookies your website uses, so you can inform your users about cookies and stay GDPR compliant at the same time.
Implied vs Explicit Cookie Consent Mode
Different privacy laws have different ways of defining implied and explicit cookie consent models. Since the EU Cookie Law and GDPR were introduced, website owners have had to introduce implied and explicit cookie consent modes to stay compliant with these laws. While it’s an easy task for users to choose one of the two options, your Cookie Banner should include more information than just these two options. It should also explain the cookies your website is using and note their purpose. You should explain how you collect, use, share or disclose users' personal data subject to privacy laws. In that way your website can stay compliant with GDPR and users can make an informed decision on whether to opt in or opt out of cookies.
With CookieScript, you can choose the consent mode for your CookieScript banner. The setting is called Consent mode, and it has 2 main options depending on how strict you want it to be:
Consent mode settings for CookieScript banner
Implied: All cookies are set on the visitor’s computer as usual and the visitor is just informed about cookies. Cookies are deleted only if the user declines cookies. We call it “the soft way”.
Explicit: This option is used by default because that's a requirement for GDPR. If this option is used, no cookies will be stored on the visitor’s computer until the visitor agrees with the cookie policy. We call it “the hard way”.
Things to note when using explicit mode:
- Removing cookies can influence the workflow of your website. For example, the visitor will not be able to log in until he agrees with your cookie policy. If you have a webshop, it is not recommended to use explicit mode since visitors will not be able to make any purchases before they agree with the cookie policy.
- If you are using some analytics software (like Google Analytics), explicit cookie consent mode might mess up your analytics data since each page view (even from the same visitor) will be tracked as a new and unique visitor.
- In case you have a simple website without any analytics software installed, you should not have any problems using explicit cookie consent mode.
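The two consent modes described above, as an added example that is not CookieScript's code: a consent gate that sets cookies first in implied mode, holds them back in explicit mode, deletes them on decline, and keeps a consent record. The `ConsentGate` class, the category names and the in-memory cookie jar (standing in for `document.cookie`) are assumptions made for illustration.

```javascript
// Added illustration; names and categories are hypothetical, not CookieScript's API.
const NECESSARY = "strictly_necessary";

class ConsentGate {
  constructor(mode, jar = new Map()) {
    if (mode !== "implied" && mode !== "explicit") throw new Error("unknown mode");
    this.mode = mode;
    this.jar = jar;        // name -> { value, category }; stands in for document.cookie
    this.decision = null;  // null until the visitor makes a choice
    this.pending = [];     // cookies held back while waiting for consent
    this.log = [];         // consent record kept as proof of consent
  }
  // Is a cookie of this category allowed right now?
  allowed(category) {
    if (category === NECESSARY) return true;
    if (this.decision) return this.decision.has(category);
    return this.mode === "implied"; // implied: set first; explicit: block first
  }
  setCookie(name, value, category) {
    if (this.allowed(category)) { this.jar.set(name, { value, category }); return true; }
    if (this.decision === null) this.pending.push({ name, value, category });
    return false;
  }
  // Record the visitor's choice; `categories` lists what they accepted ([] = decline).
  decide(categories, now = new Date()) {
    this.decision = new Set(categories);
    this.log.push({ at: now.toISOString(), mode: this.mode, accepted: [...categories] });
    // Decline or withdrawal: delete cookies whose category is no longer allowed.
    for (const [name, c] of this.jar) if (!this.allowed(c.category)) this.jar.delete(name);
    // Acceptance: release cookies that were held back in explicit mode.
    const held = this.pending;
    this.pending = [];
    for (const c of held) this.setCookie(c.name, c.value, c.category);
  }
}

// Constructed sample: one page load that tries to set three cookies.
function pageLoad(gate) {
  gate.setCookie("session_id", "abc", NECESSARY);
  gate.setCookie("_analytics", "v1", "performance");
  gate.setCookie("_ads", "x9", "targeting");
  return [...gate.jar.keys()].sort();
}
```

Running `pageLoad` against a gate in each mode before any decision shows the difference: the implied gate ends up with all three cookies, the explicit gate with only `session_id`.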
Please keep in mind that a cookie disclaimer is not the same thing as a cookie consent. The cookie disclaimer is simply a cookie message, informing the website visitors that the website uses cookies.
If the cookie disclaimer simply informs the user about the cookies and does not give a choice of consenting to some cookies and not to others, or it has just one option to accept cookies, such a cookie disclaimer does not leave a real choice of consent for the user. Website users could also notice that such a cookie disclaimer gives no guarantee that non-essential cookies, such as third-party cookies, haven’t already been set and activated upon visiting the landing page.
Thus, a cookie disclaimer or a cookie message without any choice of prior and informed consent is not cookie consent that really protects your privacy. Such a cookie disclaimer does not comply with the requirements of the GDPR.
When to use implied Cookie Consent Mode
You should use implied cookie consent mode:
- When your website collects personal data
If a website user wants to share his data with the website to have a personalized experience the next time he visits the same page, he should use implied cookie consent mode and give tracking consent.
- When you use cookies (especially Third-Party Cookies) for analytical purposes.
If you use some analytics software (like Google Analytics), it is recommended to use implied cookie consent mode to accurately distinguish and track individual visitors and their behavior. Explicit Cookie Consent mode might mess up your analytics data since each page view, even from the same visitor, will be tracked as a new and unique visitor.
- When your website uses strictly necessary cookies
If you have an e-shop, it is recommended to use implied mode for e-shop visitors to be able to make any purchases. Removing cookies can influence the workflow of your website. For example, the visitor will not be able to log in until he agrees with your Cookie Policy.
- When you collect personal data from youth
If your website is designed for children or teenagers and you need to collect the personal data of minors, you need parental consent.
- For advertising and marketing purposes
If you want to use personalized advertising methods, you have to use implied cookie consent mode for your website. Websites and especially Third-Party Cookies collect personal data, which allows them to use personalized advertising and marketing even between multiple websites and platforms.
Also, you may want to have the email addresses of users to send newsletters or marketing emails. In this case, you must ask their permission before storing the emails in your database.
When to use explicit Cookie Consent Mode
You should use explicit cookie consent mode:
- When website users do not give permission to collect their personal data
On the other hand, a lot of people won’t trust a website to collect and store their personal information, such as location, IP address, browsing activity, and other sensitive data, so they choose explicit cookie consent mode. This should be kept in mind while creating your website, since if the website user chooses the explicit, or opt-out cookie consent mode, your website might not function properly.
- When website users ask to temporarily terminate the data collection or delete the data
Users have the right to reject permission to collect or process their data at any time. Even if they agreed to share their data, later they could ask to delete it. You should terminate the processing of data or delete the data in such cases.
- For a simple website
When you have a simple website without any analytics software installed, you should not have any problems using explicit Cookie Consent mode. In this case, you could be sure you are GDPR compliant.
Your Best Explicit vs Implied Cookie Consent Mode Solution
If you want your website to stay compliant with GDPR, CCPA, and other privacy laws and to have a choice to use either explicit or implied cookie consent mode, you could use the Cookie Banner from CookieScript. The Cookie Banner gives options for your users to select either explicit or implied cookie consent. It has all the required information that explains the data usage and also follows the updates for cookie privacy laws automatically. CookieScript also scans your website every month to update its Cookie Declaration, and all cookies are automatically categorized using our cookie database.
Frequently Asked Questions
How to change a cookie consent mode from implied to explicit?
The easiest way to change your cookie consent mode is through a Cookie Banner. It gives users options to choose either implied or explicit consent mode and it also provides information on what cookies are being used and what their purpose is. Cookie Banner from CookieScript provides an easy interface to modify your banner.
Can I opt-out of cookies I already accepted?
Yes, you can opt-out of cookies at any time, even after the implied cookie consent mode was already chosen. You can opt-out of cookies if a website you’re visiting has a Cookie Banner. A Cookie Banner from CookieScript gives an option to opt-out for its users – they can opt-out of cookie tracking after reading additional information on cookie tracking and how their data can be used.
Does the implied, or soft, way of cookie consent meet GDPR?
The soft way of cookie consent does not meet GDPR. Choosing between implied or explicit cookie consent modes should be a clear option when visiting a website for the first time and the Cookie Banner should have information on how the user’s personal information is going to be used if consent is given. Cookie Banner from CookieScript has these choices and meets GDPR.
What cookie consent mode do I have to use for Google Analytics cookies?
If you’re using Google Analytics cookies, to ensure that your website meets the EU's General Data Protection Regulation (GDPR), you need to receive user consent before you can track your visitors and use data for analytical purposes. Thus, you have to use an implied cookie consent mode. Learn how to stay GDPR compliant with the Cookie Banner from CookieScript.
How to avoid cookie consent?
The easiest way to avoid cookie consent is not to use any cookies on your website. If you create a tracking-free zone where users' personal information is not collected by your website or by third parties, and where your website only uses technically necessary cookies, you could avoid the requirements to have cookie consent. However, sometimes your website could contain third-party cookies even without your awareness. You could use a CookieScript Cookie Scanner to check if your website uses any cookies.
What happens if I reject cookies?
The potential problem with refusing to accept cookies is that some websites will not function correctly if you don't accept their cookies. For example, you could not add an item to your cart on the e-shop website. Another downside is that rejecting cookies could diminish user experience on certain websites since cookies allow personalized visiting of a website.
Are cookie disclaimer and cookie consent the same?
No, a cookie disclaimer and cookie consent are not the same thing. A cookie disclaimer is just a disclaimer or message that your website uses cookies. If the cookie disclaimer simply informs the user about the cookies and does not give a choice of consenting to some cookies and not to others, or it has just one option to accept cookies, such a cookie disclaimer does not leave a real choice of consent for the user. In addition, such a cookie disclaimer gives no guarantee that non-essential cookies, such as third-party cookies, haven’t already been set and activated upon visiting the landing page. Thus, a cookie disclaimer without any choice of prior and informed consent is not cookie consent and it does not comply with the requirements of the GDPR. You could use a CookieScript Cookie Scanner to check if your website uses any cookies.