After setting up my small blog I already had a base solution to make cookies GDPR compliant, but it was quite expensive for me.
I was not that happy, so I decided to explore GDPR requirements.
In general, if your website is visited by EU consumers, you must comply with the GDPR even when you don't collect any personal data.
Since site visitors can be tracked by third parties through cookies, you should always keep an eye on the cookies that are set when your site loads.
You comply with the GDPR if you set cookies after obtaining prior consent. The consent banner should block cookies until the user clicks the allow button.
You also comply with the GDPR if you do not set any cookies at all, or set only strictly necessary cookies without obtaining prior consent.
The European Commission gives examples of such strictly necessary cookies:
- user input cookies, for the duration of a session
- authentication cookies, for the duration of a session
- user-centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration
- multimedia content player session cookies, for the duration of a session
- load balancing session cookies, for the duration of a session
- user interface customisation cookies, for a browser session or a few hours
Any statistical, advertising or similar cookies are not strictly necessary and cannot be set without obtaining prior consent.
If you use Google Analytics, Google AdSense or DoubleClick, you need to get the user's consent. Google itself warns about this.
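To make the "block until consent" rule and the "keep an eye on the cookies that are set" check concrete, here is a small consent gate written for this post; it is an added example, not code from the original post or from any consent product. The consent cookie name (`cookie_consent`), the list of strictly necessary cookie names, the `GA_MEASUREMENT_ID` placeholder and the banner element ids are all assumptions chosen for illustration. The pure functions (`parseCookies`, `consentState`, `nonEssentialCookies`, `plan`) run anywhere, including Node; the DOM wiring at the bottom runs only in a browser.

```javascript
// Added example: a minimal GDPR consent gate plus a cookie audit helper.
// Assumed names: cookie_consent, sessionid, csrftoken, GA_MEASUREMENT_ID.

const CONSENT_COOKIE = 'cookie_consent';            // assumed cookie name
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;
const GA_MEASUREMENT_ID = 'G-PLACEHOLDER';           // placeholder, not a real id

// Cookies this (hypothetical) site treats as strictly necessary and may set
// without consent: session, CSRF token and the consent record itself.
const STRICTLY_NECESSARY = new Set(['sessionid', 'csrftoken', CONSENT_COOKIE]);

// Parse a document.cookie / Cookie-header style string into { name: value }.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Consent state stored in the consent cookie: 'granted', 'denied', or null
// when the user has not been asked yet (or the value is unrecognised).
function consentState(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  return v === 'granted' || v === 'denied' ? v : null;
}

// Audit: every cookie present that is not on the strictly-necessary list.
// Before consent is granted, this list should be empty.
function nonEssentialCookies(cookieString) {
  return Object.keys(parseCookies(cookieString))
    .filter((name) => !STRICTLY_NECESSARY.has(name));
}

// Decide what the page may do for the current cookie jar. Third-party
// loaders run only on an explicit 'granted'; anything else blocks them.
function plan(cookieString) {
  const state = consentState(cookieString);
  return {
    showBanner: state === null,
    loadAnalytics: state === 'granted',
    // Non-essential cookies already set without a 'granted' record are
    // the violations a scanner would flag.
    violations: state === 'granted' ? [] : nonEssentialCookies(cookieString),
  };
}

// ---- Browser-only wiring below; skipped when run under Node. ----

// Inject the analytics tag only after consent (assumed gtag.js loader URL).
function loadAnalytics() {
  const s = document.createElement('script');
  s.async = true;
  s.src = `https://www.googletagmanager.com/gtag/js?id=${GA_MEASUREMENT_ID}`;
  document.head.appendChild(s);
}

// Record the decision for a year; Secure requires HTTPS.
function recordConsent(decision) {
  document.cookie = `${CONSENT_COOKIE}=${decision}; Max-Age=${ONE_YEAR_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

function run() {
  if (typeof document === 'undefined') return;     // not in a browser
  const p = plan(document.cookie);
  if (p.violations.length) {
    console.warn('Non-essential cookies set before consent:', p.violations);
  }
  if (p.loadAnalytics) loadAnalytics();
  if (p.showBanner) {
    // Assumed markup: <div id="consent-banner"> with two buttons.
    const banner = document.getElementById('consent-banner');
    if (!banner) return;
    banner.hidden = false;
    document.getElementById('consent-allow').onclick = () => {
      recordConsent('granted'); banner.hidden = true; loadAnalytics();
    };
    document.getElementById('consent-deny').onclick = () => {
      recordConsent('denied'); banner.hidden = true;
    };
  }
}
run();
```

The important design point is that `plan()` defaults to blocking: an absent, malformed or "denied" consent record never loads the analytics tag, and only a literal `granted` does. The `violations` list is what a scanner like the one mentioned later in this post would report: if it is non-empty on a first visit, some script on the page is setting a non-essential cookie before the banner has been answered.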
To check your website's cookies for GDPR compliance you can use 2GDPR.
It takes about a minute to scan.
If violations are found, it will take longer to analyze the results.