Cookie Policy Research for 4allrecipe.com
GDPR and ePrivacy Directive Requirements
Key Cookie Compliance Requirements:
1. Consent Required: Obtain users' consent before setting any cookies other than strictly necessary ones
2. Clear Information: Before consent is given, explain in plain language what data each cookie tracks and for what purpose
3. Document Consent: Record and store the consent received from users
4. Service Access: Allow users to use the service even if they refuse certain cookies
5. Easy Withdrawal: Make withdrawing consent as easy as giving it
Cookie Types by Purpose:
1. Strictly Necessary Cookies: Essential for browsing and using website features (no consent required, but their purpose must still be explained)
2. Preferences/Functionality Cookies: Remember user choices such as language, region and login details
3. Statistics/Performance Cookies: Collect aggregated, anonymized information about website usage
4. Marketing Cookies: Track online activity for advertising purposes (require explicit consent)
Cookie Types by Duration:
• Session Cookies: Temporary; expire when the browser closes
• Persistent Cookies: Remain until deleted or until their expiration date passes
Cookie Types by Provenance:
• First-party Cookies: Set directly by the website being visited
• Third-party Cookies: Set by external parties (advertisers, analytics providers)
GDPR Considerations:
• Cookies qualify as personal data when they can be used to identify users
• Companies need consent or a legitimate interest to process user data
• The ePrivacy Directive supplements GDPR for electronic communications
Source: https://gdpr.eu/cookies/
Cookie Consent Implementation Requirements
Cookies That Require Consent:
• Cookies used for direct marketing
• Cookies used to track users' behavior across multiple websites
• Cookies used to compile a profile of a user's interests, habits and preferences
• Third-party cookies (set by someone other than the site owner)
• Cookies set by socially shared content
• First-party cookies used for tracking
Cookie Banner Requirements:
1. Load on every page: Especially during first visits
2. Clear language: Concise, clear and easy to understand
3. Inform visitors: About the cookies in use, their purpose, and what accepting or rejecting means
4. Block non-essential cookies: No cookie other than strictly necessary ones is set until the user gives consent
5. Three options: Accept all, reject all, and preferences/settings
6. No implied consent: Closing the banner or scrolling does not count as consent
7. No pre-ticked boxes: Consent must be opt-in
8. Link to policy: Keep the privacy/cookie policy updated with detailed information and link to it from the banner
9. Recall option: Allow users to withdraw or change consent at any time
10. Log consent: Document consent as proof of compliance
11. Renewal timing: Wait 6 months to 1 year before re-requesting consent from users who opted out
GDPR vs CCPA Differences:
• GDPR: Requires opt-in consent (explicit permission before using cookies)
• CCPA: Requires an opt-out approach (cookies may be used, but a "Do Not Sell" option must be provided)
Penalties for Non-Compliance:
• GDPR: Up to €20 million or 4% of total worldwide annual turnover
• Recent example: Amazon fined €746 million for invalid marketing cookie consent
Source: https://www.cookielawinfo.com/cookie-consent/
Google AdSense Specific Requirements
Key Requirements (Effective January 16, 2024):
1. Consent Management Platform (CMP): Must use a Google-certified CMP that integrates with IAB's Transparency and Consent Framework (TCF) when serving ads to EEA/UK users
2. EU User Consent Policy Compliance: Must make disclosures and obtain consent for cookies and personal data collection for ads personalization
3. Geographic Scope: Applies to the European Economic Area (EEA), UK, and Switzerland
   • EEA includes EU member states plus Iceland, Liechtenstein, and Norway
Ad Serving Options:
1. Personalized Ads:
   • Reach users based on interests, demographics, and other criteria
   • Requires clearly identifying all ad technology providers
   • Must obtain user consent for collection, sharing, and use of personal data
2. Non-Personalized Ads:
   • Targeted using contextual information rather than user behavior
   • Still use cookies for frequency capping, aggregated reporting, fraud prevention
   • Consent still required for cookie usage in countries under the EU ePrivacy Directive
   • No consent required for Trust Token API or Shared Storage API
Ad Technology Provider Requirements:
• Must select from Google-certified providers who comply with GDPR
• Options: Commonly used set OR custom set of providers
• Must clearly identify selected providers to users
• Must obtain users' consent in line with the EU user consent policy
• Can list providers in the consent flow or on a separate page linked from the consent flow
• Must link to each provider's activity descriptions
Implementation Requirements:
1. AdSense Account Settings: Privacy & messaging → European regulations → Settings
2. Consent Dialog: Create own consent dialog for EEA/UK/Switzerland users
3. Consent Signals: Must pass consent signals to AdSense
4. Privacy Sandbox APIs: Consent required for Topics, FLEDGE, Attribution Reporting API
Important Notes:
• Settings only apply to AdSense for content (not AdSense for search)
• Ad technology providers ≠ mediation networks
• Must comply with both EU ePrivacy Directive and GDPR requirements
Source: https://support.google.com/adsense/answer/7670013?hl=en
Google Consent Mode v2 Requirements
Mandatory Implementation (March 2024):
• Required for: All websites using Google services (Ads, Analytics, AdSense) serving EU/EEA users
• Purpose: Strengthened enforcement of the EU user consent policy
• Scope: European Economic Area (EEA) traffic
New Parameters (v2 Addition):
In addition to the existing ad_storage and analytics_storage, must implement:
| Parameter | Values | Description |
|---|---|---|
| ad_user_data | 'granted' / 'denied' | Consent for sending user data related to advertising to Google |
| ad_personalization | 'granted' / 'denied' | Consent for personalized advertising |
Implementation Requirements:
1. Default Consent State: Set before the user grants consent
2. Consent Updates: Track on the page where they occur, before page transitions
3. Regional Scoping: Best practice is to scope default consent settings to the regions that require consent banners
4. Google Tag: Must be installed on every page if using gtag.js
5. Tag Manager: Recommended to load the banner through a Tag Manager container
Implementation Methods:
• Basic Consent Mode: Tags don't load until consent is granted
• Advanced Consent Mode: Tags load but adjust behavior based on the consent state
Technical Implementation:
• Use the gtag('consent', 'default', …) command before any measurement data commands
• Update the consent state based on user interaction with the consent settings
• Ensure consent updates are tracked before page transitions
Legacy Tag Migration:
• Must update from legacy tags (ga.js, analytics.js, conversion.js) to gtag.js or Google Tag Manager
• Legacy tags are no longer supported for consent mode
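To make the Consent Mode v2 wiring above concrete, and to show how the banner's three outcomes (accept all, reject all, preferences) from the banner requirements earlier on this page become consent signals, here is an added example. It is not code from Google's documentation, from a CMP vendor, or from 4allrecipe.com. The dataLayer/gtag shim at the top mirrors the standard snippet so the file runs under Node without loading gtag.js; the category names `marketing` and `statistics`, the region list, and the 500 ms `wait_for_update` value are assumptions of this example. The `region` and `wait_for_update` keys are documented Consent Mode parameters.

```javascript
// Added example: Consent Mode v2 default/update sequence (not Google's code).
// On a live page gtag.js replaces this shim and reads the same dataLayer.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Regions where the default state must be 'denied': EU member states plus
// Iceland, Liechtenstein and Norway (EEA), the UK and Switzerland.
// ISO 3166-1 alpha-2 codes; assumption: this list matches the scope above.
const CONSENT_REGIONS = [
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE', 'IT',
  'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE',
  'IS', 'LI', 'NO', 'GB', 'CH',
];

// The four storage types Consent Mode v2 expects; the last two are the v2 additions.
const CONSENT_TYPES = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Step 1: the default state, issued before any measurement command runs.
// Everything is denied in the listed regions; wait_for_update gives a stored
// choice up to 500 ms (assumed value) to arrive before tags fire.
function setDefaultConsent(regions = CONSENT_REGIONS) {
  const defaults = Object.fromEntries(CONSENT_TYPES.map((t) => [t, 'denied']));
  defaults.region = regions;
  defaults.wait_for_update = 500;
  gtag('consent', 'default', defaults);
  return defaults;
}

function defaultWasIssued() {
  return dataLayer.some((args) => args[0] === 'consent' && args[1] === 'default');
}

// Step 2: translate the banner's category choices into a consent update.
// choices: { marketing: boolean, statistics: boolean } (assumed banner categories).
// Refuses to run before the default state exists, so the order cannot be wrong.
function consentUpdateFromChoices(choices) {
  if (!defaultWasIssued()) {
    throw new Error('setDefaultConsent() must run before any consent update');
  }
  const adState = choices.marketing ? 'granted' : 'denied';
  const update = {
    ad_storage: adState,
    ad_user_data: adState,          // marketing consent also covers sending ad user data
    ad_personalization: adState,
    analytics_storage: choices.statistics ? 'granted' : 'denied',
  };
  gtag('consent', 'update', update);
  return update;
}

// The three banner buttons map onto the same update path.
function acceptAll() { return consentUpdateFromChoices({ marketing: true, statistics: true }); }
function rejectAll() { return consentUpdateFromChoices({ marketing: false, statistics: false }); }

// Inspect what reached the dataLayer, in order, as plain objects.
function consentCommands() {
  return dataLayer
    .filter((args) => args[0] === 'consent')
    .map((args) => ({ action: args[1], params: args[2] }));
}

// Usage on page load, then when the visitor clicks a banner button:
setDefaultConsent();
consentUpdateFromChoices({ marketing: false, statistics: true });
```

The default call belongs in the `<head>` before the Google tag snippet so the denied state is in place when tags load; the update call is issued on the page where the click happens, which satisfies the "before page transitions" requirement because nothing is deferred to the next page.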
Source: https://developers.google.com/tag-platform/security/guides/consent
Detailed GDPR and European Privacy Law Requirements
GDPR Cookie Compliance Requirements:
1. Prior and explicit consent: Must be obtained before any cookie is activated (except necessary cookies)
2. Granular consent: Users must be able to activate some cookies rather than others (not all-or-nothing)
3. Freely given consent: Cannot be forced or obtained through manipulation
4. Easy withdrawal: Consent must be as easy to withdraw as to give
5. Secure storage: Consents must be securely stored as legal documentation
6. Consent renewal: Must be renewed at least every 12 months (some guidelines recommend 6 months)
Valid GDPR Consent Characteristics:
• Freely given: No imbalance of power; a genuine choice
• Specific: Linked to a particular purpose; not broad or vague
• Informed: The individual knows the data controller's identity and the processing purpose
• Unambiguous: A clear affirmative action or overt confirmation
GDPR Consent Principles:
1. Transparency: Clear and concise information about data processing
2. Granularity: Consent for distinct processing operations (no blanket consent)
3. Ease of withdrawal: As easy to withdraw as to give consent
4. Documentation: Must keep records to demonstrate compliance
Consent Interface Requirements (Article 7):
• Clearly distinguishable from other matters
• Intelligible and easily accessible form
• Clear and plain language
• No pre-ticked boxes
• Avoid predetermination
• Offer specific choices
Documentation Requirements:
Must maintain detailed records including:
• Date and time of consent
• Method of consent collection
• Information provided to the data subject before consent
• Identity of the consenting data subject
• Specific details of the consent's scope and context
Consent Withdrawal Process:
1. Acknowledge the withdrawal request
2. Verify the data subject's identity
3. Locate and delete the personal data from all systems
4. Provide confirmation of deletion
5. Document the withdrawal details (date, time, acknowledgment, confirmation)
EDPB Guidelines (May 2020):
• No pre-ticked checkboxes allowed
• Continued scrolling/browsing cannot constitute valid consent
• Must have a clear affirmative action
• Accept and reject options must be equally presented and accessible
Geographic Scope:
• Applies to all websites collecting data from EU visitors
• Companies outside the EU must comply if processing EU residents' data
• EEA includes EU member states plus Iceland, Liechtenstein, and Norway
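The documentation and withdrawal requirements above (date and time, collection method, the information shown beforehand, subject identity and scope; withdrawal as easy as giving consent; renewal after 12 months; and, from the banner requirements earlier on this page, not re-asking opted-out users for 6 months to a year) can be modelled as a small consent log. The following is an added example, not part of the original research or of any cited source. The category names, the pseudonymous subject id, the policy version label, the in-memory store and the 182-day re-prompt interval are assumptions; a real deployment would persist these records in tamper-evident storage and carry out the data-deletion steps listed above on withdrawal.

```javascript
// Added example: in-memory consent log (constructed; not from any cited source).
const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];
const RENEW_AFTER_MS = 365 * 24 * 3600 * 1000;     // re-ask consenting users after 12 months
const REPROMPT_OPTOUT_MS = 182 * 24 * 3600 * 1000; // leave opted-out users alone for ~6 months (assumed)

class ConsentLog {
  constructor() {
    this.records = []; // append-only: withdrawals are marked, never erased, to keep evidence
  }

  // Record a consent event. `granted` lists the categories the user opted into;
  // 'necessary' is always on because strictly necessary cookies need no consent.
  record({ subjectId, method, policyVersion, granted, at = new Date() }) {
    const unknown = granted.filter((c) => !CATEGORIES.includes(c));
    if (unknown.length > 0) throw new Error(`unknown categories: ${unknown.join(', ')}`);
    const entry = {
      subjectId,                        // pseudonymous id of the consenting data subject
      timestamp: at.toISOString(),      // date and time of consent
      method,                           // how it was collected, e.g. 'preferences-dialog'
      policyVersion,                    // which cookie policy text was shown beforehand
      scope: Object.fromEntries(        // granular per-category decision
        CATEGORIES.map((c) => [c, c === 'necessary' || granted.includes(c)])
      ),
      withdrawn: null,                  // ISO timestamp once consent is withdrawn
    };
    this.records.push(entry);
    return entry;
  }

  // Most recent record for a subject, or null if they have never answered the banner.
  current(subjectId) {
    for (let i = this.records.length - 1; i >= 0; i--) {
      if (this.records[i].subjectId === subjectId) return this.records[i];
    }
    return null;
  }

  // May cookies of this category be set right now? Only 'necessary' needs no consent.
  allowed(subjectId, category) {
    if (category === 'necessary') return true;
    const rec = this.current(subjectId);
    if (rec === null || rec.withdrawn !== null) return false;
    return rec.scope[category] === true;
  }

  // Withdrawal is a single call; the record stays as evidence and is marked withdrawn.
  withdraw(subjectId, at = new Date()) {
    const rec = this.current(subjectId);
    if (rec === null) return null;
    rec.withdrawn = at.toISOString();
    return rec;
  }

  // Should the banner be shown on this visit?
  //  - never answered: yes, on every page until answered
  //  - withdrew or rejected every optional category: not before ~6 months have passed
  //  - consented: again once 12 months have passed (consent renewal)
  shouldShowBanner(subjectId, now = new Date()) {
    const rec = this.current(subjectId);
    if (rec === null) return true;
    const optedOut =
      rec.withdrawn !== null ||
      !CATEGORIES.some((c) => c !== 'necessary' && rec.scope[c]);
    const reference = rec.withdrawn !== null ? rec.withdrawn : rec.timestamp;
    const elapsed = now.getTime() - Date.parse(reference);
    return elapsed >= (optedOut ? REPROMPT_OPTOUT_MS : RENEW_AFTER_MS);
  }
}

// Usage: record a preferences-dialog choice, gate a cookie on it, then withdraw.
const log = new ConsentLog();
log.record({ subjectId: 'visitor-abc', method: 'preferences-dialog', policyVersion: 'v3', granted: ['statistics'] });
log.allowed('visitor-abc', 'statistics'); // true
log.withdraw('visitor-abc');
log.allowed('visitor-abc', 'statistics'); // false
```

The `allowed` check is what a cookie-setting code path should consult: anything outside `necessary` stays blocked until a current, non-withdrawn record grants that exact category, which is the granular, opt-in behaviour the requirements above describe.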
Sources: