Cookies are Personal Data. The GDPR explicitly states that online identifiers, even if they are pseudonymous or if they do not directly identify an individual, will be considered Personal Data if there is potential for an individual to be identified or singled out. Any persistent cookie that is unique to the device by virtue of its attributes or stored values fits the criteria for Personal Data, and would be considered a cookie.
DecisionWise will not accept implied consent. There are several reasons for this, primarily due to the GDPR requiring users to make an “affirmative action” to signal their consent.
No advice to adjust browser settings. The GDPR says it must be as easy to withdraw consent as it would be to give it. Telling people to block cookies if they don’t consent would not meet this criterion. This method is difficult, ineffective against non-cookie-based tracking, and doesn’t provide enough granularity of choice.
“By using this site, you accept cookies” statements is not acceptable. If there is no genuine and free choice, then there is no valid consent. We have to provide some service to those who don’t accept those terms.
DecisionWise will provide an available opt out. Even after getting valid consent, there must be a way for people to change their minds. Again, this comes down to the requirement that withdrawing consent must be as easy as providing it.
DecisionWise will obtain consent. We will offer fair notice and an affirmative “accept” to continue.
We will accommodate “Do Not Track” browser requests. A DNT:1 signal is a valid browser setting that communicates a visitor’s preference. It could also be interpreted by regulators as an exercise of the right to object to profiling.
Consent will be specific to different cookie purposes. Sites that use different types of cookies with different processing purposes will need valid consent mechanisms for each purpose, e.g. granular levels of control with separate consents for tracking and analytics cookies.