This post was written by David Jiménez

The new data protection regulations are present everywhere, which is why the cookies used when you visit a website need to respect GDPR and data privacy.

It’s therefore really important to understand 3 key points about cookies in order to be sure that we don’t breach the rules. First, what kind of cookies can we use on our website? Second, what kind of data can we record about the users? And third, how do we have to inform the users and get their consent to use cookies?

But first things first: what exactly is a cookie? Last week, we at Efficy attended a lunch event organized by CMS, a law firm specialized in privacy, data security & data protection. In this blog post we’ll try to summarize their best practices and share the advice they gave us.

What’s a cookie?

A cookie is created when you visit a website and request information from it. When the website replies, it sends a cookie, which is stored on your hard drive.
When you go online and return to the website, your computer sends the cookie back. This allows the website’s server to identify you and record data that can be shared with “third parties” (e.g. advertising…).

Cookies – basic rules

Let’s imagine a visitor comes to your website and you want to record his or her data, for example to know which pages he or she visited. You’ll always need to think about the following 3 basic rules:

  1. Tell people that you use cookies
  2. Explain what the cookies are doing and why
  3. If required, get the person’s consent to use cookies

Decide what solution you will implement to obtain consent:

  • Step 1: Determine how you will notify users of your use of cookies when they land on your website
  • Step 2: Determine what information to provide to users at first sight (when they land on the website) and in the cookie policy
  • Step 3: Determine the mechanism that you will implement to obtain the user’s consent

Step 1 – NOTIFY

It seems obvious, but you need to clearly inform users, via a pop-up button for example, that your website uses cookies.

Best practice: Use an immediately visible notice (a banner) stating that various types of cookies are being used by the website.

  • Who the “data controller” is
  • The types of cookies used
  • The purposes of the cookies
  • Indication of possible cookies from third parties (and details on these third-party cookies) or third-party access
  • Retention, typical values, and other technical information
  • How users can accept all, some or no cookies and how they can change their preferences in the future


Best practice: Active Consent

Use a pop-up or banner on the website with a “yes” or “no” button, or a similar set-up, that requires users to expressly consent to the use of cookies.

Below are some examples of the best options:

  1. Direct granular consent with “boxes”
  2. Indirect granular consent: you provide basic information on the types of cookies first, and then offer granular consent in a second layer of information

Key takeaways

If we had to give you 6 key takeaways from our meeting with CMS, they would be these:

  • Carry out a cookie audit
  • Identify which cookies are operating on your website
  • Provide the appropriate level of information
  • Deliver a consent solution in which no cookies are set to a user’s device (other than essential cookies) before that user has signaled their wishes regarding those cookies
  • Cookie acceptance banners must not disappear until the user has continued browsing
  • Users must be offered the possibility to deactivate/activate cookies for specific purposes

In conclusion, you’ll have to think about how to implement a solid cookie policy, and a CRM is there to help you with that. Indeed, a study from VoteWatch Europe shows that the next European Parliament will be more favorable to stricter data rules. You have been warned.
