Cookie Law. Checking for compliance
The Cookie Law is a privacy regulation that requires websites to obtain consent from visitors before storing or accessing any information on their computer, smartphone, or tablet. Websites usually store this information in cookies: small pieces of data kept in the client's browser and used by the website to remember visitor-specific state. The stored data can range from authorization details to previously browsed products, product comparisons and more.
Some cookies do not fall under the GDPR (General Data Protection Regulation); these are the ones needed for the proper operation of the site. All others may be set and stored only after the visitor's explicit consent.
Being GDPR / Cookie Law compliant is a process that involves multiple steps, but there are a few essential ones that you need to take care of:
1. Make sure you're not storing non-essential first-party or third-party cookies before obtaining visitor consent
The best approach to test this is to use the Web Developer Tools of a browser such as Firefox, Chrome or Edge. This is a special panel in the browser that lets you check which cookies are stored at the initial page load. These tools are typically opened by pressing F12 in the browser. The Storage tab (called Application in Chrome and Edge) lists all cookies currently stored for the site. Only essential cookies used for normal site operation should be present. If you notice cookies like _ga (Google Analytics 4), _fbq, etc., you are storing non-essential cookies before collecting consent and are violating the Cookie Law.
In Magento 2 the default cookie list includes the following (see preview below). If you see ANY other cookies set, you are likely not GDPR compliant.
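The same check can be scripted instead of read off the Storage tab by hand. The snippet below is an added example, not code from the original article or from any Magento extension: it takes the cookie names present at first load (from document.cookie in the browser console, or from captured Set-Cookie headers) and reports every name that is not on an allowlist of essential cookies. The allowlist of Magento 2 cookie names is an assumption for illustration and is not the article's missing preview; replace it with the essential-cookie list for your own site. The sample cookie string is constructed.

```javascript
// Added example (not from the original article): flag cookies present at
// first page load that are not on the site's essential-cookie allowlist.

// Assumed allowlist of cookies Magento 2 sets for normal operation. This is
// an assumption for illustration; replace it with your own site's list.
const ESSENTIAL_COOKIES = new Set([
  "PHPSESSID",
  "form_key",
  "mage-cache-sessid",
  "mage-cache-storage",
  "mage-cache-storage-section-invalidation",
  "mage-messages",
  "private_content_version",
  "section_data_ids",
  "X-Magento-Vary",
]);

// Well-known tracker name prefixes, reported as a hint for the reviewer.
const TRACKER_HINTS = [
  ["_ga", "Google Analytics"],
  ["_gid", "Google Analytics"],
  ["_gcl", "Google Ads"],
  ["_fb", "Meta Pixel"],
];

// Parse a document.cookie string ("a=1; b=2") into cookie names.
function cookieNamesFromDocumentCookie(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => pair.split("=")[0].trim());
}

// Parse Set-Cookie response header values ("name=value; Path=/; HttpOnly")
// into cookie names; only the first attribute carries the name.
function cookieNamesFromSetCookieHeaders(headers) {
  return headers
    .map((header) => header.split(";")[0])
    .map((nameValue) => nameValue.split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// Return the names that are not on the allowlist, each with a vendor hint
// when the name matches a known tracker prefix. Matching is case-sensitive,
// as browsers treat cookie names.
function findNonEssentialCookies(names, allowlist = ESSENTIAL_COOKIES) {
  const unique = [...new Set(names)];
  return unique
    .filter((name) => !allowlist.has(name))
    .map((name) => {
      const hint = TRACKER_HINTS.find(([prefix]) => name.startsWith(prefix));
      return { name, vendor: hint ? hint[1] : "unknown" };
    });
}

// Constructed sample: what document.cookie might look like on a first visit
// where an analytics tag fired before any consent was given.
const SAMPLE_DOCUMENT_COOKIE =
  "PHPSESSID=abc123; form_key=xyz; _ga=GA1.1.111.222; _ga_ABCDE=GS1.1; mage-messages=";

// In a browser console, pass document.cookie; in Node, use the sample.
const cookieSource =
  typeof document === "undefined" ? SAMPLE_DOCUMENT_COOKIE : document.cookie;
console.log(findNonEssentialCookies(cookieNamesFromDocumentCookie(cookieSource)));
```

One caveat when using this from the console: cookies flagged HttpOnly are not visible in document.cookie, so run the Set-Cookie variant against the response headers (or read the Storage tab) as well before concluding that only essential cookies are set.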
2. Make sure that visitors are presented with a clear message that your site is using cookies, how they are stored and what they are used for
Visitor consent is typically collected with a sticky popup window shown at the first page load, where visitors can allow or refuse the use of cookies. This popup is mandatory and must be present at the initial page load.
3. Make sure that visitors are asked for their permission to use or not use cookies, what types of cookies they agree with and which ones they don't
It is good practice to describe every cookie in use and what it is used for. This way visitors can decide which types of cookies they agree with and which ones they don't.
4. Make sure that visitors can't hide/close this information without expressing their consent
Visitors may continue browsing the site, but the sticky popup window must reappear on every page load until consent has been explicitly set.
5. Make sure that visitors can change their cookies usage preferences at any time
It is mandatory that customers can change their cookie preferences at any given point. You can provide this through a sticky widget/icon displayed on the page or on a separate page of the site.
6. Make sure that Google Consent Mode V2 signals are updated depending on the visitor's choice
This is now mandatory: if you want to run Google Ads, you have to collect and send Google Consent Mode V2 signals.
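Steps 4 and 6 above fit together in one piece of page-load logic: read the stored consent choice, keep showing the banner while none exists, and translate the choice into the four Consent Mode V2 signals (ad_storage, analytics_storage, ad_user_data, ad_personalization). The snippet below is an added example, not code from the original article, from Google, or from any Magento extension. The consent cookie name "cookie_consent", its JSON shape and the one-year lifetime are assumptions; gtag() is reproduced as the standard bootstrap that pushes onto dataLayer, with dataLayer kept as a local array so the example also runs outside a browser.

```javascript
// Added example (not from the original article): consent cookie handling
// plus Google Consent Mode V2 default/update signals.

const CONSENT_COOKIE = "cookie_consent"; // assumed cookie name

// Stand-in for the gtag() bootstrap from Google's tag snippet: gtag()
// pushes its arguments onto dataLayer. A local array is used here so the
// calls can be inspected without a browser.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Return the stored choice {analytics, marketing} or null when the visitor
// has not expressed consent yet (in which case the banner must stay up).
// A malformed cookie is treated as no consent.
function readConsent(cookieString) {
  for (const pair of cookieString.split(";")) {
    const [name, ...rest] = pair.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join("=")));
      if (typeof parsed.analytics === "boolean" && typeof parsed.marketing === "boolean") {
        return { analytics: parsed.analytics, marketing: parsed.marketing };
      }
    } catch (e) {
      // fall through: unreadable value counts as no consent
    }
    return null;
  }
  return null;
}

// Map a choice onto the four Consent Mode V2 signals: analytics_storage
// follows the analytics choice, the three ad signals follow marketing.
function consentSignals(choice) {
  const flag = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: flag(choice.analytics),
    ad_storage: flag(choice.marketing),
    ad_user_data: flag(choice.marketing),
    ad_personalization: flag(choice.marketing),
  };
}

// Page-load logic. The "default" command must run before any tag fires and
// denies everything; a previously stored choice is replayed as an "update".
// Returns whether the banner has to be shown on this page load.
function applyConsentOnLoad(cookieString) {
  gtag("consent", "default", {
    ...consentSignals({ analytics: false, marketing: false }),
    wait_for_update: 500,
  });
  const choice = readConsent(cookieString);
  if (choice === null) return { showBanner: true, signals: null };
  const signals = consentSignals(choice);
  gtag("consent", "update", signals);
  return { showBanner: false, signals };
}

// Called when the visitor submits the banner or the preferences widget.
// Sends the update and returns the cookie string the site would set
// (one-year lifetime is an assumption; Secure and SameSite=Lax are set).
function saveConsent(choice) {
  gtag("consent", "update", consentSignals(choice));
  const value = encodeURIComponent(JSON.stringify(choice));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=31536000; Secure; SameSite=Lax`;
}

// Constructed sample: a first visit with no consent cookie, then a returning
// visitor who accepted analytics but refused marketing.
const firstVisit = applyConsentOnLoad("PHPSESSID=abc; form_key=xyz");
const stored = saveConsent({ analytics: true, marketing: false }).split(";")[0];
const returningVisit = applyConsentOnLoad("PHPSESSID=abc; " + stored);
console.log(firstVisit, returningVisit);
```

The ordering is the part worth checking on a real site: the "default" call has to be emitted before the Google tag loads, otherwise the tag runs with storage granted and the first-load check from step 1 will show _ga set before consent.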
All of these require attention and thorough checking. There are also a few online tools you can use to check whether your site is GDPR/Cookie Law compliant, among them Cookie Checker, 2gdpr.com and more. If all this sounds complex, you can check our Consent Mode V2 extension for Magento 2; it is very flexible and covers all the points discussed so far. You can easily collect customer consent and customize the popup's appearance and content.