Cookie Consent: GDPR Cookie Guide

Everything about cookies: types, GDPR requirements, banner implementation, Google Consent Mode and fines

60%: EU sites without valid consent
€150M: CNIL fine against Google (cookies)
2024: Google Consent Mode v2 required
4: cookie categories

1. What cookies are, and their types

Cookies are small text files that a website stores in the user's browser. They are used to remember sessions and preferences, to track behaviour and to target advertising.

Type | Lifetime | Description | Example
Session | Until the browser closes | Temporary, deleted automatically | Login session, shopping cart
Persistent | Defined (days/months/years) | Survive closing the browser | "Remember me", language preference
First-party | Varies | Set by the site the visitor is on | yoursite.rs session
Third-party | Varies | Set by third parties (ads, analytics) | Google Analytics, FB Pixel

Third-party cookies are disappearing: Safari and Firefox block them by default, and Chrome had planned to block them under Privacy Sandbox before announcing in July 2024 that it would keep them. This reshapes the advertising ecosystem and makes server-side tracking more important. Note that moving tracking server-side does not remove the consent requirement: the ePrivacy rule covers any storing of or access to information on the user's device, whichever channel carries the data afterwards.

2. ePrivacy Directive (the "Cookie Law")

The ePrivacy Directive (2002/58/EC, amended in 2009 by 2009/136/EC) is the EU instrument that specifically regulates cookies. GDPR regulates personal data in general; ePrivacy specifically covers electronic communications and storing or reading information on a user's device, cookies included. Because it is a directive, it is transposed into national law, which is why national regulators (CNIL, AEPD and others) are the ones issuing cookie fines.

  • Article 5(3): storing information on, or accessing information already stored in, the user's terminal equipment (cookies, but also localStorage, fingerprinting scripts and similar) requires prior informed consent
  • Exception: storage or access strictly necessary to provide a service the user has explicitly requested (or used solely to carry out the transmission of a communication) does NOT require consent
  • ePrivacy Regulation: a regulation intended to replace the Directive and harmonise the rules across the EU was proposed in 2017 and has never been adopted

3. GDPR requirements for cookies

GDPR's definition of consent (Article 4(11), with the conditions in Article 7) sets strict requirements for how consent is collected:

Requirement | What it means | Example
Informed consent | The user must know WHAT is collected, WHY and by WHOM | Clearly list the categories and the purpose of each cookie, and name the third parties
Prior consent | Consent BEFORE any non-essential cookie is set | No GA script until the user clicks "Accept"
Granular consent | A choice per category | "I accept analytics BUT not marketing"
Freely given | Refusing must be as easy as accepting | A "Reject all" button as visible as "Accept"
Easy withdrawal | The user can change the decision at any time | A "Manage cookies" link in the footer
Documented | Proof that consent was given | A log with a timestamp and the version of the consent text that was shown

Key point: "By continuing to use this site you accept cookies" is NOT valid consent. GDPR requires an affirmative action (a button click). Pre-checked checkboxes are invalid too (Planet49 ruling, CJEU C-673/17, 2019).

4. Cookie categories

Category | Consent? | Examples
Necessary (Essential) | NOT needed | Session ID, CSRF token, load-balancer affinity, shopping cart, language choice, the consent cookie itself
Analytics | YES | Google Analytics, Hotjar, Microsoft Clarity, Plausible*
Functional | YES | Chat widget, video preferences, A/B testing
Marketing (Advertising) | YES | Facebook Pixel, Google Ads remarketing, AdSense

* Plausible sets no cookies, but it still collects data that can be personal (IP address, User-Agent). Strictly speaking it may therefore still require consent in some jurisdictions. Some regulators (CNIL, for example) exempt first-party audience measurement from consent only under narrow conditions; anything shared with a third party needs consent.

5. Cookie banner implementation

Solution | Price | Type | Advantages
CookieConsent | Free (open source) | JS library | Lightweight, customisable, built for GDPR-style category consent
Cookiebot | From €9/month | SaaS | Automatic cookie detection, scanner
OneTrust | Enterprise | SaaS | Most complete, IAB TCF support
Osano | From $0 (basic) | SaaS | Simple, consent categories
Google Funding Choices | Free | Google | Integrated with AdSense/GAM

CookieConsent (open source): quick start

<!-- Add in <head>. In production pin an exact version and add a Subresource
     Integrity hash (integrity="sha384-..." crossorigin="anonymous", computed from
     the file): with a floating "@3" tag, any change on the CDN becomes code that
     runs on your page. -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/orestbida/cookieconsent@3/dist/cookieconsent.css">

<!-- Add before </body> -->
<script src="https://cdn.jsdelivr.net/gh/orestbida/cookieconsent@3/dist/cookieconsent.umd.js"></script>
<script>
CookieConsent.run({
  categories: {
    // readOnly: the user cannot switch necessary cookies off (they need no consent)
    necessary: { enabled: true, readOnly: true },
    analytics: {},
    marketing: {}
  },
  language: {
    default: 'sr',
    translations: {
      sr: {
        consentModal: {
          title: 'Koristimo kolacice',                                         // "We use cookies"
          description: 'Koristimo kolacice za analitiku i poboljsanje iskustva.', // "We use cookies for analytics and to improve the experience."
          acceptAllBtn: 'Prihvati sve',                                        // "Accept all"
          acceptNecessaryBtn: 'Samo neophodni',                                // "Necessary only": the reject button, shown with equal prominence
          showPreferencesBtn: 'Podesavanja'                                    // "Settings"
        },
        // v3 also expects a preferencesModal translation (keys per the v3 docs),
        // with one section linked to each category for granular choice.
        preferencesModal: {
          title: 'Podesavanja kolacica',                                       // "Cookie settings"
          acceptAllBtn: 'Prihvati sve',
          acceptNecessaryBtn: 'Samo neophodni',
          savePreferencesBtn: 'Sacuvaj',                                       // "Save"
          closeIconLabel: 'Zatvori',                                           // "Close"
          sections: [
            { title: 'Neophodni', description: 'Sesija, CSRF, korpa.', linkedCategory: 'necessary' },
            { title: 'Analitika', description: 'Google Analytics.', linkedCategory: 'analytics' },
            { title: 'Marketing', description: 'Remarketing, pikseli.', linkedCategory: 'marketing' }
          ]
        }
      }
    }
  }
});
</script>

6. Google Consent Mode v2

Since March 2024 Google requires Consent Mode v2, under its EU User Consent Policy, for every site that uses Google services (Analytics, Ads, Tag Manager) and has users in the EEA.

How it works

  • Consent Mode passes the user's consent status to Google tags; it is a signalling mechanism, not a banner, and does not itself collect or record consent
  • When the user has NOT consented, the tags set no cookies and send no identifying data (in "advanced" mode they still send cookieless pings, which Google uses for conversion modelling)
  • The two signals that already existed in v1: ad_storage and analytics_storage
  • The two signals added in v2, and required for Ads features in the EEA: ad_user_data and ad_personalization
<!-- Default: everything denied until the user consents. This block must run BEFORE
     gtag.js / GTM is loaded, otherwise the first hits go out with no consent state. -->
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}

// Default state: deny all four v2 signals
gtag('consent', 'default', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied',
  // give the banner up to 500 ms to replay a stored choice before tags evaluate the default
  'wait_for_update': 500
});

// When the user accepts analytics:
gtag('consent', 'update', {
  'analytics_storage': 'granted'
});

// When the user accepts marketing (all three ad signals belong to that category):
gtag('consent', 'update', {
  'ad_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted'
});
</script>
Required since March 2024: without Consent Mode v2, Google no longer builds new audience lists for EEA users and remarketing stops working, which affects Google Ads conversions and Analytics data. Caveat: a Consent Mode signal is not consent. In "advanced" mode gtag.js is still loaded and sends cookieless pings before the user has decided, which some regulators treat as requiring consent under ePrivacy; the conservative choice is "basic" mode, where the tag itself is not loaded until consent is granted (section 7).

7. Technical implementation: blocking scripts

Key point: non-essential scripts MUST NOT be loaded until the user gives consent. Loading them and then "not tracking" is not enough; the request to the third party, and any cookie it set, has already happened.

<!-- WRONG: GA loads immediately, before consent -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXX"></script>

<!-- RIGHT: parked script, loaded only after consent -->
<script type="text/plain" data-cookiecategory="analytics"
  src="https://www.googletagmanager.com/gtag/js?id=G-XXXXX"></script>

<!-- CookieConsent re-enables the script when the user accepts the "analytics"
     category. Browsers ignore a <script> whose type is not a JavaScript MIME type,
     and merely flipping the type attribute of an already-parsed element does not
     run it, so the library replaces it with a fresh, executable copy. -->
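One way to verify the "wrong vs right" distinction above on a real site: open it in a fresh browser profile, do nothing until the banner has been answered, export a HAR from the devtools and audit everything that happened before the click. The script below is an added example (not from the page or from any tool); the first-party host list, the essential-cookie list, the sample HAR and its timestamps are all constructed for the example.

```javascript
// Added example (not from the page): audit a HAR capture of a cold page load for
// third-party requests and non-essential cookies that appeared BEFORE the visitor
// clicked the consent banner. Host names, cookie names and the sample HAR below are
// constructed assumptions for this example.

const FIRST_PARTY_HOSTS = new Set(['www.example.rs', 'static.example.rs']); // assumed
// Cookies this site treats as strictly necessary (allowed without consent).
const ESSENTIAL_COOKIES = new Set(['sessionid', 'csrftoken', 'cc_consent']); // assumed

function auditHar(har, consentClickedAt) {
  // Without a click time, audit the whole capture (e.g. a "no interaction" run).
  const cutoff = consentClickedAt ? Date.parse(consentClickedAt) : Infinity;
  const findings = [];
  const seenCookies = new Set();
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) >= cutoff) continue; // after consent: out of scope
    const url = new URL(entry.request.url);
    if (!FIRST_PARTY_HOSTS.has(url.host)) {
      findings.push({ kind: 'third-party-request', host: url.host, url: url.href });
    }
    // Cookies sent with the request catch cookies set by JavaScript (e.g. _ga),
    // which never appear in a Set-Cookie response header.
    const names = (entry.request.cookies || []).map(c => c.name);
    // Cookies set by the server in this response.
    for (const h of entry.response.headers || []) {
      if (h.name.toLowerCase() === 'set-cookie') names.push(h.value.split('=')[0].trim());
    }
    for (const name of names) {
      if (ESSENTIAL_COOKIES.has(name) || seenCookies.has(name)) continue;
      seenCookies.add(name);
      findings.push({ kind: 'cookie-before-consent', host: url.host, cookie: name });
    }
  }
  return findings;
}

// Constructed sample HAR, abridged to the fields the audit reads.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2024-05-01T10:00:00.000Z',
    request: { url: 'https://www.example.rs/', cookies: [] },
    response: { headers: [{ name: 'Set-Cookie', value: 'sessionid=abc; Path=/; Secure; HttpOnly' }] } },
  { startedDateTime: '2024-05-01T10:00:00.200Z',
    request: { url: 'https://static.example.rs/app.css', cookies: [] },
    response: { headers: [] } },
  { startedDateTime: '2024-05-01T10:00:00.400Z',
    request: { url: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXX', cookies: [] },
    response: { headers: [] } },
  { startedDateTime: '2024-05-01T10:00:00.700Z',
    request: { url: 'https://www.example.rs/api/me',
               cookies: [{ name: 'sessionid', value: 'abc' }, { name: '_ga', value: 'GA1.1.1' }] },
    response: { headers: [] } },
  { startedDateTime: '2024-05-01T10:00:05.000Z', // after the click: not audited
    request: { url: 'https://www.facebook.com/tr?id=1&ev=PageView', cookies: [] },
    response: { headers: [] } },
] } };

const CONSENT_CLICKED_AT = '2024-05-01T10:00:03.000Z'; // constructed: when "Accept" was clicked

function runSampleAudit() {
  return auditHar(SAMPLE_HAR, CONSENT_CLICKED_AT);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runSampleAudit()); // gtag.js fetched and _ga present before the click
}
```

Run it against your own export by replacing SAMPLE_HAR with the parsed HAR file and CONSENT_CLICKED_AT with the click time from the recording. Every `third-party-request` before the click is a script that should have been parked, and every `cookie-before-consent` that is not on your essential list is a prior-consent violation.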

Google Tag Manager approach

  • GTM with Consent Mode: push the default consent state as "denied" from the Consent Initialization trigger, before any other tag runs
  • The cookie banner updates the consent status with gtag('consent', 'update', ...)
  • Tags fire only when the signal they need is "granted": use the built-in consent checks, and "additional consent checks" in each tag's consent settings for tags that do not read the signals themselves
  • This is the cleanest approach for sites with many trackers: one gate in the container instead of a data-cookiecategory attribute on every script
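The pieces described in sections 3, 6 and 7 (a documented, versioned consent record; default "denied" followed by an update; scripts released only for granted categories) wired together in plain JavaScript, as an added example that is not code from the page or from the CookieConsent library. The cookie name cc_consent, CONSENT_VERSION, the category names and all helper functions are assumptions made for this example; in a browser the wiring at the bottom runs against the real document.

```javascript
// Added example (not from the page or any library): a minimal first-party consent
// gate that (1) records a versioned, timestamped consent decision, (2) turns it into
// Google Consent Mode v2 signals and (3) releases scripts parked with
// type="text/plain" data-cookiecategory="...". The cookie name, CONSENT_VERSION and
// all helper names are assumptions made for this example.

const CONSENT_COOKIE = 'cc_consent';   // assumed name of the first-party consent cookie
const CONSENT_VERSION = 3;             // bump whenever categories, purposes or vendors change
const CATEGORIES = ['necessary', 'analytics', 'functional', 'marketing'];

// The record that proves WHAT was consented to and WHEN ("Documented" in section 3).
function buildConsentRecord(choices, now = Date.now()) {
  const categories = {};
  for (const c of CATEGORIES) {
    // Necessary cookies need no consent and cannot be switched off.
    categories[c] = c === 'necessary' ? true : Boolean(choices[c]);
  }
  return { version: CONSENT_VERSION, timestamp: new Date(now).toISOString(), categories };
}

// Set-Cookie value for the record. Storing the choice is strictly necessary, so the
// consent cookie itself needs no consent. 6 months, first-party, Secure, SameSite=Lax.
function consentCookieString(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${180 * 24 * 3600}; Path=/; Secure; SameSite=Lax`;
}

// Read the record back from document.cookie. Returns null (= ask again) when the
// cookie is missing, malformed, or was written by an older banner version.
function parseConsentCookie(cookieHeader) {
  const pair = (cookieHeader || '').split(/;\s*/).find(p => p.startsWith(CONSENT_COOKIE + '='));
  if (!pair) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    if (rec === null || typeof rec !== 'object' || rec.version !== CONSENT_VERSION ||
        typeof rec.categories !== 'object') return null;
    return rec;
  } catch (_) {
    return null;
  }
}

// Category choices -> Consent Mode v2 signals. Everything stays 'denied' unless the
// matching category was granted; all three ad signals belong to "marketing".
function toConsentModeUpdate(record) {
  const cats = record ? record.categories : {};
  const g = v => (v === true ? 'granted' : 'denied');
  return {
    analytics_storage: g(cats.analytics),
    functionality_storage: g(cats.functional),
    ad_storage: g(cats.marketing),
    ad_user_data: g(cats.marketing),
    ad_personalization: g(cats.marketing),
  };
}

// Which parked scripts may run. `scripts` is any iterable of elements exposing
// getAttribute, e.g. document.querySelectorAll('script[type="text/plain"][data-cookiecategory]').
function scriptsToActivate(scripts, record) {
  const cats = record ? record.categories : {};
  return Array.from(scripts).filter(el => {
    const cat = el.getAttribute('data-cookiecategory');
    return Boolean(cat) && cats[cat] === true;
  });
}

// Changing the type attribute of an already-parsed <script> does NOT execute it; the
// element has to be replaced by a fresh one carrying the same attributes (minus type).
function activateScript(el, doc) {
  const fresh = doc.createElement('script');
  for (const { name, value } of Array.from(el.attributes)) {
    if (name !== 'type') fresh.setAttribute(name, value);
  }
  fresh.type = 'text/javascript';
  fresh.text = el.text || '';           // inline code, if the parked script had any
  el.parentNode.replaceChild(fresh, el);
  return fresh;
}

// Browser wiring; skipped outside a browser (e.g. when the file runs under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  const gtag = function () { window.dataLayer.push(arguments); };
  // The default must be pushed before gtag.js / GTM is loaded.
  gtag('consent', 'default', toConsentModeUpdate(null));
  const stored = parseConsentCookie(document.cookie);
  if (stored) {
    // Returning visitor: replay the stored choice, then release the matching scripts.
    gtag('consent', 'update', toConsentModeUpdate(stored));
    const parked = document.querySelectorAll('script[type="text/plain"][data-cookiecategory]');
    scriptsToActivate(parked, stored).forEach(el => activateScript(el, document));
  }
  // Otherwise show the banner; on "Accept"/"Reject" call buildConsentRecord, write
  // consentCookieString() to document.cookie and run the same two steps.
}
```

Two design choices worth copying even if you use a library: the version field forces a fresh decision whenever the purposes change (old consent does not cover new purposes), and the "functional" category maps to functionality_storage rather than being silently folded into analytics.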

8. Dark patterns: what NOT to do

  • "Accept all" large, "Reject" small or hidden: GDPR requires both options to be equally visible (this is exactly what CNIL fined Google and Facebook for)
  • Pre-checked checkboxes: unlawful since the Planet49 ruling (CJEU, 2019)
  • "Cookie wall": blocking access to the site until the user accepts. The EDPB (Guidelines 05/2020 on consent) says this is not freely given consent
  • "By continuing you accept": not an affirmative action, so the consent is invalid
  • Only "Accept" with no "Reject": the user MUST be able to refuse, at the first layer of the banner
  • A hard-to-find "Manage settings" link: granular control must be easy to reach
  • Asking again and again: if the user refuses, do not ask again on every visit; keep a refusal for as long as you would keep an acceptance (CNIL recommends about six months)

Test: is refusing cookies as easy as accepting them? If "Accept" takes one click and "Reject" takes three, that is a dark pattern and potentially unlawful.

9. Fines and rulings

Company | Fine | Year | Reason | Authority
Google | €150M | 2021 | Cookie consent: refusing was much harder than accepting | CNIL (France)
Amazon | €35M | 2020 | Advertising cookies set without consent | CNIL
Facebook | €60M | 2021 | Cookie consent dark patterns (same decision round as Google) | CNIL
TikTok | €5M | 2022 | Cookie consent violations: refusal harder than acceptance, incomplete information | CNIL
Planet49 | Ruling | 2019 | Pre-checked checkbox = invalid consent | CJEU (C-673/17)
Vueling | €30K | 2019 | Cookie wall: no way to refuse cookies | AEPD (Spain)

Fines grow every year. Supervisory authorities (CNIL, ICO, AEPD, BfDI) increasingly inspect smaller sites as well.
