Cookie Consent Banner Requirements: Ultimate Guide


With many data privacy laws requiring placing cookie consent banners for your visitors, it can be hard to know what these banners should include. In this article, we’ll look at the most important cookie consent banner requirements you should watch out for.

Let’s dig in.

Key Takeaways

Cookie consent banners inform the consumer about the website’s data collection and processing

They benefit both the consumer and the business

The main cookie consent banner requirements are: clear and concise wording, and options to accept or reject cookies, to modify cookie preferences, to learn more, and to dismiss the banner

What is a Cookie Consent Banner?

A cookie consent banner is a notification that appears on the webpage when a user visits a website for the first time. It informs the user that the website uses cookies and collects data about their online behavior and how they interact with the website.

The consent banner includes a brief description of the cookies, how they are used, and the data collected by the website. It also provides users with an option to accept or deny cookie usage. By accepting the cookies, users indicate that they have read and agreed to the cookie policy of the website.

Tip: Have an option where the user can toggle preferences in the cookie banner.

Why are Cookie Consent Banners Important?

Cookie consent banners are important for many reasons, not only for businesses but for consumers too.

Business Benefits

For the business, cookie consent banners help to:

Improve user experience

By allowing users to select which types of cookies they want to allow, cookie consent banners help the business offer a more tailored user experience on their website.

Increase transparency

Cookie consent banners also help the business be more transparent in how it handles data privacy, thus building trust and credibility with its consumers.

Refine analytics accuracy

With access to more data from consumers, a business can obtain more accurate data that, in turn, helps it make more informed business decisions.

Minimize legal risk

With many data privacy laws requiring placing cookie consent banners, failing to comply can lead to fines and penalties for the business.

For example, failing to comply with GDPR cookie consent requirements can lead to a fine of up to €10 million or 2% of the company’s global annual turnover, or up to €20 million or 4% of the company’s global annual turnover, depending on the severity of the violation.

Consumer Benefits

At the same time, cookie consent banners help the consumer to:

Personalize their website experience

By being able to choose which cookie types they want to allow, consumers get a more personalized experience on the website they are visiting.

Increase privacy awareness

Cookie consent banners serve to inform the visitor how their data will be used by the website, thus greatly raising their privacy awareness and helping them make more informed privacy choices.

Reduce the feeling of being “watched”

Some types of cookies can be used for targeting or monitoring the user for advertising purposes. By empowering users to disallow these types of cookies, the business helps reduce the feeling of being “watched” all the time.

Build a positive relationship with the business

Finally, when the business shows commitment to protecting its consumers’ privacy and respecting their choices, a positive relationship between the two follows.

Cookie consent banner requirements vary from country to country and from one law to another. Here’s an overview of the requirements from the most common compliance frameworks:

GDPR Cookie Consent Banner Requirements

Under GDPR, businesses must obtain valid and informed consent from consumers through cookie consent banners before they can process their personal information using cookies placed on the website.

To be compliant with the GDPR, cookie consent banners must, first and foremost, adhere to Article 4(11), which defines consent as:

“Freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear indicative action, signifies agreement to the processing of personal data relating to him or her.”

In this case, such a “clear, indicative action” would be the user clicking the “accept cookies” button on the cookie consent banner.

More specifically, cookie consent banner requirements are outlined in several GDPR articles and recitals, including:

Article 7 – Conditions for consent: the consent request must be easy to access and written in clear language

Article 13 – Information to be provided where personal data are collected from the data subject: the purpose of data processing

Article 22 – Automated decision-making and profiling: not permitted unless the consumer gave their explicit consent through the cookie consent banner

Recital 32 – Consent: must be clear, freely given, specific, informed, and unambiguous

Recital 42 – Burden of proof and requirements for consent: the data controller should be able to demonstrate that the data subject has given consent

CCPA/CPRA Cookie Consent Banner Requirements

The California Consumer Protection Act (CCPA) and the California Privacy Rights Act (CPRA) do not explicitly outline cookie consent banner requirements as the GDPR does.

That said, several sections of both are of particular note here:

CCPA Section 1789.100 – Notice at Collection: a business must provide a “Notice at Collection” to consumers

CCPA Section 1798.120 – Right to opt-out: a clear “Do Not Sell My Personal Information” link must be available on the homepage

CPRA Section 1798.105 – User Rights: the CPRA amended the CCPA by adding the user right to correct inaccurate personal information

CPRA Section 1798.121 – Sensitive personal information: explains what SPI is

CPRA Section 1798.185 – Transparency: disclosing the type of data collected and the data retention period

Similarly to the CCPA/CPRA, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) also doesn’t include special provisions regarding cookie consent banners.

There are, however, several PIPEDA principles that are related to them:

Principle 3 – Consent: must be meaningful

Principle 4 – Limiting collection: data collection must be limited to a specific purpose

Principle 5 – Limiting use, disclosure, and retention: personal information can only be used, disclosed, and retained for the purposes for which it is collected

Principle 6 – Consent withdrawal: consumers can withdraw their consent at any time

Principle 9 – Individual access: consumers can access and request corrections of their personal information

Since the UK GDPR is largely based on the same principles as the EU GDPR, there’s very little difference between the two when it comes to cookie consent banner requirements.

However, it should be noted that the two regulations often use different terminology and also have a different territorial scope and supervisory authority.

Tips for a Compliant Cookie Consent Banner

Cookie consent banners will differ based on the data privacy law they need to comply with.

For instance, since the GDPR follows the opt-in approach, the cookie consent banner needs to include options to accept, reject or customize cookies.

On the other hand, the CCPA/CPRA, which follows an opt-out-only approach, requires that the business informs the consumer that it collects data via cookies, but it is up to the consumer to opt out of data processing via cookies.

Besides this, here are some more tips for designing a compliant cookie consent banner:

Ensure the Information is Clear & Concise

A vital requirement for a good cookie consent banner is that it is clear and concise about its purpose and what it does. For example, the following cookie consent banner did that well:

[Image: example of a cookie consent banner with clear information]

First, the heading “We value your privacy” indicates the business’ commitment to protecting its visitors’ privacy, and this, in turn, builds trust.

Next, the message clearly explains why the website uses cookies (to enhance the browsing experience, serve personalized ads or content, and analyze traffic) and also provides a Cookie Policy link where the visitor can learn more.

Finally, it includes buttons to accept, reject, and customize cookie preferences instead of just to accept. If we are to find any issue, it would probably be that the “Accept All” button is more prominent than the other buttons, thus potentially influencing the user’s decision.

The cookie consent banner should not be an obstacle to user experience. It is best to position the banner where it least obstructs the user’s view of the webpage content, which is at the top or bottom of the page.

Do Not Use Pre-Ticked Boxes

Consent must be given freely and deliberately according to GDPR. Pre-ticked cookie consent boxes are not compliant with the regulation, so do not use them.

At a minimum, you should provide options to accept or reject cookies.

However, by offering granular consent options, you can empower consumers to enable or disable individual cookie categories (analytics, marketing, preferences, etc.)

This way, they can choose the cookies that fit their needs and preferences.

Finally, you should provide an easy way for the consumers to withdraw their previous consent or modify it via a button or link in the banner.
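The following is an added example, not code from the article or from Captain Compliance: a minimal consent-state model that enforces the GDPR points listed earlier and the tips above (no pre-ticked boxes, a gate that keeps non-essential cookies off until the user opts in, a receipt the controller can keep to demonstrate consent under Recital 42, and easy withdrawal). The category names, policy version string and function names are assumptions chosen for the illustration.

```javascript
// Consent categories and the policy version are assumed for this example.
const CATEGORIES = ["necessary", "preferences", "analytics", "marketing"];
const POLICY_VERSION = "2024-01"; // bump whenever the cookie policy changes

// Default state: nothing is pre-ticked. Only strictly necessary cookies are on,
// since they need no consent; every other category stays off until the user
// actively opts in (GDPR Article 7 / Recital 32).
function defaultState() {
  return { necessary: true, preferences: false, analytics: false, marketing: false };
}

// Record the user's decision. `choices` is what the user actually ticked;
// unknown keys are ignored and "necessary" cannot be switched off. The returned
// receipt (state + policy version + timestamp) is what the controller stores to
// demonstrate that consent was given (Recital 42).
function recordDecision(choices, now = new Date()) {
  const state = defaultState();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && choices[cat] === true) state[cat] = true;
  }
  return { state, version: POLICY_VERSION, decidedAt: now.toISOString(), withdrawn: false };
}

// "Reject all" is simply a decision with no optional category ticked.
function rejectAll(now = new Date()) {
  return recordDecision({}, now);
}

// Withdrawal must be as easy as giving consent: one call returns the model to
// the opt-out baseline. The caller should also delete cookies already set in
// the withdrawn categories.
function withdrawConsent(receipt, now = new Date()) {
  return { state: defaultState(), version: receipt.version, decidedAt: now.toISOString(), withdrawn: true };
}

// The gate every third-party tag loader must pass. A tag in a category the user
// did not opt into never runs; this is the actual privacy control behind the
// banner. No receipt, or a receipt from an older policy version, only permits
// strictly necessary cookies, so the banner must be shown again.
function mayLoad(receipt, category) {
  if (!receipt || receipt.version !== POLICY_VERSION) return category === "necessary";
  return receipt.state[category] === true;
}
```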

Although there are no penalties specifically for non-compliant cookie consent banners, each data privacy law includes its own fines for violations.

GDPR Penalties

Up to €10 million or 2% of the global annual turnover (whichever is higher) for lower violations

Up to €20 million or 4% of the global annual turnover (whichever is higher) for more severe violations

CPRA Penalties

$2,500 for an unintentional data privacy violation

$7,500 for an intentional data privacy violation and violations that involve consumers under 16 years of age

PIPEDA Penalties

Up to 10,000 CAD for non-compliance with certain PIPEDA provisions.

Up to 100,000 CAD for non-compliance with PIPEDA’s security breach notification requirements.

UK GDPR Penalties

Up to £9 million or 2% of the annual turnover (whichever is higher) for lesser violations.

Up to £18 million or 4% of the annual turnover (whichever is higher) for more severe violations.

Closing

Cookie consent banners can help your business ensure compliance with the relevant data privacy regulations, and improve user experience and trust.

To ensure your business is fully compliant with GDPR or other data privacy laws, get in touch with Captain Compliance today.

FAQs

The cookie consent banner should:

1. Be in clear and concise language so the user can understand its purpose

2. Provide options (buttons or links) for the user to accept, reject, customize cookies, or dismiss the banner

3. Allow the user to withdraw their consent or modify previous cookie preferences

4. Not be intrusive

5. Include a link where the consumer can learn more about the cookies policy


If your website has visitors from the EU, it will require a cookie consent banner, even if your business or website is not located in the European Union.


Cookie consent banners inform visitors of a website that the website collects certain data via cookies or another tracking method, the type of data it collects, and the purpose of collecting their data. The banner also enables users to give their consent (by clicking the “accept” button) or decline (by clicking the “reject” button), as well as to withdraw or change consent or learn more about the website’s cookies policy.


A GDPR-compliant cookie banner serves to inform the website visitor that the website collects data via cookies, the purpose of collecting this data, and the type of data it collects. It also allows users to accept, reject, or customize cookies, withdraw consent, and learn more about the cookies policy.


The ePrivacy Directive (ePD), formally the Directive on Privacy and Electronic Communications, also known as the cookies law, is an EU directive that focuses on privacy and personal data protection in electronic communications. Unlike the GDPR, which provides a broader framework, the ePD only deals with electronic communications.

The ePrivacy Directive is also often called “the EU cookie law” since it requires websites to inform users about the use of cookies and obtain their consent for non-essential cookies like advertising cookies.

