Cookie Banners: What They Are, How To Get One, and Why You Need Them
By using cookie banners you can make your data collection and processing activities more visible to your users. Read all about cookie banners here!
If your business operates online and collects data for processing, you will most likely need to notify users and obtain their consent. Cookie banners are the most efficient way to accomplish this. They are not perfect, but you cannot do without them. By using cookie banners, you can make your data collection and processing activities more visible to your users. Cookie banner best practices ensure that your company complies with data protection laws all over the world.
This is why you should learn more about them. In this article, you'll learn everything you need to know on how to make a cookie banner, including:
- What a cookie banner is, and why you need one
- Legal requirements for cookie banners
- Examples of great-looking cookie banner designs
- How to choose a cookie banner and integrate one into your website
By the end of this article, you will know what type is required and how to make a cookie banner.
What are cookie banners, and why do you need one?
Cookie banners: A definition
A cookie banner is a tool for informing users about your cookie use and, if necessary, obtaining consent for cookie use.
Personal data is collected by some cookies, and data privacy laws protect personal data. Before using any cookies, it is often necessary to obtain the user's permission. This is where a cookie banner can help. It is a good UI/UX practice that will assist you in complying with laws.
Before we get into why you need a cookie banner and how to make it both compliant and beautiful, you should first understand what cookies are and how they work.
What are cookies, and how do they work?
Cookies are small text files that your website or app uses to collect data for later processing. Your website or app sends these files to the user's device, where the browser stores them and returns them with later requests; this is how data about the user's visits is collected and attributed to the same user.
Each cookie is intended to collect a specific type and amount of data. There is no single cookie that collects all of the data you require. Businesses use a variety of cookies designed to collect data for a specific processing purpose. In most cases, the cookies you require are provided by the third-party tools you integrate with your website.
Assume you use Google Analytics to track how visitors interact with your website. When you integrate Google Analytics with your website and a user visits it, Google Analytics sends cookies to the user's device. These cookies collect data about the pages they visit, how they navigate the website, their demographics, IP address, digital fingerprints, and other factors.
If you use Google advertising tools along with Google Analytics (GA), your website will also send marketing and advertising cookies to users' devices in addition to the GA cookies.
What are cookie banners for?
The use of personal data entails certain responsibilities. Some of the data you collect and process is personal data about real people. These individuals have data privacy rights, so you must protect their data while it is under your control.
There is nothing wrong with processing personal data. Personal data circulating on the internet, on the other hand, may be abused; thus, companies that process it must ensure its security.
Before you begin processing data, you must first ask your user if they are okay with it. Most data protection laws require businesses to obtain users' permission before using cookies. Depending on the law, you must do one of two things:
- Ask the user for consent to use the cookies, or
- Inform the user about your privacy practices and cookie usage.
The first approach requires a user opt-in, i.e., the user must consent to having their data collected and processed.
The second one does not require an opt-in or explicit consent, but may allow the user to opt-out of the later processing.
The most practical way to ask for consent and inform users about cookies is to use a cookie banner. Although the laws do not explicitly require a banner, best practices in UI and UX indicate that using a cookie banner for these purposes is the way to go.
Most of the data privacy laws worldwide require you to obtain cookie consent. Some only require that you inform users about cookies. At the same time, very few countries have no requirements in place (and you probably do not operate in those countries).
Failure to meet the legal requirements for cookie banners renders consent null and void, implying that data collection, processing, and storage is illegal. Penalties can reach as high as a few million Euros in Europe.
A cookie banner and a cookie notice mean the same thing: a tool notifying users about your cookies and asking for their consent.
In summary, the notice or banner provides quick information, while the cookie policy provides detailed information.
Cookie banners and data privacy laws
Cookie banners help you to comply with data privacy laws. Therefore, your cookie banner needs to meet the requirements prescribed by the laws that apply to your business.
Cookies and consent
Depending on what the law requires from your business, there are three possible scenarios:
- You need to obtain explicit cookie consent,
- You only need to inform users about your cookie use, or
- There are no cookie banner obligations whatsoever.
There are only a handful of countries that do not require cookie banners, and these are getting fewer as more laws are updated. These countries are primarily underdeveloped countries where online businesses are not as prevalent as in developed countries, so these will not be included in this article.
However, you need to understand the difference between explicit and implied consent.
Implied v. explicit cookie consent
Data privacy laws take two different approaches to collecting personal data:
- Opt-in approach, which requires the user to opt into data processing with an affirmative action such as clicking the ACCEPT COOKIES button, and
- Opt-out approach, which relies on implied consent: the user is informed and may object, but no affirmative action is required.
There are many ways to request opt-in consent. Some laws require businesses to collect separate consent for each specific processing purpose. Other laws allow businesses to use a single consent for all processing purposes. Additionally, most laws also have other requirements aside from consent.
Implied consent means that the user can indicate passively that they have no objections to cookies. It is sufficient to inform users that the website employs cookies and to request that they leave if they do not agree.
The California CCPA and CalOPPA are two notable laws that rely on implicit consent.
Which cookie requirements do you need to meet?
Cookie banner requirements vary per country. You need to check with the appropriate data protection laws that apply to your business. Most data protection laws available have some requirements regarding how consent is collected.
Cookies banners and EU cookie laws
Cookies are governed by two EU laws: the ePrivacy Directive and the General Data Protection Regulation (GDPR).
ePrivacy Directive. The ePrivacy Directive is the EU law behind the cookie consent requirement. It also requires businesses to inform users about their privacy practices, including what data is processed, why, and for how long. In practice, this means that businesses must inform users about cookies and obtain their permission to use them.
Implied consent was not valid for ePrivacy Directive compliance, but obtaining a single consent for all data categories and all the processing purposes was acceptable. That changed with the implementation of the GDPR.
GDPR. In many cases, the GDPR requires explicit consent to process personal data. It establishes a number of legal bases for processing, one of which is consent. Most businesses will rely on this legal basis to meet the GDPR processing requirements.
Planet49 is a German company that used to serve users a cookie banner with pre-selected checkboxes.
The Court determined that the cookie banner did not collect consent in accordance with the GDPR and German data protection laws. Although it had been collecting consent for each specific purpose of processing, the consent checkboxes had been pre-checked. According to the ruling, pre-checked consent checkboxes do not allow users to take affirmative action for consent; thus, the consent request is invalid. The personal data processing based on that consent was also declared unlawful.
Following the ruling, the European Data Protection Board (EDPB) issued guidelines on how to create a legal cookie banner and how a business should collect cookie consent. The guidelines prompted all of the European Union's data protection authorities to issue their own national guidelines on the subject.
We have a separate comprehensive article that covers all of the current cookie guidelines.
ePrivacy Regulation. The European Union has one more data privacy law in the pipeline. It is known as the "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)", or ePrivacy Regulation for short.
The GDPR will be supplemented by the ePrivacy Regulation, which will replace the ePrivacy Directive. It has not yet been approved by EU institutions, but the draft is nearly complete, with no significant changes expected.
This regulation does not require user consent for cookies that improve user experiences while not invading privacy, such as cookies that remember some website preferences, cookies that remember what you have put in your shopping basket, and similar ones.
How should an EU-law-compliant cookie banner look?
According to the guidelines of Europe's data protection agencies, your cookie banner should ensure that the consent is:
- Freely given, which means that the consent cannot be obtained in exchange for something else, such as access to website content,
- Informed, which means that you must inform users about the processing prior to obtaining their consent,
- Specific, which means that consent is required for each specific processing purpose, and
- Unambiguous, which means that only affirmative action by the user indicates consent.
If this sounds too abstract, the images below will help to clarify things. First, we will demonstrate what is incorrect, which is something that businesses frequently do. Then we'll compare it to how Secure Privacy obtains consent.
The cookie banner above prevents users from accessing the website without providing cookie consent. If the user refuses to accept cookies, they will be unable to access the website. That is not allowed.
The cookie banner shown above is the one that appears on our website. The consent it collects is freely given because it does not restrict access to the website when the user declines cookies.
The cookie banner above asks for a single general consent for all processing purposes. That is incorrect because consent must be obtained separately for each processing purpose.
The cookie banner above asks for consent for each specific processing purpose. It is the user's responsibility to check the boxes. They should be presented to the user unchecked. That is the proper method for obtaining specific consent.
The act of browsing the website does not constitute consent. That is not permissible under the GDPR. The user must express explicit consent through affirmative action.
The user can accept cookies by clicking the ACCEPT button in the banner above. It also provides an equally prominent DECLINE button. Cookies will not be sent to the user's device unless the ACCEPT button is clicked.
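The four consent properties above translate fairly directly into client-side code. The following is an added example, not Secure Privacy's product code and not code from the original article, of a small consent gate: optional purposes start unchecked, nothing is granted by browsing, accepting and declining are single clicks on equally styled buttons, each purpose can be withdrawn as easily as it was given, and a third-party loader (where you would place the Google Analytics snippet) only runs once its purpose has been granted. The purpose names, `POLICY_VERSION` and the loader callbacks are assumptions; persistence of the consent record is left as a comment.

```javascript
// Added example (not Secure Privacy's code): a minimal GDPR-style consent gate.
// Assumed purpose catalogue; the real list comes from your cookie scan.
const PURPOSES = {
  necessary: { label: 'Strictly necessary', required: true },
  analytics: { label: 'Analytics', required: false },
  marketing: { label: 'Marketing and advertising', required: false },
};
// Constructed placeholder: change it whenever the cookie policy changes so
// that old records can be told apart from consent to the current policy.
const POLICY_VERSION = 'policy-v1';

// Every optional purpose starts unchecked: a pre-ticked box is not consent.
function defaultChoices() {
  const choices = {};
  for (const [name, p] of Object.entries(PURPOSES)) choices[name] = p.required;
  return choices;
}

class ConsentManager {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.record = null;   // latest decision; this is the proof of consent you keep
    this.loaders = [];    // { purpose, load, loaded }
  }

  // Register a script that may only run once its purpose is granted.
  register(purpose, load) {
    if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
    this.loaders.push({ purpose, load, loaded: false });
    this.apply();
  }

  // Strictly necessary purposes need no consent; everything else needs an
  // explicit recorded decision in favour. No record means no consent.
  granted(purpose) {
    if (PURPOSES[purpose] && PURPOSES[purpose].required) return true;
    return this.record !== null && this.record.choices[purpose] === true;
  }

  // Record a decision. Unknown purposes are ignored and required ones cannot be
  // switched off. In production, persist the record (first-party cookie or
  // localStorage) so the banner is not shown again on every page view.
  decide(choices, action) {
    const clean = defaultChoices();
    for (const name of Object.keys(clean)) {
      if (!PURPOSES[name].required) clean[name] = choices[name] === true;
    }
    this.record = { version: POLICY_VERSION, at: this.clock(), action, choices: clean };
    this.apply();
    return this.record;
  }

  acceptSelected(choices) { return this.decide(choices, 'accept-selected'); }
  declineAll() { return this.decide({}, 'decline'); }

  // Withdrawal is as easy as giving consent: one call flips one purpose off.
  // Already-loaded tags stay loaded; a real implementation also deletes the
  // cookies they set and reloads the page.
  withdraw(purpose) {
    const choices = this.record ? { ...this.record.choices } : defaultChoices();
    choices[purpose] = false;
    return this.decide(choices, `withdraw:${purpose}`);
  }

  // Run each registered loader exactly once, and only when its purpose is granted.
  apply() {
    for (const l of this.loaders) {
      if (!l.loaded && this.granted(l.purpose)) { l.loaded = true; l.load(); }
    }
  }
}

// Banner UI: one unchecked box per optional purpose and two buttons that share
// the same class, so Decline is as prominent as Accept. Scrolling or navigating
// never calls decide(), so browsing alone can never count as consent.
function renderBanner(manager, doc) {
  const root = doc.createElement('div');
  root.setAttribute('role', 'dialog');
  const boxes = {};
  for (const [name, p] of Object.entries(PURPOSES)) {
    const box = doc.createElement('input');
    box.type = 'checkbox';
    box.checked = p.required;   // only strictly necessary is ticked
    box.disabled = p.required;
    boxes[name] = box;
    const label = doc.createElement('label');
    label.append(box, ` ${p.label}`);
    root.append(label);
  }
  const button = (text, onClick) => {
    const b = doc.createElement('button');
    b.textContent = text;
    b.className = 'consent-btn';
    b.addEventListener('click', () => { onClick(); root.remove(); });
    return b;
  };
  const selected = () => Object.fromEntries(Object.entries(boxes).map(([n, b]) => [n, b.checked]));
  root.append(button('Accept selected', () => manager.acceptSelected(selected())),
              button('Decline', () => manager.declineAll()));
  doc.body.append(root);
  return root;
}

if (typeof document !== 'undefined') {       // browser usage
  const cm = new ConsentManager();
  cm.register('analytics', () => { /* insert the analytics tag here */ });
  renderBanner(cm, document);
}
```

The important property is in `apply()`: a loader is the only place a third-party tag is inserted, and it is reachable only through `granted()`, which returns `false` for every optional purpose until the user has clicked. The stored record (version, timestamp, action, per-purpose choices) is what you would produce if a data protection authority asked you to demonstrate that consent was obtained.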
Cookie banners and CCPA and CPRA
Cookies banners and the LGPD
The Brazil LGPD's cookie notice requirements are very similar to those of the GDPR. Businesses must notify users about data collection, including cookie data, and obtain explicit consent for their use.
PIPEDA cookie banners
Canada's PIPEDA also requires businesses to notify users about cookies and obtain meaningful consent for some of them.
PIPEDA does not require prior explicit consent for all the cookies, but it does for some of them. For some cookies, implied consent is sufficient to ensure compliance. Others require explicit consent.
PIPEDA has the following cookie banner requirements:
- Explicit consent is required for meaningful consent, and
- The cookie banner text must not be deceptive or misleading.
Cookies banners in other international data privacy laws
Almost all data protection laws worldwide have some requirements for how you should collect users' consent.
They usually necessitate explicit consent. For more information, please see our comprehensive overview of international data privacy laws.
Industries with custom requirements for cookie banners
So far, the advertising industry is the only one that has established cookie banner standards to assist businesses in their industry. The Interactive Advertising Bureau (IAB) is a group of online advertising companies that help their peers comply with applicable laws, such as data privacy laws. As a result, the IAB Transparency and Consent Framework (IAB TCF) was born. It is a set of guidelines that ensures cookie laws are followed. It ensures that your cookie banner complies with the GDPR by precisely requesting and obtaining consent as the law requires.
Consequences for using non-compliant cookie banners
So, what if you don't follow data protection laws and fail to provide users with a cookie notice or obtain their consent when needed?
You will be penalized.
Most of the time, it will be a monetary fine. In some countries and cases, a warning and a deadline to meet the requirements may suffice.
If a user or the data protection authorities notice that you are not complying with the applicable laws, they may open an investigation into you. This could result in a fine and brand damage.
Users feel unsafe when they discover that a website or app does not respect their online privacy. They consider such businesses as deceptive and insidious. Users are more aware than ever of the importance of online privacy and do not trust companies that do not respect it.
However, brand damage is not your only concern. Non-compliance with the cookie banner rules also results in financial penalties.
Penalties differ from one law to the next, but they are never minor. GDPR was the first to impose hefty fines for non-compliant companies, with the goal of preventing tech behemoths from getting away with minor infractions.
There are fines for violations of data protection laws all over the world, including:
- GDPR: up to 4% of the annual turnover or up to 20 Million EUR, whichever is greater
- CCPA: up to $7,500 per violation, per user (the same offense against 1,000 users equals 1,000 x $7,500, or $7,500,000)
- LGPD: 4% of the annual turnover or up to 50 Million Real, whichever is higher
- PIPEDA: up to CAD 100,000 per violation
- Thailand PDPA: up to 5 Million Baht and, in some cases, a year in prison.
Examples of cookie banner penalties
So far, the EU data protection authorities have imposed the most severe penalties for non-compliant cookie banners and illegally obtaining consent.
Nobody is safe. Non-compliant cookie banners have resulted in fines for big tech, small and medium businesses, micro-businesses, and private individuals.
Here are some examples to put things into perspective:
- French CNIL fined Facebook 60 Million EUR for failing to provide the users with the ability to withdraw previously given consent as easily as it was given.
- For the same reasons as Facebook, the French CNIL fined Google 150 million EUR.
- Spanish AEPD fined Vueling 30,000 EUR for obtaining only implied consent when explicit consent was required.
Non-compliant companies suffer brand damage as a result of non-compliance. Over the last few years, there has been a steady rise in online privacy awareness. Many users are aware of how they should be prompted for cookie consent.
Businesses that do not properly obtain consent are not only breaking the law, but are also perceived as shady and untrustworthy. Why should users trust you with anything else if you collected and processed their data without their permission?
You get the idea. People dislike businesses that do not respect their privacy.
If you think no one cares about cookie banners and that you can get away with a non-compliant one, think again.
NOYB (None of Your Business) is an Austrian NGO that advocates for internet privacy. One of their biggest struggles is convincing non-compliant companies to provide GDPR-compliant cookie banners to users.
Most companies that must comply with the GDPR are not yet compliant, mainly because they assume they could get away with it. There are billions of websites, but there are only about 50 data protection agencies to enforce the GDPR (27 European countries) and the national data protection laws.
It appears to be an impossible task, so they want to hold companies accountable and force them to comply. As a result, they have filed hundreds of complaints against randomly selected non-compliant businesses.
Keep in mind that just one dissatisfied user is enough to alert the relevant data protection agency about your non-compliance, subjecting you to an investigation and possibly a penalty.
Which cookie banners do you need to integrate with your website?
The type of cookie banner you require for your website is determined by the legal requirements for the data that you process.
To comply with the EU cookie laws, Brazil LGPD, Thailand PDPA, or another similar law, your cookie banners must:
- Appear at the moment data collection starts, to inform the user about the data collection and to obtain consent
- Request consent in such a way that it is freely given, informed, specific, and unambiguous
- Provide processing information or a link to the privacy and cookie policies
- Be readable and easy to understand, and not trick the user into providing consent.
To comply with US laws such as the CCPA, your cookie banner must:
- Inform the user about the processing, and
- If you sell personal data, inform them about that as well. Because consent is not required in the United States, the cookie banner serves only as an informative tool.
Meaningful consent is required in Canada, which means explicit consent on some occasions and implied consent on others.
In Singapore, explicit consent is required, but it does not have to be specific for each specific purpose. One general consent is sufficient.
If you operate in a country with data protection legislation, you must include a cookie banner on your website.
Cookie banner design examples
You need to integrate a cookie banner into your website due to legal requirements, but that doesn’t mean it needs to be boring. As long as you meet the requirements, you are free to play around with your cookie banner design and style.
Styles of cookies banners
Cookie banner legal requirements and UX best practices result in a variety of cookie banner styles. When deciding on the design of your cookie banner, you have the following options:
- The visual design
- The positioning
- The copy
The visual design can be simple or reflect your company's branding.
Businesses are free to experiment with designs that complement their brand image. Some have been very inventive in their approaches.
Following are some examples:
The text must be easily understandable, easy to read and provide sufficient information about the processing. Apart from that, you have complete control over the wording of your cookie banner.
Here are some excellent examples of cookie banner texts:
When you visit Revolut’s website, this one will greet you:
This one belongs to New Balance:
You have complete control over where your cookie banner appears. Here are a few possibilities:
- At the bottom
- Bottom left side
- On the left side
- At the center
The possibilities are limitless. You are free to place your cookie banner wherever you see fit.
Integrating a cookie banner into your website
Cookie banners abound on the internet, which you could incorporate into your website. However, not all cookie banners are made equal. There are some significant differences to consider, most notably in terms of compliance and pricing.
In this section, we will compare free vs. paid cookie banners and discuss whether you should build one yourself or purchase a done-for-you solution.
Cookie banners: free vs. paid
Advantages of a free cookie banner: The pricing is the only real advantage of having a free cookie banner. You won't have to pay anything for it.
Disadvantages of a free cookie banner: There are three major flaws with free cookie banners all over the internet:
- They are not compliant with data protection laws. Free versions are frequently used to entice you into purchasing a paid version, and only the paid version is compliant. They are usually simple and do not take into account laws such as GDPR.
- They will not collect consent legally and will not keep records of consent obtained.
- They would also not block cookies without first obtaining consent. They are useless additions to your website.
Aside from free cookie banners, there are also tons of free WordPress plugins available on the internet. They will not, however, make you compliant. A good rule of thumb is to avoid free cookie consent tools at all costs.
Advantages of a paid cookie banner: It complies with the laws you must follow. You integrate it once and never have to think about it again. Here at Secure Privacy, we closely monitor changes in cookie consent requirements and implement them as soon as they become effective.
Disadvantages of a paid cookie banner: It comes at a price. Some basic versions are relatively affordable. The basic GDPR cookie banner costs a cup of coffee per month.
Building a cookie banner yourself vs. buying one
Building advantages: If you have a programmer and a lawyer available for free, you can build a cookie banner without spending any other resources (aside from their time).
Building disadvantages: Laws are constantly changing, and you must stay up to date. If you build your own cookie banner, make sure that your employees are aware of any changes in legal requirements. Your programmers can quickly implement them and keep you compliant with the laws that apply to your business.
Advantages of buying: It's all taken care of for you and affordable. Even better if your solution is an IAB framework consent management platform.
Disadvantages of buying: Aside from the price, there are no real cons of buying a cookie banner solution. When you build, it could be virtually free. The done-for-you solution must be paid for. However, developers and lawyers who work on the solution you create do not work for free.
We'll assume you've decided to purchase a cookie banner from Secure Privacy because:
- All the current legal requirements have been embedded into the solution
- It keeps you compliant with the laws you need to comply with, which means less work for your lawyer
- We track the new online privacy legislation and incorporate it into the solution
- We are an IAB consent management platform
- We design elegant cookie banners
- We take care of the UX of the banners to improve the cookie acceptance rate
- We keep track of the consents obtained
- Every day, a team of developers works to improve the cookie banners
- Our cookie scanner will assist you in detecting the cookies used by your website and include them in the banner for compliance
If that's the case, you'll need to make some changes to your website. We've got you covered (contact us). The Secure Privacy cookie banner solution is compatible with all web platforms.
The data protection laws are embedded in the Secure Privacy cookie banners. They also meet the IAB TCF 2.0 Framework requirements. Secure Privacy is on the IAB CMP list (see the best CMP tools), ensuring that the cookie banner complies with the GDPR.