Cookie Banners: What They Are, How To Get One, and Why You Need Them

If your business operates online and collects data for processing, you will most likely need to notify users and obtain their consent. Cookie banners are the most efficient way to accomplish this. They are not perfect, but you cannot do without them. By using cookie banners, you can make your data collection and processing activities more visible to your users. Cookie banner best practices ensure that your company complies with data protection laws all over the world.

Get a free cookie banner on your site now

This is why you should learn more about them. In this article, you'll learn everything you need to know on how to make a cookie banner, including:

What a cookie banner is, and why you need one
Legal requirements for cookie banners
Examples of great-looking cookie banner designs
How to choose a cookie banner and integrate one to your website

By the end of this article, you will know what type is required and how to make a cookie banner.

The very first step to understanding why online privacy laws worldwide affect the use of cookies and cookie banners, you need to understand what a cookie banner is and how does it interact with cookies and internet users.

A cookie banner is a tool for informing users about your cookie use and, if necessary, obtaining consent for cookie use.

Personal data is collected by some cookies, and data privacy laws protect personal data. Before using any cookies, it is often necessary to obtain the user's permission. This is where a cookie banner can help. It is a good UI/UX practice that will assist you in complying with laws.

Before we get into why you need a cookie banner and how to make it both compliant and beautiful, you should first understand what cookies are and how they work.

What are cookies, and how do they work?

Cookies are small text files that your website or app uses to collect data for later processing. Your website or app sends these files to the user's device, where they begin collecting data.

Each cookie is intended to collect a specific type and amount of data. There is no single cookie that collects all of the data you require. Businesses use a variety of cookies designed to collect data for a specific processing purpose. In most cases, the cookies you require are provided by the third-party tools you integrate with your website.

Assume you use Google Analytics to track how visitors interact with your website. When you integrate Google Analytics with your website and a user visits it, Google Analytics sends cookies to the user's device. This cookie will collect data about the pages they visit, how they navigate the website, their demographics, IP address, digital fingerprints, and other factors.

If you use Google advertising tools along with Google Analytics (GA), your website will also send marketing and advertising cookies to users' devices in addition to the GA cookies.

GDPR cookie consent for publishers and advertisers: Google’s Consent Mode API and Secure Privacy,

Learn more about cookies, how they work, and what you must do to comply with the EU cookie laws.

The use of personal data entails certain responsibilities. Some of the data you collect and process is personal data about real people. These individuals have data privacy rights, so you must protect their data while it is under your control.

There is nothing wrong with processing personal data. Personal data circulating on the internet, on the other hand, may be abused; thus, companies that process it must ensure its security.

Before you begin processing data, you must first ask your user if they are okay with it. Most data protection laws require businesses to obtain users' permission before using cookies.

In your day-to-day operations, this means that when you want to use cookies, which is usually when the user visits your website, you must either:

Ask the user for consent to use the cookies, or
Inform the user about your privacy practices and cookie usage.

The first approach requires a user opt-in, i.e., the user must consent to having their data collected and processed.

The second one does not require an opt-in or explicit consent, but may allow the user to opt-out of the later processing.

Learn more about the principles of opt-in vs. opt-out.

The most practical way to ask for consent and inform users about cookies is to use a cookie banner. Although the laws do not explicitly require a banner, best practices in UI and UX indicate that using a cookie banner for these purposes is the way to go.

Remember that using cookies without asking for consent or informing users about the use of cookies is a violation of the data protection laws that apply to your business. You must block cookies until you obtain their consent.

Most of the data privacy laws worldwide require you to obtain cookie consent. Some only require that you inform users about cookies. At the same time, very few countries have no requirements in place (and you probably do not operate in those countries).

Failure to meet the legal requirements for cookie banners renders consent null and void, implying that data collection, processing, and storage is illegal. Penalties can reach as high as a few million Euros in Europe.

A cookie banner and a cookie notice mean the same thing: a tool notifying users about your cookies and asking for their consent.

However, a cookie policy (sometimes also called a cookie declaration) is entirely different.

A cookie policy details information about the cookies you use, what these cookies collect, and the purpose of using these cookies. In essence, the cookie policy looks like a privacy policy.

In summary, the notice or banner provides quick information, while the policy provides detailed information.

Cookie banners help you to comply with data privacy laws. Therefore, your cookie banner needs to meet the requirements prescribed by the laws that apply to your business.

Depending on what the law requires from your business, there are three possible scenarios:

You need to obtain explicit cookie consent, or,
You need to notify the users about the use of cookies and get implied consent, or,
There are no cookie banner obligations whatsoever.

There are only a handful of countries that do not require cookie banners, and these are getting fewer as more laws are updated. These countries are primarily underdeveloped countries where online businesses are not as prevalent as in developed countries, so these will not be included in this article.

However, you need to understand the difference between explicit and implied consent.

Data privacy laws take two different approaches in collecting personal data:

Opt-in approach, which requires the user to opt into data processing with an affirmative action such as clicking the ACCEPT COOKIES button, and
Opt-out approach, which allows businesses to use cookies without consent while allowing users to opt-out of data processing at any time.

The opt-in approach requires explicit consent. When a business asks the user to confirm that they consent to the use of cookies, that is a request for explicit consent.

There are many ways to request this. Some laws require businesses to collect separate consent for each specific processing purpose. Other laws allow businesses to use a single consent for all processing purposes. Additionally, most laws also have other requirements aside from consent.

When the applicable laws require explicit consent, you must not use cookies without first obtaining the user's consent. You must continue to block them until the user agrees to receive them. Otherwise, the processing of personal data will be invalid and illegal, resulting in fines. The EU's GDPR is the most notable law requiring explicit consent.

Implied consent means that the user can indicate passively that they have no objections to cookies. It is sufficient to inform users that the website employs cookies and to request that they leave if they do not agree.

The California CCPA and CalOPPA are two notable laws that rely on implicit consent.

Read more about the difference between implied and explicit consent.

Cookie banner requirements vary per country. You need to check with the appropriate data protection laws that apply to your business. Most data protection laws available have some requirements regarding how consent is collected.

Cookies are governed by two EU laws: the ePrivacy Directive and the General Data Protection Regulation (GDPR).

ePrivacy Directive. The European Union's ePrivacy Directive of 2002 was the first data privacy law to require cookie notices. It requires businesses to obtain user consent before using their data for marketing purposes. Because cookies collect personal data, you cannot use them to collect and process personal data without the user's consent.

It also requires businesses to inform users about their privacy practices, including what data is processed, why, and how long. In practice, this means that businesses must inform customers about cookies and obtain their permission to use them.

The website may use cookies if the user agrees. If the user refuses to consent, the website must not use cookies and must still allow the user to use the website.

Implied consent was not valid for ePrivacy Directive compliance, but obtaining a single consent for all data categories and all the processing purposes was acceptable. That changed with the implementation of the GDPR.

GDPR. In many cases, the GDPR requires explicit consent to process personal data. It establishes a number of legal bases for processing, one of which is consent. Most businesses will rely on this legal basis to meet the GDPR processing requirements.

That does not differ significantly from the requirements of the ePrivacy Directive, or so we thought until the CJEU's Planet49 ruling.

Planet49 is a German company that used to serve users a cookie banner with pre-selected checkboxes.

The Court determined that the cookie banner does not collect consent in accordance with the GDPR and German data protection laws. Although it had been collecting consent for each specific purpose of processing, the consent checkboxes had been pre-checked. According to the ruling, providing users with pre-checked consent checkboxes does not allow users to take affirmative action for consent; thus, the consent request is invalid. Personal data processing has also been declared illegal. Take a look at our Data Processing Agreement Guide

Following the ruling, the European Data Protection Board (EDPB) issued guidelines on how to create a legal cookie banner and how a business should collect cookie consent. The guidelines prompted all of the European Union's data protection authorities to issue their own national guidelines on the subject.

We have a separate comprehensive article that covers all of the current cookie guidelines.

Guarentee a ePrivacy and GDPR-compliant Wordpress Cookie Consent Banner and WordPress Privacy Policy with Secure Privacy

Learn more about GDPR compliance.

ePrivacy Regulation. The European Union has one more data privacy law in the pipeline. It is known as the "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)", or ePrivacy Regulation for short.

The GDPR will be supplemented by the ePrivacy Regulation (ePrivacy Regulation vs GDPR), which will replace the ePrivacy Directive. It has not yet been approved by EU institutions, but the draft is nearly complete, with no significant changes expected.

This regulation includes provisions on cookies, among other things. It aims to combat cookie banner overload on the internet by allowing users to grant or deny consent via their browser settings. You cannot use cookies if the user configures their browser to refuse cookie consent.

This regulation does not require user consent for cookies that improve user experiences while not invading privacy, such as cookies that remember some website preferences, cookies that remember what you have put in your shopping basket, and similar ones.

Update: ePrivacy Regulation 2021 Draft Update and 2022 ePrivacy Regulation update

According to the guidelines of Europe's data protection agencies, your cookie banner should ensure that the consent is:

Freely given, which means that the consent cannot be obtained in exchange for something else, such as access to website content,
Informed, which means that you must inform users about the processing prior to obtaining their consent,
Specific, which means that consent is required for each specific processing purpose, and
Unambiguous, which means that only affirmative action by the user indicates consent.

If this sounds too abstract, the images below will help to clarify things. First, we will demonstrate what is incorrect, which is something that businesses frequently do. Then we'll compare it to how Secure Privacy obtains consent.

Freely given

The cookie banner above prevents users from accessing the website without providing cookie consent. If the user refuses to accept cookies, they will be unable to access the website. That is not allowed.

It would have been permitted if there had been a button to refuse cookies and gain access to the website. However, because there is only an ACCEPT button, this is illegal.

The cookie banner shown above is the one that appears on our website. This banner's consent is freely given because it does not restrict access to the website consent without accepting cookies.

Informed

The above cookie banner does not notify the user of the processing activities. It neither informs the user why the data is being collected nor links to the privacy policy.

The SP cookie banner informs users that their data will be collected and processed and provides a link to the privacy policy for more information.

Specific

The cookie banner above asks for a single general consent for all processing purposes. That is incorrect because consent must be obtained separately for each processing purpose.

The cookie banner above asks for consent for each specific processing purpose. It is the user's responsibility to check the boxes. They should be presented to the user unchecked. That is the proper method for obtaining specific consent.

Unambiguous

The act of browsing the website does not constitute consent. That is not permissible under the GDPR. The user must express explicit consent through affirmative action.

The user can accept cookies by clicking the ACCEPT button in the banner above. It also provides an equally prominent DECLINE button. Cookies will not be sent to the user's device unless the ACCEPT button is clicked.

The approach to data privacy laws in the United States differs from that of the EU. In the EU, the user must opt-in to the use of cookies. Users have no data privacy rights in most states in the United States, so companies have no data privacy obligations (aside from data breach obligations).

There are only a few states in the United States that have data protection laws in place. This includes California, Virginia, and Colorado so far. None of them require businesses to inform users about the use of cookies and obtain their consent. They do, however, require businesses to inform users about the collecting and processing of personal information.

If you use cookies to collect personal data for processing, you must inform users at the time of collection. Although a banner is not explicitly required, businesses use them because they are a convenient way to comply with the data protection laws.

Cookies banners and the LGPD

The Brazil LGPD's cookie notice requirements are very similar to those of the GDPR. Businesses must notify users about data collection, including cookie data, and obtain explicit consent for their use.

The use of cookies and other online trackers without prior consent is illegal and renders the processing invalid.

In addition, PIPEDA requires businesses to notify users about cookies and obtain meaningful consent for some of them.

PIPEDA does not require prior explicit consent for all the cookies, but it does for some of them. For some cookies, implied consent is sufficient to ensure compliance. Others require explicit consent.

PIPEDA has the following cookie banner requirements:

Informative,
Explicit consent is required for meaningful consent, and
The cookie banner text must not be deceptive or misleading.

If you want to learn more about the PIPEDA cookie banner requirements, click here.

Cookies banners in other international data privacy laws

Almost all data protection laws worldwide have some requirements for how you should collect users' consent.

They usually necessitate explicit consent. For more information, please see our comprehensive overview of international data privacy laws.

So far, the advertising industry is the only one that has established cookie banner standards to assist businesses in their industry. The Interactive Advertising Bureau (IAB) is a group of online advertising companies that help their peers comply with applicable laws, such as data privacy laws. As a result, the IAB Transparency and Consent Framework (IAB TCF) was born. It is a set of guidelines that ensures cookie laws are followed. It ensures that your cookie banner complies with the GDPR by precisely requesting and obtaining consent as the law requires.

More information on the IAB TCF can be found here.

So, what if you don't follow data protection laws and fail to provide users with a cookie notice or obtain their consent when needed?

You will be penalized.

Most of the time, it will be a monetary fine. In some countries and cases, a warning and a deadline to meet the requirements may suffice.

If a user or the data protection authorities notice that you are not complying with the applicable laws, they may open an investigation into you. This could result in a fine and brand damage.

Users feel unsafe when they discover that a website or app does not respect their online privacy. They consider such businesses as deceptive and insidious. Users are more aware than ever of the importance of online privacy and do not trust companies that do not respect it.

However, brand damage is not your only concern. Non-compliance with the cookie banner rules also results in financial penalties.

Penalties

Penalties differ from one law to the next, but they are never minor. GDPR was the first to impose hefty fines for non-compliant companies, with the goal of preventing tech behemoths from getting away with minor infractions.

There are fines for violations of data protection laws all over the world, including:

GDPR: up to 4% of the annual turnover or up to 20 Million EUR, whichever is greater
CCPA: up to $7,500 per violation, per user (the same offense against 100 users equals 1000x$7,500, or $7,500,000)
LGPD: 4% of the annual turnover or up to 50 Million Real, whichever is higher
PIPEDA: up to CAD 100,000 per violation
Thailand PDPA: up to 5 Million Baht, and, in some cases, a year in prison. Read more about the PDPA and what are the key differences between PDPA and GDPR.

So far, the EU data protection authorities have imposed the most severe penalties for non-compliant cookie banners and illegally obtaining consent.

Nobody is safe. Non-compliant cookie banners have resulted in fines for big tech, small and medium businesses, micro-businesses, and private individuals.

Here are some examples to put things into perspective:

French CNIL fined Facebook 60 Million EUR for failing to provide the users with the ability to withdraw previously given consent as easily as it was given.
For the same reasons as Facebook, the French CNIL fined Google 150 million EUR.
Spanish AEPD fined Vueling 30,000 EUR for obtaining only implied consent when explicit consent was required.

Brand damage

Non-compliant companies suffer brand damage as a result of non-compliance. Over the last few years, there has been a steady rise in online privacy awareness. Many users are aware of how they should be prompted for cookie consent.

Businesses that do not properly obtain consent are not only breaking the law, but are also perceived as shady and untrustworthy. Why should users trust you with anything else if you collected and processed their data without their permission?

You get the idea. People dislike businesses that do not respect their privacy.

NOYB complaints

If you think no one cares about cookie banners and that you can get away with a non-compliant one, think again.

NOYB (None of Your Business) is an Austrian NGO that advocates for internet privacy. One of their biggest struggles is convincing non-compliant companies to provide GDPR-compliant cookie banners to users.

Most companies that must comply with the GDPR are not yet compliant, mainly because they assume they could get away with it. There are billions of websites, but there are only about 50 data protection agencies to enforce the GDPR (27 European countries) and the national data protection laws.

It appears to be an impossible task, so they want to hold companies accountable and force them to comply. As a result, they have filed hundreds of complaints against randomly selected non-compliant businesses.

Keep in mind that just one dissatisfied user is enough to alert the relevant data protection agency about your non-compliance, subjecting you to an investigation and possibly a penalty.

The type of cookie banner you require for your website is determined by the legal requirements for the data that you process.

To comply with the EU cookie laws, Brazil LGPD, Thailand PDPA, or another similar law, your cookie banners must:

Appear at the moment of collection of data to inform the user about the data collection and to obtain consent
Request consent in such a way that it is freely given, informed, specific, and unambiguous
Provide processing information or a link to the privacy and cookie policies
Be readable, easy to understand, and do not trick the user into providing consent.

If you need to comply with the CCPA, Virginia CDPA, or the Colorado Privacy Act, the cookie banner should only do two things:

inform the user about the processing and,
If you sell personal data, inform them about that as well. Because consent is not required in the United States, the cookie banner serves only as an informative tool.

Meaningful consent is required in Canada, which means explicit consent on some occasions and implied consent on others.

In Singapore, explicit consent is required, but it does not have to be specific for each specific purpose. One general consent is sufficient.

If you operate in a country with data protection legislation, you must include a cookie banner on your website.

You need to integrate a cookie banner into your website due to legal requirements, but that doesn’t mean it needs to be boring. As long as you meet the requirements, you are free to play around with your cookie banner design and style.

Styles of cookies banners

Cookie banner legal requirements and UX best practices result in a variety of cookie banner styles. When deciding on the design of your cookie banner, you have the following options:

The visual design
The positioning
The copy

Visual design

The visual design can be simple or reflect your company's branding.

Businesses are free to experiment with designs that complement their brand image. Some have been very inventive in their approaches.

Following are some examples:

Read more about some beautiful brand cookie banner designs.

Text

The text must be easily understandable, easy to read and provide sufficient information about the processing. Apart from that, you have complete control over the wording of your cookie banner.

Here are some excellent examples of cookie banner texts:

When you visit Revolut’s website, this one will greet you:

This one belongs to New Balance:

Read more about some wonderful and compliant cookie banner texts.

Positioning

You have complete control over where your cookie banner appears. Here are a few possibilities:

At the bottom

Bottom left side

TRY SECURE PRIVACY FOR FREE

On the left side

At the center

The possibilities are limitless. You are free to place your cookie banner wherever you see fit.

Cookie banners abound on the internet, which you could incorporate into your website. However, not all cookie banners are made equal. There are some significant differences to consider, most notably in terms of compliance and pricing.

In this section, we will compare free vs. paid cookie banners and discuss whether you should build one yourself or purchase a done-for-you solution.

Advantages of a free cookie banner: The pricing is the only real advantage of having a free cookie banner. You won't have to pay anything for it.

Disadvantages of a free cookie banner: There are three major flaws with free cookie banners all over the internet:

They are not compliant with data protection laws. Free versions are frequently used to entice you into purchasing a paid version, and only the paid version is compliant. They are usually simple and do not take into account laws such as GDPR.
They will not collect consent legally and will not keep records of consent obtained.
They would also not block cookies without first obtaining consent. They are useless additions to your website.

Aside from free cookie banners, there are also tons of free WordPress plugins available on the internet. They will not, however, make you compliant. A good rule of thumb is to avoid free cookie consent tools at all costs.

Advantages of paid cookie banner: It complies with the laws you must follow. You integrate it once and never have to think about it again. Here at Secure Privacy, we closely monitor changes in cookie consent requirements and implement them as soon as they become effective.

Disadvantages of a paid cookie banner: It comes at a price. Some basic versions are relatively affordable. The basic GDPR cookie banner costs a cup of coffee per month.

Building advantages: If you have a programmer and a lawyer available for free, you can build a cookie banner without spending any other resources (aside from their time).

Building disadvantages: Laws are constantly changing, and you must stay up to date. If you build your own cookie banner, make sure that your employees are aware of any changes in legal requirements. Your programmers can quickly implement them and keep you compliant with the laws that apply to your business.

Advantages of buying: It's all taken care of for you and affordable. Even better if your solution is an IAB framework consent management platform.

Disadvantages of buying: Aside from the price, there are no real cons of buying a cookie banner solution. When you build, it could be virtually free. The done-for-you solution must be paid for. However, developers and lawyers who work on the solution you create do not work for free.

.	Free	Do It Yourself	Paid

Compliance	Non-compliant most of the time	You have to ensure the compliance of the banner as the laws change	Providers are responsible for compliance and tracking new legal requirements.
Price	Free	You have to pay a programmer and a lawyer	Affordable
Design	Limited options	Total freedom to design it in any way you want	Complete freedom if provided with CSS customizations

We'll assume you've decided to purchase a cookie banner from Secure Privacy because:

All the current legal requirements have been embedded into the solution
It keeps you compliant with the laws you need to comply with, which means less work for your lawyer
We track the new online privacy legislation and incorporate it into the solution
We are an IAB consent management platform
We design elegant cookie banners
We take care of the UX of the banners to improve the cookie acceptance rate
We keep track of the consents obtained
Every day, a team of developers works to improve the cookie banners
Our cookie scanner will assist you in detecting the cookies used by your website and include them in the banner for compliance

If that's the case, you'll need to make some changes. We've got you covered (contact us). All web platforms are compatible with the Secure Privacy cookie banner solution. Check out the links below:

Integrate with WordPress

Integrate with Shopify

Integrate with Hubspot

Integrate with Wix

Integrate with Weebly

Integrate with Magento

Integrate with Squarespace

Integrate with Elementor Cloud

Integrate with Joomla

Integrate with Adobe Atomic Tag Manager

Integrate with Drupal

The data protection laws are embedded in the Secure Privacy cookie banners. They also meet the IAB TCF 2.0 Framework requirements. Secure Privacy is on the IAB CMP list (see the best CMP tools), ensuring that the cookie banner complies with the GDPR.

Read ePrivacy Regulation Latest Blog Posts

Integrating a cookie banner into your website

In this section, we will compare free vs. paid cookie banners and discuss whether you should build one yourself or purchase a done-for-you solution.