
Why you need a cookie banner

When a user visits a website for the first time, a cookie banner will appear, informing the user about the processing of personal data.
by Usercentrics
Mar 5, 2024

Cookie banners, also known as “consent banners,” are not new. In fact, they are quickly becoming an expected part of the user experience when visitors arrive on websites for the first time. This is because privacy laws increasingly require companies to obtain visitors’ or customers’ consent before collecting, using, or selling their personal information.

 

These requirements are included in data privacy laws like the European Union’s General Data Protection Regulation (GDPR), the ePrivacy Directive, the California Consumer Privacy Act (CCPA), and the Brazilian Data Protection Law (LGPD). Clear, transparent compliance with them, for example by implementing a cookie banner on your website, also helps build trust and encourages long-term relationships with your users and customers.

Since the General Data Protection Regulation (GDPR) came into effect in 2018, cookie banners are the new normal. When a user visits your website for the first time, a pop-up window or banner will appear. It’s intended to inform the user about the processing of their personal data.

 

A cookie is just a small text file, saved in the user’s browser, and used to store information. It enables functions like the web server’s ability to “recognize” a user on future visits to the site.

 

Cookies can be set in a browser without the user knowing it. However, the question is whether it’s legal to do so or not.


Consent banners or cookie consent popups appear on or over a website’s homepage content and are interactive. Once users have selected consent preferences in the cookie banner – if they interact with it at all – those preferences are saved by your website’s Consent Management Platform (CMP).

 

A cookie banner gives your website visitors control over their website experience, how they are tracked, and how their data is used. It informs visitors about the web technologies, including cookies, used on the website to ensure its proper functioning.

 

Cookies can also track user behavior and collect data about users and their actions.

 

Given this information, cookie banners must provide options to enable or prevent the use of those technologies.

 

Privacy violations come with hefty fines. However, the worst part is losing your customers’ trust and the negative word of mouth.

People are becoming increasingly aware of privacy and their rights regarding their data. Showing that you take their privacy seriously via a cookie consent popup empowers them to control access to their data and can be a key competitive advantage.

 

Additionally, consent management best practices increase user trust. This means that people are more inclined to share more of their data upon seeing a cookie consent banner since a company is being transparent about its collection and purposes of use. More data means better insights for marketing, as well as more ad revenue.

Cookie banners have to provide visitors with clear information, in plain language, about:

  • Their privacy rights,
  • Which web technologies, like cookies, are used on that site,
  • For what purposes they are used.

A link to the company’s privacy policy should also be included.

Cookie banners have to provide users with consent options. So a website visitor must be able to opt in or opt out of the use of cookies entirely. Alternatively, they can customize which services they will allow to access their data.

There are three primary types of cookie consent banners that can be integrated into a company’s website.

 

A notice-only cookie banner is usually located at the bottom of a page and informs people that cookies are in use on a website. However, it does not give the option of a granular decision.

This is not a GDPR-compliant cookie banner. You can use notice-only cookie banners under the CPRA, but you’ll also need certain links on your homepage to be compliant.

 

An opt-out popup or banner assumes user consent based on actions such as continued use of the website. For instance, a banner might state, “Continuing to use this website will be taken as consent to use cookies.” Therefore, people are typically required to take action if they want to reject the use of certain types of cookies.

Opt-out cookie banners align with data privacy laws like the CCPA, which don’t mandate explicit user consent for cookies. However, this is not a GDPR-compliant cookie banner.

 

Lastly, an opt-in consent banner requires people to actively agree, typically by clicking “Accept,” to permit the use of cookies and other tracking technologies placed on their device. This option offers clearer control and is a cookie banner example that can be fully GDPR compliant.

 

Companies can choose the most suitable type of cookie consent banner based on factors such as user experience, jurisdictional compliance, and the specific needs of the website.

Cookie consent banners come in various designs. However, there are certain best practices to follow when creating a cookie consent pop-up to ensure that it is transparent, clear, and provides people with granular control while being user-friendly.

 

For starters, your cookie banner text should inform the visitor about the cookies the website is using and their purpose. It should leave no confusion. This means you offer people both “Accept” and “Reject” options. Once someone sets their cookie preferences, they should be able to modify them at any time via a prominent link or a button on the webpage.

 

Additionally, take the time to create a personalized consent banner that matches your brand’s visual identity. A cookie consent banner that fits in with your brand — in terms of colors, fonts, and language — feels more personal and intentional than one that hasn’t been customized at all.

 


There are multiple ways to install a cookie banner on your website. The first is to use a Consent Management Platform, such as Usercentrics, that enables you to create a customizable GDPR-compliant cookie banner in minutes. Our software will scan your website so you know which cookies and tracking technologies are collecting data. Then, we’ll help you comply with global privacy laws by recording and maintaining a log of the cookie consent you receive from website visitors.

 

Another option is to manually code a cookie banner for your website. Add a short explanation as to the purpose of cookies, a clear statement on which action will signify consent, as well as a link to a cookie policy. However, under EU law, if your website uses any non-exempt cookies or scripts, these scripts must be prevented from running until a website visitor explicitly grants consent.

 

Therefore, a CMP is an easier option to implement as it requires less effort to set up and is more likely to help you remain compliant with privacy laws while automating the cookie consent management process.
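
For the manual route described above, this added example (not Usercentrics code and not part of the original article) shows the opt-in gate a hand-coded banner needs: non-exempt scripts stay blocked until their category is explicitly granted, consent can be revoked, and each choice is logged. The category names, script ids, and function names are assumptions made for illustration.

```javascript
// Added example: consent gate for a hand-coded cookie banner.
// Category names and the script inventory are constructed for illustration.
const EXEMPT = 'strictly-necessary';

const SCRIPTS = [ // constructed sample inventory
  { id: 'cart-session', category: 'strictly-necessary' },
  { id: 'site-analytics', category: 'analytics' },
  { id: 'retargeting-pixel', category: 'marketing' },
  { id: 'unlabelled-widget' }, // no category: never exempt, never loadable
];

// A fresh visitor has granted nothing (opt-in model: default deny).
function newConsent() {
  return { granted: new Set(), log: [] };
}

// Record one explicit, per-category choice and return a new consent record.
// Every change is appended to a log so the choice can be documented later.
function recordChoice(consent, category, allowed, at = new Date().toISOString()) {
  if (typeof category !== 'string' || category === EXEMPT) return consent;
  const granted = new Set(consent.granted);
  if (allowed) {
    granted.add(category);
  } else {
    granted.delete(category); // revocation is as easy as granting
  }
  return { granted, log: [...consent.log, { category, allowed, at }] };
}

// Strictly necessary scripts always run; everything else needs a grant.
function mayLoad(script, consent) {
  if (script.category === EXEMPT) return true;
  return typeof script.category === 'string' && consent.granted.has(script.category);
}

// Split the inventory into scripts to load now and scripts to keep blocked.
// In a browser, only ids in `load` would have their <script> elements created.
function partition(scripts, consent) {
  const load = [];
  const blocked = [];
  for (const s of scripts) {
    (mayLoad(s, consent) ? load : blocked).push(s.id);
  }
  return { load, blocked };
}
```
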

While data privacy laws are passed in specific regions or countries, your website visitors and customers can come from pretty much anywhere in the world. So the type of cookie banner you need to comply with privacy law typically depends on where your visitors are located, not your company.

 

So the answer to “Do I need a cookie banner on my website?” is “Most likely you do, yes” and “Why would you risk not having one?” Especially given that, in addition to not wanting to risk violations and fines, you don’t want to jeopardize the trust of your users and customers.

 

Legally, cookie banners have to provide all of a user’s cookie usage consent options and the ability to exercise them equally. They cannot use text or graphics (or the absence of them) to manipulate users into the “consent” that the company wants.

 

However, not all privacy laws are the same. For example, the EU’s GDPR and Brazil’s LGPD use an opt-in model, where user consent must be obtained before data can be collected (or used).

 

However, under US laws like the CCPA, an opt-out model is used. So companies only have to obtain users’ consent before personal information is sold. Consent is not required before or when such data is collected.

 

There are also, or will be, more specific considerations for minors and for data classified as “sensitive personal information”, especially under the successor to the CCPA, the California Privacy Rights Act (CPRA).


 

GDPR doesn’t explicitly mention cookies, but it does have several requirements for consenting to data processing and collection. According to Art. 4 of GDPR, user consent must be:

  • Freely given
  • Informed
  • Specific
  • Unambiguous
  • Revocable
  • Obtained before any data is collected

So to create a GDPR-compliant cookie banner, its appearance, content, and functionality must meet the above requirements. You cannot coerce or manipulate the user into giving consent; consent must be freely given. And you must clearly describe what kind of data your website will collect upon consent and what the implications of giving consent are.

 

A GDPR-compliant consent banner requires the following:

  • The cookie banner or pop-up should indicate the use of cookies and other trackers on your website.
  • The cookie banner must ensure that the user can give their consent.
  • Users must have the option to give granular consent for different processing purposes.
  • People must be presented with an opt-out option, which can be through a widget or a link.
  • The banner includes a link to your full privacy policy, cookie policy, and cookie settings.
  • The user’s choice is documented in the event of a review.


 

To comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), your cookie banner should focus on providing a notice of collection. Inform users about your website’s data collection practices, including the use of cookies. This is according to CPRA Section 1798.135.

 

Unlike GDPR, the CCPA and CPRA do not require businesses to obtain cookie consent. Instead, they emphasize the importance of providing a clear notice of data collection to users. This means that your cookie banner should be designed to serve as a notice of collection, providing easy-to-read and understandable information about the categories of personal information collected and the purposes of such collection.

 

In addition, companies also need to include the links mentioned above somewhere on their website homepage, usually in the footer.

Cookie banners are no longer just a formality; they are a necessity. And if your consent banner does not comply with local regulations, you’ll face hefty fines.

 

For example, under the GDPR, Art. 84, fines can be up to € 20 million EUR or 4% of a company’s global annual revenue, whichever is higher. In the US, the CCPA and CPRA can impose fines of up to $7,500 USD per violation. In the UK, the Information Commissioner’s Office (ICO) can impose fines of up to £17.5 million GBP or 4% of a company’s global annual revenue, whichever is higher.

 

Fines can be imposed for various reasons, such as not obtaining proper consent, not providing clear information about data collection and use, or not giving users a genuine choice to accept or reject cookies.

 

Therefore, your cookie banner must be compliant with relevant local privacy laws to avoid potential fines.

Cookies are not the only web technology that can be used in a browser for tracking or data collection purposes. Tracking and retargeting pixels are also used. Regulations like GDPR include all such technologies that process personal data in any way.

 

“Strictly necessary” cookies enable a website to function as intended and do not require user consent to be loaded. For example, if you want your customers to be able to browse your e-commerce website while saving the items in their shopping cart, that requires cookies. And for this, you do not need consent. However, other types of cookies do require consent.

 

Analytics cookies, which provide details like how many visitors are on the website and what pages or functions they’re accessing, do require user consent. As do third-party cookies that track users when they go to other websites or any web technologies that collect users’ personal information, such as name, IP address, location, or other data that can be used to identify a person.

 

A website should only load the cookies that a user has consented to. However, there are tools, like Google Consent Mode, that help recover valuable data and provide analytic modeling even without the data processing that’s enabled by user consent.

 

To achieve full privacy compliance on a website, a simple cookie banner is not enough to meet GDPR requirements. And other international privacy laws, such as the California Consumer Privacy Act (CCPA), have specific requirements as well. Therefore, using a cookie banner correctly is just one part of a solid data privacy strategy for your website.

 

A Consent Management Platform will help you check off all necessary privacy compliance requirements, no matter what your website is used for, and even if you’re subject to multiple countries’ data privacy laws.

A Consent Management Platform (CMP), such as Usercentrics, offers all the necessary features to ensure you can create, design, and publish a privacy-compliant cookie banner. With it, you can address the specific relevant laws and web technologies used on your site, customize the appearance of your banner, and clearly communicate with your website visitors to maintain an accessible and transparent privacy policy for everyone.


FAQ

What is a cookie banner?

A cookie banner is a pop-up that appears when you visit a website, informing you about the use of cookies and other trackers as well as processing personal data and asking for your consent to process personal data. Its presence is vital for compliance with laws like GDPR.

When is a cookie banner compliant?

To be considered compliant, a cookie banner must be visible, clearly explain the usage of cookies and other trackers, let users give or deny consent, and provide a genuine choice with consequences. It should also inform website visitors about their rights, include a link to your full privacy and cookie policy, and adjust based on various languages or regions. It also needs to be possible to give granular consent and to revoke previously given consent.

Do I need a cookie consent banner?

Yes. When GDPR applies to you and you use cookies to process personal data or track your website visitors, then you need a cookie consent banner to comply with local privacy laws.

How to make a cookie banner or cookie pop-up?

You can build a cookie banner by coding one manually. Alternatively, use a Consent Management Platform like Usercentrics, which enables you to scan your website and create a personalized cookie banner that matches your branding.

Why do cookies require consent?

Cookies and other trackers require consent because they can track personally identifiable information or online activity and most people don’t feel comfortable with that and prefer to choose what data they share online.

What is GDPR cookie consent?

GDPR cookie consent means websites need clear permission from users before collecting their data via cookies. Website visitors must be able to freely agree to this and have the option to accept or reject cookies.

Is a cookie banner required in the US?

In the US, federal law doesn’t explicitly require a cookie banner. But, if your website has visitors from the EU, California, Brazil, and South Africa, and you use cookies for personal data collection, having a cookie banner is essential for complying with global data protection regulations. US state privacy laws might require that you provide the option to opt out of some processing activities like selling data.

Does Google Analytics use cookies?

Google Analytics does use cookies for analytical purposes. If you have website visitors from the EU, you should present them with a cookie consent banner and give them the option to accept or decline cookies and processing for analytical purposes.

What should a cookie banner say?

A cookie banner text should clearly state the website’s use of cookies and other trackers while also requesting permission to place these cookies on a person’s device. It should provide people with a choice to accept or deny cookies and trackers. And include easily accessible links to your full privacy and cookie policy as well as the settings page.

Are a cookie notice and cookie banner the same?

No, a cookie banner is used to provide users the option to consent to the placing of cookies and trackers as well as the processing of personal data. The cookie notice is a separate page on the website where detailed information about cookies and trackers is included.

What are strictly necessary cookies?

These are cookies that are essential for your website to function. For example, they maintain items in a cart or a person’s session while logged in. Strictly necessary cookies require no consent.

What is valid consent?

Valid consent means people giving their permission for the processing of their personal data which is freely given, informed, specific, and through affirmative action.
