Cookie banners, also known as “consent banners”, are not new. In fact, they are quickly becoming an expected part of the user experience when visitors arrive on a website for the first time. This is because privacy laws increasingly require companies to obtain visitors’ or customers’ consent before collecting, using, or selling their personal information.
These requirements are included in data privacy laws like the European Union’s General Data Protection Regulation (GDPR), the ePrivacy Directive, the California Consumer Privacy Act (CCPA), and the Brazilian Data Protection Law (LGPD). Clear, transparent compliance with them, for example by implementing a cookie banner on your website, also helps build trust and encourages long-term relationships with your users and customers.
What is a cookie banner?
Since the General Data Protection Regulation (GDPR) came into effect in 2018, cookie banners are the new normal. When a user visits your website for the first time, a pop-up window or banner will appear. It’s intended to inform the user about the processing of their personal data.
A cookie is just a small text file, saved in the user’s browser, and used to store information. It enables functions like the web server’s ability to “recognize” a user on future visits to the site.
Cookies can be set in a browser without the user knowing it. The question is whether it is legal to do so.
How does a cookie consent banner work?
Consent banners or cookie consent popups appear on or over a website’s homepage content and are interactive. Once users have selected consent preferences in the cookie banner – if they interact with it at all – those preferences are saved by your website’s Consent Management Platform (CMP).
A cookie banner gives your website visitors control over their website experience, how they are tracked, and how their data is used. It informs visitors about the web technologies, including cookies, used on the website to ensure its proper functioning.
Additionally, cookies can also track user behavior and collect data about them and their actions.
Given this information, cookie banners must provide options to enable or prevent the use of those technologies.
Benefits of a privacy-compliant cookie banner
Privacy violations come with hefty fines. However, the worst part is losing your customers’ trust and the negative word of mouth that follows.
People are becoming increasingly aware of privacy and of their rights regarding their data. Showing that you take their privacy seriously via a cookie consent popup empowers them to control access to their data and can be a key competitive advantage.
Additionally, consent management best practices increase user trust. This means that people are more inclined to share more of their data upon seeing a cookie consent banner since a company is being transparent about its collection and purposes of use. More data means better insights for marketing, as well as more ad revenue.
Cookie banner requirements
Cookie banners have to provide visitors with clear information in plain language about:
- their privacy rights,
- which web technologies, like cookies, are used on that site,
- the purposes for which they are used.
A link to the company’s privacy policy should also be included.
Cookie banners have to provide users with consent options. So a website visitor must be able to opt in or opt out of the use of cookies entirely. Alternatively, they can customize which services they will allow to access their data.
Types of cookie consent banners
There are three primary types of cookie consent banners that can be integrated into a company’s website.
Notice-only cookie banner
This type of consent banner is usually located at the bottom of a page and informs people about the use of cookies being processed on a website. However, it does not give the option of a granular decision.
This is not a GDPR-compliant cookie banner. You can use notice-only cookie banners under the CPRA, but you’ll also need certain links on your homepage to be compliant.
Implied consent (opt-out) cookie banner
This popup or banner assumes user consent based on actions such as continuous use of the website. For instance, a banner might state, “Continuing to use this website will be taken as consent to use cookies.” Therefore, people are typically required to take action if they want to reject the use of certain types of cookies.
Opt-out cookie banners align with data privacy laws like the CCPA, which don’t mandate explicit user consent for cookies. However, this is not a GDPR-compliant cookie banner.
Explicit consent (opt-in) cookie banner
Lastly, this category of consent banner requires people to actively agree, typically by clicking “Accept,” to permit the use of cookies and other tracking technologies placed on their device. This option offers clearer control and is a cookie banner example that can be fully GDPR compliant.
Companies can choose the most suitable type of cookie consent banner based on factors such as user experience, jurisdictional compliance, and the specific needs of the website.
Cookie banner design examples and best practices
Cookie consent banners come in various designs. However, there are certain best practices to follow when creating a cookie consent pop-up to ensure that it is transparent, clear, and provides people with granular control while being user-friendly.
For starters, your cookie banner text should inform the visitor about the cookies the website is using and their purpose. It should leave no room for confusion. This means offering people both an “Accept” and a “Reject” option. Once someone sets their cookie preferences, they should be able to modify them at any time via a prominent link or button on the webpage.
Additionally, take the time to create a personalized consent banner that matches your brand’s visual identity. A cookie consent banner that fits in with your brand — in terms of colors, fonts, and language — feels more personal and intentional than one that hasn’t been customized at all.
How to install a cookie banner on my website?
There are multiple ways to install a cookie banner on your website. The first is to use a Consent Management Platform, such as Usercentrics, that enables you to create a customizable GDPR-compliant cookie banner in minutes. Our software will scan your website so you know which cookies and tracking technologies are collecting data. Then, we’ll help you comply with global privacy laws by recording and maintaining a log of the cookie consent you receive from website visitors.
Another option is to manually code a cookie banner for your website. Include a short explanation of the purpose of cookies, a clear statement of which action will signify consent, and a link to a cookie policy. However, under EU law, if your website uses any non-exempt cookies or scripts, those scripts must be prevented from running until a website visitor explicitly grants consent.
Therefore, a CMP is an easier option to implement as it requires less effort to set up and is more likely to help you remain compliant with privacy laws while automating the cookie consent management process.
Is a cookie banner mandatory?
While data privacy laws are passed in specific regions or countries, your website visitors and customers can come from pretty much anywhere in the world. So the type of cookie banner you need to comply with privacy law typically depends on where your visitors are located, not your company.
So the answer to “Do I need a cookie banner on my website?” is “Most likely you do, yes” and “Why would you risk not having one?” Especially given that, in addition to not wanting to risk violations and fines, you don’t want to jeopardize the trust of your users and customers.
Legally, cookie banners have to provide all of a user’s cookie usage consent options and the ability to exercise them equally. They cannot use text or graphics (or the absence of them) to manipulate users into the “consent” that the company wants.
However, not all privacy laws are the same. For example, the EU’s GDPR and Brazil’s LGPD use an opt-in model, where user consent must be obtained before data can be collected (or used).
However, under US laws like the CCPA, an opt-out model is used. So companies only have to obtain users’ consent before personal information is sold. Consent is not required before or when such data is collected.
There are also, or will be, more specific considerations for minors and for data classified as “sensitive personal information”, especially under the successor to the CCPA, the California Privacy Rights Act (CPRA).
GDPR-compliant cookie banner requirements and best practices
GDPR doesn’t explicitly mention cookies, but it does have several requirements for consenting to data processing and collection. According to Art. 4 of GDPR, user consent must be:
- Freely given
- Informed
- Specific
- Unambiguous
- Revocable
- Obtained before any data is collected
So to create a GDPR-compliant cookie banner, its appearance, content, and functionality must meet the above requirements. You cannot coerce or manipulate the user into giving consent; consent must be freely given. And you must clearly describe what kind of data your website will collect upon consent and what the implications of giving consent are.
A GDPR-compliant consent banner requires the following:
- The cookie banner or pop-up must indicate the use of cookies and other trackers on your website.
- The cookie banner must ensure that the user can give their consent.
- Users must have the option to give granular consent for different processing purposes.
- People must be presented with an opt-out option, which can be through a widget or a link.
- The banner must include a link to your full privacy policy, cookie policy, and cookie settings.
- The banner must document a user’s choice in the event of a review.
Cookie banner best practices to comply with CCPA and CPRA
To comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), your cookie banner should focus on providing a notice of collection. Inform users about your website’s data collection practices, including the use of cookies. This is according to CPRA Section 1798.135.
Unlike the GDPR, the CCPA and CPRA do not require businesses to obtain cookie consent. Instead, they emphasize the importance of providing users with a clear notice of data collection. This means that your cookie banner should be designed to serve as a notice of collection, providing easy-to-read and understandable information about the categories of personal information collected and the purposes of such collection.
In addition, companies also need to include the links mentioned above somewhere on their website homepage, usually in the footer.
Are there fines for non-compliant cookie banners?
Cookie banners are no longer just a formality, they are a necessity. And if your consent banner does not comply with local regulations, you’ll face hefty fines.
For example, under the GDPR, Art. 84, fines can be up to €20 million or 4% of a company’s global annual revenue, whichever is higher. In the US, the CCPA and CPRA can impose fines of up to $7,500 per violation. In the UK, the Information Commissioner’s Office (ICO) can impose fines of up to £17.5 million or 4% of a company’s global annual revenue, whichever is higher.
Fines can be imposed for various reasons, such as not obtaining proper consent, not providing clear information about data collection and use, or not giving users a genuine choice to accept or reject cookies.
Therefore, your cookie banner must be compliant with relevant local privacy laws to avoid potential fines.
Do all types of cookies require user consent?
Cookies are not the only web technology that can be used in a browser for tracking or data collection purposes. Tracking and retargeting pixels are also used. Regulations like the GDPR cover all such technologies that process personal data in any way.
“Strictly necessary” cookies enable a website to function as intended and do not require user consent to be loaded. For example, if you want your customers to be able to browse your e-commerce website while saving the items in their shopping cart, that requires cookies. And for this, you do not need consent. However, other types of cookies do require consent.
Analytics cookies, which provide details like how many visitors are on the website and what pages or functions they’re accessing, do require user consent. So do third-party cookies that track users when they go to other websites, and any web technologies that collect users’ personal information, such as name, IP address, location, or other data that can be used to identify a person.
A website should only load the cookies that a user has consented to. However, there are tools, like Google Consent Mode, that help recover valuable data and provide analytic modeling even without the data processing that’s enabled by user consent.
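As an added example that is not part of this article or of Usercentrics’ software, here is a minimal opt-in consent gate in browser JavaScript that ties together the two points above: non-exempt scripts stay blocked until the visitor explicitly opts in, only the strictly necessary category runs without consent, and consent is recorded per category with a timestamp and can be revoked. The category names, the storage key and the `data-consent-category` attribute are assumptions for this example.

```javascript
// Added example (not Usercentrics code): a minimal opt-in consent gate.
// Non-essential scripts are embedded inertly in the page as
//   <script type="text/plain" data-consent-category="analytics" src="/analytics.js"></script>
// Browsers do not execute type="text/plain", so nothing non-essential runs until
// activateScripts() rewrites the tag after the visitor has opted in to that category.

const CATEGORIES = ["essential", "analytics", "marketing"]; // assumed category names
const STORAGE_KEY = "cookie_consent_v1";                   // assumed localStorage key

// State before any interaction (and after revocation): only strictly necessary cookies are allowed.
function defaultConsent() {
  return { version: 1, timestamp: null, categories: { essential: true, analytics: false, marketing: false } };
}

// Record an explicit choice. Anything not affirmatively chosen stays refused (opt-in model),
// and "essential" cannot be switched off; the timestamp is kept for the consent log.
function recordConsent(choices, now = Date.now()) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = c === "essential" || choices[c] === true;
  return { version: 1, timestamp: now, categories };
}

// Read a persisted record (e.g. localStorage.getItem(STORAGE_KEY)); anything malformed
// or of an unknown version counts as "no consent given".
function loadConsent(raw) {
  try {
    const parsed = JSON.parse(raw);
    if (!parsed || parsed.version !== 1 || typeof parsed.categories !== "object") return defaultConsent();
    return recordConsent(parsed.categories, parsed.timestamp);
  } catch (e) {
    return defaultConsent();
  }
}

// Unknown categories are treated as refused, so a mislabelled script stays blocked.
function isAllowed(consent, category) {
  return category === "essential" || consent.categories[category] === true;
}

// Replace each blocked tag whose category is allowed with a live script (doc is window.document).
function activateScripts(doc, consent) {
  let activated = 0;
  for (const old of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    if (!isAllowed(consent, old.dataset.consentCategory)) continue;
    const live = doc.createElement("script");
    if (old.src) live.src = old.src; else live.textContent = old.textContent;
    old.replaceWith(live); // inserting the new element is what triggers loading/execution
    activated++;
  }
  return activated;
}
```

The banner’s “Accept” and “Reject” handlers call recordConsent, persist the result under STORAGE_KEY, and then call activateScripts; a “Cookie settings” link lets the visitor store defaultConsent() again to revoke, after which only essential scripts run on the next page load.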
To achieve full privacy compliance on a website, a simple cookie banner is not enough to meet GDPR requirements. And other international privacy laws, such as the California Consumer Privacy Act (CCPA), have specific requirements as well. Therefore, using a cookie banner correctly is just one part of a solid data privacy strategy for your website.
A Consent Management Platform will help you check off all necessary privacy compliance requirements, no matter what your website is used for, and even if you’re subject to multiple countries’ data privacy laws.
How a Consent Management Platform (CMP) can help
A Consent Management Platform (CMP), such as Usercentrics, offers all the necessary features to ensure you can create, design, and publish a privacy-compliant cookie banner. Specify the relevant laws and the web technologies used on your site, customize the appearance of your banner, and communicate clearly with your website visitors to maintain an accessible and transparent privacy policy for everyone.