Understanding the cookie popup

Privacy-led marketing and compliance with global privacy laws require companies to implement a cookie popup that informs users and asks them for their consent. Here’s what you need to know for great user experience, high-quality data, and privacy compliance.
Resources / Blog / Understanding the cookie popup
Published by Usercentrics
10 mins to read
Aug 6, 2024
Start scan

Being a successful enterprise company today means understanding and adhering to global privacy regulations and business requirements to protect user data and respect privacy.

One critical digital component of privacy compliance is the cookie popup, which has become a familiar notification on websites and apps. These popups serve a dual purpose: they inform website and app users about data collection and request their permission to collect and use personal data.

As global privacy laws like the GDPR and CPRA tighten their grip and online consumers become more savvy, cookie popups have become indispensable tools for maintaining transparency, protecting revenue, and building trust with users.

We explore the importance of cookie popups, details of implementation, and best practices for great user experience, high consent rates, and achieving and maintaining privacy compliance.

A cookie pop-up, also known as a cookie banner or consent banner, is a notification that appears on a digital property to inform visitors and users about the use of components and other tracking cookies and to ask for their permission to use them to collect personal data.

A cookie popup appears on websites, apps, and other digital platforms where data is collected, and outlines the types of third-party cookies and other tracking technologies used on the site and what they’re used for. It also informs users about the data collected via cookies, parties that may access the data, and other factors, depending on relevant privacy regulation requirements.

Under European rules like the General Data Protection Regulation (GDPR) and ePrivacy Directive (also sometimes known as the “cookie law”), websites and apps must comply with more than just notification requirements. When collecting users’ personal data, digital property owners have certain obligations regarding users’ data privacy. For instance, securely storing data collected, including consent choices, or not disclosing or selling the data to third parties without prior consent from users in many cases.

Desktop Banner

Cookie popups are important for website owners, app publishers, and others with platforms that collect personal data. They’re also important to consumers whose data is being requested as well. They let users know what technologies can collect their data, for what purposes, and enable (ideally) granular consent options, which usually also need to be changeable or revocable over time to be privacy-compliant.

The main reason to implement a cookie popup is to comply with global privacy laws, such as the GDPR and the California Privacy Rights Act (CPRA). By using these popups, websites can demonstrate their compliance and commitment to user privacy, thereby building trust with visitors. This trust enhances user engagement, leading to higher-quality data, which in turn benefits marketing operations and boosts revenue.

Additionally, cookie popups give users control over their data. By enabling people to choose which cookies they feel comfortable accepting, website owners are improving the website browsing experience.

For businesses, cookie popups enable the collection of useful data for improving website performance and marketing strategies in a legally compliant way. This can also contribute to improving ecommerce and product development.

Cookie popups play a crucial role in compliance with data privacy laws across the globe. Many regulations, such as the GDPR, require websites to gather explicit consent from users before collecting, using, or sharing their data through cookies. Other laws, like those in the US, usually only require users to be able to opt-out.

To comply with global data privacy laws, website owners and app publishers must follow a few key requirements of cookie popup use.

  • Transparency: Cookie popups must clearly disclose the types of cookies and other tracking technologies in use and explain the purposes of data collection and third-party access to the data, among other considerations.
  • User control: Popups should provide users with granular control over their cookie preferences, enabling them to accept or reject different categories of cookies (e.g., functional, analytical, marketing), referred to as granular consent.
  • Informed consent: The information provided in the popup must be clear and easily understandable and avoid legal or technical jargon to ensure users can make informed decisions. Ideally, the popup will also have geotargeting functionality to enable display in users’ preferred languages around the world.
  • Active consent: Websites and apps must obtain affirmative action from users indicating their agreement before placing non-essential cookies. Consent cannot be assumed, manipulated, or pre-set.
  • Accessibility: Cookie popups should be designed to be user-friendly and accessible across different devices, including mobile, and for users with different abilities and browsing setups.
  • Policy links: The popup should include links to more detailed cookie or privacy policies for users who want additional information on data processing, their rights, and how to exercise them.
  • Regular updates: Cookie policies and popups should be regularly updated to reflect changes in tracking technologies present on a website, data processing practices, or new or updated regulations. New user consent may also need to be obtained if data processing practices change.

While cookie popups are not explicitly mandated by all privacy laws, they have become a common practice for demonstrating compliance and respecting user privacy. For instance, while the CPRA doesn’t specifically require cookie popups, many websites use them to comply with the law’s broader privacy protection requirements.

Cookie popup

International laws requiring cookie consent popups

Various countries have different regulations related to cookie consent popups.

  • General Data Protection Regulation (GDPR): This EU regulation, effective since May 2018, is one of the most comprehensive laws requiring explicit consent for non-essential cookies. It has been influential on subsequent data privacy laws around the world.
  • ePrivacy Directive: This EU directive specifically targets the use of cookies and similar technologies used in electronic communications, requiring prior informed consent from users. It will eventually be codified into a regulation.
  • California Consumer Privacy Act (CCPA): While not explicitly mandating cookie popups, the CCPA requires businesses to provide clear information about data collection practices and offer opt-out options. From January 1st, 2023, the CPRA modifies and expands the CCPA. Popups can also assist with privacy compliance for companies that have to comply with multiple US state-level laws.
  • Lei Geral de Proteção de Dados (LGPD): General Data Protection Law in English, Brazil’s data protection regulation includes provisions that necessitate transparent cookie practices.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): Canada’s privacy law affects how businesses handle personal information, including through cookies. Uses a hybrid approach to consent requirements (i.e. opt-in and opt-out).
  • South Africa’s Protection of Personal Information Act (POPIA): This law predates the GDPR and has implications for cookie usage and consent requirements. One of the few international privacy laws that can result in prison sentences for violations.

It’s important to note that while these laws influence cookie consent practices globally, the specific requirements for cookie popups can vary by jurisdiction. Many websites implement cookie consent mechanisms to comply with these various regulations, especially if they have a global audience.

Typically, data privacy laws protect residents of the jurisdiction where they are active, e.g. the GDPR protects residents of the EU. Many laws are also extraterritorial, which means it doesn’t matter where companies are located if they process the data of residents of the region where the law is active. So a US-based company has to comply with the GDPR if it processes data of EU residents.

The list above covers the more well-known privacy regulations, but it is not exhaustive. To date, the majority of the world’s population is covered by one or more privacy regulations. It’s important for website owners and app publishers to be up to date on the jurisdictions and laws relevant to their business, and the compliance requirements. Companies should consult qualified legal counsel and/or a privacy expert.

When implementing a cookie consent popup on your website, it’s crucial to ensure compliance with privacy regulations and provide a good user experience. Use the following checklist to create an effective and compliant cookie consent mechanism:

  • Clear information: Explain which cookies you use, to collect which kinds of data, and why. Specify the types of cookies, e.g. necessary, functional, analytics, marketing). Mention if third-party cookies are used, and who sets them.
  • Give consent options: Provide equal consent options, like both “Accept and “Reject” buttons, both overall consent to cookie use and ideally options for granular consent to some cookies. Do not use manipulative tactics like prechecking boxes or only showing an “Accept All” option.
  • Active consent collection: Require users to take a clear affirmative action that’s recorded, e.g. clicking a button. Do not use scrolling or continued browsing as consent, which is prohibited under many laws.
  • Enable easy consent withdrawal: Provide a method for users to easily change their preferences or withdraw consent. Include a persistent “cookie widget” or callback button to make it easy to access.
  • Timely consent collection: Obtain consent before setting any non-essential cookies in jurisdictions where this is required. Best practice would be to block cookies automatically until consent is obtained.
  • Consent storage: Securely store user consents for as long as needed for privacy compliance and other legal requirements. Be ready to provide information in the event of data protection authorities’ inquiry or data subject access request.
  • Provide users with more information: Include a link to your full cookie policy or privacy policy that is prominent on any website page or app screen. Ensure it’s kept up to date.
  • Visibility and accessibility: Ensure the popup is prominently displayed and easily noticeable. Make it accessible on all devices (desktop and mobile) but also well branded and user-friendly to use. Don’t use it to block user access to websites or apps unless they give consent.
  • Language and readability: Use clear, understandable language without technical or legal jargon. Provide the banner in all languages your website supports, ideally with automatic geotargeting.
  • Respect user choices: Implement technical measures to honor user preferences. Block non-essential cookies until consent is given. If users decline consent, don’t ask again before the legally allowed period of time, e.g. 12 months, depending on the law. If your data processing purposes change, however, you may be legally required to get new consent, however.

By following this checklist, you can create a compliant cookie consent popup that respects user privacy and provides a good user experience.

There are multiple ways to install a cookie popup on your website.

The first is to use a consent management platform (CMP), such as Usercentrics CMP or Cookiebot CMP, that enables you to create a customizable and compliant cookie banner in minutes.

These CMPs will scan your website so you know which cookies and tracking technologies are collecting data, and create a cookie declaration that you can use alongside a privacy policy. The CMPs also record and securely store consent records, with a log of the cookie consent you receive from website visitors over time.

If you have a WordPress website, WordPress offers a range of cookie popup plugins, like the Cookiebot™ WordPress Plugin, that enable website owners to add a privacy-compliant cookie popup without compromising user experience. We’ve compiled a resource that enables you to compare the 10 Best WordPress cookie consent plugins.

Another option is to manually code a cookie banner for your website. Add a short explanation of the purpose of cookies, a clear statement on which action will signify consent and a link to your cookie policy. However, under EU law, if your website uses any non-exempt cookies or scripts, these scripts must be prevented from running until a website visitor explicitly grants consent.

A “DIY” approach to a cookie popup is not recommended for small businesses, due to the amount of work to build and maintain it, the expense of accessing qualified legal consultation to enable compliance, and the regulatory risks of mistakes or missing crucial components.

Discover which cookies and tracking technologies are active on your website to be compliant with CCPA, GDPR, LGPD, and more.

Cookie popups are no longer just a formality, they are a necessity. If your cookie consent popup does not comply with relevant regulations, you could face hefty fines, operational disruptions, loss of customer trust and brand reputation, and a long-term hit to revenue.

For example:

  • Under Art. 84 GDPR, fines can be up to 20 million EUR or 4 percent of a company’s global annual revenue, whichever is higher.
  • In the US, the California Privacy Protection Agency (CPPA) can impose fines of up to USD 7,500 per violation.
  • Under Switzerland’s FADP, fines can be levied against private individuals, not just companies.
  • In the UK, the Information Commissioner’s Office (ICO) can impose fines of up to GDP 17.5 million or 4 percent of a company’s global annual revenue, whichever is higher.
  • In South Africa and a few other countries, violations can result in prison sentences of up to 10 years for certain violations.

Fines can be imposed for various reasons, such as not obtaining proper consent, not providing clear information about data collection and use, or not giving users a genuine choice to accept or reject cookies. Fines are generally more severe for repeat offenses or willful violations.

Privacy compliance is now a key factor in business success. By taking data privacy seriously, you can gain a competitive edge and boost your marketing campaigns.

A consent management platform (CMP) provides tools to help you achieve and maintain compliance with data privacy laws such as the GDPR, the ePrivacy Directive, and CPRA.

For example, Usercentrics CMP and Cookiebot CMP automatically scan your website to find, categorize, and list all cookies and trackers in use, including third-party ones. It helps you create personalized consent banners with relevant jurisdictional information to inform visitors and request their permission to use cookies.

Usercentrics and Cookiebot CMPs are also Google-certified, integrating seamlessly with Google Consent Mode and Google Tag Manager, enabling compliance with Google’s privacy requirements and maintenance of your marketing activities, including personalization and retargeting, in the EU, UK, and Switzerland.

Sign up for a free trial and experience how easily you can create a compliant cookie popup and start gathering consent from your website visitors.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.