Being a successful enterprise company today means understanding and adhering to global privacy regulations and business requirements to protect user data and respect privacy.

One critical digital component of privacy compliance is the cookie popup, which has become a familiar notification on websites and apps. These popups serve a dual purpose: they inform website and app users about data collection and request their permission to collect and use personal data.

As global privacy laws like the GDPR and CPRA tighten their grip and online consumers become more savvy, cookie popups have become indispensable tools for maintaining transparency, protecting revenue, and building trust with users.

We explore the importance of cookie popups, details of implementation, and best practices for great user experience, high consent rates, and achieving and maintaining privacy compliance.

What is a cookie popup?

A cookie pop-up, also known as a cookie banner or consent banner, is a notification that appears on a digital property to inform visitors and users about the use of components and other tracking cookies and to ask for their permission to use them to collect personal data.

A cookie popup appears on websites, apps, and other digital platforms where data is collected, and outlines the types of third-party cookies and other tracking technologies used on the site and what they’re used for. It also informs users about the data collected via cookies, parties that may access the data, and other factors, depending on relevant privacy regulation requirements.

Under European rules like the General Data Protection Regulation (GDPR) and ePrivacy Directive (also sometimes known as the “cookie law”), websites and apps must comply with more than just notification requirements. When collecting users’ personal data, digital property owners have certain obligations regarding users’ data privacy. For instance, securely storing data collected, including consent choices, or not disclosing or selling the data to third parties without prior consent from users in many cases.

The importance of a cookie popup

Cookie popups are important for website owners, app publishers, and others with platforms that collect personal data. They’re also important to consumers whose data is being requested as well. They let users know what technologies can collect their data, for what purposes, and enable (ideally) granular consent options, which usually also need to be changeable or revocable over time to be privacy-compliant.

The main reason to implement a cookie popup is to comply with global privacy laws, such as the GDPR and the California Privacy Rights Act (CPRA). By using these popups, websites can demonstrate their compliance and commitment to user privacy, thereby building trust with visitors. This trust enhances user engagement, leading to higher-quality data, which in turn benefits marketing operations and boosts revenue.

Additionally, cookie popups give users control over their data. By enabling people to choose which cookies they feel comfortable accepting, website owners are improving the website browsing experience.

For businesses, cookie popups enable the collection of useful data for improving website performance and marketing strategies in a legally compliant way. This can also contribute to improving ecommerce and product development.

Cookie popups and data privacy laws

Cookie popups play a crucial role in compliance with data privacy laws across the globe. Many regulations, such as the GDPR, require websites to gather explicit consent from users before collecting, using, or sharing their data through cookies. Other laws, like those in the US, usually only require users to be able to opt-out.

To comply with global data privacy laws, website owners and app publishers must follow a few key requirements of cookie popup use.

• Transparency: Cookie popups must clearly disclose the types of cookies and other tracking technologies in use and explain the purposes of data collection and third-party access to the data, among other considerations.
• User control: Popups should provide users with granular control over their cookie preferences, enabling them to accept or reject different categories of cookies (e.g., functional, analytical, marketing), referred to as granular consent.
• Informed consent: The information provided in the popup must be clear and easily understandable and avoid legal or technical jargon to ensure users can make informed decisions. Ideally, the popup will also have geotargeting functionality to enable display in users’ preferred languages around the world.
• Active consent: Websites and apps must obtain affirmative action from users indicating their agreement before placing non-essential cookies. Consent cannot be assumed, manipulated, or pre-set.
• Accessibility: Cookie popups should be designed to be user-friendly and accessible across different devices, including mobile, and for users with different abilities and browsing setups.
• Policy links: The popup should include links to more detailed cookie or privacy policies for users who want additional information on data processing, their rights, and how to exercise them.
• Regular updates: Cookie policies and popups should be regularly updated to reflect changes in tracking technologies present on a website, data processing practices, or new or updated regulations. New user consent may also need to be obtained if data processing practices change.

While cookie popups are not explicitly mandated by all privacy laws, they have become a common practice for demonstrating compliance and respecting user privacy. For instance, while the CPRA doesn’t specifically require cookie popups, many websites use them to comply with the law’s broader privacy protection requirements.

International laws requiring cookie consent popups

Various countries have different regulations related to cookie consent popups.

• General Data Protection Regulation (GDPR): This EU regulation, effective since May 2018, is one of the most comprehensive laws requiring explicit consent for non-essential cookies. It has been influential on subsequent data privacy laws around the world.
• ePrivacy Directive: This EU directive specifically targets the use of cookies and similar technologies used in electronic communications, requiring prior informed consent from users. It will eventually be codified into a regulation.
• California Consumer Privacy Act (CCPA): While not explicitly mandating cookie popups, the CCPA requires businesses to provide clear information about data collection practices and offer opt-out options. From January 1st, 2023, the CPRA modifies and expands the CCPA. Popups can also assist with privacy compliance for companies that have to comply with multiple US state-level laws.
• Lei Geral de Proteção de Dados (LGPD): General Data Protection Law in English, Brazil’s data protection regulation includes provisions that necessitate transparent cookie practices.
• Personal Information Protection and Electronic Documents Act (PIPEDA): Canada’s privacy law affects how businesses handle personal information, including through cookies. Uses a hybrid approach to consent requirements (i.e. opt-in and opt-out).
• South Africa’s Protection of Personal Information Act (POPIA): This law predates the GDPR and has implications for cookie usage and consent requirements. One of the few international privacy laws that can result in prison sentences for violations.

It’s important to note that while these laws influence cookie consent practices globally, the specific requirements for cookie popups can vary by jurisdiction. Many websites implement cookie consent mechanisms to comply with these various regulations, especially if they have a global audience.

Typically, data privacy laws protect residents of the jurisdiction where they are active, e.g. the GDPR protects residents of the EU. Many laws are also extraterritorial, which means it doesn’t matter where companies are located if they process the data of residents of the region where the law is active. So a US-based company has to comply with the GDPR if it processes data of EU residents.

The list above covers the more well-known privacy regulations, but it is not exhaustive. To date, the majority of the world’s population is covered by one or more privacy regulations. It’s important for website owners and app publishers to be up to date on the jurisdictions and laws relevant to their business, and the compliance requirements. Companies should consult qualified legal counsel and/or a privacy expert.

Cookie consent popup best practices checklist

When implementing a cookie consent popup on your website, it’s crucial to ensure compliance with privacy regulations and provide a good user experience. Use the following checklist to create an effective and compliant cookie consent mechanism:

By following this checklist, you can create a compliant cookie consent popup that respects user privacy and provides a good user experience.

How do you add a cookie popup to a website?

There are multiple ways to install a cookie popup on your website.

The first is to use a consent management platform (CMP), such as Usercentrics CMP or Cookiebot CMP, that enables you to create a customizable and compliant cookie banner in minutes.

These CMPs will scan your website so you know which cookies and tracking technologies are collecting data, and create a cookie declaration that you can use alongside a privacy policy. The CMPs also record and securely store consent records, with a log of the cookie consent you receive from website visitors over time.

If you have a WordPress website, WordPress offers a range of cookie popup plugins, like the Cookiebot™ WordPress Plugin, that enable website owners to add a privacy-compliant cookie popup without compromising user experience. We’ve compiled a resource that enables you to compare the 10 Best WordPress cookie consent plugins.

Another option is to manually code a cookie banner for your website. Add a short explanation of the purpose of cookies, a clear statement on which action will signify consent and a link to your cookie policy. However, under EU law, if your website uses any non-exempt cookies or scripts, these scripts must be prevented from running until a website visitor explicitly grants consent.

A “DIY” approach to a cookie popup is not recommended for small businesses, due to the amount of work to build and maintain it, the expense of accessing qualified legal consultation to enable compliance, and the regulatory risks of mistakes or missing crucial components.

Consequences for a non-compliant cookie popup

Cookie popups are no longer just a formality, they are a necessity. If your cookie consent popup does not comply with relevant regulations, you could face hefty fines, operational disruptions, loss of customer trust and brand reputation, and a long-term hit to revenue.

For example:

• Under Art. 84 GDPR, fines can be up to €20 million EUR or 4 percent of a company’s global annual revenue, whichever is higher.
• In the US, the California Privacy Protection Agency (CPPA) can impose fines of up to USD 7,500 per violation.
• Under Switzerland’s FADP, fines can be levied against private individuals, not just companies.
• In the UK, the Information Commissioner’s Office (ICO) can impose fines of up to GDP 17.5 million or 4 percent of a company’s global annual revenue, whichever is higher.
• In South Africa and a few other countries, violations can result in prison sentences of up to 10 years for certain violations.

Fines can be imposed for various reasons, such as not obtaining proper consent, not providing clear information about data collection and use, or not giving users a genuine choice to accept or reject cookies. Fines are generally more severe for repeat offenses or willful violations.

How a Consent Management Platform (CMP) can help

A consent management platform (CMP) provides tools to help you achieve and maintain compliance with data privacy laws such as the GDPR, the ePrivacy Directive, and CPRA.

For example, Usercentrics CMP and Cookiebot CMP automatically scan your website to find, categorize, and list all cookies and trackers in use, including third-party ones. It helps you create personalized consent banners with relevant jurisdictional information to inform visitors and request their permission to use cookies.

Usercentrics and Cookiebot CMPs are also Google-certified, integrating seamlessly with Google Consent Mode and Google Tag Manager, enabling compliance with Google’s privacy requirements and maintenance of your marketing activities, including personalization and retargeting, in the EU, UK, and Switzerland.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Google has introduced two new parameters to Consent Mode, required for personalized advertising from March 2024. If you’re using Google Ads, Google Analytics, and/or the Google Marketing Platform for serving personalized ads in the EU/EEA and UK, you now need to update your consent management to meet Google’s new requirements.

Consent Mode is a tool that signals users’ consent choices to Google tags or SDK so that they can adjust their behavior to align with data privacy requirements. It also enables modeling to recover lost conversions.

Watch our webinar to learn the four steps you need to take now, and how you can protect your ad revenue for 2024 and beyond.

Our expert speakers will guide you through:

• Updating your consent management to meet Google’s new requirements
• Protecting your ad revenue in 2024 and beyond
• Leveraging modeling methods to optimize conversions and drive growth

Watch this expert discussion and ensure your campaigns remain effective in the face of industry changes. Take proactive steps to safeguard your ad revenue and stay compliant with Google’s latest regulations.

Visit Usercentrics at Booth 30 at eTail Nordic 2023
Date: October 10-11, 2023
Place: Radisson Blu Scandinavia Hotel, Amager Boul. 70, 2300,
Copenhagen, Denmark

Schedule a meeting time that’s convenient for you

eTail Nordic is the Nordics premier ecommerce conference. It is the event for Heads of Ecommerce, Digital, and Marketing from leading Nordic and European retailers and brands.

eTail Nordic features small group activities to facilitate making stronger connections and more personalized learning.

Discover strategies from top retail and brand leaders on how to:

• Optimize omnichannel strategies to transform customer journeys
• Supercharge customer experiences to build loyalty and attract new audiences
• Align the digital and physical worlds to exceed rising consumer expectations
• Use fulfillment tech to revolutionize the post-purchase experience
• Embrace digital innovations to deliver hyper-personalized customer experiences

Book a free personalized consultation

Usercentrics invites you to visit us at Booth 30 at eTail Nordic and engage with our data privacy experts. We will be offering one-on-one consultations at our booth to answer your questions and help with your consent-based marketing and data privacy challenges.

Get information and advice on:

• Data privacy compliance with the GDPR and other regulations
• Optimizing cookie banners on websites, apps, and ecommerce
• Building user trust to increase engagement and revenue
• Combining consent management and preference management for optimal user experience and marketing opportunities
• Ensuring ongoing regulatory compliance while getting the data you need for marketing operations

What you’ll gain from your consultation

• Learn strategies to build user trust and increase engagement in ecommerce
• Get expert advice and tools to help you comply with privacy regulations
• Explore successful user engagement and marketing techniques in retail and branding

Who can benefit from a consultation?

Does your company have a growing brand, retail and/or ecommerce presence? Do you collect user data online? Do you need to achieve and maintain data privacy compliance? Our consultation can provide valuable insights tailored to your needs for your audience, region, and regulations.

Visit Usercentrics’ booth at DMEXCO 2023

Date: September 20 and 21, 2023
Place: Cologne, Germany, Messeplatz 1, Hall 7, Booth F-017

DMEXCO is one of the world’s leading digital marketing conferences. It brings together industry experts, marketing professionals, and tech innovators to explore the latest trends and technologies in digital marketing, advertising, and ecommerce. It takes place in Cologne this year and Usercentrics will be a prominent exhibitor at the event.

In addition to sharing our expertise on stage, we will also be providing personalized consultations directly at our booth. You can benefit from one-on-one discussions with our experts to address your specific consent management questions and concerns.

Free personalized consultation

Book your free personalized consultation with our experts at our booth and they will answer your questions. Ask them about privacy compliance, cookie banners, user data collection and storage, or consent-based digital marketing.

• Check if your banner is privacy compliant.
• Learn how to use your cookie banner to get more users to accept marketing cookies.
• Ask about strategies for collecting and analyzing higher quality user data.
• Learn how to build trust with customers using clear consent management and privacy policies.
• Get expert advice and tools to help you comply with privacy regulations, build user trust, and grow your business.

Who can benefit from this meeting?

You can especially benefit from this meeting if your company:

• sells products or services to users and collects user data for marketing purposes
• needs to comply with local privacy laws and is looking for professional tools and strategies to achieve compliance
• needs to use various cookies on their website and avoid potentially hefty fines for noncompliant use

Schedule a meeting time that is convenient for you.

Get to know fraud0

We will be sharing the booth with fraud0, which helps companies protect themselves from fake activity created by bots, such as fraudulent ad impressions. They offer AI-based technology that easily integrates with the Usercentrics Consent Management Platform.