Cookie Consent Banner Requirements: Ultimate Guide
With many data privacy laws requiring cookie consent banners for your visitors, it can be hard to know what these banners should include.
In this article, we’ll look at the most important cookie consent banner requirements you should watch out for.
Let’s dig in.
- Cookie consent banners inform the consumer about the website’s data collection and processing
- They benefit both the consumer and the business
- The main cookie consent requirements include: being clear and concise, and having options to accept or reject cookies, modify cookies, learn more, and an option to dismiss the banner
What is a Cookie Consent Banner?
Tip: Have an option where the user can toggle preferences in the cookie banner.
Why are Cookie Consent Banners Important?
Cookie consent banners are important for many reasons, not only for businesses but for consumers too.
For the business, cookie consent banners help to:
- Improve user experience
By allowing users to select which types of cookies they want to allow, cookie consent banners help the business offer a more tailored user experience on their website.
- Increase transparency
Cookie consent banners also help the business be more transparent in how it handles data privacy, thus building trust and credibility with its consumers.
- Refine analytics accuracy
When consumers consent to analytics cookies, the business obtains more accurate usage data, which in turn helps it make more informed business decisions.
- Minimize legal risk
With many data privacy laws requiring cookie consent banners, failing to comply can lead to fines and penalties for the business.
For example, failing to comply with GDPR cookie consent requirements can lead to a fine of up to €10 million or 2% of the company's global annual turnover for less severe violations, or up to €20 million or 4% of global annual turnover for the most severe ones.
At the same time, cookie consent banners help the consumer to:
- Personalize their website experience
By being able to choose which cookie types they want to allow, consumers get a more personalized experience on the website they are visiting.
- Increase privacy awareness
Cookie consent banners serve to inform the visitor how their data will be used by the website, thus greatly raising their privacy awareness and helping them make more informed privacy choices.
- Reduce the feeling of being “watched”
Some types of cookies can be used for targeting or monitoring the user for advertising purposes. By empowering users to disallow these types of cookies, the business helps reduce the feeling of being “watched” all the time.
- Build a positive relationship with the business
Finally, with the business showing commitment to protecting its consumers’ privacy and respecting their choices, this in turn creates a positive relationship between the two.
Cookie Consent Banner Requirements
Cookie consent banner requirements vary from country to country and from one law to another. Here’s an overview of the requirements from the most common compliance frameworks:
GDPR Cookie Consent Banner Requirements
Under GDPR, businesses must obtain valid and informed consent from consumers through cookie consent banners before they can process their personal information using cookies placed on the website.
To be compliant with the GDPR, cookie consent banners must, first and foremost, adhere to Article 4(11), which defines consent as:
“Freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear indicative action, signifies agreement to the processing of personal data relating to him or her.”
In this case, such a “clear, indicative action” would be the user clicking the “accept cookies” button on the cookie consent banner.
More specifically, cookie consent banner requirements are outlined in several GDPR articles and recitals, including:
- Article 7 - Conditions for consent: the consent request must be easy to access and written in clear, plain language
- Article 13 - Information to be provided where personal data are collected from the data subject: the purpose of the data processing must be disclosed
- Article 22 - Automated decision-making and profiling: the consumer has the right not to be subject to decisions based solely on automated processing, unless they gave their explicit consent (for example, through the cookie consent banner)
- Recital 32 - Consent: must be clear, freely given, specific, informed, and unambiguous
- Recital 42 - Burden of proof and requirements for consent: the data controller must be able to demonstrate that the data subject has given consent
CCPA/CPRA Cookie Consent Banner Requirements
That said, several sections of both are of particular note here:
- CCPA Section 1798.100 - Notice at Collection: a business must provide a “Notice at Collection” to consumers
- CCPA Section 1798.120 - Right to opt-out: a clear “Do Not Sell My Personal Information” link must be available on the homepage
- CPRA Section 1798.105 - User Rights: the CPRA amended the CCPA by adding the user right to correct inaccurate personal information
- CPRA Section 1798.121 - Sensitive personal information: explains what SPI is
- CPRA Section 1798.185 - Transparency: disclosing the type of data collected and the data retention period
PIPEDA Cookie Consent Banner Requirements
Similarly to the CCPA/CPRA, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) also doesn’t include special provisions regarding cookie consent banners.
There are, however, several PIPEDA principles that are related to them:
- Principle 3 - Consent: must be meaningful
- Principle 4 - Limiting collection: data collection must be limited to a specific purpose
- Principle 5 - Limiting use, disclosure, and retention: personal information can only be used, disclosed, and retained for the purposes for which it is collected
- Principle 6 - Consent withdrawal: consumers can withdraw their consent at any time
- Principle 9 - Individual access: consumers can access and request corrections of their personal information
UK GDPR Cookie Consent Banner Requirements
Since the UK GDPR is largely based on the same principles as the EU GDPR, there’s very little difference between the two when it comes to cookie consent banner requirements.
However, it should be noted that the two regulations often use different terminology and also have a different territorial scope and supervisory authority.
Tips for a Compliant Cookie Consent Banner
Cookie consent banners will differ based on the data privacy law they need to comply with.
For instance, since the GDPR follows an opt-in approach, the cookie consent banner needs to include options to accept, reject, or customize cookies.
On the other hand, the CCPA/CPRA follows an opt-out approach: the business must inform the consumer that it collects data via cookies, but it is up to the consumer to opt out of data processing via cookies.
Besides this, here are some more tips for designing a compliant cookie consent banner:
Ensure the Information is Clear & Concise
A vital requirement for a good cookie consent banner is that it is clear and concise about its purpose and what it does. For example, the following cookie consent banner did that well:
First, the heading “We value your privacy” indicates the business’s commitment to protecting its visitors’ privacy, which in turn builds trust.
Finally, it includes buttons to accept, reject, and customize cookie preferences instead of just to accept. If we are to find any issue, it would probably be that the “Accept All” button is more prominent than the other buttons, thus potentially influencing the user’s decision.
Adjust the Size and Position of the Cookie Consent Banner
The cookie consent banner should not be an obstacle to user experience. It is best to position the banner where it least obstructs the user’s view of the webpage content, which is at the top or bottom of the page.
Do Not Use Pre-Ticked Boxes
Consent must be given freely and deliberately according to GDPR. Pre-ticked cookie consent boxes are not compliant with the regulation, so do not use them.
Provide Granular Consent Options
At a minimum, you should provide options to accept or reject cookies.
However, by offering granular consent options, you empower consumers to enable or disable individual cookie categories (analytics, marketing, preferences, etc.).
This way, they can choose exactly the cookies that fit their needs and preferences.
Make it Easy to Opt-Out and Modify Cookie Preferences
Finally, you should provide an easy way for the consumers to withdraw their previous consent or modify it via a button or link in the banner.
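As an added example (not code from the article or from any consent vendor), the following JavaScript models the consent state that the banner's buttons drive: in opt-in mode (GDPR/UK GDPR) every non-essential category starts unchecked and stays blocked until the user actually decides, in opt-out mode (CCPA/CPRA) it starts allowed until the user opts out, and every button returns a new state that can be serialized as proof of what was consented to and when. The category list and function names are assumptions for illustration.

```javascript
// Added example: a minimal consent-state model for a cookie banner (hypothetical names).
const CATEGORIES = ["analytics", "marketing", "preferences"]; // "necessary" is always allowed

// mode "opt-in" models GDPR/UK GDPR: nothing non-essential runs until the user agrees.
// mode "opt-out" models CCPA/CPRA: collection is allowed until the user opts out.
function createConsentState(mode) {
  if (mode !== "opt-in" && mode !== "opt-out") throw new Error("unknown consent mode: " + mode);
  const choices = {};
  for (const c of CATEGORIES) choices[c] = mode === "opt-out"; // opt-in: no pre-ticked boxes
  return { mode, choices, decided: false, recordedAt: null };
}

// Gate for script loaders: may a tag in `category` run right now?
function isAllowed(state, category) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false; // unknown category: fail closed
  if (state.mode === "opt-in" && !state.decided) return false; // dismissing the banner is not consent
  return state.choices[category] === true;
}

// Granular decision from the "customize" panel; returns a new state, never mutates the old one.
function recordDecision(state, choices, now = Date.now()) {
  const next = { ...state, choices: { ...state.choices }, decided: true, recordedAt: now };
  for (const c of CATEGORIES) {
    if (typeof choices[c] === "boolean") next.choices[c] = choices[c]; // unknown keys are ignored
  }
  return next;
}

function acceptAll(state, now) {
  return recordDecision(state, Object.fromEntries(CATEGORIES.map((c) => [c, true])), now);
}

// "Reject all" and a later "withdraw consent" produce the same state: an explicit no.
function rejectAll(state, now) {
  return recordDecision(state, Object.fromEntries(CATEGORIES.map((c) => [c, false])), now);
}

// Serializable record to persist (e.g. in a first-party cookie) so the business can
// demonstrate what was consented to and when, as GDPR Recital 42 requires.
function consentRecord(state) {
  return JSON.stringify({ mode: state.mode, choices: state.choices, recordedAt: state.recordedAt });
}
```

Third-party analytics or marketing tags should be loaded only after `isAllowed` returns true for their category, and the "modify preferences" link should reopen the customize panel and call `recordDecision` again.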
Penalty for a Non-Compliant Cookie Consent Banner
Although there are no penalties specifically for non-compliant cookie consent banners, each data privacy law includes its own fines for violations.
GDPR Penalties
- Up to €10 million or 2% of the global annual turnover (whichever is higher) for lesser violations
- Up to €20 million or 4% of the global annual turnover (whichever is higher) for more severe violations
CCPA/CPRA Penalties
- $2,500 for an unintentional data privacy violation
- $7,500 for an intentional data privacy violation and violations that involve consumers under 16 years of age
PIPEDA Penalties
- Up to 10,000 CAD for non-compliance with certain PIPEDA provisions.
- Up to 100,000 CAD for non-compliance with PIPEDA's security breach notification requirements.
UK GDPR Penalties
- Up to £9 million or 2% of the annual turnover (whichever is higher) for lesser violations.
- Up to £18 million or 4% of the annual turnover (whichever is higher) for more severe violations.
Cookie consent banners can help your business ensure compliance with the relevant data privacy regulations, and improve user experience and trust.
To ensure your business is fully compliant with GDPR or other data privacy laws, get in touch with Captain Compliance today.
What is required from a cookie banner?
The cookie consent banner should:
- Be in clear and concise language so the user can understand its purpose
- Provide options (buttons or links) for the user to accept, reject, customize cookies, or dismiss the banner
- Allow the user to withdraw their consent or modify previous cookie preferences
- Not be intrusive
- Include a link where the consumer can learn more about the cookies policy
Are cookie banners required by the GDPR?
If your website has visitors from the EU, it will require a cookie consent banner, even if your business or website is not located in the European Union.
How do cookie consent banners work?
Cookie consent banners inform a website’s visitors that the website collects certain data via cookies or another tracking method, what type of data it collects, and the purpose of collecting it.
The banner also enables users to give their consent (by clicking the “accept” button) or decline (by clicking the “reject” button), as well as to withdraw or change their consent or learn more about the website’s cookies policy.
What is a GDPR-compliant cookie banner?
A GDPR-compliant cookie banner informs the website visitor that the website collects data via cookies, the purpose of collecting this data, and the type of data it collects. It also allows users to accept, reject, or customize cookies, withdraw consent, and learn more about the cookies policy.
What is the EU cookie consent law?
The ePrivacy Directive (the Directive on Privacy and Electronic Communications, or ePD), often called the cookie law, is an EU directive that focuses on privacy and personal data protection in electronic communications.
Unlike the GDPR, which provides a broader framework, the ePD only deals with electronic communications.