Introduction
Cookie banners are not new, but they are quickly becoming an expected part of the user experience when visitors arrive on websites for the first time. This is because privacy laws are increasingly requiring companies to obtain visitors’ or customers’ consent before collecting, using or selling their personal information.
These requirements are included in data privacy laws like the European Union’s General Data Protection Regulation (GDPR), ePrivacy Directive, California Consumer Protection Act (CCPA), or Brazilian Data Protection Law (LGPD). Clear, transparent compliance with them, including implementing a cookie banner on your website, for example, also helps build trust and encourages long-term relationship development with your users and customers.
Benefits of a privacy-compliant cookie banner
Not only do you want to avoid privacy violations and fines, you don’t want to lose customer trust. Consumers are becoming increasingly aware of privacy and their rights regarding their data. Showing that you take their privacy seriously empowers them to control access to their data and can be a key competitive advantage.
Additionally, because consent management best practices encourage user trust, it makes people more inclined to provide more consent to data usage, since you have been transparent about its collection and purposes of use. More data means more insights for marketing, as well as more ad revenue.
What is a cookie banner?
Since the General Data Protection Regulation (GDPR) came into effect in 2018, cookie banners have become increasingly common on websites. When a user visits a website for the first time, a pop-up window or banner will appear, most commonly at the bottom of the page. It is intended to inform the user about the processing of personal data.
A cookie is just a small text file, saved in the user’s browser, and used to store information. It enables functions like the web server’s ability to “recognize” a user on future visits to the site. It is possible for cookies to be set in a browser without the user knowing it. Increasingly, however, the question is whether it’s legal to do so or not.
Cookie banners appear on/over the website’s homepage content and are interactive. They provide information to visitors about what web technologies – including cookies – are used on that website to enable the site to work correctly, but also to track user behavior and collect data about them and their actions. Cookie banners should also provide options to enable or prevent the use of those technologies.
What is a cookie banner for?
Once users have selected consent preferences in the cookie banner – if they interact with it at all – those preferences are saved by that website’s Consent Management Platform (CMP).
A cookie banner gives users control over their website experiences and how they are tracked and their data is used. The user’s consent choices from their first interaction will be used to enable or prevent cookie usage next time the user visits the site.
The CMP also provides an audit trail to show that the company is correctly complying with data privacy laws when using cookies and collecting or using visitors’ data.
What does a cookie banner have to include?
Cookie banners have to provide visitors with clear information in plain language about their privacy rights, about which web technologies, like cookies, are used on that site, and for what purposes. A link to the company’s privacy policy should also be included.
Cookie banners have to provide users with consent options. Users have to be able to opt in or opt out of the use of cookies entirely, or to customize which services they will allow to access their data.
What’s wrong with bad cookie banners?
Not all cookie banners, or their implementations, are created equal. This could be because they weren’t set up right, or because companies don’t want to give people full options to reject the collection or sale of their personal information. The companies don’t want to risk access to the data they need to earn ad revenue.
Some banners don’t provide a “reject” option, or could pre-check boxes, or prevent the ability to customize consent preferences. Some don’t provide clear information about the web technologies used and what users’ options are with regards to them.
Some banners don’t enable users to revisit their consent choices in order to update them in the future.
Some banners don’t display the buttons with equal size or with colours of equal shading or brightness. Visual techniques that steer users toward a specific action or response are called “nudging”. Nudging is not legal, but it can be subtle, and broad enforcement to prevent it would be difficult.
However, there are no legal requirements regarding general aspects of how a cookie banner looks. Companies generally want it to look professional, and often match the company’s existing branding. This helps it look like a legitimate part of the website that users can safely interact with, and not some questionable pop-up ad of the type that used to litter the internet.
Does cookie use require user consent?
Cookies are not the only web technology that can be used in a browser for tracking or data collection purposes; tracking and retargeting pixels are another example. Regulations like the GDPR cover all such technologies that process personal data in any way.
“Strictly necessary” cookies that enable a website to function as intended do not require user consent to be loaded. For example, if you want to be able to move around a website and have items you have saved in a shopping cart still be there, that requires cookie use. But other types of cookies do require consent.
Analytics cookies, which provide details like how many visitors are on the website and what pages or functions they’re accessing, do require user consent. As do third-party cookies that track users when they go to other websites, or any web technologies that collect users’ personal information, such as name, IP address, location, or other data that can be used alone or combined to identify a person.
A website should only load the cookies to which the user has consented. However, there are tools like Google Consent Mode that can help to recover valuable data and provide analytic modelling even without the data processing that’s enabled by user consent.
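The “load only what the user consented to” rule above can be expressed as a small gating model. This is an added example, not code from the original article or from any particular CMP; the category names, the stored-record shape and the tag URLs are assumptions, and it fails closed (strictly necessary is always allowed, everything else defaults to off and unknown categories never load).

```javascript
// Added example: consent-gated tag loading. Categories, record shape and
// URLs are assumptions for illustration, not a specific CMP's format.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Default record: only strictly necessary is enabled; nothing non-essential
// is pre-checked, so consent is never implied before the user decides.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, decidedAt: null };
}

// Apply the user's banner choices. Only boolean values for known categories
// are honoured, and "necessary" cannot be switched off.
function applyChoices(record, choices, now = Date.now()) {
  const next = { ...record, decidedAt: now };
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    if (typeof choices[cat] === "boolean") next[cat] = choices[cat];
  }
  return next;
}

// Revocation: withdraw all non-essential consent; the timestamp records
// when the choice changed, which is what an audit trail needs.
function revokeAll(record, now = Date.now()) {
  return applyChoices(record, { analytics: false, marketing: false }, now);
}

// Reading a stored record: anything malformed or tampered with collapses
// back to the default (no consent), never to "everything allowed".
function parseStoredConsent(raw) {
  try {
    const obj = JSON.parse(raw);
    if (!obj || typeof obj !== "object") return defaultConsent();
    const at = typeof obj.decidedAt === "number" ? obj.decidedAt : null;
    return applyChoices(defaultConsent(), obj, at);
  } catch {
    return defaultConsent();
  }
}

// Gate: a tag is loaded only when its category exists and is consented.
function tagsToLoad(tags, record) {
  return tags
    .filter((t) => CATEGORIES.includes(t.category) && record[t.category] === true)
    .map((t) => t.src);
}

// Constructed tag inventory with placeholder URLs.
const TAGS = [
  { src: "/static/session.js", category: "necessary" },
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
  { src: "https://unknown.example/x.js", category: "experimental" },
];
```

In a real page, `tagsToLoad` would drive the insertion of `<script>` elements after the banner returns, and the stored record would come from the CMP rather than from a constant.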
To achieve full privacy compliance on a website, just a cookie banner is not enough to meet GDPR requirements. Other international privacy laws have specific requirements as well. Using a cookie banner correctly is just one part of a solid data privacy strategy for your website.
A Consent Management Platform will help you check off all necessary privacy compliance requirements, whatever your website is used for (as long as it processes user data), even if you’re subject to multiple countries’ data privacy laws.
Cookie usage, the law, and penalties
While data privacy laws are passed in specific regions or countries, website visitors or customers can come from pretty much anywhere. Whether you need a cookie banner to comply with privacy law typically depends on where your visitors are located, not where your company is located.
So the answer to “Do I need a cookie banner on my website?” is “Probably, yes” and “Why would you risk not having one?” Especially given that in addition to not wanting to risk violations and fines, you also don’t want to risk the trust of your users and customers.
Legally, cookie banners have to provide all of a user’s cookie usage consent options and the ability to exercise them equally. They cannot use text or graphics (or the absence of them) to manipulate users into the “consent” that the company wants.
As Art. 4 of the GDPR specifies, user consent must be:
- freely given
- informed
- specific
- unambiguous
- revocable
- obtained before any data is collected
So the cookie banner’s appearance, content and functionality must ensure those requirements are met.
Now, not all privacy laws are the same. For example, the EU’s GDPR and Brazil’s LGPD use an opt-in model, where user consent must be obtained before data can be collected (or used).
However, under US laws like the CCPA, an opt-out model is used. So companies only have to obtain users’ consent before personal information is sold. Consent is not required before or when such data is collected.
There are also, or will be, more specific considerations for minors and for data classified as “sensitive personal information”, especially under the successor to the CCPA, the California Privacy Rights Act (CPRA).
Enforcement of privacy laws is increasing, and fines levied can be substantial. Under the GDPR, Art. 84, they can be up to € 20 million or 4 percent of annual revenue, depending on circumstances. Under the CCPA, fines for willful violations can be $7,500 USD per violation, or up to $2,500 USD per violation if it’s deemed negligent. If you consider that a data breach could include millions of user records, that adds up enormously.
How a Consent Management Platform can help
A Consent Management Platform (CMP) provides all the legally required functionality for a privacy-compliant cookie banner. It will provide full customization for you to include the exact text and links you want, and the appearance to perfectly stand out or blend seamlessly with your branding.
A comprehensive and correctly implemented CMP will enable you to specify which laws are relevant to your company and which web technologies (like cookie sources) your website uses, so you can clearly communicate that information to your website’s visitors. It will record user consents and store them in a safe and compliant way so they are accessible if ever needed for audit. It will also enable a comprehensive and easily updatable privacy policy that is accessible and clear to your website visitors.