Cookie banners: How to stay compliant with privacy laws

by Osano Staff · posted on January 6, 2023 · 7 min read

Today, multiple data privacy laws regulate millions of businesses and protect the data of hundreds of millions of individuals. This landscape is in constant flux, not only because of updates to existing laws and the creation of new ones, but also because of how businesses approach compliance. 

Privacy professionals and novices alike have been hard at work determining the best way to adhere to the dozens of data privacy laws’ requirements. While not everything is set in stone, a few best practices have emerged—notably, the use of cookie banners.

Data privacy regulations often require businesses to disclose their use of data collection (as is done through third- and first-party cookies) to website visitors, provide links to their privacy policies, and provide a method for visitors to opt into or out of data collection (depending on the regulation). Cookie banners are a common way to quickly and unobtrusively meet all of those requirements.

In this article, we’ll look at what cookie banners are, whether you need one on your website, and how to go about implementing a cookie banner that keeps you on your local data protection authority’s good side.

What is a cookie banner?

A cookie banner is a pop-up that appears when you visit a website for the first time, informing you about the use of cookies, asking for your consent, or both. 

Cookie banners are a core component of consent management. Consent management is, in turn, the practice of asking for, recording, and acting upon a website visitor’s preferences when it comes to data collection. A consent management solution typically includes cookie banner functionality as a means of asking visitors for consent. These banners may be a simple notice that goes away on its own, or a banner that requires some interaction, like clicking a button to consent to the use of certain types of cookies. Different jurisdictions have different requirements for cookie banners.

Depending on the type of cookie consent banner and the applicable cookie laws, the website visitor may be asked to select which cookies they approve of. A full consent management solution will include a way to categorize cookies, as well as a preference center that allows visitors to update, add, and revoke consent for different cookie types. Some cookies will be essential for the website to function, such as remembering which products the visitor added to their cart on an ecommerce site. Other cookies are for marketing, personalization, or analytics purposes, which a visitor may wish to block or permit accordingly.

Finally, these banners can include a link to the cookie policy, which provides an in-depth look at all the cookies used on the site, their purpose, and more.

Why are cookie banners important?

Privacy laws, such as the GDPR and the California Privacy Rights Act (CPRA), require the visitor’s consent and proof of consent each time you process their personal data. For cookie usage, this translates into a few steps:

  • Informing visitors you’re using cookies and giving them the option to accept or not. Depending on the law, it may even be illegal to load non-essential cookies until the visitor gives consent.
  • A cookie policy with details about each type of cookie used.
  • A backend that captures consent records for auditing.
  • The ability to block cookies that are not consented to.
  • A way to categorize cookies.
  • A preference center that enables visitors to update, add, and revoke their consent.
  • The ability to show different language, preference selections, and consent options based on the local law.

Cookie consent banners serve as a quick and efficient way to meet all of these requirements. They aren’t the only way—some find cookie banners to be overly intrusive. Alternative systems like the use of Global Privacy Control (GPC) may see more popularity in the future. Furthermore, the CPRA and other laws already require businesses to accept consent preference signals from the GPC.

Cookie banners, however, will likely remain a staple of modern websites, as they guarantee every visitor is presented with relevant privacy information and the opportunity to make their consent preferences known. Whatever the method, asking for consent is absolutely essential—not only is it required by law, but it’s also a respectful and ethical way to secure website visitors’ data.

Do I need a cookie banner on my website?

Do you use cookies that process personal data or track your website visitors? Then the answer is yes, you need one. 

Cookie banner requirements differ from law to law. For instance, in the EU, it’s considered best practice to have a separate cookie policy, whereas, in the U.S., you can include it in the privacy policy. 

Regardless of the various requirements, a cookie banner is a must-have in order to be compliant and respect your visitors’ fundamental right to privacy. 


Cookie banner examples

Cookie banners come in various forms and designs. Most providers allow you at least some basic customization, though they shouldn’t permit so much customization as to render your banner noncompliant. Examples include changing colors and fonts to match your branding or adding your own logo.

In terms of location, cookie banners can pop up in the middle of the page, at the bottom, or at the top. What matters is making sure the visitor interacts with the banner, especially when you’re required to secure opt-in consent.

Types of consent

The various data privacy laws worldwide broadly require one of two types of consent: opt-in or opt-out. But what does that mean for your cookie banner?

Opt-in consent

Opt-in consent is more commonly used outside of the U.S. and requires visitors to agree to data processing before any such activities can begin. The GDPR in Europe and the LGPD in Brazil are examples.

[Image: Osano's cookie banner for GDPR. It reads, "This website stores data such as cookies to enable essential site functionality, as well as marketing, personalization, and analytics. You may change your settings at any time or accept the default settings. You may close this banner to continue with only essential cookies. [Link to Cookie Policy]" Below this is a link to "Storage Preferences" and three toggles to turn "Marketing," "Personalization," and "Analytics" cookies on or off. To the right are three buttons: "Save," "Accept All," and "Reject All."]

Another term for opt-in consent is explicit consent. That is to say, an explicit consent banner does not assume website visitors have given consent to data collection unless the visitor explicitly indicates their consent. The banner remains active until the visitor interacts with it, and often provides visitors the option of selecting which categories of cookies they do or do not agree to. 

Under explicit or opt-in consent regimes, you may only load essential cookies for a first-time visitor. After they consent to non-essential cookies, then you can proceed and load those as well.

Opt-out consent

Opt-out consent is more common in the U.S. and is also known as implicit consent. You need to be transparent about using cookies, but you can assume consent until the visitor revokes their permission. 

[Image: Osano's cookie banner for the United States (not including California and Virginia). It reads, "This website stores data such as cookies to enable essential site functionality, as well as marketing, personalization, and analytics. By remaining on this website you indicate your consent. [Link to Cookie Policy]"]

A good example that you may be familiar with is a banner that simply states, “By continuing to use this website, you consent to the use of cookies.” Under laws like the GDPR or the LGPD, these banners are non-compliant, but they can work under the CPRA.
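As an added example (not Osano's code, and not something the article itself supplies), the following models the gating logic behind the two regimes described above: a first-time visitor under opt-in gets only essential cookies, a first-time visitor under opt-out gets implied consent until it is revoked, a Global Privacy Control signal is honoured as an opt-out, and choices recorded through a preference center are respected. The category names, the "opt-in"/"opt-out" strings and the record shape are this example's own assumptions.

```javascript
// Added example, not Osano's code: a minimal consent gate modelling the opt-in
// and opt-out regimes. Category names, the regime strings and the record
// shape are this example's own assumptions.
const ESSENTIAL = "essential";
const NON_ESSENTIAL = ["marketing", "personalization", "analytics"];

// Build a consent record of the kind a CMP would persist for auditing.
// choices: { marketing: bool, personalization: bool, analytics: bool }
function makeRecord(regime, choices, gpc) {
  return { regime, choices: { ...choices }, gpc: Boolean(gpc),
           recordedAt: new Date().toISOString() };
}

// Preference-center update: returns a new record with the patched choices,
// so a visitor can add or revoke consent for individual categories.
function updateRecord(record, patch) {
  return makeRecord(record.regime, { ...record.choices, ...patch }, record.gpc);
}

// Which categories may load right now?
//   regime: "opt-in" (GDPR/LGPD style) or "opt-out" (CPRA/Nevada style)
//   record: null for a first-time visitor, otherwise a stored consent record
//   gpc:    value of navigator.globalPrivacyControl; true is treated here as an
//           opt-out of every non-essential category (a conservative simplification)
function allowedCategories(regime, record, gpc) {
  const allowed = new Set([ESSENTIAL]);          // essential cookies never need consent
  if (gpc) return allowed;
  if (record) {                                  // honour the visitor's recorded choices
    for (const c of NON_ESSENTIAL) if (record.choices[c]) allowed.add(c);
    return allowed;
  }
  if (regime === "opt-out") {                    // implied consent until revoked
    for (const c of NON_ESSENTIAL) allowed.add(c);
  }
  return allowed;                                // opt-in first visit: essential only
}

// Gate a tag loader (analytics snippet, ad pixel, ...) behind the decision.
// Returns true if the loader ran, false if the category is blocked.
function loadIfAllowed(category, allowed, loader) {
  if (!allowed.has(category)) return false;
  loader();
  return true;
}
```

In a real page the loader argument would be the function that injects the third-party script tag, so a blocked category never reaches the browser rather than being set and later deleted.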

Cookie banner requirements

The requirements for cookie banners differ slightly across regulations. Let’s take a look at a few examples.

GDPR cookie banners

The GDPR is unusual in that each EU member state has its own data protection authority that issues individual requirements for how cookie banners must function in that jurisdiction. Some consent management solutions only offer one GDPR banner, but using a single banner across all EU jurisdictions will not be compliant. Broadly, GDPR banners require the following characteristics:

  • Functions under opt-in or explicit consent.
  • Includes a button to accept cookies and may allow the visitor to select which categories of cookies they accept.
  • Contains details about why the site uses cookies.
  • Includes a link to cookie settings.
  • Alerts the visitor if the site shares data through third-party cookies.
  • Includes a link to the cookie policy.

Additionally, although the UK is no longer an EU member state, it still follows the GDPR. There has been some talk of transitioning to a UK-specific data privacy regulation, but as of this writing, the GDPR still applies.

CPRA cookie banner

Under the CPRA, implicit consent banners are acceptable. However, for compliance with more than just the CPRA, you may choose to use an explicit consent banner. And even if you’re only complying with the CPRA, if you’re targeting visitors younger than 16, you’ll need opt-in consent. Furthermore, cookie banners that follow the CPRA should inform visitors if the site sells or shares data with third parties.

LGPD cookie banner

The LGPD requirements for cookies are similar to those of the GDPR, so the requirements for the cookie banner are the same.

Nevada privacy law cookie banner

This law takes a few ideas from both the GDPR and the CCPA/CPRA. But when it comes to cookies, it isn’t as strict as either of them. It only requires opt-out consent, so a clear notice banner telling visitors you use cookies will be enough.

How do I install a cookie banner on my website?

Every solution is different, and the implementation process will vary depending on whether you use an out-of-the-box solution or build your own. For readers interested in an out-of-the-box consent management solution, we can speak to Osano CMP’s setup and installation process.

Osano’s consent management solution is installed using a single line of JavaScript added to your page header. The entire process consists of five steps that can usually be accomplished in just a few minutes, regardless of your platform.

(If you want to dive deeper into how Osano CMP is installed, check out our CMP Setup Guide!)

Osano CMP geolocates a website visitor and automatically serves up the appropriate cookie banner based on their jurisdiction. Users can customize their banner’s appearance to match their brand, but the platform provides guardrails that guide users away from accidentally making their banner noncompliant through excessive customization.

Some consent management platforms require their users to become familiar with every jurisdiction’s legal requirements in order to use the platform for compliance, but Osano has all of that expert knowledge built in. In fact, if you receive a fine from a data protection authority as a result of our platform, we’ve pledged to cover the first $200,000.

To see the banner in action, sign up for a free account or request a demo.


About The Author · Osano Staff

The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”