Today, multiple data privacy laws regulate millions of businesses and protect the data of hundreds of millions of individuals. This landscape is in constant flux, not only because of updates to existing laws and the creation of new ones, but also because of how businesses approach compliance.
Privacy professionals and novices alike have been hard at work determining the best way to adhere to the dozens of data privacy laws’ requirements. While not everything is set in stone, a few best practices have emerged—notably, the use of cookie banners.
Data privacy regulations often require businesses to disclose their use of data collection (as is done through first- and third-party cookies) to website visitors, provide links to their privacy policies, and provide a method for visitors to opt into or out of (depending on the regulation) data collection. Cookie banners are a common way to quickly and unobtrusively meet all of those requirements.
In this article, we’ll look at what cookie banners are, whether you need one on your website, and how to go about implementing a cookie banner that keeps you on your local data protection authority’s good side.
What is a cookie banner?
Cookie banners are a core component of consent management. Consent management is, in turn, the practice of asking for, recording, and acting upon a website visitor’s preferences when it comes to data collection. A consent management solution typically includes cookie banner functionality as a means of asking visitors for consent. These banners may take the form of a simple notice that goes away on its own, or of a banner that requires some interaction, like clicking a button to consent to the use of certain types of cookies. Different jurisdictions have different requirements for cookie banners.
Depending on the type of cookie consent banner and the applicable cookie laws, the website visitor may be asked to select which cookies they approve of. A full consent management solution will include a way to categorize cookies, as well as a preference center that allows visitors to update, add, and revoke consent for different cookie types. Some cookies will be essential for the website to function, such as remembering which products the visitor added to their cart on an ecommerce site. Other cookies are for marketing, personalization, or analytics purposes, which a visitor may wish to block or permit accordingly.
Why are cookie banners important?
Privacy laws, such as the GDPR and the California Privacy Rights Act (CPRA), require the visitor’s consent and proof of consent each time you process their personal data. For cookie usage, this translates into a few steps:
- Informing visitors you’re using cookies and giving them the option to accept or not. Depending on the law, it may even be illegal to load non-essential cookies until the visitor gives consent.
- A backend that captures consent records for auditing.
- The ability to block cookies that are not consented to.
- A way to categorize cookies.
- A preference center that enables visitors to update, add, and revoke their consent.
- The ability to show different language, preference selections, and consent options based on the local law.
Cookie consent banners serve as a quick and efficient way to meet all of these requirements. They aren’t the only way—some find cookie banners to be overly intrusive. Alternative systems like the use of Global Privacy Control (GPC) may see more popularity in the future. Furthermore, the CPRA and other laws already require businesses to accept consent preference signals from the GPC.
Cookie banners, however, will likely remain a staple of modern websites, as they guarantee every visitor is presented with relevant privacy information and the opportunity to make their consent preferences known. Whatever the method, asking for consent is absolutely essential—not only is it required by law, but it’s also a respectful and ethical way to secure website visitors’ data.
Do I need a cookie banner on my website?
Regardless of the various requirements, a cookie banner is a must-have in order to be compliant and respect your visitors’ fundamental right to privacy.
Cookie banner examples
Cookie banners come in various forms and designs. Most providers allow you at least some basic customization, though they shouldn’t permit so much customization as to render your banner noncompliant. Examples include changing colors and fonts to match your branding or adding your own logo.
In terms of location, cookie banners can pop up in the middle of the page, at the bottom, or at the top. What matters is making sure the visitor interacts with the banner, especially when you’re required to secure opt-in consent.
Types of consent
The various data privacy laws worldwide broadly require one of two types of consent: opt-in or opt-out. But what does that mean for your cookie banner?
Opt-in consent is more commonly used outside of the U.S. and requires visitors to agree to data processing before any such activities can begin. The GDPR in Europe and the LGPD in Brazil are examples.
Another term for opt-in consent is explicit consent. That is to say, an explicit consent banner does not assume website visitors have given consent to data collection unless the visitor explicitly indicates their consent. The banner remains active until the visitor interacts with it, and often provides visitors the option of selecting which categories of cookies they do or do not agree to.
Under explicit or opt-in consent regimes, you may only load essential cookies for a first-time visitor. Only after they consent to non-essential cookies can you proceed to load those as well.
Opt-out consent is more common in the U.S. and is also known as implicit consent. You need to be transparent about using cookies, but you can assume consent until the visitor revokes their permission.
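The following is an added example, not code from Osano CMP or from this article: it shows how the requirements listed earlier (a consent record for auditing, cookie categories, blocking non-consented cookies, honoring a GPC signal) combine with the opt-in and opt-out regimes just described to decide which scripts a page may load. The category names, the consent record shape, and the treatment of GPC as an opt-out from the "marketing" category are assumptions for this example.

```javascript
// Added example (not Osano CMP's code): consent gating for cookie categories
// under opt-in (GDPR/LGPD style) and opt-out (CPRA style) regimes.
// Category names and the consent record shape are assumptions for this example.
const CATEGORIES = ["essential", "analytics", "personalization", "marketing"];

// Build the consent record a backend would keep for auditing:
// what was chosen, when, and under which banner version (shape assumed).
function recordConsent(choices, bannerVersion, now = new Date()) {
  const record = { version: bannerVersion, timestamp: now.toISOString(), choices: {} };
  for (const cat of CATEGORIES) {
    // Essential cookies need no consent; everything else defaults to "not consented".
    record.choices[cat] = cat === "essential" ? true : Boolean(choices[cat]);
  }
  return record;
}

// Decide which categories may set cookies right now.
//   regime:  "opt-in" or "opt-out"
//   consent: a record from recordConsent, or null for a first-time visitor
//   gpc:     true when the browser sent a Global Privacy Control signal
// Assumption: with no stored record, a GPC signal is treated as an opt-out from
// the "marketing" category, the one that sells or shares data with third parties.
function allowedCategories(regime, consent, gpc) {
  const allowed = new Set(["essential"]);
  if (consent) {
    // A stored, explicit choice is authoritative under either regime.
    for (const cat of CATEGORIES) if (consent.choices[cat]) allowed.add(cat);
  } else if (regime === "opt-out") {
    // Implicit consent: assume every category until the visitor revokes.
    for (const cat of CATEGORIES) allowed.add(cat);
    if (gpc) allowed.delete("marketing");
  }
  // Opt-in with no record: only essential cookies, and the banner stays active.
  return allowed;
}

// Gate script loading on that decision: returns the script URLs that may be injected.
// scripts: [{ src, category }]
function scriptsToLoad(scripts, allowed) {
  return scripts.filter((s) => allowed.has(s.category)).map((s) => s.src);
}

const SAMPLE_SCRIPTS = [ // constructed sample tag list for this example
  { src: "/js/cart.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
```

A first-time visitor under "opt-in" gets only `/js/cart.js`; the same visitor under "opt-out" gets all three, or everything but the ad pixel when a GPC signal is present.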
Cookie banner requirements
The requirements for cookie banners differ slightly across regulations. Let’s take a look at a few examples.
GDPR cookie banners
The GDPR is a little unique in that each EU member state has its own data protection authority that issues individual requirements for how cookie banners must function in that jurisdiction. Some consent management solutions only offer one GDPR banner, but using one single banner across all EU jurisdictions will not be compliant. Broadly, GDPR banners require the following characteristics:
- Functions under opt-in or explicit consent.
- Includes a button to accept cookies and may allow the visitor to select which categories of cookies they accept.
- Includes a link to cookie settings.
- Alerts the visitor if the site shares data through third-party cookies.
Additionally, although the UK is no longer an EU member state, it still follows the GDPR. There has been some talk of transitioning to a UK-specific data privacy regulation, but as of this writing, the GDPR still applies.
CPRA cookie banner
Under the CPRA, implicit consent banners are acceptable. However, for compliance with more than just the CPRA, you may choose to use an explicit consent banner. And even if you’re only complying with the CPRA, if you’re targeting visitors younger than 16, you’ll need opt-in consent. Furthermore, cookie banners that follow the CPRA should inform visitors if the site sells or shares data with third parties.
LGPD cookie banner
The LGPD requirements for cookies are similar to those of the GDPR, so the requirements for the cookie banner are the same.
Nevada privacy law cookie banner
How do I install a cookie banner on my website?
Every solution is different, and the implementation process will vary depending on whether you use an out-of-the-box solution or build your own. For readers interested in an out-of-the-box consent management solution, we can speak to Osano CMP’s setup and installation process.
(If you want to dive deeper into how Osano CMP is installed, check out our CMP Setup Guide!)
Osano CMP geolocates a website visitor and automatically serves up the appropriate cookie banner based on their jurisdiction. Users can customize their banner’s appearance to match their brand, but the platform provides guardrails that guide users away from accidentally making their banner noncompliant through excessive customization.
Some consent management platforms require their users to become familiar with every jurisdiction’s legal requirements in order to use the platform for compliance, but Osano has all of that expert knowledge built in. In fact, if you receive a fine from a data protection authority as a result of our platform, we’ve pledged to cover the first $200,000.
To see the banner in action, sign up for a free account or request a demo.