
Data Privacy Metrics: Questions From Our Webinar
Read Now
The simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline the DSAR workflow
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
January 6, 2023
Today, multiple data privacy laws regulate millions of businesses and protect the data of hundreds of millions of individuals. This landscape is in constant flux, not only because of updates to existing laws and the creation of new ones, but also because of how businesses approach compliance.
Privacy professionals and novices alike have been hard at work determining the best way to adhere to the dozens of data privacy laws’ requirements. While not everything is set in stone, a few best practices have emerged—notably, the use of cookie banners.
Data privacy regulations often require businesses to disclose their use of data collection (as is done through third- and first-party cookies) to website visitors, provide links to their privacy policies, and provide a method for visitors to opt into or out of (depending on the regulation) to data collection. Cookie banners are a common way to quickly and unobtrusively meet all of those requirements.
In this article, we’ll look at what cookie banners are, whether you need one on your website, and how to go about implementing a cookie banner that keeps you on your local data protection authority’s good side.
A cookie banner is a pop-up that appears when you visit a website for the first time, informing you about the use of cookies, asking for your consent, or both.
Cookie banners are a core component of consent management. Consent management is, in turn, the practice of asking for, recording, and acting upon a website visitors’ preferences when it comes to data collection. A consent management solution typically includes cookie banner functionality as a means of asking visitors for consent. These banners take the form of a notice banner that then goes away on its own, or they may be presented with a banner that requires some interaction, like clicking a button to consent to the use of certain types of cookies. Different jurisdictions have different requirements for cookie banners.
Depending on the type of cookie consent banner and the applicable cookie laws, the website visitor may be asked to select which cookies they approve of. A full consent management solution will include a way to categorize cookies, as well as a preference center that allows visitors to update, add, and revoke consent for different cookie types. Some cookies will be essential for the website to function, such as remembering which products the visitor added to their cart on an ecommerce site. Other cookies are for marketing, personalization, or analytics purposes, which a visitor may wish to block or permit accordingly.
Finally, these banners can include a link to the cookie policy, which provides an in-depth look at all the cookies used on the site, their purpose, and more.
Privacy laws, such as the GDPR and the California Privacy Rights Act (CPRA), require the visitor’s consent and proof of consent each time you process their personal data. For cookie usage, this translates into a few steps:
Cookie consent banners serve as a quick and efficient way to meet all of these requirements. They aren’t the only way—some find cookie banners to be overly intrusive. Alternative systems like the use of Global Privacy Control (GPC) may see more popularity in the future. Furthermore, the CPRA and other laws already require businesses to accept consent preference signals from the GPC.
Cookie banners, however, will likely remain a staple of modern websites, as they guarantee every visitor is presented with relevant privacy information and the opportunity to make their consent preferences known. Whatever the method, asking for consent is absolutely essential—not only is it required by law, but it’s also a respectful and ethical way to secure website visitors’ data.
Do you use cookies that process personal data or track your website visitors? Then the answer is yes, you need one.
Cookie banner requirements differ from law to law. For instance, in the EU, it’s considered best practice to have a separate cookie policy, whereas, in the U.S., you can include it in the privacy policy.
Regardless of the various requirements, a cookie banner is a must-have in order to be compliant and respect your visitors’ fundamental right to privacy.
Cookie banners come in various forms and designs. Most providers allow you at least some basic customization, though they shouldn’t permit so much customization as to render your banner noncompliant. Examples include changing colors and fonts to match your branding or adding your own logo.
In terms of location, cookie banners can pop up in the middle of the page, at the bottom, or at the top. What matters is making sure the visitor interacts with the banner, especially when you’re required to secure opt-in consent.
The various data privacy laws worldwide broadly require one of two types of consent: opt-in or opt-out. But what does that mean for your cookie banner?
Opt-in consent is more commonly used outside of the U.S. and requires visitors to agree to data processing before any such activities can begin. The GDPR in Europe and the LGPD in Brazil are examples.
Image of Osano's Cookie Banner for GDPR
Another term for opt-in consent is explicit consent. That is to say, an explicit consent banner does not assume website visitors have given consent to data collection unless the visitor explicitly indicates their consent. The banner remains active until the visitor interacts with it, and often provides visitors the option of selecting which categories of cookies they do or do not agree to.
Under explicit or opt-in consent regimes, you may only load essential cookies for a first-time visitor. After they consent to non-essential cookies, then you can proceed and load those as well.
Opt-out consent is more common in the U.S. and is also known as implicit consent. You need to be transparent about using cookies, but you can assume consent until the visitor revokes their permission.
Image of Osano's Cookie Banner for the US (not including California and Virginia)
A good example that you may be familiar with is a banner that simply states, “By continuing to use this website, you consent to the use of cookies.” Under laws like the GDPR or the LGPD, these banners are non-compliant, but they can work under the CPRA.
The requirements for cookie banners differ slightly across regulations. Let’s take a look at a few examples.
The GDPR is a little unique in that each EU member state has its own data protection authority that issues individual requirements for how cookie banners must function in that jurisdiction. Some consent management solutions only offer one GDPR banner, but using one single banner across all EU jurisdictions will not be compliant. Broadly, GDPR banners require the following characteristics:
Additionally, although the UK is no longer an EU member state, it still follows the GDPR. There has been some talk of transitioning to a UK-specific data privacy regulation, but as of this writing, the GDPR still applies.
Under the CPRA, implicit consent banners are acceptable. However, for compliance with more than just the CPRA, you may choose to use an explicit consent banner. And even if you’re only complying with the CPRA, if you’re targeting visitors younger than 16, you’ll need opt-in consent. Furthermore, cookie banners that follow the CPRA should inform visitors if the site sells or shares data with third parties.
The LGPD requirements for cookies are similar to those of the GDPR, so the requirements for the cookie banner are the same.
This law takes a few ideas from both the GDPR and the CCPA/CPRA. But when it comes to cookies, it isn’t as strict as either of them. It only requires opt-out consent, so an explicit banner telling visitors you use cookies will be enough.
Every solution is different, and the implementation process will vary depending on whether you use an out-of-the-box solution or build your own. For readers interested in an out-of-the-box consent management solution, we can speak to Osano CMP’s setup and installation process.
Osano’s consent management solution is installed using a single line of JavaScript added to your page header. The entire process consists of five steps that can usually be accomplished in just a few minutes, regardless of your platform.
(If you want to dive deeper into how Osano CMP is installed, check out our CMP Setup Guide!)
Osano CMP geolocates a website visitor and automatically serves up the appropriate cookie banner based on their jurisdiction. Users can customize their banner’s appearance to match their brand, but the platform provides guardrails that guide users away from accidentally making their banner noncompliant through excessive customization.
Some consent management platforms require their users to become familiar with every jurisdiction’s legal requirements in order to use the platform for compliance, but Osano has all of that expert knowledge built in. In fact, if you receive a fine from a data protection authority as a result of our platform, we’ve pledged to cover the first $200,000.
To see the banner in action, sign up for a free account or request a demo.
Learn how to set up a cookie consent program, what is involved in cookie consent, what happens if you don't use a cookie policy on your website and more.
Download Now
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
Osano Cookie Consent simplifies consent management. Ensure compliance with regulations in 50+ countries.