Data Privacy Metrics: Questions From Our Webinar
June 22, 2023
Sure, data privacy regulations say you need to inform website visitors about any data collection activities you perform. You know that the most significant tracking technologies on your website are cookies, so you need to show website visitors a cookie banner.
But what does that cookie banner actually need to do? What does it actually need to look like?
Well, here’s an example:
It’s a great example of how to get on the fast track to receiving a painful GDPR fine. But unless you’re a masochist, it’s more of an example of what not to do.
Websites must obtain users' consent for the collection and processing of their personal data (opt-in under some laws, opt-out under others), and a well-crafted cookie banner is a vital tool in meeting this compliance requirement. In this article, we will delve into different data privacy regulations’ requirements for things like:
Throughout, we’ll provide you with some cookie banner examples that align with the requirements of the GDPR, CCPA/CPRA, and other data privacy laws, as well as cookie banner examples that you might see on various content management systems (CMSs).
The GDPR doesn’t explicitly mention cookies, but it does have several requirements for consenting to data processing and collection. The most important thing for website owners to know is how the GDPR defines “consent”:
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
So, a GDPR-compliant cookie banner must:
Furthermore, because different cookies can be used for different purposes (such as marketing, analytics, and personalization), the GDPR requires that you give users granular control over the types of cookies they consent to or not. A user might be comfortable with analytics cookies that merely help diagnose site performance, but don’t want cookies used for marketing purposes.
An example cookie banner that meets these requirements looks like this:
Specifically, this cookie banner complies with the French Data Protection Authority’s (DPA’s) requirements for GDPR compliance. As you can see, it:
Here’s another GDPR-compliant banner from France in the original French:
Note that both of these banners are compliant with the French DPA’s GDPR guidance even though they look a little different—one is vertically aligned and would appear on the side of the screen while the other is horizontally aligned and would appear at the top; their color scheme is different; and the language they use is different.
If you were to cater to French citizens, you would obviously default to using the French language. But your cookie banner ought to adjust to the language preferences set by the individual user in their browser—that ensures the user is truly informed (as required by the GDPR).
The GDPR permits you to use different color schemes, styling, and placement of your cookie banner. But remember: Consent must be freely given through an affirmative action. So, certain design practices that manipulate users into giving consent are forbidden by the GDPR. If you were to color the “Continue Without Accepting” button the same shade as the background, making the “Accept All” button the only choice a user can readily see and click, that would constitute a violation of the GDPR. Similarly, if your banner were incredibly small and appeared in a tiny corner of the screen, that would also violate the law.
One last important point to note about GDPR cookie banner examples: You may have noticed we referred to the French DPA’s interpretation of the GDPR above. Each member state in the EU has its own DPA, and each DPA has its own interpretation of the GDPR. That means each GDPR jurisdiction may require its own banner.
For example, take a look at this example of a GDPR-compliant banner that would display in Spain (again, translated into English):
Rather than require a user to click a “Customize Your Choices” button as was the case with the French banner, the Spanish banner provides those choices right up front. The cookie banner’s text is also different—these are all individual differences determined by the given jurisdiction’s DPA.
Obviously, this makes providing a GDPR-compliant banner really difficult. To deploy a homegrown cookie consent banner solution, you’d have to research every DPA’s interpretation of the GDPR and translate that interpretation into a compliant design.
That’s not to mention the difficulty of actually operationalizing all of this! Getting a GDPR-compliant cookie banner isn’t just about finding the right examples of cookie banner text; the banner has to actually do what it says it will. Remember the fake banner we showed at the start of this article? If you click on Agree or Reject, the banner actually has to allow or block cookies, respectively, as soon as the user makes their preference clear.
As with the GDPR, your cookie banner’s design under the CPRA will depend on the law’s specific requirements around consent and data collection. Here’s a lightly edited passage on what the CPRA has to say about cookie consent:
A business that sells or shares consumers’ personal information or uses or discloses consumers’ sensitive personal information […] shall:
- Provide a clear and conspicuous link on the business’s internet homepages, titled “Do Not Sell or Share My Personal Information,” to an internet web page that enables a consumer […] to opt-out of the sale or sharing of the consumer’s personal information.
- Provide a clear and conspicuous link on the business’s internet homepages, titled “Limit the Use of My Sensitive Personal Information,” that enables a consumer [...] to limit the use or disclosure of the consumer’s sensitive personal information.
We cleaned up the text a little bit for clarity and ease of reading (surprisingly, legal texts can be a bit convoluted), but if you want to take a look at the original, the relevant passage in the CPRA is Section 1798.135.
However, you’ll notice that this section of the CPRA doesn’t mention anything about banners—the CPRA actually doesn’t require businesses to include links titled “Do not Sell or Share My Personal Information” or “Limit the Use of My Sensitive Personal Information” on their banner; merely that they appear on the “business’s internet homepages.”
Thus, a CPRA-compliant cookie consent banner might look like this:
To be compliant, a business would also need to include the links mentioned above somewhere on their website homepage, usually in the footer. When clicking on these links, consumers should be able to trigger a data subject access request (DSAR) that allows them to exercise their right to opt out. The thing about DSARs, however, is that they can take some time and effort to execute, which can irk some consumers and creates additional risk. That’s why it can be a good idea to default to a higher standard of consent.
For example, the following is an example of a CPRA-compliant cookie consent banner that relies on opt-in consent; you won’t collect any personal information from consumers unless they click “Accept” first.
Both of these banners comply with the CPRA—just note that you still need links titled “Do Not Sell or Share My Personal Information” or “Limit the Use of My Sensitive Personal Information” on your homepage.
If you use a software tool to manage your website like a content management system (CMS), they’ll often provide some sort of cookie banner functionality. The following is an example of a cookie banner provided by HubSpot CMS.
However, you need to manually create these cookie banners for each jurisdiction, putting the burden of compliance on you. The alternative is to build one cookie banner that follows the strictest consent requirements, but then you wind up losing a lot of business intelligence when visitors fail to opt in—even when they live in a jurisdiction that requires opt-out consent or a jurisdiction with no relevant regulation.
When a CMS offers cookie banner functionality, it can only find and block cookies that it drops itself or that are dropped on its behalf via its integrations. If you have manually added scripts to your website or use third-party scripts, the CMS won’t be able to detect or block them. As a business grows, more and more of these scripts tend to accumulate on the website from various stakeholders in marketing, development, and other teams, so relying on CMS cookie banners indefinitely can be problematic.
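The two practical points above, that the banner must actually block or allow scripts the moment the visitor chooses (and do so per category), and that a banner can only control scripts that are wired into its gate, are easier to see in code. The following is an added example, not code from the original page, from Osano, or from any CMS or CMP. It models the common "text/plain script tag" gating pattern: tags are authored as `<script type="text/plain" data-consent="analytics" src="...">` so the browser does not execute them at load, and the gate activates only those whose category the visitor consented to. The category names, the `data-consent` attribute and the sample script list are assumptions for illustration; the page is modelled as plain objects so the logic runs outside a browser.

```javascript
// Added example (not Osano's, a CMS's, or a CMP's code). Category names, the
// data-consent attribute and the sample tags are assumptions for illustration.

const CATEGORIES = ["essential", "analytics", "marketing", "personalization"];

// Turn a banner action into a consent record. "Accept All" and "Reject All"
// set every optional category at once; "Customize" takes the visitor's
// per-category choices. Essential cookies need no consent and are always on.
function consentFromChoice(choice, granular = {}) {
  const consent = { essential: true };
  for (const category of CATEGORIES) {
    if (category === "essential") continue;
    switch (choice) {
      case "accept_all": consent[category] = true; break;
      case "reject_all": consent[category] = false; break;
      case "custom": consent[category] = granular[category] === true; break; // unstated = refused
      default: throw new Error(`unknown banner action: ${choice}`);
    }
  }
  return consent;
}

// A tag is under the gate's control only if it was authored as inert
// (type="text/plain") AND declares the category it belongs to.
function isGated(tag) {
  return tag.type === "text/plain" && Boolean(tag.dataset && tag.dataset.consent);
}

// Apply a consent record to the page's script tags (plain objects carrying the
// attributes a DOM <script> would have). Returns which tags were activated,
// which stayed blocked, and which were never under the gate's control at all.
function applyConsent(scripts, consent) {
  const result = { activated: [], blocked: [], ungated: [] };
  for (const tag of scripts) {
    if (!isGated(tag)) {
      // An ordinary <script> ran the moment the page loaded. No banner click
      // can retroactively block it: this is the hand-added or third-party
      // script that a CMS-provided banner never sees.
      result.ungated.push(tag.id);
      continue;
    }
    if (consent[tag.dataset.consent] === true) {
      // In a real browser you would clone the node with type="text/javascript"
      // and re-insert it; flipping the attribute alone does not execute it.
      tag.type = "text/javascript";
      result.activated.push(tag.id);
    } else {
      // Refused categories and unknown categories both land here: fail closed.
      result.blocked.push(tag.id);
    }
  }
  return result;
}

// Audit the page as authored: list ungated tags that load from another host,
// i.e. third-party scripts that will set cookies whatever the banner says.
function auditUngated(scripts, firstPartyHost) {
  const base = `https://${firstPartyHost}/`;
  return scripts
    .filter((tag) => !isGated(tag) && tag.src)
    .filter((tag) => new URL(tag.src, base).host !== firstPartyHost)
    .map((tag) => tag.id);
}

// Constructed sample page: two correctly gated tags, one first-party script
// that is fine to run, and one third-party widget pasted in by hand.
function samplePage() {
  return [
    { id: "session", type: "text/javascript", src: "/app.js" },
    { id: "ga", type: "text/plain", dataset: { consent: "analytics" }, src: "https://analytics.example/tag.js" },
    { id: "ads", type: "text/plain", dataset: { consent: "marketing" }, src: "https://ads.example/pixel.js" },
    { id: "chat", type: "text/javascript", src: "https://chat.example/widget.js" },
  ];
}

// Visitor accepts analytics only; the audit runs before the gate mutates tags.
function demo() {
  const page = samplePage();
  const leaks = auditUngated(page, "www.example.com");
  const consent = consentFromChoice("custom", { analytics: true });
  const outcome = applyConsent(page, consent);
  return { consent, outcome, leaks };
}
```

Running `demo()` activates only the analytics tag, keeps the marketing tag inert, and reports the chat widget as a leak: it loads from a third-party host and was never wrapped in the gate, so it fires on every visit regardless of what the banner shows. That audit list is the thing a CMS-supplied banner cannot produce for scripts it did not install.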
In essence, CMS cookie banners are good for personal websites and websites owned by small businesses limited to a single jurisdiction with minimal data tracking technologies. Any business that serves customers from multiple jurisdictions or that intends to use a digital channel for growth is better served by using a consent management platform (CMP) to manage cookies instead.
As purpose-built solutions for cookie banners, CMPs address the issues you’ll run into developing a homegrown cookie banner or using a CMS to deliver cookies banners. The specific features vary from CMP to CMP, so we’ll cover how Osano Cookie Consent avoids these issues. Osano Cookie Consent:
CMPs ideally provide you with compliant banners out of the box, but being able to customize banners to match your branding is important too. Osano allows businesses to customize their banners while providing guardrails against excessive customization that could cause a cookie banner to fall out of compliance.
In fact, the bulk of the compliant banners shown in this article were templates accessible right in the Osano platform.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.