Table of contents
- What are cookies?
- What is cookie consent?
- What laws require cookie consent?
- Do I need a cookie policy on my website?
- Cookie consent requirements
- Cookie consent popups
- Cookie consent examples
- GDPR cookie consent
- Cookie consent managers
Creating a business and its corresponding online presence is a lot of responsibility. It can take a lot of time, research, management, and monitoring to ensure that you’re doing your due diligence to protect your customers and your business from allegations of privacy violations. These days, cookie consent management is the number one task that businesses need to worry about when it comes to protecting their customers, obeying the law, and preserving their reputation.
Let’s quickly walk through four of the most frequently asked questions when it comes to cookie consent.
What are cookies?
Cookies are small text files stored on a user’s browser that track and collect data, such as their name, geographical location, IP address, and more. Cookies can also track which web pages the user visited and how long they spent on the site. Cookies are often used for marketing purposes and enable businesses to gain data on the sort of people their customers are. They’re a great tool for you to reach your target market—but it’s important to use them correctly, or you could find yourself on the wrong side of the law.
What is cookie consent?
When you visit a new website, you might see a banner pop up at the bottom of your screen with a notice to accept or reject cookies or customize the type of cookies you do accept. The act of accepting cookies is cookie consent.
But it’s more complicated than just that. For instance, there is opt-in consent and opt-out consent. In the former case, you have to actually click “accept” and opt into the use of cookies before they can load on your browser. In the latter case, the banner might inform you that cookies are active and provide a link to stop them from tracking you—you have to opt out of the use of cookies in this case.
Different laws require different kinds of cookie consent, which we’ll get into later on in the article.
What laws require cookie consent?
Before the California Privacy Rights Act (CPRA), there were no cookie consent laws in the United States. There still aren’t any laws at the federal level regarding cookie consent, though several other states now feature data privacy laws. Most will be familiar with the EU’s General Data Protection Regulation, also known as GDPR. Many other countries and regions are also beginning to pass similar cookie laws.
Do I need a cookie policy on my website?
If your website uses cookies, the short answer is yes, you need a cookie policy. Even if your business isn’t physically located in a jurisdiction covered by a cookie consent law, you may still receive web traffic from those regions and process the personal data of people protected by such a law. While you can tailor your cookie notices to only appear to residents within a given location, asking for cookie consent from all of your website visitors is a best practice.
Cookie consent requirements
One of the cookie consent requirements under the GDPR (and most other data privacy laws) is that consent must be freely given, specific, informed, and unambiguous. Specifically, this also means that in order to be compliant with GDPR, website visitors must choose to opt in before you can drop cookies onto their browser. That’s in contrast to opt-out laws, where cookies can be loaded until the user says otherwise.
When they’re permitted to by their governing law, many businesses use an opt-out model since some visitors default to rejecting cookies or exit cookie banners without indicating their preference. The CPRA is an example of a law that allows businesses to do this.
The CPRA’s cookie consent requirements are a little different from the GDPR. While CPRA does not expressly require that a company use opt-in consent for their cookies, they do require companies to disclose that cookies are being used and what the information gathered will be used for. Under the CPRA and other data privacy laws, data collected by cookies is considered personal information. The CPRA gives California residents the right to request access or deletion of their personal information, including data collected by cookies.
The basics of cookie consent requirements across the GDPR, CPRA, and other cookie laws are to first disclose that your website uses cookies, how you use cookies, and what rights visitors have in regard to the use of cookies. This can be done with a pop-up notice or a banner at the bottom of the website.
Cookie consent popups
A cookie consent manager uses banners or popups to collect consent, provide privacy disclosures, and meet other requirements under the law. Some consumers have also started to use universal preference signals, like the Global Privacy Control, as a means of bypassing these cookie consent popups, but most still expect to indicate their consent on a popup. To be compliant, many laws require you to accept consent through both avenues.
As described previously, opt-in and opt-out cookie consent popups are the two main approaches to cookie consent. There are also notice-only cookie banners, which inform the visitor that the website uses cookies but don’t provide any mechanism for opting into or out of their use. The only choices a user has with a notice-only banner are to disable cookies in their browser entirely or leave the website. These banners, however, are increasingly uncommon and are not compliant with most modern data privacy laws.
Cookie consent examples
Not every website does cookie consent in the same way. As we mentioned earlier, there are three different kinds of consent (opt-in, opt-out, and notice-only), and not all forms of consent are compliant with data privacy laws.
Other regional requirements may also exist—for example, Brazil, Canada, U.S. states, and other jurisdictions all have privacy laws with different requirements around cookie consent. Cookie consent tools make it simple for businesses to properly display the appropriate cookie consent banners based on the user’s location—but what do those cookie banners actually look like?
Let’s look at a cookie consent example from Osano. We use the Osano Consent Management Platform (CMP) to manage cookies on our website. Osano CMP automatically detects where a visitor is located and delivers the corresponding banner, so if a visitor came from an opt-out jurisdiction, a banner would appear stating that “This website stores data such as cookies to enable essential site functionality, as well as marketing, personalization, and analytics. By remaining on this website, you indicate your consent.” The banner then links to our cookie policy.
Our cookie policy provides clear instructions on how visitors can turn off or customize their cookies, which is accomplished by clicking the Osano Cookie Consent Tool icon in the lower left-hand corner of the visitor’s screen (if they’re visiting a website that uses Osano to manage consent).
Users are then presented with toggles to accept or reject marketing, personalization, and analytics cookies, as well as an option to opt out of the sale or share of personal information for targeted advertising (not pictured here).
If a visitor were to come to osano.com from a jurisdiction that is subject to the GDPR, then the banner might look something like this:
Note that each country subject to the GDPR has its own requirements for cookie banners.
Taking a look at cookie consent examples from other businesses may give you an idea of what sort of banner you need to display on your website.
GDPR cookie consent
The Osano cookie banner shown above serves as a good GDPR cookie consent example. GDPR cookie consent requirements dictate that an organization must:
- Obtain user consent before deploying any cookies except strictly necessary cookies.
- Inform users how and why the cookies collect data and what it is being used for.
- Record and store cookie consent from users.
- Allow users to access the site or service even if they withdraw consent from certain cookies.
- Create a process for removing consent and cookies that makes it as simple as possible.
Cookie consent must be freely given, specific, informed, and unambiguous. That is the direct language from Article 4 of GDPR.
It is also common to include a link to your cookie policy that includes greater detail about the cookies your website uses. This is a great place to provide more information about cookie customization and let your users know what they are giving up when they decline unnecessary cookies such as marketing or analytics cookies.
Cookie consent managers
A cookie consent manager is a software tool that helps businesses secure cookie consent from website visitors, manage cookies based on the visitor’s consent preferences, and record that consent. Osano serves as an example of this class of solutions—websites running Osano automatically deploy a cookie consent banner that complies with the visitor’s local data privacy law and language preference.
A cookie consent management tool can be a major asset to a business seeking to remain compliant with ever-changing data privacy laws. There can be hefty fines for GDPR noncompliance. For example, Amazon was issued an $877 million fine in 2021 for GDPR violations. Most organizations won’t be accruing GDPR violations at the same rate as Amazon, but GDPR fines can still be an existential threat to a growing business.
Rather than use a consent manager, some businesses opt for GDPR cookie consent plugins for WordPress or similar plugins for web tools. The trouble is, these plugins often offer the bare bones of compliance. They often provide a one-size-fits-all cookie consent popup that is either excessively strict (causing you to be in compliance but lose out on valuable business intelligence) or too permissive (leaving you noncompliant in many jurisdictions).
Cookie consent plugins also lack many of the ancillary benefits that make compliance many times simpler. The Osano cookie consent manager, for instance, also provides cookie policy templates that are easy to tailor to your business—other approaches to cookie compliance force you to develop those policies from scratch.
Rather than rely on plugins or subpar solutions, businesses looking for the best cookie consent manager should keep an eye out for solutions that:
- Discover cookies and other data trackers running on your website.
- Recommend cookie categories (like marketing, personalization, etc.) that users can individually consent to or reject.
- Automatically display the appropriate banner and language to visitors based on their governing laws and language preferences.
- Function without requiring complicated integrations into your tag manager or manual tweaks to your codebase.
- Maintain a history of users’ past cookie consent preferences to prove compliance should the need arise.
Where to learn more
Cookie consent management is a complicated topic, and there’s only so much we can explore in a blog post. There are other questions to answer, like:
- How do you set up a cookie consent program?
- What is involved in cookie consent? Is it just putting a banner up on your site?
- When should you ask for tracking consent and show the cookie policy?
- How do you update a cookie list for GDPR cookie consent?
- What happens if you don't use a cookie consent policy on your website?
We explore these and other questions in our free ebook, Cookie Consent Management FAQ. You can download a copy here.