What is a cookie banner?

What are the legal requirements for a cookie banner? And how do you get a cookie banner that actually complies with current legislation without messing up your website? Let’s take a look at the fundamentals.

Now, it’s highly unlikely that you have never seen a cookie banner before. Over the past couple of years, there has been a huge rise in banners on websites informing visitors of cookies.

These pop-ups are a result of the 2002 ePrivacy Directive, also known as the European Cookie Law.But when asked: why you need a cookie banner, most people will probably refer to the GDPR.So, if you’re a webmaster or sitting in a marketing team wondering why you should have a cookie banner on your website, this article will explain just that.

What is a cookie banner?

A cookie banner is a pop-up on your website that tells your visitor that you are using cookies.
Fair enough, you’ve seen them. “We use cookies, if you continue, you accept”. But actually, a cookie banner isn’t to be considered just a notice about cookies. It’s to be considered a consent pop-up. Why? Because when using cookies and especially cookies which collect your users’ personal data, there are a couple of privacy laws that kick into action.

Most of these laws regulate the processing of personal data. And that’s what the bulk of cookies collect: Personal data about your visitor to be used for marketing purposes.

If you are unsure whether your website is GDPR compliant, get a free compliance check here!

What is a cookie?

First of all, let’s just take a quick look at what cookies really are and why they are covered by legislation. Cookies are small text files stored in your visitor’s browser by your website.  These files typically contain information about your visitor’s preferred language or shopping cart items but can store a wide range of information including personal identifiable information.

Cookies basically do two things: They can improve the visitor’s experience of your website and they can track the user’s behavior to build online retargeting profiles for marketing. Personal data includes online identifiers, device IDs, user IDs, IP addresses etc.

And typically, they are placed on your visitor’s computer and phones by some of the services that you use. And because cookies collect information about your user that can directly or indirectly identify the user, it’s considered personal information and is governed under law.

We have written more about cookies here: What is a cookie in detail

Cookie banners and legal requirements

Do I really need a cookie banner? Yes, if your website uses cookies – both your own and from third parties – you need a cookie banner. The requirements largely come from the European ePrivacy Directive (aka the “cookie law”) from 2002 but the General Data Protection Regulation (GDPR) also has a say in this matter. Looking more closely at current privacy regulations, the ePrivacy Directive requires websites to collect an informed consent to cookies and other tracking technologies.

That means, you are only required to inform users of cookies before you set them.

However, the GDPR changed that game. Since most cookies collect your visitors’ personal information (IP-address, location, device-ID, user-ID etc.) and process this data for primarily marketing purposes, the GDPR takes over.

The GDPR doesn’t really talk about cookies, but the data cookies and other tracking technologies (e.g., fingerprinting) processes. And, according to the GDPR, you need to collect a valid consent before processing any personal data collected through e.g., cookies.

So, what should be in a cookie banner?

For a consent to be valid it must be:

You can read more about EU cookie regulations here:

Link: 3 EU cookie regulations you need to know about

EU Court of Justice' decision on cookies

On November 1, 2019 the European Court of Justice ruled – in the case against German online lottery Planet49, that all websites using cookies must have a cookie banner that obtains valid consent before setting cookies.

Moreover, cookies cannot be pre-selected for the user.

Link: Europe’s top court says active consent is needed for tracking cookies.

What should a cookie banner then say?

First of all, the legal requirements for a cookie banner are quite simple.

The banner must provide the user with:

This information must also be available in your cookie policy.

And then – most importantly – the banner must give the user the option of either accepting or declining your use of cookies.

The user actually has to be able to say, “cookies, no thanks”. That’s the whole point of consent.

When you have your user’s consent, you should of course make sure this consent is securely stored. Just in
case the Data Protection Authorities want to see it.

And they do check!

The French Data Protection Authority CNIL is very active.

Link: CNIL to enforce cookie rules

Here’s an example of how
a compliant cookie banner looks like.

Checklist to collecting valid consent to cookies.

Do I need to collect consent before using cookies?


The ePrivacy Directive (article 5(3)) requires prior informed consent for storage or access of information stored on a user’s terminal equipment.

In other words, you must ask your users if they agree to your cookies (and other tracking technologies), before your site places the cookies.

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information (..) about the purpose of the processing.​

This, of course, shall not prevent you from using technical necessary cookies. That is, cookies that are necessary for the website to work.

How do I know which cookies my website uses? 

However, the requirement for consent is strengthened with the GDPR. When your cookies collect users’ personal data, you are required to collect valid consent before your site stores or gains access to any cookies.

We find that in Article 6(1)(a):

Processing is only lawful if:

The data subject [the user] has given consent to the processing of his or her personal data for one or more specific purposes.

Read more about prior consent to cookies here:

Link: What is prior consent?

Who does the GDPR apply to?

The GDPR applies to anyone who wants to process the personal data of EU citizens regardless of whether the processing takes place in the EU or not.

In other words, you can have a website anywhere in the world – Italy, Russia, Chile, Togo – but if that website sells goods or offers services to EU citizens and in that activity also collects and processes the EU citizens personal data, then the rules of the GDPR apply. 

But what do all the other international regulations say about cookies and cookies banners?

This Regulation [GDPR] applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union. 3.

Other major legislations for cookie banners

The California Consumer Privacy Act (CCPA) is a Data Privacy law designed to increase privacy rights and consumer protection for residents of California, United States. The CCPA controls how businesses may collect, share and process personal information (PI) of Californian residents.

You can read more here:

Link: What is the CCPA?

The PDPA is Thailand’s new Personal Data Protection Act 2019. The legislation comes into force on June 1st, 2021. The PDPA is similar to the GDPR as it concerns the processing of the personal data that cookies collect and store on uses’ devices i.e., their computers, tablets and smartphones. PDPA set rules for how websites and app owners may collect and process their users’ personal data e.g., through the use of cookies.

You can read more here:

Link: PDPA and cookies

The LGPD, or Lei Geral de Protecao de Dados, is Brazil’s new version of the EU’s General Data Protection Regulation (GDPR). The LGPD will apply to any business, organization or individual that processes the personal data of the people in Brazil, regardless of where that business, organization or individual may be located. This also applies to cookies and cookie banners. 

You can read more about the LGPD here:

Link: What is the LGPD?

How does a cookie banner work?

A cookie banner works by creating a pop-up when users visit the website for the first time.

It presents the user with information about the cookies your site uses. This information can be automatically scraped with a professional solution and updated daily or weekly.

A good banner also makes sure that you can comply with privacy regulations by preventing cookies from being stored on the user’s computer before the user has given consent.

You can use these consent data to optimize your banner to increase how many visitors accept cookies on your site.

Website Consent product from Cookie Information

How can Cookie Information help you?

We are one of Europe’s leading Consent Management Platforms providing our clients with premium and compliant cookie banners.

Our banners are consent pop-ups that comply with ePrivacy, GDPR, CCPA, LGPD, PDPA and all other privacy regulations.

The pop-ups are highly customizable, so you can add your company colors, logo, tone of voice when asking for consent to cookies.

What you get is a Consent Solution that ensures your compliance and builds trust with your users.

And now that we are Trusted Google Partners, you also get Consent Mode, so you can data even when users say no to cookies.

Link: What is Google Consent Mode?

The acceptance rate to cookies using our banner is on average 73.88%, but we have clients that are well over 90%. And with Google’s new feature called Conversion Modeling using Consent Mode, Google can predict the ad-click-to-conversion path for up to 70% of all those users saying no to cookies.

Read more here.

Link: What is Conversion modeling?