Now, it's highly unlikely that you have never seen a cookie banner before. Over the past couple of years, there has been a huge rise in banners on websites informing visitors of cookies.
These pop-ups are a result of the 2002 ePrivacy Directive, also known as the European Cookie Law. But when asked why you need a cookie banner, most people will probably refer to the GDPR. So, if you're a webmaster or sitting in a marketing team wondering why you should have a cookie banner on your website, this article will explain just that.
A cookie banner is a pop-up on your website that tells your visitor that you are using cookies.
Fair enough, you've seen them. "We use cookies, if you continue, you accept". But actually, a cookie banner isn't to be considered just a notice about cookies. It's to be considered a consent pop-up. Why? Because when using cookies, and especially cookies which collect your users' personal data, there are a couple of privacy laws that kick into action.
Most of these laws regulate the processing of personal data. And that's what the bulk of cookies collect: personal data about your visitor to be used for marketing purposes.
First of all, let's just take a quick look at what cookies really are and why they are covered by legislation. Cookies are small text files stored in your visitor's browser by your website. These files typically contain information about your visitor's preferred language or shopping cart items but can store a wide range of information, including personally identifiable information.
Cookies basically do two things: they can improve the visitor's experience of your website, and they can track the user's behavior to build online retargeting profiles for marketing. Personal data includes online identifiers, device IDs, user IDs, IP addresses etc.
And typically, they are placed on your visitor's computers and phones by some of the services that you use. And because cookies collect information about your user that can directly or indirectly identify the user, it's considered personal information and is governed under law.
We have written more about cookies here: What is a cookie in detail
Do I really need a cookie banner?
Yes, if your website uses cookies – both your own and from third parties – you need a cookie banner. The requirements largely come from the European ePrivacy Directive (aka the "cookie law") from 2002, but the General Data Protection Regulation (GDPR) also has a say in this matter. Looking more closely at current privacy regulations, the ePrivacy Directive requires websites to collect informed consent to cookies and other tracking technologies.
That means, you are only required to inform users of cookies before you set them.
However, the GDPR changed that game. Since most cookies collect your visitors' personal information (IP address, location, device ID, user ID etc.) and process this data primarily for marketing purposes, the GDPR takes over.
The GDPR doesn't really talk about cookies, but about the data that cookies and other tracking technologies (e.g., fingerprinting) process. And, according to the GDPR, you need to collect valid consent before processing any personal data collected through e.g., cookies.
So, what should be in a cookie banner?
On November 1, 2019 the European Court of Justice ruled, in the case against German online lottery Planet49, that all websites using cookies must have a cookie banner that obtains valid consent before setting cookies.
Moreover, cookies cannot be pre-selected for the user.
Link: Europe's top court says active consent is needed for tracking cookies.
First of all, the legal requirements for a cookie banner are quite simple.
The banner must provide the user with:
This information must also be available in your cookie policy.
And then – most importantly – the banner must give the user the option of either accepting or declining your use of cookies.
The user actually has to be able to say, "cookies, no thanks". That's the whole point of consent.
When you have your user's consent, you should of course make sure this consent is securely stored. Just in case the Data Protection Authorities want to see it.
And they do check!
The French Data Protection Authority CNIL is very active.
Link: CNIL to enforce cookie rules
Yes!
The ePrivacy Directive (article 5(3)) requires prior informed consent for storage or access of information stored on a user's terminal equipment.
In other words, you must ask your users if they agree to your cookies (and other tracking technologies), before your site places the cookies.
"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information (..) about the purpose of the processing."
This, of course, shall not prevent you from using technically necessary cookies. That is, cookies that are necessary for the website to work.
How do I know which cookies my website uses?
However, the requirement for consent is strengthened with the GDPR. When your cookies collect users' personal data, you are required to collect valid consent before your site stores or gains access to any cookies.
We find that in Article 6(1)(a):
Processing is only lawful if:
The data subject [the user] has given consent to the processing of his or her personal data for one or more specific purposes.
Read more about prior consent to cookies here:
Link: What is prior consent?
The GDPR applies to anyone who wants to process the personal data of EU citizens regardless of whether the processing takes place in the EU or not.
In other words, you can have a website anywhere in the world – Italy, Russia, Chile, Togo – but if that website sells goods or offers services to EU citizens and in that activity also collects and processes the EU citizens' personal data, then the rules of the GDPR apply.
But what do all the other international regulations say about cookies and cookie banners?
This Regulation [GDPR] applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union.
The California Consumer Privacy Act (CCPA) is a Data Privacy law designed to increase privacy rights and consumer protection for residents of California, United States. The CCPA controls how businesses may collect, share and process personal information (PI) of Californian residents.
You can read more here:
Link: What is the CCPA?
The PDPA is Thailand's new Personal Data Protection Act 2019. The legislation comes into force on June 1st, 2021. The PDPA is similar to the GDPR as it concerns the processing of the personal data that cookies collect and store on users' devices, i.e., their computers, tablets and smartphones. The PDPA sets rules for how website and app owners may collect and process their users' personal data, e.g., through the use of cookies.
You can read more here:
Link: PDPA and cookies
The LGPD, or Lei Geral de Protecao de Dados, is Brazil's new version of the EU's General Data Protection Regulation (GDPR). The LGPD will apply to any business, organization or individual that processes the personal data of the people in Brazil, regardless of where that business, organization or individual may be located. This also applies to cookies and cookie banners.
You can read more about the LGPD here:
Link: What is the LGPD?
A cookie banner works by creating a pop-up when users visit the website for the first time.
It presents the user with information about the cookies your site uses. This information can be automatically scraped with a professional solution and updated daily or weekly.
A good banner also makes sure that you can comply with privacy regulations by preventing cookies from being stored on the user's computer before the user has given consent.
You can use these consent data to optimize your banner to increase how many visitors accept cookies on your site.
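The blocking behavior described above can be sketched as a small consent gate. This is an added example, not code from any consent platform mentioned on this page. The class, category names and the in-memory `jar` (a stand-in for `document.cookie`) are hypothetical.

```javascript
// Added example: prior-consent gate for cookies. All names are hypothetical.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

class ConsentGate {
  constructor(now = () => new Date()) {
    this.now = now;
    this.record = null;   // no decision yet, so the banner must be shown
    this.jar = new Map(); // stand-in for document.cookie
    this.queued = [];     // cookies held back until the user decides
  }

  needsBanner() { return this.record === null; }

  // Nothing is pre-selected: only "necessary" is on before the user acts.
  granted(category) {
    if (category === "necessary") return true;
    return this.record !== null && this.record.choices[category] === true;
  }

  // Store the decision (accept or decline) so it can be produced on request.
  decide(choices, policyVersion) {
    const clean = {};
    for (const c of CATEGORIES) {
      clean[c] = c === "necessary" || choices[c] === true; // opt-in must be explicit
    }
    this.record = Object.freeze({
      choices: Object.freeze(clean),
      policyVersion,
      decidedAt: this.now().toISOString(),
    });
    const held = this.queued;
    this.queued = [];
    for (const q of held) this.setCookie(q.name, q.value, q.category);
    return this.record;
  }

  // Returns "set", "queued" (no decision yet) or "blocked" (declined).
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    if (this.granted(category)) { this.jar.set(name, value); return "set"; }
    if (this.record === null) {
      this.queued.push({ name, value, category });
      return "queued";
    }
    return "blocked";
  }
}
```

In a browser the same gate would wrap whatever writes cookies or loads third-party tags, so that a script asking for a marketing cookie before the banner is answered gets "queued" rather than a stored cookie.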
We are one of Europe's leading Consent Management Platforms providing our clients with premium and compliant cookie banners.
Our banners are consent pop-ups that comply with ePrivacy, GDPR, CCPA, LGPD, PDPA and all other privacy regulations.
The pop-ups are highly customizable, so you can add your company colors, logo and tone of voice when asking for consent to cookies.
What you get is a Consent Solution that ensures your compliance and builds trust with your users.
And now that we are Trusted Google Partners, you also get Consent Mode, so you can collect data even when users say no to cookies.
Link: What is Google Consent Mode?
The acceptance rate to cookies using our banner is on average 73.88%, but we have clients that are well over 90%. And with Google's new feature called Conversion Modeling using Consent Mode, Google can predict the ad-click-to-conversion path for up to 70% of all those users saying no to cookies.