Guide to a GDPR Compliant Cookie Banner [Country-wise Guidelines]

Cookie banners have now become an indispensable part of the web browsing experience, thanks to privacy regulations like the GDPR in the EU and UK, CCPA in the US, LGPD in Brazil, and similar privacy laws across the world. While cookie banners are necessary for compliance, in an increasingly privacy-conscious world, a cookie banner can also communicate your brand value and align with users’ expectations of transparency.

A cookie banner is a notice often displayed on a user’s first visit to a website that informs them about the cookies and trackers the site uses and asks for the user’s consent to store cookies on their devices.  You must have noticed the cookie banner when you visited this site.

Before the advent of data privacy laws, websites often used a notice-only cookie banner that informed about cookie usage but did not ask users’ permission to load cookies on their devices, similar to the one shown below.

But this started changing with the arrival of data privacy laws across the world, especially the European Union’s General Data Protection Regulation (GDPR).

Cookie banners can come in different layouts and styles according to the website’s design and branding. It’s important that cookie banners are user-friendly and privacy-compliant. Here are a few examples of GDPR-compliant cookie banners, powered by CookieYes CMP, a consent management platform trusted by over 1.3 million websites for cookie compliance with privacy laws like the GDPR, CCPA, LGPD, PDPL (Saudi Arabia) and more.

Banner layout

Footer or header banners are oft-used by websites to request cookie consent. In a study of consent banners in the EU, close to 58% used bottom banners and 27 % used top banners, similar to a website header or footer (bar style). These banners are non-intrusive and do not interrupt the content or user experience of the website. 

Floating layout

Floating box layouts or popups are also seen on websites often placed in the left or right corner of the site. These types of banners are non-intrusive and can be aligned with the site’s aesthetic. 

Custom design

You can implement a simple cookie banner on your website that is not intrusive and also aligns with your website’s branding. On the other hand, you can add advanced CSS customizations and branding and tailor your banner to your website’s design.

Granular control

Usability and ease of giving consent are important for the effectiveness of a cookie banner. Users should be able to easily control their cookie preferences on the banner or on the second layer.

Multilingual banner

Cookie banners should be made available to users in the language of your website or should be auto-translated in the case of multi-lingual websites. This ensures that your users are making an informed choice about cookie consent.

Mobile-responsive

Cookie banners should also be optimized for different devices. CookieYes banners are intuitive and can be tailored for mobile and tablet users, to give them a user-friendly cookie banner.

Using CookieYes you will be able to implement a cookie consent banner on your website in minutes. You can create a personalized banner with custom branding or stick to a simple cookie banner. 

General Data Protection Regulation and the ePrivacy Directive (or EU cookie law) are the two main laws that govern the use of cookies in the European Union. Cookie guidelines published by various data protection authorities like the French CNIL and Irish DPC are also applicable to websites that cater to the respective EU countries.

A cookie consent banner is essential for compliance but is not sufficient on its own. Here’s a checklist that will help you implement a cookie consent mechanism on your website that is fully compliant with the GDPR.

• Display a custom cookie consent banner as per your website’s design
• Provide a user-friendly layout optimized for different devices
• Inform users about cookie usage in plain and jargon-free language 
• Display auto-translated banner according to user’s browser language
• Showcase different cookie categories used on your website
• Provide granular options to accept/reject different cookie categories
• Display ‘accept’ and ‘reject’ buttons on the banner
• Auto-block third-party scripts till users give consent
• Link to a compliant cookie policy on the cookie banner
• Display a revocable cookie banner so users can easily withdraw consent
• Record user consents for proof of compliance

This is the easiest part. With CookieYes CMP, you can implement a custom GDPR-compliant cookie banner within minutes.

Step 1. Sign up on CookieYes for free

The first step is to Sign up on CookieYes. It’s free for 14 days. You can cancel anytime. All you have to do is fill in your email address, your website domain and your password. You can get started with our cookie banner generator!

Step 2. Select and customize the template

On signing up, you will be directed to a setup screen. Here you can select a cookie banner template and fully customize it. Or you can select the default (GDPR-compliant) banner, preview it on your website and head to the next step.

If you want to add personalization to your banner, you can customize your cookie banner. You can read the detailed customization guide.

• Layout: Select a banner layout, including all the examples above, and more. You can choose from different consent types, but we recommend ‘explicit consent’ for GDPR compliance.
• Content: You can fully customize the cookie banner text, button texts, content of the audit table and also add a link to your privacy policy/cookie policy. You can choose multiple languages for an auto-translated cookie banner.
• Colour: You can customize the colour of the cookie banner as well as the text to match your site’s design.
• Behaviour: You can add a cookie widget to revisit consent, geo-target the banner, and display a cookie audit table.
• CSS customizations: To further stylize the banner and modify its functionality, you can add custom CSS.

Step 3. Activate your cookie banner

Now that you are happy with how your banner looks, you can activate it on your website. You have to copy the script and paste it between the <head> and </head> tags on your website.

Complicated? Access the CMS setup guides, follow the instructions and you will have a GDPR-compliant cookie consent banner on your website!

Territory	Cookie Guidelines
European Union	Give equal prominence to ‘accept’ and ‘reject’ buttons. Inform users of cookies and its purposes in plain language. Include a link to the cookie settings so users have granular control over cookies. Include a link to the cookie policy. Keep cookie consent separate from other terms and conditions. Cookie walls are not acceptable as consent cannot be conditional. Keep cookie consent separate from processing for other purposes.      Source: EDPB
United Kingdom	Give equal prominences to “accept” and “reject” options. Inform users of cookies and its purposes in plain language. Provide access to cookie settings so users have granular control over cookies. Include a link to the cookie policy. Keep cookie consent separate from other terms and conditions. The opt-in consent for cookies must not be pre-enabled. (eg pre-checked boxes) Don’t use cookie walls that block access to the website if the user doesn’t give cookie consent. Consent choices should have a shelf life, after which websites should ask for consent again. Implied consent is not acceptable (e.g. consent implied from the continued use of the website.)      Source: ICO
Germany	Provide both ‘accept’ and ‘reject’ buttons at the same level. Inform users of cookies, including third-party cookies and its purposes in plain language. Information in the banner should be aligned with the information in the privacy/cookie policy. If using cookie popups that block access to content, provide an explicit ‘reject’ button. Scrolling the website, clicking or similar actions cannot be taken as consent and hence cookies cannot be set. Nudging is not valid consent, for eg. when rejecting cookies requires more clicks than accepting them. Link your privacy policy on the banner so that users have easy access to it. The opt-in consent for cookies must not be pre-enabled. (eg pre-checked boxes) Provide a callback widget to review or change consent in an easy manner. Store users’ consent choices so that the banner does not reappear at every visit.      Source: DSK (in German)
France	Give equal prominences to ‘accept’ and ‘reject’ buttons. Inform users of cookies and its purposes in plain language. Provide access to cookie settings so users have granular control over cookies. Include a link to the cookie policy. Keep cookie consent separate from other terms and conditions. The opt-in consent for cookies must not be pre-enabled. (eg pre-checked boxes) Don’t use cookie walls that block access to the website if the user doesn’t give cookie consent. Consent choices, whether accepted or rejected, must be stored for at least 6 months. Obtain users’ consent individually for different site, if cookies are used for cross-site tracking. Flexible consent exemptions for using analytics cookies.      Source: CNIL (in French)
Italy	Give equal prominence to ‘accept’ and ‘reject’ buttons in same colour, font and size. Inform users of cookies and its purposes in plain language. Provide a close (X) button on the top-right corner so users can dismiss the banner. Inform users of what closing the banner would mean. Include a link to the cookie settings so users have granular control over cookies. Include a link to the privacy policy/cookie policy or a second layer with detailed information. Ask for cookie consent only if at least after 6 months have elapsed since the banner was last shown. Scrolling the website cannot be taken as consent and hence cookies cannot be set. A callback widget to review or change consent in an easy manner.      Source: GPDP (in Italian)
Spain	Use layered banners to avoid information overload. Identify the website publisher’s name in the cookie banner. Inform users of cookies, including third-party cookies and its purposes in plain language. Include a clear, visible link to the cookie settings that is directed to the second layer so users have granular control over cookies. When third-party cookies are used, their information (name or trademark) should be displayed in the cookie policy or in the second layer. Re-ask for cookie consent after no longer than 24 months have elapsed since consent was last taken. Scrolling the website cannot be taken as consent and hence cookies cannot be set. Provide easy access to remove/withdraw consent.      Source: AEPD

Are you still wondering if your site needs a cookie banner that adheres to GDPR? Most certainly, yes. If you are a website that functions in any of the EU countries or has visitors from the EU, you require a consent banner to comply with the GDPR and the ePrivacy Directive. 

Data privacy laws often have extraterritorial scope meaning they can cover businesses beyond their geographical boundaries. If your website has visitors from the EU, the UK etc. you can be subject to the respective privacy regulations. Therefore, it is the best practice to implement a compliant cookie banner for your website.

Yes. In the EU, non-compliance with the GDPR can attract substantial GDPR fines. As the lawful basis for processing is one of the core principles of the GDPR, violations of consent can inflict monetary penalties. 

The French regulator CNIL fined Google and Amazon a total of €135 million for placing advertising cookies on users’ devices without obtaining prior consent and for not providing adequate information about the use of cookies. The CNIL also issued fines against Carrefour for similar cookie violations.

The Spanish DPA fined Vueling Airlines and Twitter a €30,000 fine for not giving users the option to reject cookies or manage cookie preferences. In 2021, privacy watchdog NOYB has initiated a campaign to review the use of cookies on 10,000 most-visited EU websites and file complaints with regulators.

While the fines may sound alarming, there is no need to worry. With the right cookie consent manager like CookieYes, compliance can be a cakewalk. 

There are two things to remember before considering a cookie banner for a US-based website. Firstly, while the US does not have a federal data privacy law like the EU directly affecting the usage of cookies, GDPR may apply to US websites. (Read: GDPR checklist for US companies). Remember that even if your website is not based in the EU, but caters to users from the EU, you will have to comply with the GDPR. This means that your website is required to display a cookie consent banner. 

Secondly, state-level legislation in the US like the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (CDPA) establishes rules to protect users’ personal data and give them rights over it. The CCPA and CDPA give users the right to opt-out of processing of personal data for targeted advertising, sale of personal data and profiling. In this case, you may not require a cookie banner, but instead, have to display an opt-out cookie notice. 

CCPA opt-out cookie notice

A CCPA-compliant opt-out notice should:

• Inform users about your website’s use of third-party cookies
• Inform users about their CCPA right to opt-out 
• Have a ‘Do Not Sell’ button to allow consumers to opt-out of the sale of their personal information.
• Auto-block third-party scripts till user opts out
• Record user action for proof of compliance

CookieYes can help your website display a cookie opt-out notice and geo-target it for US or California users. If your website caters to both EU and US users, you can geo-target your banner and display both a GDPR cookie banner and CCPA opt-out notice as per the user’s location.

No. If implemented correctly cookie banners will not affect your SEO. If cookie banners are not intrusive, GoogleBot will be able to crawl your website. Google stresses avoiding intrusive interstitials and clarified that important notices like cookie banners will not negatively impact a site’s search performance.

Cookie banners are fine. The thing to avoid is replacing your page's content with an interstitial – then we just won't be able to index the content at all.

— johnmu likes 🥚 staplers 🥚 (@JohnMu) January 16, 2020

You should display your cookie banner on the top, side or footer of your page where it does not obstruct the content on the page. It should also be optimized for different devices so that the banner does not take up half the screen, for instance on mobile devices.

Cookie banner or cookie notice is an alert or popup displayed on a website to request consent from visitors on the use of cookies, as required by privacy regulations such as the GDPR, LGPD, and CCPA. The cookie banner will inform visitors that the website uses cookies and ask for the visitor’s permission to set cookies on their browser. 

Cookie policy is a detailed disclosure that explains a website’s use of cookies. It documents what cookies are, the types of cookies used on your website, why they are used and how these cookies are used to collect information from visitors. While privacy regulations may not explicitly require sites to have a cookie policy, it is often a standard practice adopted to respect user privacy and display transparency about data collection.

Most likely, yes because it’s good practice. It also depends on whether your website caters to visitors from the EU or the US. The GDPR and the ePrivacy Directive require websites to inform users about how their data is collected and processed. As cookies are also part of GDPR’s definition of personal data, a cookie policy is important for websites in the EU, or websites that cater to users in the EU. You can create a separate cookie policy and link it to your cookie banner, so users can give their informed consent. 

In the US, CCPA requires websites to disclose the collection and use of personal information through cookies. The CCPA does not require websites to have a separate cookie policy, you can include it in your privacy policy.

Creating a custom cookie policy can be quick and easy with CookieYes. You can scan your website for cookies and automatically generate a cookie audit table that is added to your cookie policy.

If you’ve already signed up on CookieYes. Follow these steps: 

Step 1. Head to the CookieYes Dashboard.

Step 2. Scan the website for cookies

Step 3. Click on Cookie Policy Generator

Step 4. Customize the content of the cookie policy 

Step 5. Preview and generate the cookie policy

You can now copy the text or HTML and paste it within your privacy policy or as a separate page on your website. You can then go ahead and link it to your cookie banner.

Lastly, if your website has a cookie banner, here’s a quick checklist to see if it’s compliant. If your banner has any of the following characteristics, it needs a revamp.

• There is no clear information on all the cookie categories used.
• The purpose of cookie usage is not stated.
• It has pre-ticked boxes for cookies other than strictly necessary ones.
• It does not have a reject button or option to customize cookie settings.
• It blocks the user from browsing the site till they accept it.
• Buttons are designed to nudge users to accept.
• It does not link a cookie/privacy policy.
• There is no option to consent to specific cookie categories.
• It does not automatically block third-party scripts.
• The user consents are not systematically recorded.

Sign up on CookieYes and create a cookie banner and see for yourself!

Why do cookies require consent?

Online identifiers like cookies, IP addresses, advertising IDs, pixel tags, account handles, device fingerprints, and radio frequency identification (RFID) tags, can be used in combination and used to create profiles of individuals and identify them. Hence, cookies can be considered personal data and are subject to privacy laws like the GDPR, LGPD (Brazil), CCPA, etc. 

What is GDPR cookie consent?

As per the GDPR, consent is one of the lawful bases for processing personal data in the EU. Websites use consent as the legal basis for storing and collecting data from cookies. What this means is that websites have to obtain consent from users before storing cookies on their devices. This is why cookie notifications are now oft-referred to as GDPR cookie consent banners.

According to Article 4 of GDPR, consent should involve a clear affirmative action and should be freely given, specific, informed and unambiguous. Article 7 states additional requirements – proof of consent, the ability to withdraw consent and that consent requests have to be easily accessible and use clear and plain language. To sum up, your website should display a GDPR-compliant cookie consent banner.

What is the EU cookie law?

The ePrivacy Directive or the EU cookie law is another set of rules that regulate the use of cookies. It requires that websites get users’ informed consent before storing cookies on their devices. The Directive makes an exception for strictly necessary cookies that are essential for the functioning of a website. The ePrivacy Directive supplements the GDPR and together comprises the EU cookie banner rules. 

How do I add cookie banner to my website?

To add a cookie banner to your website, you need to sign up for free on CookieYes CMP.

1. Select a banner layout from the pre-built templates and customize it to your liking
2. Copy the cookie banner installation code
3. Paste the code on your website’s source code and publish

A cookie banner will be live on your website instantly! For detailed instructions to add a cookie banner to your website builder or CMS, follow these guides:

Cookie banner Wix, Cookie banner WordPress, Cookie banner Squarespace, Cookie banner Joomla, Cookie banner Shopify, Cookie banner Blogger, Cookie banner Weebly, Cookie banner Drupal, Cookie banner Magento, Cookie banner ImpressPages, Cookie banner Kajabi, Cookie banner Kartra, Cookie banner MODX

How do I add a cookie banner on Wix?

Implement a cookie banner on your Wix website in just 3 steps using CookieYes CMP, for free.

1. Sign up and select a banner layout for your site
2. Copy the cookie banner installation code
3. Paste the code on your Wix website

For step-by-step instructions, follow Cookie banner Wix

How do I add a cookie banner to my WordPress site?

You can easily add a cookie banner to your WordPress website in just 3 simple steps using CookieYes CMP. 

1. Sign up for free and select a cookie banner layout
2. Copy the cookie banner installation code
3. Paste the code on your website

For step-by-step instructions, follow Cookie banner WordPress

How do I add a cookie banner to Shopify?

To add a cookie banner on your Shopify website, sign up for free on CookieYes CMP, then: 

1. Select and customize a cookie banner layout
2. Copy the cookie banner installation code
3. Paste the code on your Shopify website’s source code

For step-by-step instructions, follow Cookie banner Shopfiy

How do I add a cookie banner to Squarespace?

Add a cookie banner on your Squarespace website easily with CookieYes CMP. 

1. Sign up for free and select a cookie banner layout
2. Copy the cookie banner installation code
3. Paste the code on your website’s source code

For step-by-step instructions, follow Cookie banner Squarespace

What should a cookie banner say?

Cookie banners should state the website’s use of cookies and the purposes for which they are used. The cookie banner text should use crisp, jargon-free language. 

In the second layer of a cookie banner, it should include detailed information about the different cookie categories, the purpose of each cookie, the duration it will be stored in a user’s device and if the website shares the data collected with any third parties.

How do I know if my website uses cookies?

Most websites use cookies. The easiest way to find out if your site uses cookies is to conduct a cookie scan. You can use the in-built scanner in CookieYes or can use this free cookie scanner. The scanner will crawl through your websites, activate hidden cookies and trackers, identify and categorize them and generate a cookie audit report.

Is cookie notice and cookie banner the same?

Cookie notice, cookie notification, cookie popup, cookie warning, cookie consent banner etc. are all different names for a cookie banner. The important thing to remember is, if your business falls under the scope of a privacy law that regulates cookies, you require a cookie banner on your website.

What are strictly necessary cookies?

Strictly necessary cookies are cookies that are exempt from cookie consent.  As the name suggests, they are essential for the website to function properly. For instance, they are cookies that are essential to access certain features of the website such as signing in, adding items to a shopping cart, or making online payments etc. 

What is valid consent?

For consent to be valid, it should  be:

• Freely given: The user should have a genuine choice.
• Specific and informed: You should explain the use of cookies, the purposes for which they are used, and how the user can withdraw consent at any time.
• Unambiguous and affirmative: Consent should be given via a clear and positive action, such as clicking on the ‘Agree button’.