Cookie Notice for GDPR and CCPA/CPRA

When you hear the term “cookie notice,” what comes to your mind? One that pops up on your screen when you visit a new website and one that’s embedded in the footer of every page.

Well, we’re here to give you the lowdown on what “cookie notices” are and why they are important for GDPR and CCPA/CPRA compliance.

 A cookie notice is a statement about the use of cookies on a website.

The term cookie notice is interchangeable with the term cookie consent banner or pop-up. While it is quite a confusing term, we cannot completely disregard it as wrong. The US data protection law, California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) requires websites to display ‘notice at collection’ at or before the point of personal information collection. This requirement comes close to defining a cookie consent banner. However, even in this case, most examples of notice at collection are privacy notices rather than cookie consent pop-ups. Many websites that are subject to CCPA have a dedicated ‘notice at collection page linked on their homepage. 

Besides, cookie banners are more about an agreement between a website and its users to use cookies other than notifying them about it. So,  in that terms, the cookie banner is a cookie consent notice.

Therefore, a cookie notice can be defined as a policy statement on a website that discloses details about cookies set by the site, its types, and their purposes. It gives information about how the users can opt out of non-necessary cookies and manage cookie preferences. 

 If your website uses cookies, and if it gets visitors from the EU or EEA member states, then you must have a cookie notice on your site. The GDPR and the ePrivacy Directive (or the EU cookie law) require websites to disclose details about how they use personal data, and why they use it. Therefore, a website cookie notice is required by the EU laws.

Furthermore, the CCPA/CPRA also requires websites to disclose these details as well.

Therefore, a cookie notice is required if your website uses cookies, especially those that are set by third parties like Google Analytics, YouTube, Hotjar, Facebook, etc., and those that track your visitors across other websites for advertising purposes. It’s more like an open channel of communication with your users about how you will use their data.

The GDPR and the ePrivacy Directive mandate that users are informed about how their data is collected and processed. Article 13 and Article 14 of the GDPR require that any information or communication relating to the processing of personal data is easily accessible and is available in clear and plain language. As cookies come under the scope of personal data, a cookie notice is required for websites in the EU, or websites that cater to users in the EU.

The cookie notice must be displayed on every page of a website where cookies are used, and it must include information about the cookies used by the website. This includes:

• a clear explanation of what cookies are used for;
• the purposes for which they will be used (e.g., to remember your login details, to analyse your use of an online service);
• the name(s) of any third party companies whose cookies are being used on the website; and
• an indication that visitors can refuse cookies and how to do it.

CCPA/CPRA does not require a separate cookie notice page. Businesses in the US, however, are required to have a privacy policy/notice that covers their use of cookies.

Websites are required to inform users on how they collect, use, share, and protect their personal information. Cookies fall under the scope of privacy disclosures and should be included in the privacy policy.

The policy page must include predominantly the following information :

• category of personal information the site collects or sells
• category of third parties where the information will be disclosed to
• rights of users
• opt-out options available to users

At the outset, you have to keep in mind while creating the cookie notice for your website to use concise, clear, and plain language. You should avoid legal jargon that may confuse the readers. 

The simpler the explanation, the better they will understand and trust you.

A GDPR and CCPA/CPRA-compliant cookie notice should include the following sections:

• The disclosure that you use cookies and what cookies are.

Many people visiting your website may have only little or no knowledge of internet cookies. This part will be useful to them. 

• Description of the types of cookies used by your site.

Now, this is the part where you have to list all the cookies that your website uses and what are their properties (type, primary function).

• An explanation of the purpose of these cookies.

You must provide what is the site’s purpose to use these cookies. It is a crucial part of the cookie notice, as it tells the users what happens to their data and how it is being processed by your site. This section could also explain who sets these cookies; if they are first-party or third-party cookies.

We recommend that you use a tabular format to list the different types of cookies and provide their details. E.g.

However, you can use your discretion to present the details in a format and template most convenient and that is compatible with your website’s design.

• Details on how users can opt out or set their cookie preferences.

Your visitors may want not to share their personal data or have their browsing activities tracked by you or third parties. You are liable to provide them with an option to opt out of such cookies.

In this part, you should mention various settings to manage or delete these cookies. The methods may include your website’s cookie consent settings, third-party website settings, and internet browser settings to block or remove such cookies.

Make sure your visitors are aware of their right to withdraw the cookie consent at any time.  

Apart from these, the best practices also include adding the last updated or effective date of the policy so that the users are aware of recent changes. You can also add the contact information if not already done in your site’s privacy notice. 

Watch how to add a cookie notice on a website using CookieYes:

Let us look at some good examples of cookie notices that are compliant with GDPR and CCPA/CPRA.

Siemens starts its cookie notice with a declaration that they use cookies and a brief but adequate description of what cookies are with different types of cookies. It also mentions the legal grounds for processing each type of cookie in layperson’s terms. 

Dow Jones’ cookie notice uses a tabular format to provide information about each type of cookie and its purposes.

Visa uses an accordion-style design for its cookie notice and specifically mentions that it does not collect any personally identifiable information. It also links to its privacy notice for further information.

CookieYes’ cookie notice has a dedicated section for details about managing cookie preferences. 

Here, you will find a button Cookie Settings clicking on which will open the cookie consent banner and the users can then set or change their consent preferences as shown:

It also gives links to browser settings for managing or deleting cookies.

Honeywell also gives links to various browser settings for managing cookies and to manage cookie settings (Privacy Preference Center). It also lists links to the other website settings to opt-out of third-party cookies.

A “cookie banner” is often used interchangeably with the terms “cookie notice” or “cookie consent notice.” These banners serve as the initial point of interaction between a website and its users regarding the use of cookies and are essential for compliance with various data protection laws like GDPR and CCPA/CPRA.

Through a cookie consent notice, websites can obtain consent from users for the use of cookies. This is particularly critical for cookies that track user activity or collect personal data for purposes such as analytics, advertising, and functional services.

Key elements of an effective Cookie Consent Notice:

1. Clear information: Provide a brief explanation of what cookies are and why they are used, presented in simple language.
2. Cookie types: The banner should categorize the cookies used (e.g., necessary, analytics, marketing) and offer an overview of their purposes.
3. Consent choice: Ensure options are available for users to accept all cookies, reject non-essential cookies, or customize their preferences.
4. Cookie Policy link: Include a link to the full cookie policy notice or privacy policy for users seeking more detailed information.
5. Accessibility: The banner should be prominently displayed without obstructing website navigation and be accessible to all users.

Compliance with legal requirements

• Under GDPR, explicit consent is required for non-essential cookies. The banner must enable users to make an informed choice, including the option to decline non-essential cookies.
• For CCPA/CPRA, while a separate cookie notice page is not specifically mandated, the use of cookies falls under privacy disclosures. It is crucial that cookie banners are aligned with these disclosures.