Ultimate Guide to Cookie Banner

Guide to a GDPR Compliant Cookie Banner

Last updated on September 14, 2021|Published on August 18, 2021

Cookie banners have become an indispensable part of the web browsing experience, thanks to privacy regulations such as the GDPR and the ePrivacy Directive in the EU, the CCPA in California, the LGPD in Brazil and similar privacy laws across the world. While cookie banners are necessary for compliance, in an increasingly privacy-conscious world a cookie banner can also communicate your brand’s values and its alignment with users’ expectations.

This post details the best practices for a compliant cookie banner, explains how to create one for your website, and answers frequently asked questions about cookie consent, cookie laws and how they affect websites inside and outside the EU.

What is a cookie banner?

A cookie banner is a notice often displayed on a user’s first visit to a website that informs them about the cookies and trackers the site uses and asks for the user’s consent to store cookies on their devices. 

Before the advent of data privacy laws, websites often used a notice-only cookie banner that informed visitors about cookie usage but did not ask for their permission before placing cookies on their devices.

A notice-only cookie banner that is not compliant with the GDPR.

But this started changing with the arrival of data privacy laws across the world, especially the European Union’s General Data Protection Regulation (GDPR).

GDPR compliant cookie banner from CookieYes

CookieYes is a cookie consent solution trusted by over 1 million websites to achieve cookie compliance. It gives your website a privacy-compliant and user-friendly consent mechanism through customizable cookie banners.

Custom design

You can implement a simple cookie banner that is not intrusive and aligns with your website’s branding. Alternatively, you can add advanced CSS customizations and branding to tailor the banner to your website’s design.

A minimal banner from CookieYes with custom design and colours.
CookieYes cookie banner settings to customize the user’s cookie preferences.

Granular control

Usability and the ease of giving (or refusing) consent are another important factor in the effectiveness of a cookie banner. With CookieYes, users can control their cookie preferences per category with simple toggles.

CookieYes cookie banner with cookie category preview. 

Mobile-responsive

Cookie banners should also be optimized for different devices. CookieYes banners are intuitive and can be tailored for mobile and tablet users, so that the banner remains usable on small screens.

CookieYes cookie banner settings in mobile view.

The GDPR and the ePrivacy Directive (or EU cookie law) are the two main laws that govern the use of cookies in the European Union. Cookie guidelines published by national data protection authorities, such as the French CNIL and the Irish DPC, also apply to websites that cater to users in the respective EU countries.

GDPR cookie consent

You may have come across the term ‘GDPR cookie consent’ concerning cookie banners. It refers to the consent requirements of the GDPR and how it extends to cookie usage on websites.

Under the GDPR, consent is one of the lawful bases for processing personal data in the EU, and it is the basis websites rely on for the personal data they collect through cookies. In practice this means that websites have to obtain consent from users before placing non-essential cookies on their devices. This is why cookie notifications are now often referred to as GDPR cookie consent banners.

Article 4(11) GDPR defines consent as a freely given, specific, informed and unambiguous indication of the data subject’s wishes, given by a statement or by a clear affirmative action. Article 7 adds further conditions: the controller must be able to demonstrate that consent was given, the request must be clearly distinguishable from other matters and written in clear and plain language, and consent must be as easy to withdraw as it was to give. A GDPR compliant cookie consent banner has to meet all of these conditions.

The ePrivacy Directive, or EU cookie law, is the set of rules that regulates the use of cookies. Its Article 5(3) requires that websites obtain users’ informed consent before storing cookies on, or reading information from, their devices. The Directive exempts cookies that are strictly necessary to provide a service the user has explicitly requested (and those used solely to carry out a transmission). The ePrivacy Directive supplements the GDPR, and together they make up the EU cookie banner rules.

GDPR compliant cookie banner checklist

A cookie consent banner is essential for compliance but is not sufficient on its own. The following checklist will help you implement a cookie consent mechanism on your website that meets the GDPR’s requirements.

  • Display a custom cookie consent banner as per your website’s design
  • Provide a user-friendly layout optimized for different devices
  • Inform users about cookie usage in plain and jargon-free language 
  • Display auto-translated banner according to user’s browser language
  • Showcase different cookie categories used on your website
  • Provide granular options to accept/reject different cookie categories
  • Display ‘accept’ and ‘reject’ buttons on the banner
  • Auto-block third-party scripts till users give consent
  • Link to a compliant cookie policy on the cookie banner
  • Display a revocable cookie banner (or a persistent settings widget) so users can easily withdraw consent
  • Record user consents for proof of compliance

Cookie banners come in different layouts and styles according to the website’s design and branding. In terms of layout, a cookie banner should be simple and non-intrusive so that it does not interrupt the content or the user experience of the website.

The classic bar-style banner, placed at the top or bottom of the page like a website header or footer, is the most common form. In a study of consent banners in the EU, close to 58% of sites used bottom banners and 27% used top banners.

A simple footer cookie banner with ‘accept’ and ‘reject’ buttons in equal emphasis.
The header banner is in sync with the website’s minimal design.

Boxed type

Boxed layouts, or popups, are also common and are often placed in a corner of the page. These banners are non-intrusive and can be aligned to the site’s aesthetic.

This cookie popup has a clean design and aligns with the site’s colour scheme.
This floating right-corner cookie popup stands out despite its simplistic design.

Like what you see? The cookie banner examples above are powered by CookieYes, a cookie consent solution trusted by over 1 million websites for cookie compliance with privacy laws like the GDPR, CCPA and LGPD.

Using a simple dashboard on CookieYes you will be able to implement cookie compliance for your website. You can create a personalized cookie banner design with custom branding or stick to a simple cookie banner. Remember the cookie banner checklist? You can achieve all that and more with CookieYes. 

How to add a cookie banner to your website

This is the easiest part. With CookieYes, you can implement a custom GDPR compliant cookie banner within minutes.

Step 1. Sign up on CookieYes

The first step is to sign up on CookieYes. It’s free. You don’t need a credit card. All you have to do is fill in your email address, your website domain and password. You can get started with our cookie banner generator!

Step 2. Select and customize the template

On signing up, you will be directed to a setup screen. Here you can select a cookie banner template and fully customize it. Or you can select the default (GDPR compliant) banner, preview it on your website and head to the next step.

Customize and preview your cookie banner.

If you want to add personalization to your banner, you can customize your cookie banner.

  • Layout: Select a banner layout, including all the examples above, and more. You can choose from different consent types, but we recommend ‘explicit consent’ for GDPR compliance, under which no cookies other than strictly necessary ones are set until the user opts in.
  • Content : You can fully customize the cookie banner text, button texts, content of the audit table and also add a link to your privacy policy/cookie policy. You can choose multiple languages for an auto-translated cookie banner.
  • Colour: You can customize the colour of the cookie banner as well as the text to match your site’s design.
  • Behaviour: You can add a cookie widget to revisit consent, geo-target the banner, and display a cookie audit table.
  • CSS customizations: To further stylize the banner and modify its functionality, you can add custom CSS.

You can read the detailed setup and installation guide.

Step 3. Activate your cookie banner

Now that you are happy with how your banner looks, you can activate it on your website. Copy the script and paste it between the <head> and </head> tags of your pages, as early in the head as possible so that it runs before the third-party tags it is meant to block. If your site sends a Content-Security-Policy header, its script-src directive must also allow the host the CookieYes script is served from, otherwise the banner will not load.

Complicated? Access the CMS setup guides and follow the instructions. You are all done! You now have a GDPR compliant cookie banner on your website.

Copy cookie banner code and paste it on your website to activate.

You can go to the CookieYes dashboard and enable the consent log in the ‘Site settings’. Consent logs are important so that you have a centralized record of user consents in case you have to demonstrate proof of consent to regulators.

CookieYes has a simple dashboard to manage all your cookie compliance requirements.

CookieYes also automatically blocks third-party scripts (Google Analytics, the Facebook pixel, etc.) until the user gives consent, and honours the browser’s Do Not Track (DNT) setting. This lets you meet the prior-consent requirement without wiring each third-party tag to the banner by hand.
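The blocking, DNT handling and consent logging described above are not specific to CookieYes; the following is an added example, not CookieYes’s own code, of the general mechanism a consent manager runs in the browser. The cookie name `cookie_consent`, the category names, the `data-category` attribute on blocked tags and the six-month cookie lifetime are assumptions chosen for this example.

```javascript
// Added example, not CookieYes code: the mechanics behind blocking third-party
// tags until consent, honouring Do Not Track, and writing a consent-log record.
// The cookie name, the category names, the data-category attribute and the
// cookie lifetime are assumptions chosen for this example.

const CONSENT_COOKIE = "cookie_consent";                       // assumed name
const CATEGORIES = ["necessary", "analytics", "advertisement"]; // assumed set
const NON_ESSENTIAL = CATEGORIES.filter((c) => c !== "necessary");
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;                    // six months

// Pull one cookie's value out of a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// "analytics:yes,advertisement:no" -> {necessary:true, analytics:true, advertisement:false}.
// Anything not explicitly "yes" counts as refused: no pre-ticked categories.
function parseConsent(value) {
  const consent = { necessary: true };
  for (const c of NON_ESSENTIAL) consent[c] = false;
  for (const pair of (value || "").split(",")) {
    const [key, val] = pair.split(":").map((s) => s.trim());
    if (NON_ESSENTIAL.includes(key)) consent[key] = val === "yes";
  }
  return consent;
}

// Inverse of parseConsent, plus the full Set-Cookie string for the decision.
function serializeConsent(consent) {
  return NON_ESSENTIAL.map((c) => `${c}:${consent[c] ? "yes" : "no"}`).join(",");
}
function consentCookieHeader(consent) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(serializeConsent(consent))}` +
    `; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// What may run right now.
//  - "explicit" mode (the one to use under the GDPR): nothing beyond
//    "necessary" runs until a stored decision exists.
//  - "implied" mode: non-essential tags run unless the visitor has refused
//    or the browser sends Do Not Track (navigator.doNotTrack === "1").
function effectiveConsent(cookieString, mode, doNotTrack) {
  const stored = readCookie(cookieString, CONSENT_COOKIE);
  if (stored !== null) return { ...parseConsent(stored), decided: true };
  const consent = parseConsent(null);
  if (mode === "implied" && doNotTrack !== "1") {
    for (const c of NON_ESSENTIAL) consent[c] = true;
  }
  return { ...consent, decided: false };
}

// Third-party tags ship inert, e.g.
//   <script type="text/plain" data-category="analytics" src="https://analytics.example/tag.js"></script>
// A browser never executes type="text/plain". Once the category is allowed the
// tag is re-created as a real <script>, because changing `type` on the existing
// element would not run it. `doc` is the page's document, passed in so the
// logic can be exercised outside a browser.
function activateBlockedScripts(doc, consent) {
  const activated = [];
  const blocked = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  for (const el of blocked) {
    if (!consent[el.getAttribute("data-category")]) continue;  // stays blocked
    const real = doc.createElement("script");
    for (const { name, value } of Array.from(el.attributes)) {
      if (name !== "type") real.setAttribute(name, value);     // keep src, async, nonce, data-*
    }
    real.setAttribute("type", "text/javascript");
    real.text = el.text || "";                                 // inline body, if any
    el.parentNode.replaceChild(real, el);
    activated.push(real.getAttribute("src") || "(inline)");
  }
  return activated;
}

// Consent-log entry: what was chosen, when, and against which policy version,
// so the decision can be demonstrated later. No IP address is kept.
function buildConsentRecord(consent, policyVersion, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    policyVersion,
    explicit: Boolean(consent.decided),
    categories: Object.fromEntries(CATEGORIES.map((c) => [c, Boolean(consent[c])])),
  };
}

// Typical wiring on a page load (guarded so this file also runs under Node).
if (typeof document !== "undefined") {
  const consent = effectiveConsent(document.cookie, "explicit", navigator.doNotTrack);
  activateBlockedScripts(document, consent);
}
```

Two points worth checking on a real site: any tag that is not shipped as `type="text/plain"` (or is injected by a tag manager that has not been wired to the same categories) bypasses this blocking entirely, so open the browser’s network panel and confirm that no analytics or advertising requests fire before the banner has been answered; and the consent cookie itself is strictly necessary, which is why it is set without asking.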

You can also manage multiple websites in one account and implement a cookie banner on all major website CMS like WordPress, Magento, Shopify, Wix, Weebly, MODX, Drupal, Squarespace, and Joomla. (Read the CMS setup guides)

Do I need a cookie banner?

Are you still wondering whether your site needs a cookie banner that adheres to the GDPR? Most certainly, yes. If your website operates in any EU country or has visitors from the EU, you need a consent banner to comply with the GDPR and the ePrivacy Directive.

Data privacy laws often have extraterritorial scope, meaning they can cover businesses beyond their geographical boundaries. If your website has visitors from the EU, the UK, etc., you can be subject to the respective privacy regulations. It is therefore best practice to implement a compliant cookie banner for your website.

Are there fines for non-compliant cookie banners?

Yes. In the EU, non-compliance with the GDPR can attract substantial fines. As lawfulness of processing is one of the core principles of the GDPR, processing based on invalid consent can result in monetary penalties.

The French regulator CNIL fined Google and Amazon a total of €135 million for placing advertising cookies on user’s devices without obtaining prior consent and for not providing adequate information about the use of cookies. The CNIL also issued fines against Carrefour for similar cookie violations.

The Spanish DPA fined Vueling Airlines and Twitter €30,000 each for not giving users the option to reject cookies or manage their cookie preferences. In 2021, the privacy watchdog NOYB initiated a campaign to review the use of cookies on the 10,000 most-visited EU websites and file complaints with regulators.

While the fines may sound alarming, there is no need to worry. With the right cookie consent manager like CookieYes, compliance can be a cakewalk. 

Do I need a cookie banner in the US?

There are two things to remember before considering a cookie banner for a US-based website. Firstly, while the US has no federal data privacy law that directly regulates the use of cookies, the GDPR may still apply to US websites (read the GDPR checklist for US companies). Even if your website is not based in the EU, if it caters to users from the EU you have to comply with the GDPR, which means your website is required to display a cookie consent banner.

Secondly, state-level legislation in the US, such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA), establishes rules to protect users’ personal data and gives them rights over it. The CCPA gives consumers the right to opt out of the sale of their personal information; the CDPA adds opt-outs from targeted advertising and profiling. In this case you may not need an opt-in cookie banner, but you do have to display an opt-out cookie notice.

Opt-out notice

A CCPA compliant opt-out notice should:

  • Inform users about your website’s use of third-party cookies
  • Inform users about their CCPA right to opt-out 
  • Have a ‘Do Not Sell’ button to allow consumers to opt-out of the sale of their personal information.
  • Auto-block third-party scripts till user opts out
  • Record user action for proof of compliance
A CCPA opt-out notice from CookieYes.

CookieYes can help your website display an opt-out notice and geo-target it to US visitors only, or to visitors in California only.

If your website caters to both EU and US users, you can geo-target your banner and display both a GDPR cookie banner and CCPA opt-out notice as per the user’s location.

Will cookie banner affect website SEO?

No. If implemented correctly, a cookie banner will not affect your SEO. As long as the banner is not intrusive, Googlebot can still crawl your website. Google advises against intrusive interstitials but has clarified that important notices like cookie banners do not negatively impact a site’s search performance.

Google’s John Mueller clarifies about cookie banners and SEO.

You should display your cookie banner on the top, side or footer of your page where it does not obstruct the content on the page. It should also be optimized for different devices so that banner does not take up half the screen, for instance on mobile devices.

Do I need a cookie policy on my website?

Most likely, yes, because it is good practice. It also depends on whether your website caters to visitors from the EU or the US. The GDPR and the ePrivacy Directive require websites to inform users about how their data is collected and processed. Because cookie identifiers can make a person identifiable and therefore count as personal data under the GDPR (Recital 30), a cookie policy is important for websites in the EU or websites that cater to users in the EU. You can create a separate cookie policy and link it from your cookie banner, so that users can give informed consent.

In the US, CCPA requires websites to disclose the collection and use of personal information through cookies. The CCPA does not require websites to have a separate cookie policy, you can include it in your privacy policy.

How to create a cookie policy for my website?

Creating a custom cookie policy can be quick and easy with CookieYes. You can scan your website for cookies and automatically generate a cookie audit table that is added to your cookie policy.

If you have already signed up on CookieYes, follow these steps:

Step 1. Head to the CookieYes Dashboard.

Step 2. Scan website for cookies

Step 3. Click on Cookie Policy Generator

Step 4. Customize the content of the cookie policy 

Step 5. Preview and generate the cookie policy

You can now copy the text or HTML and paste it within your privacy policy or as a separate page on your website. You can then go ahead and link it to your cookie banner.

Is my cookie banner compliant?

Lastly, if your website has a cookie banner, here’s a quick checklist to see if it’s compliant. If your banner has any of the following characteristics, it needs a revamp.

  • There is no clear information on all the cookie categories used.
  • The purpose of cookie usage is not stated.
  • It has pre-ticked boxes for cookies other than strictly necessary ones.
  • It does not have a reject button or option to customize cookie settings.
  • It blocks the user from browsing the site till they accept it.
  • Buttons are designed to nudge users to accept.
  • It does not link a cookie/privacy policy.
  • There is no option to consent to specific cookie categories.
  • It does not automatically block third-party scripts.
  • The user consents are not systematically recorded.

Sign up on CookieYes and create a free cookie banner and see for yourself!

Why do cookies require consent?

Online identifiers such as cookies, IP addresses, advertising IDs, pixel tags, account handles, device fingerprints and radio frequency identification (RFID) tags can be combined to build profiles of individuals and identify them. Hence, the data collected through cookies can be personal data and is subject to privacy laws like the GDPR, the LGPD (Brazil), the CCPA, etc.

What should a cookie banner say?

Cookie banners should state the website’s use of cookies and the purposes for which they are used. The cookie banner text should use crisp, jargon-free language. 

The second layer of the banner (the cookie settings or preference panel) should include detailed information about the different cookie categories, the purpose of each cookie, how long it is stored on the user’s device, and whether the website shares the collected data with any third parties.

How do I know if my website uses cookies?

Most websites use cookies. The easiest way to find out which ones your site sets is to run a cookie scan. You can use the built-in scanner in CookieYes or this free cookie scanner. The scanner crawls your website, triggers the scripts that set cookies and trackers, identifies and categorizes them, and generates a cookie audit report.

Cookie notice, cookie notification, cookie popup, cookie warning, cookie consent banner etc. are all different names for a cookie banner. The important thing to remember is, if your business falls under the scope of a privacy law that regulates cookies, you require a cookie banner on your website.

What are strictly necessary cookies?

Strictly necessary cookies are the cookies that are exempt from the consent requirement. As the name suggests, they are essential for the website to function properly: for instance, cookies needed to sign in, keep items in a shopping cart, or complete an online payment.

What is valid consent?

For consent to be valid, it should be:

  • Freely given: The user should have a genuine choice.
  • Specific and informed: You should explain the use of cookies, the purposes for which they are used, and how the user can withdraw consent at any time.
  • Unambiguous and affirmative: Consent should be given via a clear, positive action, such as clicking an ‘Accept’ button. Scrolling, continued browsing or pre-ticked boxes do not count.
