Why do you Need a Cookie Banner?

You have almost certainly seen a cookie banner the first time you visited a website. A growing number of websites ask their users to consent to the use of cookies through a cookie consent banner. This came as a direct result of the ePrivacy Directive in 2002.

However, the ePrivacy Directive only required websites to inform users about the use of cookies. With the stricter General Data Protection Regulation (GDPR) coming into effect on May 25th, 2018, the requirements have changed and website owners have taken cookie banners more seriously.

So, if you are a webmaster, you will probably be wondering if you need a cookie consent banner. If you have a website that gets visitors from any of the EU member states, then you need a cookie banner. So, regardless of the geographical location, you are required to comply with the law if you have visitors from the EU.

This article will explain why you will need a cookie consent banner on your website and how you can create one to help you comply with the law.

Why do you Need a Cookie Banner?

The obvious reason to implement a cookie banner on your website is to become compliant with the law. With rising privacy concerns online, it has become imperative for websites to take privacy laws seriously. It's not just about being on the good side of the law, but also about increasing the credibility of the website. A website that does not take the privacy of its users seriously will have a hard time building trust with them.

With the introduction of the law, the data collection practices of websites are required to become more transparent, and users are given more power over their data. Cookie banners inform users about the use of cookies so that the website is transparent about its data collection practices. Asking for consent to use cookies at the point of data collection also gives users control over the data the website collects about them.

Another reason to have a cookie banner is to avoid the hefty fines that could be imposed if you don't comply with the law. If you are found not compliant with GDPR, the potential fine is up to €20 million or 4% of the annual turnover, whichever is higher.

What are Cookies and How Do They Come Under the Law?

Cookies are small text files that are added to the users' web browser by the website they visit. While some of the cookies set by a website are essential and must be used by the website so that it can function properly, others are used for tracking and analytics purposes.

Of these, cookies that are absolutely necessary for the website to function do not need the users' consent. The rest, meaning cookies that may contain personally identifiable data and cookies that are used to track user behavior online, require consent before they are used on a website. You can read more about cookies and their different types in this article.

Transparency is the key in GDPR. Websites have to be transparent about their data collection practices and should collect data on a lawful basis. Cookies are one way that websites can collect data that can potentially identify users and can be used for automated profiling.

The data stored in cookies can be considered as PII (Personally Identifiable Information). According to Article 4 in GDPR, Personally Identifiable Data can be defined as:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Online identifiers, such as unique cookie identifiers and IP addresses, are data that can potentially identify an individual when used in combination with other data. Recital 30 of Article 4 says:

Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

It is important to understand that GDPR is not a law that regulates the use of cookies on a website. GDPR is about transparency about the data collection of an organization.

What are the requirements for using cookies?

GDPR, along with the ePrivacy Directive, requires you to obtain consent before using any third-party tracking cookies on your website. When you obtain consent, the users should be informed, and the consent should be given through an explicit action performed by the user.

Since cookies come under the category of personally identifiable information (PII), the Cookie Law requires that informed consent be taken from the users. Without informed consent, you are not allowed to store cookies or collect data using them.

This means you need to implement a fairly noticeable cookie banner on the website that will be displayed at the users' first visit. Use the cookie notification banner to inform the users of the use of cookies on the website. You also need to prepare a detailed privacy/cookie policy for your website that gives further information about the cookies and the data they collect. This helps in obtaining informed consent from the user.

Users should also get a real choice when it comes to giving consent. Even though the cookies are only used when they "Accept", the users should also have the option to "Reject" the cookies. Also, once they have given consent to the use of cookies, they should have the option to come back anytime to reverse their consent.

Requirement of Consent

1. The consent should be freely given - The consent by the users for the use of cookies should be freely given to the website. The consent should not be obtained as a condition for the continued use of the website/service. Also, the user should be able to both accept and reject the use of the cookies.

2. The consent should be revocable - Once the user has given their consent to the use of any of the cookies on the website, they should be able to come back at any later time while the consent is valid and reverse their consent.

3. It should be informed and explicit - The consent given by the users should be well informed. This means that users should be presented with all the details that will help them to make an informed decision. This would require the website owner to put in place a cookie policy that details about the cookies and the data collection.

The users should be aware of what cookies are used, what data they collect, how long they are stored for, who the data is shared with, etc.

The consent should also be obtained by means of a positive affirmative action. There should be an explicit action from the user that can be considered as consent, such as clicking on a button or ticking a checkbox. Implicit actions, such as continuing to use the website or navigating to another page of the website, cannot be considered as consent from the users.

4. Consent should be taken prior to any data collection - There should be no data collection before the users have given their consent. If the users have not consented to, or have rejected, the use of the cookies, there should be no data collection taking place on the website. When the user has withdrawn their consent, there should be no data collection from the point where the consent was revoked.

Why use Cookie Banners?

Most cookies on websites are set when the website is loaded. For any type of data collection on the website, the users should be informed at the point of data collection. For cookies, the users should be made aware of it when the site loads.

Cookie banners are the most effective way to inform users of the usage of cookies on the website and get consent from them. They are hard to miss when a website is loaded and users will record their consent when they are asked to. Since the cookie banner comes in the middle of the content of the website, users are more likely to dismiss the banner by performing an action on the banner.

Cookie notifications can be in any form on a website. There are no rules as to what the cookie notification should look like. It can take any form that matches the aesthetics of the website. On some websites, they appear as a popup and on some, they appear in a classic banner layout. Some of the banners are designed in such a way that the users can't proceed to use the website without acknowledging the cookie notification.

What should be included in a cookie banner?

It is no longer sufficient to just inform the users that the website uses cookies. The purpose of the cookie banner now is not just to let the users know about the use of the cookies but also to provide more information about what cookies are used. 

The cookie banner also serves the purpose of collecting the consent from the user. So what are the things that need to be included in a cookie banner to make it according to the guidelines of the law?

  • The information should be provided in a plain and understandable language.
  • The users have a real choice about the consent that they give. If they have been provided a button to accept the cookies, then they should be able to reject the use of cookies as well.
  • Cookie banners can't detail all the information about the cookies of the website. To inform the users about all the cookies used on the website, the banner should provide a link to the website's cookie policy.
  • Until the banner is dismissed with the consent from the user, the website should not use the cookies.
  • Once the banner is dismissed there should be a way for the users to change their consent. It could be a button that allows the users to bring back the banner and change the consent.
  • The banner should also give the users the option to granularly select which cookies they want to keep and which they don't.
  • There should not be any pre-checked boxes.
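
The consent requirements and the banner checklist above can be expressed as a small consent gate. This is an added example, not CookieYes code or part of the original article; the category names, `createConsentGate`, and the `store` interface are hypothetical.

```javascript
// Added example: prior-consent gate for a cookie banner. All names are hypothetical.
const OPTIONAL = ["functional", "analytics", "advertisement"]; // assumed categories

function createConsentGate(store) {
  // store: { get(), set(value) }. On a real page this would wrap a first-party
  // "necessary" cookie or localStorage; an in-memory object is used below.
  const tags = []; // { category, load, unload, active }

  // No decision yet: every optional category is off (no pre-checked boxes).
  const blank = () => Object.fromEntries(OPTIONAL.map((c) => [c, false]));
  const current = () => (store.get() ? store.get().choices : blank());
  const allowed = (category) => category === "necessary" || current()[category] === true;

  // Start tags whose category is now allowed, stop tags whose consent was withdrawn.
  function apply() {
    for (const tag of tags) {
      if (allowed(tag.category) && !tag.active) { tag.load(); tag.active = true; }
      else if (!allowed(tag.category) && tag.active) { tag.unload(); tag.active = false; }
    }
  }

  return {
    hasDecided: () => store.get() !== null, // the banner is shown while this is false
    choices: current,
    // Register a script or cookie setter; it runs only once its category is allowed.
    register(category, load, unload = () => {}) {
      tags.push({ category, load, unload, active: false });
      apply();
    },
    // Call only from a click handler on the banner: an explicit, affirmative action.
    // Anything not explicitly set to true is stored as false.
    decide(selected, when = new Date()) {
      const choices = Object.fromEntries(OPTIONAL.map((c) => [c, selected[c] === true]));
      store.set({ choices, decidedAt: when.toISOString() });
      apply();
    },
    acceptAll() { this.decide(Object.fromEntries(OPTIONAL.map((c) => [c, true]))); },
    rejectAll() { this.decide({}); }, // also used to withdraw consent later
  };
}

// Constructed in-memory store so the example runs outside a browser.
function memoryStore() {
  let value = null;
  return { get: () => value, set: (v) => { value = v; } };
}
```

On a page, the banner's Accept, Reject and Save buttons would call `acceptAll()`, `rejectAll()` and `decide()`, and a persistent settings link would reopen the banner so the same calls can change or withdraw the choice.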

How CookieYes can Help

Complying with GDPR for the usage of cookies is not as hard as it sounds. If you need to display a cookie banner on your website and use cookies based on user consent, what you need to do is register your account with CookieYes and add the installation code to your website source code.

CookieYes helps you display a cookie banner easily on your website and manage user consent. After the installation code is added to the website, any changes you make to the design and functionality of the cookie consent banner in CookieYes are reflected automatically on the website. All the details about setting up CookieYes are explained in the setup guide.

Displaying the cookie banner with the cookie notification message is just a part of the process of complying with the law. After you have displayed the banner, for it to be fully functional it has to record the consent from the users. Cookies should be added to the user's browser only on the basis of this consent.

Displaying the cookie banner on the website is only half of the process. Next, what you need to do is implement prior consent for the cookies so that the non-essential cookies are only installed when the users have given consent. This article details how you can implement prior consent using CookieYes.

The cookie consent banner that can be created using CookieYes is easily customizable. There are different layouts of the banner that you can choose from and customize according to the look and feel of your website. You can also easily manage user consent and other related settings from the CookieYes dashboard.