
What is a cookie notice and why do you need one?

Everything you need to know to help you create a privacy-compliant cookie notice for your website.

Updated April 16, 2024.

Transparency about data use builds trust between a website’s operator and its users and, more broadly, between people and “the Internet”. That transparency takes concrete form in the cookie notice, also called a cookie banner or cookie pop-up.

Being transparent with visitors and meeting privacy compliance requirements doesn’t have to make for a poor browsing experience. The appearance and content of a cookie notice can be designed to blend seamlessly with your website experience while increasing trust with your users. It displays information that you may need to provide to individuals whose data you collect and process, for regulatory compliance with relevant privacy laws and frameworks like the General Data Protection Regulation (GDPR) and ePrivacy Directive.

Here’s everything you need to know about the importance of a cookie notice and how to create one.

A cookie notice, also known as a cookie banner, cookie popup, or consent banner, is a combination of notification and potential agreement. It appears on websites, apps, and other digital platforms where data is collected, and outlines the types of third-party cookies and other tracking technologies used on the site and what they’re used for. It also informs website visitors about the data collected via cookies, parties that may access the data, and other factors, depending on relevant privacy regulation requirements.

Under European rules like the GDPR and ePD, websites must comply with more than just notification requirements. When collecting users’ personal data, businesses have certain obligations regarding users’ privacy, like not disclosing or selling the data to third parties without prior consent from users in many cases. 

Due to requirements from regulations like the GDPR, California Consumer Privacy Act (CCPA), and other global privacy laws, a clear cookie notice is vital. It ensures organizations comply with privacy regulations and also serves as a best practice for user experience, independent of legal requirements. Furthermore, it helps build trust with users by transparently disclosing data usage practices.

The notice informs visitors about cookie usage for a variety of purposes, including improving site experience, optimizing personalization, and other functions. Users should be able to accept or reject all cookies or customize preferences. It’s important to note that some cookies do not require user consent — those deemed “necessary” or “essential” for the website’s correct function, for example — but they should still be listed. Users should also be able to access detailed cookie policy information.

Ultimately, a cookie notification aims to give users more control over their data by enabling them to better understand what data is collected, in what ways, what it’s used for, and by whom, and then enables them to choose what data use they will allow, if any.

While creating the cookie notice for your website, the cookie policy text should include a few key components.

For starters, always use clear and concise language. Avoid legal jargon that may confuse the readers, though you should consult with qualified legal counsel and/or a privacy expert in drafting your cookie policy and notice content. 

GDPR and CCPA/CPRA-compliant cookie notices should provide a clear explanation of what cookies are in use on the website, and how, as well as what data they collect, for which purposes, and third parties that may access it. Information also needs to be provided about users’ rights and how to exercise them, including consent options and contacting the company to make a data subject access request.

The notice should also include links to the website’s full privacy policy — of which the cookie policy may be a section if it’s not a separate document — as well as a link for users to opt out of the sale or sharing of their personal information, or use of it for profiling or targeted advertising if the website is subject to CCPA.

Optimize your WordPress website’s cookie consent texts for compliance and user trust. Learn how to create clear, transparent cookie notices that empower your visitors with informed choices by reading our blog on cookie text best practices.


We’ve established that a cookie notice is a policy statement on your website that discloses details about the cookies used by the site, their types, and their purposes. 

However, different regulations have specific requirements for your cookie notification, and you need to meet them for each regulation that’s relevant to your company’s operations and user base.

The GDPR and the ePrivacy Directive mandate that users be informed about how their personal data is collected and processed. As tracking cookies come under the scope of personal data under the GDPR, a cookie notice is required for websites of organizations that have visitors, customers, or users that reside in the European Union. It doesn’t matter if the company itself is located there; what’s important is the location of the users whose data is being processed.

To obtain GDPR-compliant cookie consent, your cookie notice should include the following:

  • Obtain explicit consent: Ask users for permission before activating non-essential cookies. Consent must be a voluntary and active choice, with no pre-selected options or barriers.
  • Provide clear information: Clearly explain the types of cookies used, their purposes, and whether personal data is shared with third parties in an easy-to-understand manner.
  • Offer granular control: Enable users to choose which types of cookies, or even which specific cookies, to accept or reject, rather than an all-or-nothing approach. Users should be able to withdraw consent or change their preferences easily.
  • Ensure accessibility: Make the required notice and consent options easy to find and use, e.g. a consent banner centered on the page when users arrive at the site, or clear and prominent in the footer of every page, depending on regulatory requirements.
  • Block cookies before consent: Only activate essential cookies before the user gives consent. Non-essential cookies and trackers should be blocked until then.
  • Maintain an audit trail: Keep a secure record of users’ consent information. This enables users to change their preferences later on, and the record must also be available in the event of an audit by data protection authorities or a data subject access request.
  • Renew consent periodically: Renew user consent regularly. The required time period for consent expiry will be different depending on relevant laws. Get new consent independent of time if your processing purposes or other key operations change.
  • Ensure compliance with third-party cookies: Some third-party cookies can be tricky to access, but the controller (website owner) is responsible for their compliance, too. Ensure that any third-party cookies or tracking technologies set by other companies also adhere to the cookie notice requirements.

It’s worth noting that cookie walls, a cookie popup that asks website users to accept cookies before they can access a website, do not usually constitute valid consent because they do not give users a free choice regarding cookies. Also, users who choose not to provide consent cannot be denied access to sites, services, or other functions because of that choice, and must be provided as similar a website experience as possible to consenting visitors.

Requirements for a CCPA-compliant cookie notice

Under the CCPA, businesses are required to disclose to consumers the usage of cookies and other tracking technologies on their websites. The CCPA also empowers consumers with specific rights to manage the personal data collected by businesses, while also imposing legal obligations on these businesses to limit and protect this data.

Unlike the GDPR and many other international privacy laws, the CCPA — and other US state-level laws — does not mandate explicit prior consent for cookie usage. Users must only have opt-out options, and data collection and processing must stop right away if they exercise them. However, businesses are still accountable for informing users about cookies in all circumstances.

Moreover, the CCPA streamlines the requirement for cookie policy information and advises integrating a comprehensive cookie policy section into the broader, and likely already existing, privacy policy. This approach helps ensure transparency and fulfill legal obligations regarding cookie usage under the CCPA.

Here’s what you need to include to create a CCPA-compliant cookie notice:

  • Opt-out mechanism: While the CCPA doesn’t mandate prior consent, the website must offer an opt-out option for users to decline the sale or sharing of their personal information gathered via cookies, or use of their data for profiling or targeted advertising (as of the effective date of the CPRA). This is typically provided through a prominent “Do Not Sell Or Share My Personal Information” link. There may be additional requirements if sensitive personal information is collected.
  • Detailed cookie/opt-out policy: Alongside the privacy policy, the website should have a dedicated cookie policy or “Opt-Out Preferences” page. This page should offer in-depth details about the types of cookies used, their purposes, and how users can exercise their opt-out rights.
  • Accessibility: The opt-out mechanism, like the “Do Not Sell” link, should be easy to find and use, usually located in the website footer. Other ways to exercise rights, like requesting a copy of personal information, should also be easy to do.
  • Consent for minors: If the website collects personal information from children under 16, it must obtain consent from a parent or guardian before collecting or selling that data.
  • Compliance monitoring: A website should keep track of and securely maintain records of users’ consent information to demonstrate CCPA compliance when necessary.

Cookie notices can have a variety of appearances, though there are certain best practices to follow when creating a consent banner to ensure that it is transparent, clear, and provides people with granular control while being user-friendly.

Cookie banner text should inform users about the cookies the website is using and their purpose(s). It doesn’t have to provide all the information in the first layer. Granular details can be included in the second layer if it’s easily accessible to interested parties. 

Users’ options need to be equal, so if there’s an “Accept” button, there has to be a “Reject” one as well, and both need to be comparable in size, location, appearance, and accessibility.

Example of a GDPR-compliant cookie notice that is clear, detailed if desired, and enables proper consent from the website’s visitors without any pre-ticked checkboxes.

Once someone sets their cookie preferences, they should be able to modify them at any time or withdraw consent as easily as they gave it, via a prominent link or a button on each page.

Additionally, customize the consent banner to match your brand’s visual identity. A cookie consent banner that fits in with your brand — in terms of colors, fonts, and language — feels more personal and intentional than one that hasn’t been customized at all, and improves user experience.


Cookie consent notice plugins for WordPress

WordPress is the world’s most popular website builder and website management platform. Therefore, there are a variety of cookie notice WordPress plugins that will do most of the work for you.

A cookie notice plugin is built specifically for a hosting system such as WordPress and provides templates for appearance, information about the cookies in use, and consent options. This way you enable transparency between your site and visitors, providing informed consent choices.

As people become more aware of the implications of sharing personal information online, incorporating cookie consent tools into your website helps ensure visitors feel in control over their personal data. It also helps you comply with ever-evolving regulatory requirements.

Cookiebot CMP is a comprehensive cookie consent management platform (CMP) that delivers the following: 

  • helps achieve compliance with data privacy regulations and frameworks like the GDPR, ePrivacy Directive, and CCPA
  • automatically scans websites and detects all cookies and trackers in use and updates your implementation
  • enables you to generate a customized cookie consent banner to notify users and obtain consent
  • helps achieve and maintain compliance with privacy laws
  • provides centralized cookie management from a single dashboard 

Cookiebot CMP also integrates seamlessly on websites with other tools and plugins such as Google Consent Mode and Google Tag Manager, making it a convenient solution for implementing robust cookie consent across an entire website while enabling you to continue with other marketing operations.

Don’t just take our word for it, experience it for yourself. We offer a free 14-day trial!


FAQ

What is the GDPR?

The GDPR — or General Data Protection Regulation — is a data privacy law that regulates personal data processing for residents of the European Union. It grants users rights to consent to, reject, rectify, delete, and access their data. Consent under the GDPR must be freely given, specific, informed, and unambiguous.

What are cookies?

Cookies are small files that are stored on a user’s browser when they visit a website. They can be used for everything from marketing operations to making the website work correctly. Cookies often collect information like browsing activities, IP addresses, or unique IDs that make it possible for websites to identify and recall individual users upon repeated visits.

What is personal data?

The GDPR defines personal data as any kind of information that can be related, directly or indirectly by inference, to a living individual. This includes names, addresses, social security and passport numbers, emails, phone numbers, location data, IP addresses, browser and search history, and more.

Resources

Visit Cookiebot CMP for a compliant and wholesome cookie notice solution.

Inform yourself on rules and implications of the European GDPR and how it impacts your website.

Learn more about the EDPB guidelines for valid consent in the EU

Update yourself on the repercussions of the Facebook/Cambridge Analytica scandal, one year later.

Get a comprehensive overview of the Russian interference in the 2016 US presidential election.

Take a look at “Ad Tech Surveillance on the Public Sector Web”, Cybot’s detailed and revelatory report into the hidden tracking of EU citizens.

Read about the US political debate around the breaking up of tech giants.

How do targeted ads actually work? Here’s a cool and explanatory investigation into the science behind targeted ads by the New York Times.
