All Blog Posts

Cookie policy texts

Your website uses cookies and other tracking technologies. This is no secret; pretty much all websites do. But how you choose to communicate this fact to your users makes a world of difference.

Updated November 2, 2023.

Informing users of what cookies are active on your website, and what kind of personal data they collect, is legally required by both the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The requirement of protecting user privacy can’t be left with users, but needs to be thought of as an integral part of your website.

Become compliant with Cookiebot consent management platform (CMP).

The cookie text or cookie message is the actual written content displayed by cookie consent banners that communicate to a website’s users about its use of cookies. It’s not the cookies’ text files themselves that are referred to here.

The cookie text is also not the same thing as a cookie policy text or cookie policy message, which are terms for policy statements about the overall strategy and position of a company regarding the privacy of its users. 

Here’s an example of a good and informative cookie notice text (on a GDPR-compliant banner):

Cookieboot Pop Up Banner - Cookiebot
The GDPR-compliant Cookiebot CMP cookie consent message and its cookie consent text.

The cookie consent banner is a familiar sight on many websites today, since the GDPR came into force in Europe and many other data privacy laws have been enacted around the world.

However, there are many ways that websites choose to declare their cookies and tracking. There are many different cookie messages on websites, too.

A cookies agreement message targeted at the EU for GDPR compliance should not only state that your website uses cookies and be accompanied only by an “okay” or “accept” button. That does not enable valid consent, as users do not have equal access to an option to decline cookie usage.

Many cookie messages (in fact many cookie banners as a whole) are still noncompliant with the GDPR or other laws because they leave no real choice of consent for the user and explain poorly how their personal data is collected by the website and used.

TheEuropean Data Protection Board (EDPB) is the leading authority on the GDPR in the EU, and its main job consists of adopting guidelines and making decisions on how the GDPR is to be interpreted and enforced by the national data protection authorities in each EU country.

The EDPB guidelines clarify that:

  • Pre-ticked checkboxes on cookie banners are noncompliant. Checkboxes must always be deselected by default, except for the use of strictly necessary cookies, which don’t require user consent.
  • Scrolling, ignoring a cookie banner, or other continued use of a website is not considered valid cookie consent. Users must give a clear and affirmative consent, not an implied or assumed consent.
  • Cookie walls (consent conditional for access to a website) are noncompliant.

Cookies text for GDPR compliance

The GDPR mandates that all websites that collect personal data from EU-based visitors have to:

  • obtain clear and unambiguous consent from users
  • consent must be obtained priorto any collection or processing of personal data
  • after specifying all types of cookiesand other tracking technologiespresent and operating on the site
  • use easy to understand language
  • enable users to consent and to change or revoke consenton each specific category of cookies at any time
  • safely, confidentially, and securely documenteach user consent
  • renew consent annually, or as often as required by relevant laws, e.g. some national data protection guidelines recommend more frequent renewal, like every 6 months

The “clear and unambiguous prior consent” is part of users’ option to opt-in or opt-out of the different cookie categories (preferences, statistics, marketing) at a granular level. Specifying all types of cookies is done in the cookie declaration and depository, which is the comprehensive overview of all known cookies and their purpose.

The GDPR also mandates that your website must inform its users in easy to understand ways and thus enable users to consent and to revoke consent.

This is where the cookies text or cookies message comes in. It is the point at which you must provide specific information about tracking cookies on your website and its purposes.

How you do it can make a real difference for your users, and empower them with real, informed choice of consent, building trust with your company.An example of our cookie scripts:

Cookie message scripts screenshot - Cookiebot
Cookie agreement message scripts load the cookie consent banner with its cookie notice text.

Cookies text for CCPA compliance

TheCCPA regulates how businesses are allowed to process and sell the personal data of California residents. It has been amended and expanded with the California Privacy Rights Act (CPRA) coming into effect in July 2023.

The CCPA/CPRA are different from the European GDPR because they don’t require organizations to obtain prior consent before the collection and processing of personal data in many cases. There are exceptions, like when the personal data is that of children, for example.

The CCPA/CPRA states that businesses must inform users of what categories of personal information their websites collect (e.g. through cookies), for what purpose and which third parties it may be shared with or sold to.

The CCPA/CPRA also requires websites to implement a “Do Not Sell or Share My Personal Information” link through which users can opt out of having personal information sold to third parties, like Google and Facebook. Users can allow access to their personal data, but if they change their minds later they must be able to revoke consent, and then sharing or sale of their personal data must cease.

The legal requirements are the same for the cookie text in California, i.e. informing users what cookies and tracking technologies are in use, for what purposes, and with whom it is shared.

Websites targeting Californian users for CCPA/CPRA compliance may not use a cookie consent banner (as shown above), but a cookie declaration including the required opt-out link.

Cookiebot CCPA compliant cookie declaration screenshot - Cookiebot
A CCPA/CPRA-compliant cookie text with the mandatory “Do Not Share Or Sell My Personal Information” link integrated by Cookiebot CMP.

Cookies message examples

The primary function of a cookies text is to inform the users of the following:

  • which cookies and trackers you use
  • why you use them
  • who you share personal with or which third parties you sell or disclose it to
  • how users can provide and revoke consent or opt out, depending on the law

The cookie text or cookie message is the main way of communicating to your visitors that you use analytics or marketing cookies, for example, to make your website and its services better and provide better user experiences, while at the same time protecting user privacy, giving them a real choice of how their data is used.

It is this balancing act that the cookie notice text is meant to express, making your users understand that you use cookies to optimize their website experience, while at the same time making sure that you protect their privacy.

Screenshot of Cookiebot CMP customizable cookie text - Cookiebot
Cookiebot CMP customizable cookie text.

Users might see it as a cookie warning message, but the intent is not to worry users, but rather to show how you respect their privacy and how it is integrated in your website’s functions, just as the advertisements and analytics are.

Keep the cookie text brief, accurate, and clear. Legal jargon is harder for the average user to understand and does not foster trust.

Your cookie text should comply with data privacy regulations and laws based on the location of the user whose data you’re collecting. Under the GDPR and Brazil’s General Data Protection Law (LGPD), it should comply with opt-in consent best practices. Under US data privacy laws like the CCPA and Virginia Consumer Data Protection Act (VCDPA), it should comply with opt-out consent best practices.

It’s important to be familiar with all relevant data protection laws in jurisdictions where your users reside, and many companies doing business globally may need to comply with multiple different laws. This can make geolocation functionality in a consent management solution very valuable.

Regardless of where the user is, there are some best practices that are common for all cookie banner text.

  • Keep it simple: Use straightforward language that any user can understand even without legal or technical knowledge. Keep the cookie text short so that users will read the whole thing to make an informed decision about allowing cookies or not.
  • Specify purposes: Explicitly state why you use cookies. Here is the Cookiebot™ website’s cookie consent message example that says, “We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.” The cookie text makes it clear that Cookiebot™ uses marketing cookies (personalizing content and ads, personalizing social media features) and analytics cookies (analyzing site traffic), and that it shares the data collected with third-party partners.
  • Use clear labeling: For valid consent, the option, like a button, to consent to data collection should be unambiguous, like displaying “Accept”. Note that if the user is being asked to “Accept/Allow all”, they must be able to easily learn what “all” cookies they’re agreeing to, and also have the option of providing granular consent, rather than to “all”.. Similarly, the button to reject data collection should say “Reject” or “Deny”. Both the “Accept” And “Reject” options must be equal in appearance and accessibility to be valid consent options.
  • Link to policy: Like the information about cookie usage on your website, the link to your cookies policy should also be written in clear language so that users know where the link will take them.
  • Opt out information: Users must have the right to withdraw consent at any time, and the cookie banner text should inform them of the procedure to do this.
  • Do not sell information: The CCPA requires the specific language “Do Not Sell or Share My Personal Information” to be included on the cookie banner. This is mandatory for cookie consent from California residents.

How to show a cookies agreement message on your website

Subscribing to Cookiebot CMP enables easy, automatic privacy protection on your website for GDPR and CCPA/CPRA compliance.

Cookiebot CMP can be implemented on your website with a few lines of JavaScript.

Once employed, it will automatically scan and find all cookies and tracking technologies in use, then block all activation and data collection until the end users have given consent—in the case of GDPR compliance.

For CCPA compliance, the cookie declaration, which is the automated result of the deep scan listing all cookies and trackers uncovered, includes the required “Do Not Sell Or Share My Personal Information” link to enable users to exercise their rights to opt out.

Have you ever heard of the privacy paradox?

A recent study out of Harvard University tested the “privacy paradox”, i.e. how people express the importance of their privacy, yet act in ways that are in direct opposition to those supposedly strongly held beliefs.

The experiment found that people are, indeed, inconsistent about their privacy. They are willing to pay for privacy, but they are also willing to trade off their privacy for small amounts of money.

The study hints at an explanation too: people choose not to know about the consequences of their actions in order to obtain bonuses. It is known as “information avoidance.” People keep their heads in the sand and avoid information about how their behavior will affect their lives, even though on some level they know there are effects, which can be negative.

“Even people who are willing to pay to keep their Facebook data private also have a strong preference to avoid thinking about privacy in the first place”, Dan Svirsky, the researcher behind the study said to the New York Times and added that “lots of people don’t want to think about this stuff.”

Sign reading 'Please respect our neighbours' privacy' - Cookiebot
The “privacy paradox” makes it hard for us to keep our own privacy intact. Cookie notice texts and cookie agreement messages are real and concrete solutions here and now.

In other words, the users of your website do care about their privacy, they just don’t want to think about it all the time. This is an opportunity for companies to handle that work for users and build trust by doing so in a clear, easily accessible way.

The consent fatigue phenomenon is a clear symptom of information avoidance. Your users just click at whatever pops up out of exasperation of constantly having to interact with cookie banners, especially when faced with confusing, noncompliant cookie messages and cookie texts.

You, as the website owner, are undoubtedly aware of the weary and frustrated reaction of end users towards cookie banners online. “I just click accept, cause I’m so tired of seeing them”, is an all too common response in conversations on this subject matter.

Cookiebot CMP saw this problem many years ago.

That’s why we developed the solution we have today. One that puts choice and control in the hands of users, but manages the complexities of data privacy for them.

“Anything that relies on people taking it upon themselves to protect their data is doomed”, Svirsky argues to the New York Times.

To respect the agency and autonomy of your users without putting the burden on them to protect themselves is not only the balance that ad blockers and private search browsers fail to strike, it’s the very uniqueness of the Cookiebot CMP solution. The CMP not only enables data privacy compliance, it lies between website owners and visitors as an easily understandable badge of respect for privacy, transparency, and a demonstration of data compliance.

FAQ

What is personal data?

Under the GDPR, personal data is any kind of information that can identify a living individual, either directly or indirectly. This includes names, postal addresses, location data from phones, online identifiers such as IP addresses, unique IDs in cookies, search and browser history, etc.

Learn more about GDPR compliance

How can my website become GDPR-compliant?

Your website must inform end users of all personal data processing going on as well as make sure that no personal data is processed before the end users have given their consent to the specific processing purpose. Using a consent management platform can enable GDPR compliance for your website.

Resources

General Data Protection Regulation (GDPR)

EDPB guidelines on valid consent

California Consumer Privacy Act (CCPA)

Take a good, hard look at the privacy paradox study conducted at Harvard Business School

You Care More About Your Privacy Than You Think, says the NY Times

GDPR, cookies and consent

    Stay informed

    Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox.

    By clicking on “Subscribe” I confirm that I want to subscribe to the Cookiebot™ newsletter. I can easily cancel my Cookiebot™ newsletter subscription and revoke consent to use my data by clicking the unsubscribe link or I can write to [email protected] to make the request. Privacy policy.