If you use cookies, you must notify your users of this. While the specific requirements vary depending on what cookies you use and where you do business, the method used to notify users and get consent is quite consistent across the board. This method is a cookie consent notice.

In this article, we'll look at a variety of ways to notify users that you are using cookies on your website, and how to get their valid and legal consent to do so using cookie consent notices.

What You Should Not Do

To really know what you should do, it's necessary to look at what you shouldn't do.

It's helpful to consider what one study found when looking at steps businesses have taken to try to get around the GDPR's requirements. This information can provide insight into what you should NOT do.

In a research paper entitled (Un)informed Consent: Studying GDPR Consent Notices in the Field, researchers from the University of Michigan and Germany's Ruhr-University Bochum found that most businesses place their cookie notices at the bottom of the screen, only provided a confirmation button, and ensured the notice didn't interrupt normal web browsing behavior.

In other words, those business owners might as well not have a cookie notice at all because they provide zero choices to the consumer. They're essentially saying, "Oh, you're here on our site? Great. We put cookies on your computer. Click this button to continue using the site. And, never mind the man behind the curtain!"

Other companies try to manipulate their website visitors into giving consent for cookie placement by using techniques such as dark patterns, where they used one color to highlight the "agree" button while attempting to downplay the prominence of a link to "more options" by using colors that cause it to be less noticeable.

Ultimately, behaving in a shady manner can land your business in hot water if you do business in the European Economic Area because the GDPR does require obtaining cookie consent.

In America, the strictest data protection and privacy law is currently California's Consumer Privacy Act (CCPA). While it doesn't require obtaining consent, it does demand that you provide your website's visitors with notice that you collect data through your cookies and what you do with that data.

With that in mind, let's go back to the basics.

What are Cookies?

What are Cookies?

Cookies are data packets that computers send back and forth without altering or changing the data. They are also known as web cookies, an Internet cookie, a browser cookie, or an HTTP cookie. They consist of information sent to your computer when you visit a website.

Your computer stores that information in a file within your browser.

By and large, cookies are used to:

  • Help website visitors complete tasks, such as filling out forms (autocomplete, etc.) on the site without having to re-enter the information if the user visits the site again later
  • Remember a visitor's preferences
  • Recognize the visitor's device

Although cookies are usually meant to provide website visitors with a better user experience, they can also track users and their browsing habits across multiple sites. That information can then be used by marketers (and others) to create behavioral profiles that are then used to find out what advertisements or other online content the user has viewed.

What are Cookie Consent Notices?

Cookie consent notices are banners, screens, or pop-ups you place on your website to present visitors with your Cookies Policy. The notice allows website users to consent to your use of cookies.

Alternatively, a proper cookie notice should also allow the user to set cookie preferences or to deny your use of cookies altogether.

Your cookie notice should appear when visitors first land on your website. It should include information about your use of cookies, include links and further information, and request some sort of consent for the placement of the cookies.

Additionally, your cookie consent notice's content needs to be clear and easily understood by those who visit your website.

Take a look at the clear wording used by The New York Times in its old pop-up bottom banner cookie consent notice:

New York Times Cookie Notice - Tracker Settings

The text says:

"We use cookies and similar methods to recognize visitors and remember their preferences. We also use them to measure ad campaign effectiveness, target ads and analyze site traffic.

To learn more about these methods, including how to disable them, view our Cookie Policy. Starting on July 20, 2020 we will show you ads we think are relevant to your interests, based on the kinds of content you access in our Services. You can object. For more info, see our privacy policy.

By tapping 'accept,' you consent to the use of these methods by us and third parties. You can always change your tracker preferences by visiting our Cookie Policy."

Notice that while the New York Times cookie consent notice doesn't provide users with a means of blatantly rejecting the use of cookies by way of a button, it does provide a link that leads directly to where one can opt-out of non-essential trackers.

Of course, the New York Times notice does provide a means of explicitly consenting through the use of a button. Additionally, the notice links to both a complete version of the company's Cookie Policy and Privacy Policy.

Why are Cookie Consent Notices Needed?

Generally, you need to gain a user's consent to use cookies if you're an EU-based business, or if citizens from any EU member state interact with your website and your cookies are non-exempt according to the GDPR.

In any of these cases, you have to have a Cookies Policy according to the law. In fact, the GDPR regulations stipulate that you've got to provide your website visitors with a way for them to take action, which blatantly expresses their consent to the use of cookies.

There are a number of laws that affect cookies, such as the following.

The EU Cookies Directive applies to websites that are:

  • Owned by EU businesses, or
  • Directed towards EU citizens

The main requirements under this directive are that:

  • Users are informed about your cookies usage, and
  • You get consent to place cookies before doing so

The General Data Protection Regulation (GDPR) out of the EU takes things a little further.

The GDPR applies to businesses that:

  • Offer products and services to citizens of the EU, or
  • Collect personal information from citizens of the EU

The GDPR applies regardless of where your business is headquartered or located.

It considers using most cookies to be collecting personal information. Cookies used for advertising, analytics and functional services (such as chat tools) are some of the cookies that are covered by the GDPR.

The GDPR requires that:

  • You get active consent to place cookies. Implied consent will not be sufficient.
  • Users are able to easily withdraw consent and opt-out of cookies placement

This means that your safest bet to stay compliant with these privacy laws and their cookies coverage is to:

  • Provide notice that you use cookies
  • Obtain active consent before placing cookies
  • Provide an opt-out method for users

Your website visitors' consent can be obtained through actions such as clicking an opt-in button on your site or by replying to an email. A notice can be used (such as a pop-up or a banner placed in either the header or footer of your website) to inform visitors that the site uses cookies. Additionally, the notice can link to your Cookie Policy.

What Should Your Cookie Consent Notice Contain?

The cookies notification message is where you'll do three things:

  • Let users know that your website uses cookies
  • Provide users with more information - This can link to your Privacy Policy/Cookies Policy, and information about how a user can change settings/opt-out
  • Get active consent to use cookies

Here's an example of a cookies notification message with all three of these components:

jQuery cookies notification message

Here's each component broken down with more detail and with examples.

Your Website Uses Cookies

The main point of your cookies notification message is to let users know that you use cookies.

It's best to do this in a short, concise sentence or two. This will keep your notification simple and easy to understand without overwhelming a user.

Here's an example of a simple notification message. It lets users know that the website uses cookies to offer relevant information and for optimal performance:

Blueconic cookies notification message

Here's an example of a more lengthy message about cookies being used:

NHS Lothian cookies notification message

Note that neither example links to its Privacy Policy or Cookies Policy where a user could find out more information and specifics about cookies usage. This is not recommended.

Here's why:

Your cookies notification is meant to be just that - a notice that you use cookies. The notification box has limited space and should be short and simple. That's where links come in.

You should link to your Privacy Policy/Cookies Policy in your cookies notification message.

After giving a user a short sentence or two about your use of cookies, he may wish to find out more about your practices. Linking to your policy makes this easy for a user to do before consenting.

Here's an example of a policy link provided in a cookies notification message:

Great Ormond Street Hospital Children

Some businesses choose to include a link to their Policies as a "Learn More" or "More Info" link.

Here's a "More info" link example:

Cookie Consent cookies notification message

And here's another method of the same approach:

Gosh cookie consent notice with Learn More link highlighted

You should also provide a link to information about how users can manage cookies settings.

This opt-out information should be included and linked to in one of your website policies, as seen below from Spotify's Cookies Policy:

Spotify Cookies Policy: Options for managing cookies clause excerpt

However, providing a direct connection to instructions or a settings page in your notification box will be helpful to users, such as the "Manage" button shown here:

Channel 4 cookie consent notice with Manage button highlighted

Here's another example of including a link to change settings directly within your notification message:

Blueconic cookies notification message with Change Settings link

This will be covered in the final chapter of the article, but it's important to note that the point of a cookie consent notice is to give notice and request consent. This can be via an "I Agree" button or something similar.

Types of Cookie Consent Notices

If you don't look too closely, a lot of cookie consent notices appear to be incredibly similar to each other. Companies seem to be copying each other, vying to do as little as possible, and hoping they don't get caught.

After all, cookie consent requirements aren't the same across the board, and as noted above, the CCPA doesn't demand precisely the same things the GDPR does.

Now we'll discuss and provide cookie consent examples for each of the most commonly-used types.

Adding your cookie consent notice to your website footer is a universally smart move. Since most websites include important legal links in the footer, people know to look here for important things. When a notice is placed in the footer region, your users will be very likely to notice it and take it seriously.

Here's an example from Credit Agricole where the cookie consent banner is slightly transparent over the bottom of the homepage and stays static as a user scrolls, until a user selects options:

Credit Agricole homepage with cookie consent notice highlighted

Essentra has a fixed footer across all pages that notifies users about cookies usage and collection. The footer remains taking up the bottom portion of the website and remains there until a user clicks to accept and close. The Cookies Policy is linked to the notification so users can find out more information before deciding if they're ok with accepting Essentra's use of cookies:

Essentra Cookie Consent notice

There's a "More about GDPR" link that takes users to a page that discusses more about how the company strives for GDPR compliance. Because the GDPR focuses on transparency and user rights, a cookie notice like this that gets consent from users before placing cookies is a requirement of the GDPR when most cookies are used.

And here's how Lenovo adds a banner like this to the bottom of its website:

Lenovo Cookie Consent banner - small size

Top Header Notification

A top header notification will be displayed front and center at the top of your website. This means it'll be nearly impossible for a site visitor to miss. Websites notoriously put important messages at the very top including sale notifications and other things users know to watch for, so this is a smart area to place your cookie notice.

The Thomas Cook website was early to this method many years ago with displaying a notice at the very top of its site, above the main navigation menu:

Thomas Cook Cookies Notification in the Header

The notification doesn't disappear unless the visitor clicks a button to accept and close the notice. As usual, the Cookie Policy is linked to the notification so users can make an informed decision. (Note that the cookie consent notice the site now uses is different and less robust.)

Bank of Australia used to have a very basic top header notification that didn't offer any options to users. They can simply learn about cookies, but not make any settings through the banner. This method is not recommended:

Bank Australia website header with cookie statement with cookies link highlighted

Bank of Australia has since updated its notice.

Inline Top Header Notification

These types of notifications are much smaller and "in line" with the styling of the site for a minimalistic approach. Here's how Gov UK used to use an inline notification that was below the logo, but above the website content:

GOV UK Notification on Cookies

This worked really well with the design of the Gov UK website that's very minimalistic. The notice was slightly lighter color blue from the site background that fits well with the logo section line and the "Welcome to GOV.UK" section.

However, note that Gov UK has since updated its cookie consent notice to include more information as well as options for accepting and rejecting cookies. This makes it more of a standard header notification versus an inline header notification:

Gov UK cookie consent banner with Accept and Reject buttons

Box Notification

A box notification works by positioning a box on the website that is in a fixed position, regardless of how a user scrolls. To get the box to disappear, a user must select one of the available options or accept the terms presented in the box.

The BBC's Good Food site uses a box style cookie consent notice that blocks out access to the website until users agree or select custom options to agree to:

BBC Good Food cookie consent notice - 2023 update

This method works well on mobile devices since the box can display largely on the screen:

Express.co.uk: Privacy and Cookie notice mobile pop-up with Continue and Accept All button

And here's how the Financial Times blocks out the homepage to new vistors who have yet to choose cookie preferences yet:

Financial Times cookie consent notice - 2023 update

Obtaining Consent to Use Cookies

The EU Cookies Law requires you to get consent before placing cookies. So does the GDPR. However, the GDPR is making the consent requirement more strict.

This cookie consent notice model demands that you block all cookies until your website visitors take a specific action, such as clicking a confirmation button that signifies their consent. In this type, either the button or a prominent link should blatantly say something like, "I accept cookies."

A problem with this model is the fact that it can be hard to get people to click the "I accept cookies" button without disrupting their entire user experience on your website. This is because people tend to ignore notices that aren't essentially shoved in their faces.

To combat the tendency of users to ignore these types of notices, there was a move by companies in the Netherlands to erect "Cookie Walls," which forced visitors to click a consent button before they were taken to the main website.

Similar to the New York Times cookie consent notice, the Adidas UK website is a bit more aggressive and does exactly what the businesses in the Netherlands did.

In essence, when a visitor hits the site, Adidas throws up a full-screen pop-up, which blocks users from interacting with the website until they manage cookies or fully consent to their use:

Adidas UK cookie wall

The Guardian used to have a cookie consent notice that was similar to that of The New York Times. However, as seen in the screenshot below, it too now has a pop-up that essentially takes control of the website's homepage until the user either manages cookies or consents to their use:

The Guardian Cookie Consent Notice with options to agree and manage cookies

If a user clicks on The Guardian's "manage my cookies" button, they're taken to a screen where there's another pop-up. Inside that pop-up, users can adjust their cookie settings:

The Guardian Cookie Consent Notice: Manage cookies options screen

A cookie consent notice that uses implied consent isn't a good option if your business is subject to the GDPR. On the other hand, if you don't have to comply with Europe's laws, then you can obtain implied consent.

What this means is that when visitors come to your website, you simply make them aware of the fact that you use cookies and that by continuing to use your website, or by providing them with no other option than to accept all cookies, they are implicitly providing you with consent.

Here’s an example of getting implied consent for cookies placement:

Generic Cookie Consent Notice with implied consent

Note how consent here is implied when a user does something as simple as closing the banner, clicking a link on the website or simply browsing the site.

Consent notices like this are being used less and less as privacy laws become more strict, and as consumers demand more control over their privacy and personal information.

While the EU Cookies Law allowed for passive consent, the GDPR requires active, clear consent.

A great example of what active, clear consent would look like can be seen in this example from the BBC:

BBC permissions to show personalized ads and store and access information - Consent notice

The labeling of the buttons as "Do Not Consent" and "Consent" make it very clear to users that they are in fact giving or refusing to give consent here.

Business Insider labels its buttons differently, but it does mention consent in the first sentence of the pop-up, and the button that says "I'm OK with that" will show that a user who clicks on it is giving the green light for cookie placement:

Business Insider cookie consent notice

You could also use "Agree" and "Disagree" statements to obtain consent, which is an active way of obtaining it. Just make it very clear that clicking the Agree button means a user is agreeing to what's stipulated in the rest of the notice.

Passive consent - also known as browsewrap - for cookies notification messages would be when a user is told that if she continues to use the website, consent to place cookies will be implied.

Here's an example of a cookies notification message that uses passive consent. Just by using the website, a user is considered to be consenting to cookies:

Mirror UK: Notification on website cookies

This passive consent notice simply tells users that cookies are being used, and doesn't link to any options or request any consent:

NHS Lothian cookie banner using browsewrap

Here's a passive consent notice that goes a bit above the last example by informing users that they can opt out, while also linking to "Manage Settings" options. While it still isn't getting valid, clickwrap levels of active consent, it's slightly better than just telling users that cookies are in use:

WeTransfer cookie banner - Browsewrap with settings options

The more enhanced active consent - known as clickwrap - requires that users do something more to show that they consent. An active step, such as clicking a checkbox, is required.

Here's an example of a cookies notification message that gets very clear and active consent from users:

ICO cookies notification message with clear clickwrap consent

Before cookies are placed, a user must check a box that explicitly says it's for accepting cookies from the website. Additionally, a user must also then click a "Continue" button.

This double-active method is a strong way to get consent and is sure to be compliant with current privacy and cookies laws.

Here's how EY presents its cookie consent notice:

EY Cookie consent notice

Users can also customize which cookies they consent to from the Cookie Settings page linked to the notice:

EY Cookie Settings page

In Brief

Depending on where you do business, you may or may not need a cookie consent notice that's GDPR compliant. However, privacy laws are changing globally, and many feel that ensuring your business is compliant with the most stringent of privacy laws is a best practice.

There are many styles you can choose from to provide your website visitors with cookie consent options. These include banners, pop-ups, and corner boxes.

No matter what style you pick, you should ensure that your notice is prominently displayed in such a way that no one can miss it. Additionally, it's best to ensure that you obtain explicit consent from your site's users rather than relying on implicit consent.

You have a few options for how and where to display your cookie consent notice on your website. However, you need to make sure that it's displayed prominently.

Finally, make sure you link to any pages where users can manage their cookies preferences as well as a link to your Cookies Policy.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy