Legal and data protection research writer at TermsFeed.
On this page
- 1. What You Should Not Do
- 2. What are Cookies?
- 3. What are Cookie Consent Notices?
- 4. Why are Cookie Consent Notices Needed?
- 5. What Should Your Cookie Consent Notice Contain?
- 5.2. "More Information" Links
- 5.3. A Request for Consent to Place Cookies
- 6. Types of Cookie Consent Notices
- 6.1. Fixed Footer Notification
- 6.2. Top Header Notification
- 6.3. Inline Top Header Notification
- 6.4. Box Notification
- 7.1. Explicit Consent
- 7.2. Implied Consent
- 8. In Brief
In this article, we'll look at a variety of ways to notify users that you are using cookies on your website, and how to get their valid and legal consent to do so using cookie consent notices.
What You Should Not Do
To really know what you should do, it's necessary to look at what you shouldn't do.
It's helpful to consider what one study found when looking at steps businesses have taken to try to get around the GDPR's requirements. This information can provide insight into what you should NOT do.
In a research paper entitled (Un)informed Consent: Studying GDPR Consent Notices in the Field, researchers from the University of Michigan and Germany's Ruhr-University Bochum found that most businesses placed their cookie notices at the bottom of the screen, provided only a confirmation button, and ensured the notice didn't interrupt normal web browsing behavior.
In other words, those business owners might as well not have a cookie notice at all because they provide zero choices to the consumer. They're essentially saying, "Oh, you're here on our site? Great. We put cookies on your computer. Click this button to continue using the site. And, never mind the man behind the curtain!"
Other companies try to manipulate their website visitors into giving consent for cookie placement by using techniques such as dark patterns, where they use one color to highlight the "agree" button while downplaying the prominence of a link to "more options" by using colors that make it less noticeable.
Ultimately, behaving in a shady manner can land your business in hot water if you do business in the European Economic Area because the GDPR does require obtaining cookie consent.
In America, the strictest data protection and privacy law is currently the California Consumer Privacy Act (CCPA). While it doesn't require obtaining consent, it does demand that you provide your website's visitors with notice that you collect data through your cookies and what you do with that data.
With that in mind, let's go back to the basics.
What are Cookies?
Cookies are data packets that computers send back and forth without altering the data. They are also known as web cookies, Internet cookies, browser cookies, or HTTP cookies. They consist of information sent to your computer when you visit a website.
Your computer stores that information in a file within your browser.
By and large, cookies are used to:
- Help website visitors complete tasks, such as filling out forms (autocomplete, etc.) on the site without having to re-enter the information if the user visits the site again later
- Remember a visitor's preferences
- Recognize the visitor's device
Although cookies are usually meant to provide website visitors with a better user experience, they can also track users and their browsing habits across multiple sites. That information can then be used by marketers (and others) to create behavioral profiles that are then used to find out what advertisements or other online content the user has viewed.
What are Cookie Consent Notices?
Additionally, your cookie consent notice's content needs to be clear and easily understood by those who visit your website.
Take a look at the clear wording used by The New York Times in its old pop-up bottom banner cookie consent notice:
The text says:
Why are Cookie Consent Notices Needed?
There are a number of laws that affect cookies, such as the following.
The EU Cookies Directive applies to websites that are:
- Owned by EU businesses, or
- Directed towards EU citizens
The main requirements under this directive are that:
- Users are informed about your cookies usage, and
- You get consent to place cookies before doing so
The General Data Protection Regulation (GDPR) out of the EU takes things a little further.
The GDPR applies to businesses that:
- Offer products and services to citizens of the EU, or
- Collect personal information from citizens of the EU
The GDPR applies regardless of where your business is headquartered or located.
It considers using most cookies to be collecting personal information. Cookies used for advertising, analytics and functional services (such as chat tools) are some of the cookies that are covered by the GDPR.
The GDPR requires that:
- You get active consent to place cookies. Implied consent will not be sufficient.
- Users are able to easily withdraw consent and opt-out of cookies placement
This means that your safest bet to stay compliant with these privacy laws and their cookies coverage is to:
- Obtain active consent before placing cookies
- Provide an opt-out method for users
What Should Your Cookie Consent Notice Contain?
The cookies notification message is where you'll do three things:
Here's an example of a cookies notification message with all three of these components:
Here's each component broken down with more detail and with examples.
It's best to do this in a short, concise sentence or two. This will keep your notification simple and easy to understand without overwhelming a user.
Here's an example of a more lengthy message about cookies being used:
"More Information" Links
Here's an example of a policy link provided in a cookies notification message:
Some businesses choose to include a link to their Policies as a "Learn More" or "More Info" link.
Here's a "More info" link example:
And here's another method of the same approach:
You should also provide a link to information about how users can manage cookies settings.
This opt-out information should be included and linked to in one of your website policies, as seen below from Spotify's Cookies Policy:
However, providing a direct connection to instructions or a settings page in your notification box will be helpful to users, such as the "Manage" button shown here:
Here's another example of including a link to change settings directly within your notification message:
A Request for Consent to Place Cookies
This will be covered in the final chapter of the article, but it's important to note that the point of a cookie consent notice is to give notice and request consent. This can be via an "I Agree" button or something similar.
Types of Cookie Consent Notices
If you don't look too closely, a lot of cookie consent notices appear to be incredibly similar to each other. Companies seem to be copying each other, vying to do as little as possible, and hoping they don't get caught.
After all, cookie consent requirements aren't the same across the board, and as noted above, the CCPA doesn't demand precisely the same things the GDPR does.
Now we'll discuss and provide cookie consent examples for each of the most commonly-used types.
Fixed Footer Notification
Adding your cookie consent notice to your website footer is a universally smart move. Since most websites include important legal links in the footer, people know to look here for important things. When a notice is placed in the footer region, your users will be very likely to notice it and take it seriously.
Here's an example from Credit Agricole where the cookie consent banner is slightly transparent over the bottom of the homepage and stays static as a user scrolls, until a user selects options:
There's a "More about GDPR" link that takes users to a page that discusses more about how the company strives for GDPR compliance. Because the GDPR focuses on transparency and user rights, a cookie notice like this that gets consent from users before placing cookies is a requirement of the GDPR when most cookies are used.
And here's how Lenovo adds a banner like this to the bottom of its website:
Top Header Notification
A top header notification will be displayed front and center at the top of your website. This means it'll be nearly impossible for a site visitor to miss. Websites notoriously put important messages at the very top including sale notifications and other things users know to watch for, so this is a smart area to place your cookie notice.
The Thomas Cook website adopted this method early, many years ago, displaying a notice at the very top of its site, above the main navigation menu:
Bank of Australia used to have a very basic top header notification that didn't offer any options to users. Users could simply learn about cookies, but not change any settings through the banner. This method is not recommended:
Bank of Australia has since updated its notice.
Inline Top Header Notification
These types of notifications are much smaller and "in line" with the styling of the site for a minimalistic approach. Here's how Gov UK used to use an inline notification that was below the logo, but above the website content:
This worked really well with the very minimalistic design of the Gov UK website. The notice was a slightly lighter blue than the site background, which fit well with the logo section line and the "Welcome to GOV.UK" section.
However, note that Gov UK has since updated its cookie consent notice to include more information as well as options for accepting and rejecting cookies. This makes it more of a standard header notification versus an inline header notification:
Box Notification
A box notification works by positioning a box on the website that is in a fixed position, regardless of how a user scrolls. To get the box to disappear, a user must select one of the available options or accept the terms presented in the box.
The BBC's Good Food site uses a box style cookie consent notice that blocks out access to the website until users agree or select custom options to agree to:
This method works well on mobile devices since the box can display largely on the screen:
And here's how the Financial Times blocks out the homepage to new visitors who have yet to choose cookie preferences:
The EU Cookies Law requires you to get consent before placing cookies. So does the GDPR. However, the GDPR is making the consent requirement more strict.
Explicit Consent
This cookie consent notice model demands that you block all cookies until your website visitors take a specific action, such as clicking a confirmation button that signifies their consent. In this type, either the button or a prominent link should blatantly say something like, "I accept cookies."
A problem with this model is the fact that it can be hard to get people to click the "I accept cookies" button without disrupting their entire user experience on your website. This is because people tend to ignore notices that aren't essentially shoved in their faces.
To combat the tendency of users to ignore these types of notices, there was a move by companies in the Netherlands to erect "Cookie Walls," which forced visitors to click a consent button before they were taken to the main website.
Similar to the New York Times cookie consent notice, the Adidas UK website is a bit more aggressive and does exactly what the businesses in the Netherlands did.
In essence, when a visitor hits the site, Adidas throws up a full-screen pop-up, which blocks users from interacting with the website until they manage cookies or fully consent to their use:
The Guardian used to have a cookie consent notice that was similar to that of The New York Times. However, as seen in the screenshot below, it too now has a pop-up that essentially takes control of the website's homepage until the user either manages cookies or consents to their use:
If a user clicks on The Guardian's "manage my cookies" button, they're taken to a screen where there's another pop-up. Inside that pop-up, users can adjust their cookie settings:
Implied Consent
A cookie consent notice that uses implied consent isn't a good option if your business is subject to the GDPR. On the other hand, if you don't have to comply with Europe's laws, then you can obtain implied consent.
Here’s an example of getting implied consent for cookies placement:
Note how consent here is implied when a user does something as simple as closing the banner, clicking a link on the website or simply browsing the site.
Consent notices like this are being used less and less as privacy laws become more strict, and as consumers demand more control over their privacy and personal information.
While the EU Cookies Law allowed for passive consent, the GDPR requires active, clear consent.
A great example of what active, clear consent would look like can be seen in this example from the BBC:
The labeling of the buttons as "Do Not Consent" and "Consent" makes it very clear to users that they are in fact giving or refusing to give consent here.
Business Insider labels its buttons differently, but it does mention consent in the first sentence of the pop-up, and the button that says "I'm OK with that" will show that a user who clicks on it is giving the green light for cookie placement:
You could also use "Agree" and "Disagree" statements to obtain consent, which is an active way of obtaining it. Just make it very clear that clicking the Agree button means a user is agreeing to what's stipulated in the rest of the notice.
Passive consent - also known as browsewrap - for cookies notification messages would be when a user is told that if she continues to use the website, consent to place cookies will be implied.
Here's an example of a cookies notification message that uses passive consent. Just by using the website, a user is considered to be consenting to cookies:
This passive consent notice simply tells users that cookies are being used, and doesn't link to any options or request any consent:
Here's a passive consent notice that goes a bit above the last example by informing users that they can opt out, while also linking to "Manage Settings" options. While it still isn't getting valid, clickwrap levels of active consent, it's slightly better than just telling users that cookies are in use:
The more enhanced active consent - known as clickwrap - requires that users do something more to show that they consent. An active step, such as clicking a checkbox, is required.
Here's an example of a cookies notification message that gets very clear and active consent from users:
Before cookies are placed, a user must check a box that explicitly says it's for accepting cookies from the website. Additionally, a user must also then click a "Continue" button.
This double-active method is a strong way to get consent and is sure to be compliant with current privacy and cookies laws.
Here's how EY presents its cookie consent notice:
Users can also customize which cookies they consent to from the Cookie Settings page linked to the notice:
In Brief
Depending on where you do business, you may or may not need a cookie consent notice that's GDPR compliant. However, privacy laws are changing globally, and many feel that ensuring your business is compliant with the most stringent of privacy laws is a best practice.
There are many styles you can choose from to provide your website visitors with cookie consent options. These include banners, pop-ups, and corner boxes.
No matter what style you pick, you should ensure that your notice is prominently displayed in such a way that no one can miss it. Additionally, it's best to ensure that you obtain explicit consent from your site's users rather than relying on implicit consent.
You have a few options for how and where to display your cookie consent notice on your website. However, you need to make sure that it's displayed prominently.
Finally, make sure you link to any pages where users can manage their cookies preferences as well as a link to your Cookies Policy.