Last updated on 22 March 2021 by William Blesch (Legal and data protection research writer at TermsFeed)
When Europe's General Data Protection Regulation (GDPR) became a force for businesses to reckon with in 2018, it brought with it a slew of penalties and fines when companies didn't comply.
Business owners began racing to make sure they complied with all of the GDPR's regulations, which include the need for businesses to obtain their website visitors' consent before placing cookies on their computers. Before long, legal disclaimers began popping up to notify visitors of the business's intent to track them, acting as a public notification.
Other notices were more explicit and asked directly for permission to track the website visitor.
However, even today, in 2020, many business owners don't know what cookie notices are, why they are required, who must have them, what the main components of cookie notices are, or what best practices are when it comes to bringing their companies into compliance.
In this article, we'll be going over all of that.
It's helpful to consider what one study found when looking at steps businesses have taken to try to get around the GDPR's requirements. This information can provide insight into what you should NOT do.
In a research paper entitled "(Un)informed Consent: Studying GDPR Consent Notices in the Field," researchers from the University of Michigan and Germany's Ruhr-University Bochum found that most businesses place their cookie notices at the bottom of the screen, provide only a confirmation button, and ensure the notice doesn't interrupt normal web browsing behavior.
In other words, those business owners might as well not have a cookie notice at all because they provide zero choices to the consumer. They're essentially saying, "Oh, you're here on our site? Great. We put cookies on your computer. Click this button to continue using the site. And, never mind the man behind the curtain!"
Other companies try to manipulate their website visitors into giving consent for cookie placement by using "dark patterns," such as using one color to highlight the "agree" button while downplaying the prominence of a link to "more options" with colors that make it less noticeable.
Ultimately, behaving in a shady manner can land your business in hot water if you do business in the European Economic Area because the GDPR does require obtaining cookie consent.
In America, the strictest data protection and privacy law is currently California's Consumer Privacy Act (CCPA). While it doesn't require obtaining consent, it does demand that you provide your website's visitors with notice that you collect data through your cookies and what you do with that data.
With that in mind, let's go back to the basics.
Cookies are data packets that computers send back and forth without altering the data. They are also known as web cookies, Internet cookies, browser cookies, or HTTP cookies. They consist of information sent to your computer when you visit a website.
Your computer stores that information in a file within your browser.
By and large, cookies are used to:
Although cookies are usually meant to provide website visitors with a better user experience, they can also track users and their browsing habits across multiple sites. That information can then be used by marketers (and others) to create behavioral profiles that are then used to find out what advertisements or other online content the user has viewed.
Your cookie notice should appear when visitors first land on your website. It should consist of the following three main components:
Additionally, your cookie consent notice's content needs to be clear and easily understood by those who visit your website.
Unlike some of the shady practices we talked about earlier, take a look at the clear wording used by The New York Times in its pop-up, bottom banner cookie notice as seen in the screenshot below:
The text says:
If you don't look too closely, a lot of cookie notices appear to be incredibly similar to each other. Companies seem to be copying each other, vying to do as little as possible, and hoping they don't get caught.
After all, cookie consent requirements aren't the same across the board, and as noted above, the CCPA doesn't demand precisely the same things the GDPR does.
Now we'll discuss and provide cookie consent examples for each of the most commonly-used types.
This cookie consent notice model demands that you block all cookies until your website visitors take a specific action, such as clicking a confirmation button that signifies their consent. In this type, either the button or a prominent link should blatantly say something like, "I accept cookies."
A problem with this model is the fact that it can be hard to get people to click the "I accept cookies" button without disrupting their entire user experience on your website. This is because people tend to ignore notices that aren't essentially shoved in their faces.
To combat the tendency of users to ignore these types of notices, there was a move by companies in the Netherlands to erect "Cookie Walls," which forced visitors to click a consent button before they were taken to the main website.
The Adidas UK website's cookie consent notice is similar to that of The New York Times but a bit more aggressive, and it does exactly what the businesses in the Netherlands did.
In essence, when a visitor hits the site, Adidas throws up a full-screen pop-up, which blocks users from interacting with the website until they manage cookies or fully consent to their use:
The Guardian used to have a cookie consent notice that was similar to that of The New York Times. However, as seen in the screenshot below, it too now has a pop-up that essentially takes control of the website's homepage until the user either manages cookies or consents to their use:
If a user clicks on The Guardian's "manage my cookies" button, they're taken to a screen where there's another pop-up. Inside that pop-up, users can adjust their cookie settings:
A cookie consent notice that uses implied consent isn't a good option if your business is subject to the GDPR. On the other hand, if you don't have to comply with Europe's laws, then you can obtain implied consent.
Here's an example of getting implied consent for cookie placement:
Note how consent here is implied when a user does something as simple as closing the banner, clicking a link on the website or simply browsing the site.
Consent notices like this are being used less and less as privacy laws become more strict, and as consumers demand more control over their privacy and personal information.
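The explicit and implied models described above differ only in which user actions are allowed to unlock cookies. As an added example (not code from this article or from any site it mentions), the JavaScript below routes every cookie write through a gate that blocks all cookies until an explicit choice is made and ignores the implied signals listed above; the action names, category names and in-memory cookie jar are assumptions made for illustration.

```javascript
// Added example. Action names, categories and the in-memory jar are assumptions.
const EXPLICIT = new Set(["accept_all", "save_preferences", "reject_all"]);
const IMPLIED = new Set(["close_banner", "click_link", "scroll"]);

class ConsentGate {
  constructor(categories = ["preferences", "analytics", "advertising"]) {
    this.categories = new Set(categories);
    this.granted = new Set(); // nothing is allowed before the visitor decides
    this.jar = new Map();     // stand-in for the browser's cookie store
    this.log = [];            // record of every interaction with the notice
  }

  // Handle one interaction with the notice; returns the categories now granted.
  handle(action, choices = []) {
    if (IMPLIED.has(action)) {
      // Closing the banner or browsing on is recorded but never counts as consent.
      this.log.push({ action, changed: false });
    } else if (EXPLICIT.has(action)) {
      const picked = action === "accept_all" ? [...this.categories]
        : action === "reject_all" ? []
        : choices.filter((c) => this.categories.has(c));
      this.granted = new Set(picked);
      // Withdrawal: remove cookies whose category is no longer granted.
      for (const [name, cookie] of this.jar) {
        if (!this.granted.has(cookie.category)) this.jar.delete(name);
      }
      this.log.push({ action, changed: true });
    } else {
      throw new Error(`unknown action: ${action}`);
    }
    return [...this.granted].sort();
  }

  // Every cookie write goes through the gate and is refused without consent.
  setCookie(name, value, category) {
    if (!this.granted.has(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }
}

// Constructed walk-through of one visit.
const gate = new ConsentGate();
console.log(gate.setCookie("_stats", "1", "analytics")); // refused: no decision yet
gate.handle("close_banner");                             // implied signal, ignored
console.log(gate.setCookie("_stats", "1", "analytics")); // still refused
gate.handle("save_preferences", ["analytics"]);          // explicit choice
console.log(gate.setCookie("_stats", "1", "analytics")); // now stored
```
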
There's at least one other method of providing users with GDPR-compliant cookie consent notices. This method is a bit less intrusive than a banner that takes up the entire footer of your page, or that aggressively prevents visitors from reaching your homepage until they consent to cookie usage.
A slide-in corner box or tool-tip style notice can do the trick just as easily and does so without the "in your face" feel of the other two styles we've discussed so far.
Consider how the Financial Times uses a minimalist corner box to provide the same GDPR-compliant information and consent options as the other styles mentioned above:
Depending on where you do business, you may or may not need a cookies consent notice that's GDPR compliant. However, privacy laws are changing globally, and many feel that ensuring your business is compliant with the most stringent of privacy laws is a best practice.
There are many styles you can choose from to provide your website visitors with cookies consent options. These include banners, pop-ups, and corner boxes.
No matter what style you pick, you should ensure that your notice is prominently displayed in such a way that no one can miss it. Additionally, it's best to ensure that you obtain explicit consent from your site's users rather than relying on implicit consent.
You have a few options for how and where to display your cookie consent notice on your website. However, you need to make sure that it's displayed prominently.
Finally, make sure you link to your Cookies Policy and to any pages where users can manage their cookie preferences.