When Europe's General Data Protection Regulation (GDPR) became a force for businesses to reckon with in 2018, it brought with it a slew of penalties and fines when companies didn't comply.

Business owners began racing to make sure they complied with all of the GDPR's regulations, which include the need for businesses to obtain their website visitors' consent before placing cookies on their computers. Before long, legal disclaimers began popping up to notify visitors of the business's intent to track them, acting as a public notification.

Other notices were more explicit and asked directly for permission to track the website visitor.

However, even today, in 2020, many business owners don't know what cookie notices are, why they are required, who must have them, what the main components of cookie notices are, or what best practices are when it comes to bringing their companies into compliance.

In this article, we'll be going over all of that.

What you should not do

It's helpful to consider what one study found when looking at steps businesses have taken to try to get around the GDPR's requirements. This information can provide insight into what you should NOT do.

In a research paper entitled (Un)informed Consent: Studying GDPR Consent Notices in the Field, researchers from the University of Michigan and Germany's Ruhr-University Bochum found that most businesses placed their cookie notices at the bottom of the screen, provided only a confirmation button, and ensured the notice didn't interrupt normal web browsing behavior.

In other words, those business owners might as well not have a cookie notice at all because they provide zero choices to the consumer. They're essentially saying, "Oh, you're here on our site? Great. We put cookies on your computer. Click this button to continue using the site. And, never mind the man behind the curtain!"

Other companies try to manipulate their website visitors into giving consent for cookie placement by using techniques such as "dark patterns," where they use one color to highlight the "agree" button while downplaying the prominence of a link to "more options" with colors that make it less noticeable.

Ultimately, behaving in a shady manner can land your business in hot water if you do business in the European Economic Area because the GDPR does require obtaining cookie consent.

In America, the strictest data protection and privacy law is currently California's Consumer Privacy Act (CCPA). While it doesn't require obtaining consent, it does demand that you provide your website's visitors with notice that you collect data through your cookies and what you do with that data.

With that in mind, let's go back to the basics.

What are Cookies?

Cookies are data packets that computers send back and forth without altering or changing the data. They are also known as web cookies, Internet cookies, browser cookies, or HTTP cookies. They consist of information sent to your computer when you visit a website.

Your computer stores that information in a file within your browser.

By and large, cookies are used to:

  • Help website visitors complete tasks, such as filling out forms (autocomplete, etc.) on the site without having to re-enter the information if the user visits the site again later
  • Remember a visitor's preferences
  • Recognize the visitor's device

Although cookies are usually meant to provide website visitors with a better user experience, they can also track users and their browsing habits across multiple sites. That information can then be used by marketers (and others) to create behavioral profiles that are then used to find out what advertisements or other online content the user has viewed.

What are Cookie Consent Notices?

Cookie consent notices are banners, screens, or pop-ups you place on your website to present visitors with your Cookie Policy. The notice allows website users to consent to your use of cookies. A proper cookie notice should also allow the user to set preferences or to deny your use of cookies altogether.

Your cookie notice should appear when visitors first land on your website. It should consist of the following three main components:

  • A "Consent to Cookies" option - Your cookie consent notice must provide visitors with a way to explicitly consent to your use of cookies (e.g., a button or link).
  • A "Cookie Preferences" option - Your cookie consent notice must give users the ability to consent to or deny specific categories of cookies if you wish to be GDPR compliant.
  • A link to your Cookie Policy - Your cookie consent notice should link to your Cookie Policy, or at least to your Privacy Policy. One of these policies needs to outline the cookies you use, what category of cookies you use (e.g., social media), and how website visitors can manage the settings for their cookies.

Additionally, your cookie consent notice's content needs to be clear and easily understood by those who visit your website.

Unlike some of the shady practices we talked about earlier, take a look at the clear wording used by The New York Times in its pop-up, bottom banner cookie notice as seen in the screenshot below:

New York Times Cookie Notice - Tracker Settings

The text says:

"We use cookies and similar methods to recognize visitors and remember their preferences. We also use them to measure ad campaign effectiveness, target ads and analyze site traffic.

To learn more about these methods, including how to disable them, view our Cookie Policy. Starting on July 20, 2020 we will show you ads we think are relevant to your interests, based on the kinds of content you access in our Services. You can object. For more info, see our privacy policy.

By tapping 'accept,' you consent to the use of these methods by us and third parties. You can always change your tracker preferences by visiting our Cookie Policy."

Notice that while the New York Times cookie notice doesn't provide users with a button for rejecting the use of cookies outright, it does provide a link that leads directly to where one can opt out of non-essential trackers.

Of course, the New York Times notice does provide a means of explicitly consenting through the use of a button. Additionally, the notice links to both a complete version of the company's Cookie Policy and Privacy Policy.

Why are Cookie Consent Notices Needed?

Generally, you need to gain a user's consent to use cookies if you're an EU-based business, or if citizens from any EU member state interact with your website and your cookies are non-exempt according to the GDPR.

In any of these cases, the law requires you to have a Cookies Policy. In fact, the GDPR regulations stipulate that you've got to provide your website visitors with a way to take an action that explicitly expresses their consent to the use of cookies.

Your website visitors' consent can be obtained through actions such as clicking an opt-in button on your site or by replying to an email. A notice can be used (such as a pop-up or a banner placed in either the header or footer of your website) to inform visitors that the site uses cookies. Additionally, the notice can link to your Cookie Policy.

If you don't look too closely, a lot of cookie notices appear to be incredibly similar to each other. Companies seem to be copying each other, vying to do as little as possible, and hoping they don't get caught.

After all, cookie consent requirements aren't the same across the board, and as noted above, the CCPA doesn't demand precisely the same things the GDPR does.

Now we'll discuss and provide cookie consent examples for each of the most commonly-used types.

This cookie consent notice model demands that you block all cookies until your website visitors take a specific action, such as clicking a confirmation button that signifies their consent. In this type, either the button or a prominent link should plainly say something like, "I accept cookies."
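The blocking model described above, combined with the per-category preferences a compliant notice offers, can be sketched as a small consent gate. This is an added example, not code from any of the sites discussed here; the category names, tag names and function names are assumptions chosen for illustration.

```javascript
// Added example, not from the article: category and tag names are assumptions.
const CATEGORIES = ["necessary", "preferences", "analytics", "marketing"];

// Before any choice is made, only strictly necessary cookies are allowed.
function newConsentState() {
  return { decided: false, granted: ["necessary"] };
}

// Only explicit choices change the state. Closing the banner, scrolling or
// following a link is the "implied consent" pattern and is ignored here.
function applyAction(state, action) {
  switch (action.type) {
    case "accept_all":
      return { decided: true, granted: [...CATEGORIES] };
    case "reject_all":
      return { decided: true, granted: ["necessary"] };
    case "save_preferences": {
      // Keep only known categories; "necessary" cannot be switched off.
      const wanted = action.categories || [];
      const chosen = CATEGORIES.filter((c) => c === "necessary" || wanted.includes(c));
      return { decided: true, granted: chosen };
    }
    default:
      return state;
  }
}

// The notice stays on screen until the visitor has made an explicit choice.
function bannerVisible(state) {
  return !state.decided;
}

// Names of the tags whose category was granted; everything else stays blocked.
function tagsToLoad(state, tags) {
  return tags.filter((t) => state.granted.includes(t.category)).map((t) => t.name);
}

// Constructed sample inventory of what a site would otherwise load on page view.
const SAMPLE_TAGS = [
  { name: "session-cookie", category: "necessary" },
  { name: "language-choice", category: "preferences" },
  { name: "page-stats", category: "analytics" },
  { name: "ad-pixel", category: "marketing" },
];

let state = applyAction(newConsentState(), { type: "close_banner" });
console.log(bannerVisible(state), tagsToLoad(state, SAMPLE_TAGS));
state = applyAction(state, { type: "save_preferences", categories: ["analytics"] });
console.log(bannerVisible(state), tagsToLoad(state, SAMPLE_TAGS));
```

In a real page, the tags returned by `tagsToLoad` would be the only scripts injected, and the stored choice would be read back on the next visit so the notice does not reappear.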

A problem with this model is the fact that it can be hard to get people to click the "I accept cookies" button without disrupting their entire user experience on your website. This is because people tend to ignore notices that aren't essentially shoved in their faces.

To combat the tendency of users to ignore these types of notices, there was a move by companies in the Netherlands to erect "Cookie Walls," which forced visitors to click a consent button before they were taken to the main website.

Similar to the New York Times cookie consent notice, the Adidas UK website is a bit more aggressive and does exactly what the businesses in the Netherlands did.

In essence, when a visitor hits the site, Adidas throws up a full-screen pop-up, which blocks users from interacting with the website until they manage cookies or fully consent to their use:

Adidas UK cookie wall

The Guardian used to have a cookie consent notice that was similar to that of The New York Times. However, as seen in the screenshot below, it too now has a pop-up that essentially takes control of the website's homepage until the user either manages cookies or consents to their use:

The Guardian Cookie Consent Notice with options to agree and manage cookies

If a user clicks on The Guardian's "manage my cookies" button, they're taken to a screen where there's another pop-up. Inside that pop-up, users can adjust their cookie settings:

The Guardian Cookie Consent Notice: Manage cookies options screen

A cookie consent notice that uses implied consent isn't a good option if your business is subject to the GDPR. On the other hand, if you don't have to comply with Europe's laws, then you can obtain implied consent.

What this means is that when visitors come to your website, you simply make them aware that you use cookies and that, by continuing to use your website (or because you give them no option other than to accept all cookies), they are implicitly providing you with consent.

Here's an example of getting implied consent for cookie placement:

Generic Cookie Consent Notice with implied consent

Note how consent here is implied when a user does something as simple as closing the banner, clicking a link on the website or simply browsing the site.

Consent notices like this are being used less and less as privacy laws become more strict, and as consumers demand more control over their privacy and personal information.

The Corner Box Method

There's at least one other method of providing users with GDPR-compliant cookie consent notices. This method is a bit less intrusive than a banner that takes up the entire footer of your page, or that aggressively prevents visitors from reaching your homepage until they consent to cookie usage.

A slide-in corner box or tool-tip style notice can do the trick just as easily and does so without the "in your face" feel of the other two styles we've discussed so far.

Consider how the Financial Times uses a minimalist corner box to provide the same GDPR-compliant information and consent options as the other styles mentioned above:

Financial Times Cookie Consent Notice

In Brief

Depending on where you do business, you may or may not need a cookie consent notice that's GDPR compliant. However, privacy laws are changing globally, and many feel that ensuring your business is compliant with the most stringent of privacy laws is a best practice.

There are many styles you can choose from to provide your website visitors with cookie consent options. These include banners, pop-ups, and corner boxes.

No matter what style you pick, you should ensure that your notice is prominently displayed in such a way that no one can miss it. Additionally, it's best to ensure that you obtain explicit consent from your site's users rather than relying on implicit consent.

You have a few options for how and where to display your cookie consent notice on your website. However, you need to make sure that it's displayed prominently.

Finally, make sure you link to any pages where users can manage their cookie preferences, as well as to your Cookies Policy.