19 June 2020
Here's what you need to know about when cookies notification messages are required and how to structure yours.
Cookies are small text files. When you visit a website, the website sends cookies to your computer, and your computer stores them in a file in your web browser.
Cookies are filled with information, and there are countless different types of cookies.
Some help keep track of your login information so you can store passwords to frequently visited websites. Others keep track of how long you spend on a website or what items you have in your online shopping cart.
Generally, cookies are a helpful thing for both businesses and users.
Businesses benefit from using cookies for retargeting advertising and analytics purposes to reach potential customers, convert sales and have a solid insight into their website performance.
Users benefit by getting an optimized browsing experience. Shopping cart items are remembered, the webpage is displayed optimally according to the individual's computer and browser settings, and you don't have to manually log in to every website you regularly use (unless you want to), all thanks to cookies.
However, not everyone loves cookies.
In the past, websites could simply place cookies at will. Now, however, notice and consent are both required before a website can place cookies on a user's device.
Right now, there are two main laws that affect cookies.
The EU Cookies Directive applies to websites that are:
The main requirements under this directive are that:
The new General Data Protection Regulation (GDPR) out of the EU takes things a little further.
The GDPR applies to websites that:
The GDPR applies regardless of where your business is headquartered or located.
It considers using most cookies to be collecting personal information. Cookies used for advertising, analytics and functional services (such as chat tools) are some of the cookies that are covered by the GDPR.
The GDPR requires that:
This means that your safest bet to stay compliant with these privacy laws and their cookies coverage is to:
You can accomplish this easily by providing cookies notification messages to users.
A cookies notification message is a pop-up notice that users will get the first time they visit your website.
You need to place one on every page of your website since not all users will land on your homepage first.
The cookies notification message is where you'll do three things:
Here's an example of a cookies notification message with all three of these components.
Here's each component broken down with more detail and with examples.
It's best to do this in a short, concise sentence or two. This will keep your notification simple and easy to understand without overwhelming a user.
Here's an example of a more lengthy message about cookies being used.
Here's an example of a policy link provided in a cookies notification message.
Some businesses choose to include a link to their Policies as a "Learn More" or "More Info" link.
You should also provide a link to information about how users can manage cookies settings.
However, providing a direct link to instructions or a settings page in your notification box will be helpful to users.
Here's another example of including a link to change settings directly within your notification message.
The EU Cookies Law requires you to get consent before placing cookies. So does the GDPR. However, the GDPR is making the consent requirement more strict.
While the EU Cookies Law allowed for passive consent, the GDPR requires active, clear consent.
Passive consent - also known as browsewrap - for cookies notification messages would be when a user is told that if she continues to use the website, consent to place cookies will be implied.
Here's an example of a cookies notification message that uses passive consent. Just by using the website, a user is considered to be consenting to cookies.
The more enhanced active consent - known as clickwrap - requires that users do something more to show that they consent. An active step, such as clicking a checkbox, is required.
Here's an example of a cookies notification message that gets very clear and active consent from users.
Before cookies are placed, a user must check a box that explicitly says it's for accepting cookies from the website. Additionally, a user must also then click a "Continue" button.
This double-active method is a strong way to get consent and is sure to be compliant with current privacy and cookies laws.
Here's another example of active consent to place cookies.
The perfect and compliant cookies notification message will contain the following elements:
Make your cookies notification message pop up on every page of your website for first-time visitors.
Make sure the notification message stays visible until the user accepts it.
Don't place cookies unless you get consent.
Not only will this make your cookies notification message compliant with existing laws, but it will also keep up with changes like those we're seeing with the enhanced GDPR legislation, and those we're sure to see in the future.
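The three rules above (show the notice on every page until it is accepted, require an active step, place nothing before consent) can be enforced in one place in the site's script. The sketch below is an added example, not code from this article or from any consent product; the class, method and key names are hypothetical, and `store` and `jar` are stand-ins for the browser's persistent storage and `document.cookie`.

```javascript
// Added example: active (clickwrap) consent gate. All names are hypothetical.
// `store` stands in for wherever the site remembers the decision and `jar`
// for document.cookie; both are injected so the logic runs outside a browser.
class ConsentGate {
  constructor(store, jar) {
    this.store = store;      // Map-like: remembers consent across page loads
    this.jar = jar;          // Map-like: cookies actually placed
    this.checked = false;    // state of the "I accept cookies" checkbox
    this.pending = [];       // cookies requested before consent was given
  }

  hasConsent() {
    return this.store.get('cookie_consent') === 'accepted';
  }

  // The banner is shown on every page until the visitor has accepted.
  shouldShowBanner() {
    return !this.hasConsent();
  }

  setCheckbox(checked) {
    this.checked = Boolean(checked);
  }

  // Consent needs both active steps: the ticked box and the button click.
  clickContinue() {
    if (!this.checked) return false;   // button alone is not consent
    this.store.set('cookie_consent', 'accepted');
    for (const [name, value] of this.pending) this.jar.set(name, value);
    this.pending = [];
    return true;
  }

  // Scripts call this instead of writing cookies directly.
  placeCookie(name, value) {
    if (this.hasConsent()) {
      this.jar.set(name, value);
      return true;
    }
    this.pending.push([name, value]);  // held back, nothing reaches the jar
    return false;
  }
}
```

Routing every cookie write through `placeCookie` is what makes the gate effective: a third-party tag that writes cookies on its own bypasses it and has to be loaded only after `clickContinue()` returns true.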
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.