Last updated on 21 May 2022 by Sara Pegarella (Law school graduate, B.A. in English/Writing. In-house writer at TermsFeed)
Here's what you need to know about when cookies notification messages are required and how to structure yours.
Cookies are small text files. When you visit a website, the website sends cookies to your computer, and your computer stores them in a file in your web browser.
Cookies are filled with information, and there are countless different types of cookies.
Some help keep track of your login information so you can store passwords to frequently-visited websites. Others keep track of how long you spend on a website or what items you have in your online shopping cart.
Generally, cookies are a helpful thing for both businesses and users.
Businesses benefit from using cookies for retargeting advertising and analytics purposes to reach potential customers, convert sales and have a solid insight into their website performance.
Users benefit by getting an optimized browsing experience. Shopping cart items are remembered, the webpage is displayed optimally according to the individual's computer and browser settings, and users don't have to manually log in to every website they regularly use (unless they want to), all thanks to cookies.
However, not everyone loves cookies.
In the past, websites could simply place cookies at will. Now, however, notice and consent are both required before a website can place cookies on a user's device.
Right now, there are two main laws that affect cookies.
The EU Cookies Directive applies to websites that are:
The main requirements under this directive are that:
The General Data Protection Regulation (GDPR) out of the EU takes things a little further.
The GDPR applies to businesses that:
The GDPR applies regardless of where your business is headquartered or located.
It considers using most cookies to be collecting personal information. Cookies used for advertising, analytics and functional services (such as chat tools) are some of the cookies that are covered by the GDPR.
The GDPR requires that:
This means that your safest bet to stay compliant with these privacy laws and their cookies coverage is to:
You can accomplish this easily by providing cookies notification messages to users.
A cookies notification message is a pop-up notice that users will get the first time they visit your website.
You need to place one on every page of your website since not all users will land on your homepage first.
The cookies notification message is where you'll do three things:
Here's an example of a cookies notification message with all three of these components:
Here's each component broken down with more detail and with examples.
It's best to do this in a short, concise sentence or two. This will keep your notification simple and easy to understand without overwhelming a user.
Here's an example of a more lengthy message about cookies being used:
Here's an example of a policy link provided in a cookies notification message:
Some businesses choose to include a link to their Policies as a "Learn More" or "More Info" link.
Here's a "More info" link example:
And here's another method of the same approach:
You should also provide a link to information about how users can manage cookies settings.
This opt-out information should be included and linked to in one of your website policies, as seen below from Spotify's Cookies Policy:
However, providing a direct connection to instructions or a settings page in your notification box will be helpful to users, such as the "Manage" button shown here:
Here's another example of including a link to change settings directly within your notification message:
The EU Cookies Law requires you to get consent before placing cookies. So does the GDPR. However, the GDPR makes the consent requirement stricter.
While the EU Cookies Law allowed for passive consent, the GDPR requires active, clear consent.
A great example of what active, clear consent would look like can be seen in this example from the BBC:
The labeling of the buttons as "Do Not Consent" and "Consent" makes it very clear to users that they are in fact giving or refusing to give consent here.
Business Insider labels its buttons differently, but it does mention consent in the first sentence of the pop-up, and the button that says "I'm OK with that" will show that a user who clicks on it is giving the green light for cookie placement:
BuzzFeed uses "Agree" and "Disagree" statements to obtain consent, which is an active way of obtaining it. It makes it very clear that clicking the Agree button means a user is agreeing to what's stipulated in the rest of the notice:
Passive consent - also known as browsewrap - for cookies notification messages would be when a user is told that if she continues to use the website, consent to place cookies will be implied.
Here's an example of a cookies notification message that uses passive consent. Just by using the website, a user is considered to be consenting to cookies:
This passive consent notice simply tells users that cookies are being used, and doesn't link to any options or request any consent:
Here's a passive consent notice that goes a bit above the last example by informing users that they can opt out, while also linking to "Manage Settings" options. While it still isn't getting valid, clickwrap levels of active consent, it's slightly better than just telling users that cookies are in use:
The more enhanced active consent - known as clickwrap - requires that users do something more to show that they consent. An active step, such as clicking a checkbox, is required.
Here's an example of a cookies notification message that gets very clear and active consent from users:
Before cookies are placed, a user must check a box that explicitly says it's for accepting cookies from the website. Additionally, a user must also then click a "Continue" button.
This double-active method is a strong way to get consent and is sure to be compliant with current privacy and cookies laws.
Here's how EY presents its cookie consent notice:
Users can also customize which cookies they consent to from the Cookie Settings page linked to the notice:
The perfect and compliant cookies notification message will contain the following elements:
Make your cookies notification message pop up on every page of your website for first-time visitors.
Make sure the notification message stays visible until the user accepts it.
Don't place cookies unless you get consent.
Not only will this make your cookies notification message compliant with existing laws, but it keeps up with changes like we're seeing with the enhanced GDPR legislation, and like we're sure to see in the future.
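The rules above (banner on every page until accepted, no cookies before consent, checkbox plus "Continue" as the active step) can be enforced in code by routing every cookie write through one gate. This is an added example, not code from TermsFeed or from any of the sites mentioned; `ConsentGate`, the `cookie_consent` name and the `Map` used in place of the browser's cookie store are assumptions for illustration.

```javascript
// Added example; ConsentGate and cookie_consent are hypothetical names.
// `jar` is a Map standing in for the browser cookie store so this runs offline.
const CATEGORIES = ["advertising", "analytics", "functional"]; // cookie types the article names
const CONSENT_COOKIE = "cookie_consent";

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.blocked = []; // refused writes, kept so they can be audited
  }
  // Categories previously accepted, read back from the stored consent record.
  granted() {
    const raw = this.jar.get(CONSENT_COOKIE);
    return new Set(raw ? raw.split(",").filter((c) => CATEGORIES.includes(c)) : []);
  }
  // The banner is due on every page until an acceptance has been recorded.
  shouldShowBanner() {
    return !this.jar.has(CONSENT_COOKIE);
  }
  // Clickwrap: both the ticked checkbox and the "Continue" click are required.
  recordConsent({ checkboxTicked, continueClicked, categories = [] }) {
    if (checkboxTicked !== true || continueClicked !== true) return false;
    const chosen = categories.filter((c) => CATEGORIES.includes(c));
    if (chosen.length === 0) return false;
    this.jar.set(CONSENT_COOKIE, chosen.join(","));
    return true;
  }
  // Write a cookie only if its category has been accepted.
  setCookie(name, value, category) {
    if (!this.granted().has(category)) {
      this.blocked.push({ name, category });
      return false;
    }
    this.jar.set(name, value);
    return true;
  }
}

function demo() {
  const jar = new Map(); // constructed sample: a first-time visitor with no cookies
  const gate = new ConsentGate(jar);
  const before = gate.setCookie("_analytics_id", "abc123", "analytics");
  // Clicking on without ticking the box is not the double-active step.
  const passive = gate.recordConsent({ checkboxTicked: false, continueClicked: true, categories: ["analytics"] });
  const active = gate.recordConsent({ checkboxTicked: true, continueClicked: true, categories: ["analytics"] });
  const after = gate.setCookie("_analytics_id", "abc123", "analytics");
  const ads = gate.setCookie("_ad_id", "xyz789", "advertising");
  return { before, passive, active, after, ads, banner: gate.shouldShowBanner(), cookies: [...jar.keys()], blocked: gate.blocked.length };
}
```

The `blocked` list gives a quick way to find scripts that try to set cookies before the visitor has accepted them.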