If your website uses cookies, you may need to provide cookies notification messages. These simple pop-up boxes are important for legal compliance.

Not only do they let you give users adequate notice that you use cookies, but you can use them to get consent from users to place these cookies on their devices.

Here's what you need to know about when cookies notification messages are required and how to structure yours.

What are Cookies

Cookies are small text files. When you visit a website, the website sends cookies to your computer, and your computer stores them in a file in your web browser.

Cookies are filled with information, and there are countless different types of cookies.

Some help keep track of your login information so you can store passwords to frequently-visited websites. Others keep track of how long you spend on a website or what items you have in your online shopping cart.

Generally, cookies are a helpful thing for both businesses and users.

Businesses benefit from using cookies for retargeting advertising and analytics purposes to reach potential customers, convert sales and have a solid insight into their website performance.

Users benefit by getting an optimized browsing experience. Shopping cart items are remembered, the webpage is displayed optimally according to the individual's computer and browser settings and you don't have to manually log in to every website you regularly use - unless you want to - all thanks to cookies.

However, not everyone loves cookies.

Because cookies track your browsing habits and are so discreet in nature, many people consider them to be intrusive to privacy. This has led to laws being developed around protecting user privacy and requiring specific disclosures and other requirements from businesses that use cookies.

In the past, websites could simply place cookies at will. Now, however, notice and consent are both required before a website can place cookies on a user's device.

Cookies Laws

There are a number of laws that affect cookies, such as the following.

The EU Cookies Directive applies to websites that are:

  • Owned by EU businesses, or
  • Directed towards EU citizens

The main requirements under this directive are that:

  • Users are informed about your cookies usage, and
  • You get consent to place cookies before doing so

The General Data Protection Regulation (GDPR) out of the EU takes things a little further.

The GDPR applies to businesses that:

  • Offer products and services to citizens of the EU, or
  • Collect personal information from citizens of the EU

The GDPR applies regardless of where your business is headquartered or located.

It considers using most cookies to be collecting personal information. Cookies used for advertising, analytics and functional services (such as chat tools) are some of the cookies that are covered by the GDPR.

The GDPR requires that:

  • You get active consent to place cookies. Implied consent will not be sufficient.
  • Users are able to easily withdraw consent and opt-out of cookies placement

This means that your safest bet to stay compliant with these privacy laws and their cookies coverage is to:

  • Provide notice that you use cookies
  • Obtain active consent before placing cookies
  • Provide an opt-out method for users

You can accomplish this easily by providing cookies notification messages to users.

Cookies Notification Messages

A cookies notification message is a pop-up notice that users will get the first time they visit your website.

You need to place one on every page of your website since not all users will land on your homepage first.

The cookies notification message is where you'll do three things:

  • Let users know that your website uses cookies
  • Provide users with more information - This can link to your Privacy Policy/Cookies Policy, and information about how a user can change settings/opt-out
  • Get active consent to use cookies

Here's an example of a cookies notification message with all three of these components:

jQuery cookies notification message

Here's each component broken down with more detail and with examples.

Your Website Uses Cookies

The main point of your cookies notification message is to let users know that you use cookies.

It's best to do this in a short, concise sentence or two. This will keep your notification simple and easy to understand without overwhelming a user.

Here's an example of a simple notification message. It lets users know that the website uses cookies to offer relevant information and for optimal performance:

Blueconic cookies notification message

Here's an example of a more lengthy message about cookies being used:

NHS Lothian cookies notification message

Note that neither example links to its Privacy Policy or Cookies Policy where a user could find out more information and specifics about cookies usage. This is not recommended.

Here's why:

Your cookies notification is meant to be just that - a notice that you use cookies. The notification box has limited space and should be short and simple. That's where links come in.

You should link to your Privacy Policy/Cookies Policy in your cookies notification message.

After reading a short sentence or two about your use of cookies, a user may wish to find out more about your practices. Linking to your policy makes this easy to do before consenting.

Here's an example of a policy link provided in a cookies notification message:

Great Ormond Street Hospital Children

Some businesses choose to include a link to their Policies as a "Learn More" or "More Info" link.

Here's a "More info" link example:

Cookie Consent cookies notification message

And here's another method of the same approach:

Gosh cookie consent notice with Learn More link highlighted

You should also provide a link to information about how users can manage cookies settings.

This opt-out information should be included and linked to in one of your website policies, as seen below from Spotify's Cookies Policy:

Spotify Cookies Policy: How to Manage Your Cookie Preferences clause

However, providing a direct connection to instructions or a settings page in your notification box will be helpful to users, such as the "Manage" button shown here:

Channel 4 cookie consent notice with Manage button highlighted

Here's another example of including a link to change settings directly within your notification message:

Blueconic cookies notification message with Change Settings link

The EU Cookies Law requires you to get consent before placing cookies. So does the GDPR. However, the GDPR makes the consent requirement stricter.

While the EU Cookies Law allowed for passive consent, the GDPR requires active, clear consent.

A great example of what active, clear consent would look like can be seen in this example from the BBC:

BBC permissions to show personalized ads and store and access information - Consent notice

The labeling of the buttons as "Do Not Consent" and "Consent" makes it very clear to users that they are in fact giving or refusing to give consent here.

Business Insider labels its buttons differently, but it does mention consent in the first sentence of the pop-up, and the button that says "I'm OK with that" will show that a user who clicks on it is giving the green light for cookie placement:

Business Insider cookie consent notice

BuzzFeed uses "Agree" and "Disagree" statements to obtain consent, which is an active way of obtaining it. It makes it very clear that clicking the Agree button means a user is agreeing to what's stipulated in the rest of the notice:

BuzzFeed cookie consent notice - updated

Passive consent - also known as browsewrap - for cookies notification messages would be when a user is told that if she continues to use the website, consent to place cookies will be implied.

Here's an example of a cookies notification message that uses passive consent. Just by using the website, a user is considered to be consenting to cookies:

Mirror UK: Notification on website cookies

This passive consent notice simply tells users that cookies are being used, and doesn't link to any options or request any consent:

NHS Lothian cookie banner using browsewrap

Here's a passive consent notice that goes a step beyond the last example by informing users that they can opt out, while also linking to "Manage Settings" options. While it still isn't getting valid, clickwrap levels of active consent, it's slightly better than just telling users that cookies are in use:

WeTransfer cookie banner - Browsewrap with settings options

The more enhanced active consent - known as clickwrap - requires that users do something more to show that they consent. An active step, such as clicking a checkbox, is required.

Here's an example of a cookies notification message that gets very clear and active consent from users:

ICO cookies notification message with clear clickwrap consent

Before cookies are placed, a user must check a box that explicitly says it's for accepting cookies from the website. Additionally, a user must also then click a "Continue" button.

This double-active method is a strong way to get consent and is sure to be compliant with current privacy and cookies laws.

Here's how EY presents its cookie consent notice:

EY Cookie consent notice

Users can also customize which cookies they consent to from the Cookie Settings page linked to the notice:

EY Cookie Settings page


The perfect and compliant cookies notification message will contain the following elements:

  • A short statement that you use cookies,
  • A link to your Privacy/Cookies Policy,
  • A link to where or how users can change their settings, and
  • A requirement that a user do something active to show consent (such as a checkbox or toggle buttons)

Make your cookies notification message pop up on every page of your website for first-time visitors.

Make sure the notification message stays showing until the user accepts it.

Don't place cookies unless you get consent.

Not only will this make your cookies notification message compliant with existing laws, but it also keeps up with changes such as those we're seeing with the enhanced GDPR legislation, and those we're sure to see in the future.
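
One way to enforce the checklist above in the browser, shown as an added example that is not from the original article: a consent gate that holds cookies back until the visitor completes the checkbox-plus-button step, and deletes them again on opt-out. `ConsentGate`, its method names and the sample cookie names are hypothetical, and a `Map` stands in for `document.cookie` so the sketch runs under Node.

```javascript
// Added example; ConsentGate and its method names are hypothetical.
// A Map stands in for document.cookie so the sketch runs under Node.
class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;            // cookies actually placed on the device
    this.consent = null;       // null = no active choice made yet
    this.pending = [];         // cookies requested but held back
    this.category = new Map(); // cookie name -> category, used for opt-out
  }

  // True on every page until the visitor actively accepts.
  shouldShowBanner() {
    return this.consent === null;
  }

  // Place a cookie only if its category has been consented to.
  set(name, value, category) {
    if (this.consent !== null && this.consent.has(category)) {
      this.jar.set(name, value);
      this.category.set(name, category);
      return true;
    }
    this.pending.push({ name, value, category });
    return false;
  }

  // Clickwrap: ticked checkbox AND button click are both required.
  // Passive signals (scrolling, continued browsing) never call this.
  accept({ checkboxTicked, continueClicked, categories }) {
    if (!checkboxTicked || !continueClicked) return false;
    this.consent = new Set(categories);
    const held = this.pending;
    this.pending = [];
    for (const c of held) this.set(c.name, c.value, c.category);
    return true;
  }

  // Opt-out: revoke one category and delete its cookies already placed.
  withdraw(category) {
    if (this.consent !== null) this.consent.delete(category);
    for (const [name, cat] of this.category) {
      if (cat !== category) continue;
      this.jar.delete(name);
      this.category.delete(name);
    }
  }
}
```

In a real page, the `jar` writes would be replaced by `document.cookie` assignments and by loading the analytics or advertising scripts only after `accept` returns true.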