Cookies Notification Messages

If your website uses cookies, you may need to provide cookies notification messages. These simple pop-up boxes are important for legal compliance.

Not only do they let you give users adequate notice that you use cookies, but you can use them to get consent from users to place these cookies on their devices.

Here's what you need to know about when cookies notification messages are required and how to structure yours.


What are Cookies

Cookies are small text files. When you visit a website, the website sends cookies to your computer, and your computer stores them in a file in your web browser.

Cookies are filled with information, and there are countless different types of cookies.

Some help keep track of your login information so you can store passwords to frequently-visited websites. Others keep track of how long you spend on a website or what items you have in your online shopping cart.

Generally, cookies are a helpful thing for both businesses and users.

Businesses benefit from using cookies for retargeting advertising and analytics purposes to reach potential customers, convert sales and gain solid insight into their website performance.

Users benefit by getting an optimized browsing experience. Shopping cart items are remembered, the webpage is displayed optimally according to the individual's computer and browser settings, and you don't have to manually log in to every website you regularly use - unless you want to - all thanks to cookies.

However, not everyone loves cookies.

Because cookies track your browsing habits and are so discreet in nature, many people consider them to be intrusive to privacy. This has led to laws being developed around protecting user privacy and requiring specific disclosures and other requirements from businesses that use cookies.

In the past, websites could simply place cookies at will. Now, however, notice and consent are both required before a website can place cookies on a user's device.

Cookies Laws

Right now, there are two main laws that affect cookies.

The EU Cookies Directive applies to websites that are:

  • Owned by EU businesses, or
  • Directed towards EU citizens

The main requirements under this directive are that:

  • Users are informed about your cookies usage, and
  • You get consent to place cookies before doing so

The new General Data Protection Regulation (GDPR) out of the EU takes things a little further.

The GDPR applies to websites that:

  • Offer products and services to citizens of the EU, or
  • Collect personal information from citizens of the EU

The GDPR applies regardless of where your business is headquartered or located.

It considers using most cookies to be collecting personal information. Cookies used for advertising, analytics and functional services (such as chat tools) are some of the cookies that are covered by the GDPR.

The GDPR requires that:

  • You get active consent to place cookies. Implied consent will not be sufficient
  • Users are able to easily withdraw consent and opt-out of cookies placement

This means that your safest bet to stay compliant with these privacy laws and their cookies coverage is to:

  • Provide notice that you use cookies
  • Obtain active consent before placing cookies
  • Provide an opt-out method for users

You can accomplish this easily by providing cookies notification messages to users.

Cookies Notification Messages

A cookies notification message is a pop-up notice that users will get the first time they visit your website.

You need to place one on every page of your website since not all users will land on your homepage first.

The cookies notification message is where you'll do three things:

  • Let users know that your website uses cookies
  • Provide users with more information - This can link to your Privacy Policy / Cookies Policy, and information about how a user can change settings/opt-out.
  • Get active consent to use cookies

Here's an example of a cookies notification message with all three of these components.

jQuery cookies notification message

Here's each component broken down with more detail and with examples.

Your Website Uses Cookies

The main point of your cookies notification message is to let users know that you use cookies.

It's best to do this in a short, concise sentence or two. This will keep your notification simple and easy to understand without overwhelming a user.

Here's an example of a simple notification message. It lets users know that the website uses cookies to offer relevant information and for optimal performance.

Blueconic cookies notification message

Here's an example of a more lengthy message about cookies being used.

NHS Lothian cookies notification message

Note that neither example links to its Privacy Policy or Cookies Policy where a user could find out more information and specifics about cookies usage. This is not recommended.

Here's why:

Your cookies notification is meant to be just that - a notice that you use cookies. The notification box has limited space and should be short and simple. That's where links come in.

You should link to your Privacy Policy/Cookies Policy in your cookies notification message.

After reading a short sentence or two about your use of cookies, a user may wish to find out more about your practices. Linking to your policy makes this easy for a user to do before consenting.

Here's an example of a policy link provided in a cookies notification message.

Great Ormond Street Hospital Children

Some businesses choose to include a link to their Policies as a "Learn More" or "More Info" link.

Cookie Consent cookies notification message

You should also provide a link to information about how users can manage cookies settings.

This opt-out information should be included and linked to in your Privacy Policy, as seen below from Spotify's Privacy Policy.

Spotify

However, providing a direct link to instructions or a settings page in your notification box will be helpful to users.

Channel 4 cookies notification message with link to manage cookies

Here's another example of including a link to change settings directly within your notification message.

Blueconic cookies notification message with Change Settings link

The EU Cookies Law requires you to get consent before placing cookies. So does the GDPR. However, the GDPR is making the consent requirement stricter.

While the EU Cookies Law allowed for passive consent, the GDPR requires active, clear consent.

Passive consent - also known as browsewrap - for cookies notification messages would be when a user is told that if she continues to use the website, consent to place cookies will be implied.

Here's an example of a cookies notification message that uses passive consent. Just by using the website, a user is considered to be consenting to cookies.

Mirror UK: Notification on website cookies

The more enhanced active consent - known as clickwrap - requires that users do something more to show that they consent. An active step, such as clicking a checkbox, is required.

Here's an example of a cookies notification message that gets very clear and active consent from users.

ICO cookies notification message with clear clickwrap consent

Before cookies are placed, a user must check a box that explicitly says it's for accepting cookies from the website. Additionally, a user must then click a "Continue" button.

This double-active method is a strong way to get consent and is sure to be compliant with current privacy and cookies laws.

Here's another example of active consent to place cookies.

Before being allowed to continue with the service, WeTransfer requires that users click an "I Agree" button to agree to the use of Cookies.

WeTransfer: I agree button

Links are provided to the Cookie Policy so a user can review the Policy before agreeing, if he wishes to.

To summarize:

The perfect and compliant cookies notification message will contain the following elements:

  • A short statement that you use cookies,
  • A link to your Privacy/Cookies Policy,
  • A link to where or how users can change their settings, and
  • A requirement that a user do something active to show consent

Make your cookies notification message pop up on every page of your website for first-time visitors.

Make sure the notification message stays visible until the user accepts it.

Don't place cookies unless you get consent.

Not only will this make your cookies notification message compliant with existing laws, but it keeps up with changes like we're seeing with the enhanced GDPR legislation, and like we're sure to see in the future.

Sara P.

Law school graduate, B.A. in English/Writing. In-house writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.