Cookie Notice: Compliance With the GDPR & CCPA/CPRA

Websites use cookies to enhance the user experience, but they can also raise privacy concerns. As a website owner, it is up to you to build user trust, especially around data collection. This is where a website cookie notification comes in.

A cookie notice is a statement that informs visitors about how a site uses cookies. It is also used to obtain user consent to ensure your site complies with privacy regulations like the GDPR and other data protection laws.

Without a clear cookie notice, businesses risk significant penalties and damage to their reputation. To help protect your business, I’ll talk about what to include in your cookie notice and provide examples from successful websites.

KEY TAKEAWAYS:
  • Having a clear cookie notice shows you respect user privacy and helps you comply with GDPR, CCPA/CPRA, and other data protection laws.
  • Your cookie notice should be informative and transparent. Explain what cookies your site uses, why you use them, and how users can manage their preferences.
  • Don’t just rely on an “Accept” button. Offer options for users to reject cookies or manage their preferences.

Why Do You Need a Cookie Notice on Your Website?

You need a cookie notice on your website for two main reasons: compliance with data privacy law and building trust with your visitors.

By letting users know you’re setting or sending cookies on their devices, you show your commitment to protecting their personal data. This added benefit goes beyond just meeting compliance requirements; it fosters a positive user experience.

Some visitors may also think that cookies provide them no benefit at all. Essential cookies support basic site functionality, but it’s the non-essential cookies that personalize a user’s experience.

With a clear cookies privacy statement, you can let site visitors know the importance of each cookie and give them the chance to accept or reject them.

7 Key Components of a Compliant Cookie Consent Notice

An effective cookie notice is like a well-written contract – clear, concise, and outlining the terms. Here’s a breakdown of the essential elements your cookie consent banner should include:

1. Introduction to the Use of Cookies

Begin your cookie consent notice by explaining what cookies are and why they are used. A straightforward description helps demystify the concept for users who may not be tech-savvy.

2. Cookie Types Used

Mention the types of cookies used on your site, such as essential, performance, advertising, and analytics cookies. This transparency helps users understand the specific purposes of the cookies deployed.

Here, you can add a link to a more detailed privacy policy or privacy notice for users seeking deeper understanding.

3. Purpose of Cookies

Clarify the reasons for using each type of cookie, whether for site functionality, personalization, advertising, or analytics.

Users are more likely to consent to cookie use when they comprehend the benefits. A recent survey found that only 28% of respondents fully grasped how cookies work, highlighting the need for clear explanations.

When users know how cookies affect their browsing experience, they can confidently manage their preferences. It also enhances their sense of control and satisfaction with your website.

4. Affirmative Action to Consent

To ensure clarity and compliance, your cookie consent notice should require affirmative action from users to accept cookies.

Typically, this is done through an “Accept” button prominently displayed on the cookie banner. This method clearly communicates that by clicking, users actively agree to allow cookies on their devices.

It’s important to note that simply continuing to use the site after seeing the banner should not be assumed as consent. Here’s an example of this problem from Gymshark:

[Image: Gymshark's cookie notice on a white background.]

While it includes a link to the site’s Cookie Policy, it doesn’t have an “Accept” button to allow users to give their explicit consent.

Relying on implied consent—assuming consent from users just because they continue browsing—does not meet the stringent requirements of many privacy laws, such as the GDPR.

5. Opt-Out and Withdrawal of Consent

Relying solely on an “Accept” button might seem simpler, but it can be perceived as limiting user control. People’s comfort levels with cookies can change, and offering an opt-out allows them to adjust their preferences as needed.

Here’s an example of a cookie notice that doesn’t offer users the chance to opt out:

[Image: Tossware's cookie consent notice on a white background.]

Just as users must actively consent to the use of cookies, they must also have the ability to opt out or adjust their cookie settings at any point during their engagement with your site.

This not only ensures compliance with privacy laws that mandate clear consent but also respects user autonomy over their personal data.

6. How to Manage Cookie Preferences

Your cookie consent notice should provide clear instructions on how users can accept cookie settings or modify their cookie preferences. This includes not only the initial acceptance via the cookie banner but also ongoing access to adjust settings as users see fit.

Consider the approach taken by PopSockets. Their cookie notice includes a link to their Cookie Preference Center, which is powered by OneTrust:

[Image: PopSockets' cookie preferences center with toggle buttons set to "Always Active."]

This center allows users to manage their consent preferences in a detailed and user-friendly manner. They can see each cookie category and choose to accept or decline each. They can also revisit their preferences at any time to update their choices.

PRO TIP: Incorporating cookie consent tools like a fully featured consent management platform or a WordPress plugin can greatly simplify the management of user consent and preferences.

7. Link to Detailed Policies

An effective cookies pop-up should include links to your website’s full privacy policy and a simple cookie policy. These policies provide users with a deeper understanding of how their personal data is managed and what rights they have regarding its use.

The privacy policy should comprehensively detail all aspects of data handling, including the types of data collected, the purposes for collection, data storage practices, and information about data sharing with third parties.

Meanwhile, the cookie policy should focus specifically on the use of cookies, explaining in straightforward terms how cookies enhance site functionality, personalize ads, and improve user experience, as well as how users can manage their cookie preferences.

Ensure that your website’s cookie consent banner is not only compliant with legal standards but also prioritizes user experience and trust. This balance will make users more likely to engage positively with your consent process.

What Are the Requirements for a Cookie Notice?

Data protection authorities around the world are increasingly scrutinizing how websites collect and use user data. To ensure compliance with these regulations, your cookie notice needs to meet specific requirements.

Here are the cookie notice requirements of the two major regulations impacting website owners:

GDPR Requirements for Cookie Notice

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to all entities operating within the EU and handling the personal information of EU residents.

It works in tandem with the ePrivacy Directive, often referred to as the Cookie Law, which specifically governs the use of cookies and similar technologies.

Together, these regulations dictate strict cookie consent requirements for over 100 countries. Here’s a quick overview of the key GDPR requirements for cookie notices:

  • Clear Information About Cookie Usage: The notice must inform users clearly about what cookies are active on the site, what their purposes are, and how they affect the user’s experience and privacy.
  • Opt-in Consent: GDPR cookie compliance includes a mandatory opt-in consent mechanism. This means that websites must obtain explicit and affirmative consent from users before any non-essential cookies are placed on their devices. Users must either tick a box or click a button to show consent.
  • Easy Access to Detailed Information: The cookie notice must link to a comprehensive privacy policy that explains the use of personal information and provides details on cookie usage.
  • Option to Withdraw Consent: Users should have the ability to easily change their cookie preferences at any time, including withdrawing previously given consent. This must be as easy as giving consent.
  • Granular Control: Users must be given control over different categories of cookies except for those strictly necessary for the website’s operation. They should be able to opt into each category independently.

These requirements ensure that the privacy rights of individuals are respected and that organizations take serious steps toward protecting the personal information of their users under the EU GDPR and the ePrivacy Directive.
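As an added example (not from the article, and not any vendor's consent tool), here is a small JavaScript model of the opt-in, granular-control and withdrawal rules listed above, which also covers the "affirmative action" and "opt-out" points from earlier sections: nothing non-essential is permitted until the user actively grants a category, withdrawal revokes everything optional in one step, and a changed policy version forces re-consent. The category names, the policy version number and the sample cookies are assumptions.

```javascript
// Added example: a minimal consent-gating model for the opt-in rules above.
// Category names follow the types the article lists (assumed identifiers).
const CATEGORIES = ["essential", "performance", "advertising", "analytics"];
const POLICY_VERSION = 3; // assumed: bump whenever the cookie policy changes

// A fresh record: only strictly necessary cookies are allowed until the user
// opts in. Continuing to browse does not change this record.
function createConsent() {
  return { version: POLICY_VERSION, granted: new Set(["essential"]), updatedAt: null };
}

// Opt-in is granular: the user picks categories; unknown names are rejected
// so a typo in a banner script cannot silently grant something unlisted.
function grantCategories(consent, categories) {
  for (const c of categories) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown cookie category: ${c}`);
    consent.granted.add(c);
  }
  consent.updatedAt = Date.now();
  return consent;
}

// Withdrawal must be as easy as consent: one call revokes every optional category.
function withdrawAll(consent) {
  consent.granted = new Set(["essential"]);
  consent.updatedAt = Date.now();
  return consent;
}

// Gate: a cookie may be stored only if it is strictly necessary, or its category
// was granted under the current policy version (a stale version needs re-consent).
function mayStoreCookie(consent, category) {
  if (category === "essential") return true;
  if (consent.version !== POLICY_VERSION) return false;
  return consent.granted.has(category);
}

// Given the cookies a page intends to set, return the names the record permits.
function permittedCookies(consent, planned) {
  return planned.filter((ck) => mayStoreCookie(consent, ck.category)).map((ck) => ck.name);
}

// Constructed sample of cookies a page intends to set (names are illustrative).
const PLANNED = [
  { name: "session_id", category: "essential" },
  { name: "_ga", category: "analytics" },
  { name: "ad_id", category: "advertising" },
];
```

In a real banner, the same gate would sit in front of every tag or script that sets a non-essential cookie, and the record would be persisted (for example in an essential first-party cookie) so the preference center can read and update it later.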

CCPA/CPRA Requirements for Cookie Notice

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are regulations designed to enhance privacy rights and consumer protection for residents of California.

The CCPA and the CPRA (which enhanced the CCPA provisions) regulate how businesses around the world interact with California residents’ personal information.

These laws require transparency about the use of cookies and other tracking technologies on their websites, particularly how they collect, store, and use personal data.

Here’s a breakdown of the key CCPA/CPRA requirements for cookie notices:

  • Transparent Disclosure: Businesses must provide a clear and conspicuous “cookies warning” at the point of collection. This notice should explain what types of data are collected and how they are used.
  • Notice of Sale: If a business sells personal information collected from cookies or other tracking technologies, it must disclose this practice.
  • Consumer Rights Information: The cookie notice must include a link to the business’s privacy policy where additional information about users’ rights under the CCPA/CPRA is available. These rights include the ability to access, correct, delete, or opt out of the sale of their personal information.
  • Opt-Out of Sale Button: For businesses subject to CCPA requirements and engaging in the sale of personal information, a clear and easy-to-find “Do Not Sell My Personal Information” link must be included on the homepage.
  • No Discrimination: Businesses must not discriminate against users who exercise their privacy rights, including those who opt out of the sale of their personal information.

These requirements ensure that businesses respect the privacy of California residents and provide them with control over their personal information.

Examples of a Powerful Website Cookie Banner

Understanding the legal requirements is just one piece of the puzzle. To truly excel at privacy compliance, your cookie notice needs to be user-friendly, informative, and transparent.

Let’s take a look at some real-world examples from websites that have mastered the art of using an effective cookie notice:

1. Princess Polly

First off is this cookie notice from Princess Polly:

[Image: Princess Polly's cookie banner on a white background.]

It’s a good example because it is concise and clear about what accepting cookies entails — enhancing site navigation, analyzing site usage, and assisting in marketing efforts.

Plus, the three buttons offer users full control over their cookie preferences. This choice respects user autonomy and allows them to tailor their cookie interactions based on their comfort levels with privacy.

That said, while it is clear, it could benefit from a direct link to the privacy policy. This way, users who want to delve deeper into how their data is managed have an easier route to access more comprehensive information.

2. Native

Immediately, you’ll notice that Native provides a detailed explanation of the purposes behind the cookie usage:

[Image: Native's cookie consent banner on a white background.]

The inclusion of direct links to the site’s Privacy Policy and Cookie Policy within the cookie notice offers users immediate access to deeper information, reinforcing transparency and aiding informed decision-making.

Clicking on Manage Cookies allows users to selectively enable or disable different categories of cookies based on their preferences.

[Image: Native's privacy preference center on a white background.]

This granular control is a critical feature for user empowerment and privacy compliance. But to improve it, it would help to specify that users can change their preferences at any time through the cookie consent management platform.

3. Rothy’s

Rothy’s cookie notice is straightforward and succinct, clearly stating the purposes for storing cookies:

[Image: Rothy's cookie notice on a white background.]

What’s more, the requirement for users to actively click a button to make a choice ensures that the consent provided is explicit and intentional, aligning with best practices in privacy compliance.

Although the consent options are well-presented, integrating direct links to the Privacy Policy and Cookie Policy within the initial notice could improve transparency.

4. All Plants

All Plants’ cookie notice shares similarities with the notices from Princess Polly and Rothy’s in its clear and concise format and the inclusion of three action buttons:

[Image: All Plants' cookie notice on a white background.]

However, similar to the improvements suggested for previous examples, All Plants could enhance transparency by incorporating links to their Privacy Policy and Cookie Policy directly in the cookie notice.

5. Chubbies

Chubbies clearly states that cookies are used for functional, analytics, and advertising purposes right at the beginning of the notice. This direct approach helps users immediately understand the scope of cookie use:

[Image: Chubbies' cookie notice on a translucent background.]

Clicking on “More choices” allows granular control:

[Image: Chubbies' cookie banner settings on a translucent background.]

While this is beneficial for detailed consent, the absence of explanations for each cookie type is a significant drawback. Users may be unsure what they are consenting to without a description of how each cookie type affects their browsing experience.

Frequently Asked Questions

Is a cookie notice required?

Yes, a cookie notice is required for websites that track users’ data, especially under data privacy regulations.

Do I need to display a cookie notice on my website?

Yes, displaying a cookie notice on your website helps you comply with privacy laws.

What happens if I don’t use a cookie notice on my website?

Not using a cookie notice on your website risks fines and breaches of privacy laws. It undermines user trust and legal compliance.

Are cookie notices necessary for mobile apps?

Yes, dedicated cookie notices are necessary for mobile apps using cookies to track user data.

How often should I update my cookie notice?

Update your cookie notice regularly, especially if there are changes in your practices regarding cookies.

Can you use tools to create a cookie notice?

Yes, you can use cookie notice plugins for WordPress to create a cookie notice for your website. These tools simplify compliance and setup.

What does it mean to accept all cookies on a website?

Clicking “Accept Cookies” means you agree to let the website store all types of cookies on your device.

Gabriela Dascalescu
CS50L, FIP, CIPP/E, CIPM, CIPT
Gabriela is a privacy expert and data protection officer who focuses on translating legalese. She is dedicated to staying updated on tech and digital law developments to help clients get compliant with privacy regulations and legal tech requirements. She provides clear and concise legal advice, considering business objectives and interdisciplinary expertise. She integrates knowledge from various legal fields to offer comprehensive solutions in today's interconnected world.