BLOG | CCPA | June 22, 2022

Cookie Banner Gallery: GDPR, CCPA, CNIL, and TCF 2.0 Examples


The data privacy and regulatory landscape is evolving rapidly, which has made it difficult to determine when a website is deemed ‘compliant’. If you operate a website, you must notify site visitors of your use of cookies and, in many cases, collect their consent in order to meet requirements set by laws such as the GDPR, ePrivacy, the CCPA and the LGPD, by regulator guidance such as the CNIL’s cookie recommendations, and by industry frameworks such as IAB Europe’s TCF.

Organizations of all sizes are looking for a simple solution that ensures their website’s compliance while also giving them the freedom to customize what their consent notice looks like, how consent is collected & recorded, and how their website behaves based on the visitor’s consent preferences. Additionally, organizations want to ensure they’re able to reach compliance while providing a personalized user experience that doesn’t limit data collection.

To help you build your cookie consent strategy, the CookiePro team built a Cookie Banner Gallery that lets you preview and interact with example cookie banners, preference centers, and CMPs for the GDPR, the CCPA, the CNIL recommendations, and IAB TCF 2.0.

Let’s take a look at the cookie requirements from the GDPR, the CCPA, the CNIL, and IAB TCF 2.0.

GDPR Cookie Banner

The GDPR went into effect on May 25, 2018. Because an EU regulation is directly applicable in every Member State, the GDPR’s goal was to harmonize the data protection framework across the European Union.

Consent in the context of electronic communications now needs to meet the requirements of the GDPR which has the following implications:

  • The implied consent approach is no longer valid. Simply visiting a site for the first time does not qualify as an affirmative action, so setting non-essential cookies as soon as the first landing page loads is not acceptable. (Strictly necessary cookies, such as the session cookie that keeps a shopping basket together, remain exempt from the consent requirement.)
  • Advice to adjust browser settings is not enough. The GDPR says it must be as easy to withdraw consent as to give it. Telling people to block cookies if they don’t consent would not meet this criterion, since it would be difficult and ineffective in relation to non-cookie-based tracking and would not provide enough granularity of choice.
  • If there is no genuine and free choice, then there is no valid consent. The GDPR also says people who do not consent cannot suffer detriment because of their choice, which means that sites must provide some service to users who do not accept those terms.
  • Sites must implement an always-available opt-out mechanism. Even after getting valid consent, there must be a route for people to change their mind, thus fulfilling the requirement that withdrawing consent must be as easy as giving it.
  • Website publishers should give visitors an opportunity to act before any non-essential cookies are set on the first visit to the site. Even after fair notice has been given, continuing to browse will not, in most circumstances, count as consent obtained through an affirmative action.
  • Consent needs to be specific to different cookie purposes. Sites that use different types of cookies with different processing purposes will need valid consent mechanisms for each purpose.
GDPR Cookie Banner
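The requirements above translate into a small amount of page logic: nothing non-essential runs until an explicit choice has been recorded, a missing answer is never treated as a “yes”, withdrawal is a single call, and a change of cookie policy invalidates old records. The following is an added example of that logic, not CookiePro’s or OneTrust’s own code; the purpose names, the tag list, the cookie jar and the timestamps are constructed for illustration.

```javascript
// Added example: consent record and gating logic for a site's own cookies and tags.
// Not code from CookiePro/OneTrust; purpose names, tag list and cookie jar are constructed.
const PURPOSES = ['necessary', 'analytics', 'marketing'];
// Strictly necessary cookies are exempt from consent under ePrivacy; everything else is gated.
const EXEMPT = new Set(['necessary']);
// Bump this when the cookie policy changes so that old consent records stop being valid.
const POLICY_VERSION = 3;

// State for a visitor who has not acted yet: only exempt purposes are on.
function noConsent() {
  const purposes = Object.fromEntries(PURPOSES.map(p => [p, EXEMPT.has(p)]));
  return { version: POLICY_VERSION, given: null, withdrawn: null, purposes };
}

// Record an affirmative choice. Every non-exempt purpose must be answered with an
// explicit boolean; a missing answer is an error, never an implied "yes".
function recordConsent(choices, now = Date.now()) {
  const purposes = {};
  for (const p of PURPOSES) {
    if (EXEMPT.has(p)) { purposes[p] = true; continue; }
    if (typeof choices[p] !== 'boolean') throw new Error(`no explicit choice for purpose "${p}"`);
    purposes[p] = choices[p];
  }
  return { version: POLICY_VERSION, given: now, withdrawn: null, purposes };
}

// Withdrawal is one call with no re-prompt: as easy as giving consent.
function withdrawConsent(record, now = Date.now()) {
  const purposes = Object.fromEntries(PURPOSES.map(p => [p, EXEMPT.has(p)]));
  return { ...record, withdrawn: now, purposes };
}

// May a cookie or tag for this purpose run under this record? Exempt purposes
// always may; others need a record from the current policy version with an
// explicit "given" timestamp and the purpose switched on.
function allowed(record, purpose) {
  if (EXEMPT.has(purpose)) return true;
  if (!record || record.version !== POLICY_VERSION || record.given === null) return false;
  return record.purposes[purpose] === true;
}

// Apply a record to the page: which inert tags to activate, and which cookies
// already in the jar must be deleted because their purpose is not allowed.
function applyConsent(record, tags, cookieJar) {
  return {
    activate: tags.filter(t => allowed(record, t.purpose)).map(t => t.src),
    purge: cookieJar.filter(c => !allowed(record, c.purpose)).map(c => c.name),
  };
}

// Constructed sample page: three tags and three cookies, one per purpose.
const TAGS = [
  { src: '/js/app.js', purpose: 'necessary' },
  { src: 'https://analytics.example/tag.js', purpose: 'analytics' },
  { src: 'https://ads.example/pixel.js', purpose: 'marketing' },
];
const JAR = [
  { name: 'session', purpose: 'necessary' },
  { name: '_an_id', purpose: 'analytics' },
  { name: '_ad_id', purpose: 'marketing' },
];

// Walk one visitor through first visit, a partial choice, and withdrawal.
function walkthrough() {
  const firstVisit = applyConsent(noConsent(), TAGS, JAR);
  const partial = recordConsent({ analytics: true, marketing: false }, 1655856000000);
  const afterChoice = applyConsent(partial, TAGS, JAR);
  const afterWithdrawal = applyConsent(withdrawConsent(partial, 1655942400000), TAGS, JAR);
  return { firstVisit, afterChoice, afterWithdrawal };
}
```

On a real page the gated tags would be shipped inert (for instance as `<script type="text/plain" data-purpose="analytics">`) and the `activate` list would be used to switch their type to `text/javascript`, while the `purge` list drives cookie deletion; the record itself is what you keep as proof of consent, with its timestamp and policy version.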

CCPA Cookie Banner

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. It grants California consumers new rights to notice and choice about the personal information that businesses collect and how they use or sell it. Unlike EU data protection law, the CCPA covers only for-profit entities (‘businesses’), so its scope is essentially limited to commercial activity. It can be read to cover businesses established outside California if they collect or sell California consumers’ personal information.

The CCPA protects “consumers” who are natural persons and who must be California residents. Under this law, when businesses are collecting personal information of consumers based in California, they must disclose to consumers what information is being collected and for what purposes, whether they plan or intend to sell their personal information, to whom, etc. The operationalization of these new obligations varies depending on the context.

A CCPA cookie banner should include the following:

  • Information about cookie use that includes details about the purpose for the use of cookies on the site and whether the site shares the information with third-party companies.
  • A button to accept or decline cookies. Although the CCPA doesn’t require consumers to opt-in to cookies before the website can drop cookies, it’s considered best practice to still inform the user about the data it collects. The cookie banner can include a link to a cookie settings page where a user can choose to opt-in or out, as well as see exactly what cookies they’re consenting to.
  • The CCPA requires businesses that sell personal information to include a link or button on their home page reading “Do Not Sell My Personal Information.” The link must route to a “Do Not Sell” page on the website, which should link to the privacy policy and offer the option to opt out of personalized advertising. This button is not itself a cookie banner, but it can sit on or near the cookie banner, as in the example below. Read more about how to comply with the CCPA Do Not Sell rule in this blog post.
  • Because the CCPA is an opt-out regime, the consumer must be able to opt out of the sale of their personal information at any time, from an easy-to-find spot on the website, and any opt-in they gave earlier must be just as easy to reverse.
CCPA Cookie Banner

CNIL Cookie Banner & Preference Center

The Commission nationale de l’informatique et des libertés (CNIL), the French data protection authority, published the final version of its recommendations on the use of cookies and other tracking technologies and gave companies until March 31, 2021 to comply. The CNIL is an independent French administrative authority that ensures data protection law is applied to the collection, storage, and use of personal data.

The CNIL has the general mission of informing individuals of the rights granted to them by the French Data Protection Act, and it responds to requests from individuals and companies. Any organization operating in France or targeting French data subjects must ensure its cookie banner complies with the CNIL’s cookie recommendations.

Here are some of the recommendations for CMPs to be compliant with CNIL’s final guidance:

  • Continued browsing with the cookie banner displayed can no longer be considered valid consent; valid consent requires a clear positive action
  • A “Reject All” button is recommended on the first layer of the cookie banner, at the same level as “Accept All”
  • Each cookie purpose must be highlighted prominently on the first layer of the cookie banner
  • Users should always have easy access to manage their cookie preferences and withdraw their consent at any time; as a best practice, companies should implement this through a static cookie icon that stays visible on every page
  • Cookie walls, the practice of blocking content for users who have not yet consented to the use of cookies, are likely to undermine the freedom of users to consent; the CNIL does not ban cookie walls outright, but stresses that their lawfulness must be assessed on a case-by-case basis
  • Users should have access to an up-to-date and structured list of third parties
  • The organization that sets a cookie is also responsible for collecting and keeping valid proof of consent, including for third-party cookies it allows on its site
  • Some trackers are exempt from consent, including authentication cookies, cookies used to limit access to free content on a website, and audience measurement cookies, the last only when they meet the CNIL’s strict conditions (first-party statistics for the site operator alone, no cross-site tracking, and no use of the data for other purposes)
CNIL Cookie Banner Example

IAB TCF 2.0 CMP

The TCF 2.0 is an industry framework published by IAB Europe that is designed to help entities in the digital advertising ecosystem give users transparency and choice, and to pass those choices downstream to third-party vendors. Publishers, advertisers, and CMPs can voluntarily apply to adhere to the technical specifications and policies of the framework.

The framework is updated as circumstances change; version 2.0 replaced version 1.1 on August 15, 2020, after which only TCF 2.0 signals are supported. Each party involved in the TCF has its own responsibilities for ensuring the proper implementation of the technical specifications, support of the obligatory features, and compliance with the policies.

Here are implementation guidelines for CMPs to be compliant with the TCF technical specification when collecting, storing and sharing user consent.

  • Collecting consent from users: The TCF defines a set of common purposes and features that vendors can act on. A CMP must collect the user’s consent for all purposes and vendors declared by the publisher. With the publisher’s agreement, a CMP can also collect consent for all purposes and vendors in the Global Vendor List (GVL).
  • Sharing consent with vendors: CMPs and vendors must follow the standard CMP API and data formats. The API provides a unified interface for seamless interaction between the parties in the advertising industry. As a CMP, you will need to:
    • Collect consent from the end user in a way that is compliant with the TCF Technical Specifications and Policy.
    • Generate an encoded data string, the TC String, containing the set of preferences expressed by the user.
    • Share the TC String with vendors through the available APIs.
  • Storing consent: Depending on the publisher’s preference and on the policy requirements, consent can be stored either locally (service-specific) or globally. When consent is stored globally, it is kept in a shared cookie in the TC String format on the “consensu.org” domain. Note that IAB Europe has since deprecated globally scoped consent and the shared consensu.org cookie, so new implementations should store consent service-specifically.
  • Withdrawal of consent and other non-TCF policy: Signals sent through the IAB Europe framework only indicate what the user’s status was at the time the signal was created. The CMP must also let users withdraw consent, but the minimum requirement is to record the user’s preference accurately at the time the signal is created.
  • CMP interface requirements: There are certain CMP UI requirements that publishers must follow. Visit IAB Europe’s website for the information that must be shown on the first screen and the additional information required on the second layer.
IAB TCF 2.0 CMP
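The TC String is a bit-packed, base64url-encoded structure, so a vendor (or an auditor checking what a CMP actually emitted) can decode it and confirm that a given purpose and vendor id really carry consent rather than trusting a summary. The following is an added example of encoding and decoding the core segment of a TCF v2.0 TC String; it is neither IAB Europe’s reference library nor CookiePro’s code. The field widths follow IAB Europe’s public TCF v2.0 consent string specification, and the CMP id, vendor ids, GVL version and timestamps in the sample are constructed placeholders, not real registrations.

```javascript
// Added example: encode and decode the core segment of a TCF v2.0 TC String.
// Not IAB Europe's reference library; field widths follow the public TCF v2.0
// consent string specification. All sample values are constructed.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

class BitWriter {
  constructor() { this.bits = ''; }
  put(value, width) {                       // unsigned integer, big-endian, fixed width
    const s = value.toString(2);
    if (s.length > width) throw new Error(`${value} does not fit in ${width} bits`);
    this.bits += s.padStart(width, '0');
    return this;
  }
  flags(set, width) {                       // bit field: bit i is 1 when id (i+1) is in `set`
    for (let id = 1; id <= width; id++) this.bits += set.has(id) ? '1' : '0';
    return this;
  }
  toBase64Url() {                           // pad with zero bits to a 6-bit boundary
    const padded = this.bits + '0'.repeat((6 - this.bits.length % 6) % 6);
    let out = '';
    for (let i = 0; i < padded.length; i += 6) out += B64URL[parseInt(padded.slice(i, i + 6), 2)];
    return out;
  }
}

class BitReader {
  constructor(segment) {
    this.bits = [...segment].map(c => {
      const v = B64URL.indexOf(c);
      if (v < 0) throw new Error(`invalid base64url character "${c}"`);
      return v.toString(2).padStart(6, '0');
    }).join('');
    this.pos = 0;
  }
  get(width) {                              // refuse to read past the end: a short string is invalid
    if (this.pos + width > this.bits.length) throw new Error('TC String truncated');
    const v = parseInt(this.bits.slice(this.pos, this.pos + width), 2);
    this.pos += width;
    return v;
  }
  flags(width) { const s = new Set(); for (let id = 1; id <= width; id++) if (this.get(1)) s.add(id); return s; }
}

const letterCode = c => c.toUpperCase().charCodeAt(0) - 65;   // 'A'..'Z' -> 0..25 (6 bits each)

// Vendor section: MaxVendorId(16) IsRangeEncoding(1), then a bit field or range entries.
function writeVendors(w, ids, useRanges) {
  const sorted = [...ids].sort((a, b) => a - b);
  const maxId = sorted.length ? sorted[sorted.length - 1] : 0;
  w.put(maxId, 16).put(useRanges ? 1 : 0, 1);
  if (!useRanges) return w.flags(ids, maxId);
  w.put(sorted.length, 12);                               // NumEntries: one single-id entry each
  for (const id of sorted) w.put(0, 1).put(id, 16);       // IsARange=0, StartOrOnlyVendorId
  return w;
}
function readVendors(r) {
  const maxId = r.get(16), ids = new Set();
  if (r.get(1) === 0) return r.flags(maxId);
  const n = r.get(12);
  for (let i = 0; i < n; i++) {
    const isRange = r.get(1), start = r.get(16), end = isRange ? r.get(16) : start;
    for (let id = start; id <= end; id++) ids.add(id);
  }
  return ids;
}

function encodeCore(tc) {
  const w = new BitWriter();
  w.put(2, 6).put(Math.floor(tc.created / 100), 36).put(Math.floor(tc.lastUpdated / 100), 36)
   .put(tc.cmpId, 12).put(tc.cmpVersion, 12).put(tc.consentScreen, 6)
   .put(letterCode(tc.consentLanguage[0]), 6).put(letterCode(tc.consentLanguage[1]), 6)
   .put(tc.vendorListVersion, 12).put(tc.tcfPolicyVersion, 6)
   .put(tc.isServiceSpecific ? 1 : 0, 1).put(0, 1)         // UseNonStandardStacks = 0
   .flags(tc.specialFeatureOptIns, 12).flags(tc.purposeConsents, 24)
   .flags(tc.purposeLegitimateInterests, 24).put(tc.purposeOneTreatment ? 1 : 0, 1)
   .put(letterCode(tc.publisherCC[0]), 6).put(letterCode(tc.publisherCC[1]), 6);
  writeVendors(w, tc.vendorConsents, true);                 // consents as range entries
  writeVendors(w, tc.vendorLegitimateInterests, false);     // legitimate interests as a bit field
  w.put(0, 12);                                             // NumPubRestrictions = 0
  return w.toBase64Url();
}

function decodeCore(tcString) {
  const r = new BitReader(tcString.split('.')[0]);        // the core segment precedes the first '.'
  const version = r.get(6);
  if (version !== 2) throw new Error(`unsupported TC String version ${version}`);
  const twoLetters = () => String.fromCharCode(65 + r.get(6), 65 + r.get(6));
  const tc = {                                             // property values are evaluated in order
    version, created: r.get(36) * 100, lastUpdated: r.get(36) * 100,
    cmpId: r.get(12), cmpVersion: r.get(12), consentScreen: r.get(6), consentLanguage: twoLetters(),
    vendorListVersion: r.get(12), tcfPolicyVersion: r.get(6),
    isServiceSpecific: r.get(1) === 1, useNonStandardStacks: r.get(1) === 1,
    specialFeatureOptIns: r.flags(12), purposeConsents: r.flags(24),
    purposeLegitimateInterests: r.flags(24), purposeOneTreatment: r.get(1) === 1, publisherCC: twoLetters(),
  };
  tc.vendorConsents = readVendors(r);
  tc.vendorLegitimateInterests = readVendors(r);
  tc.numPubRestrictions = r.get(12);
  return tc;
}

// What a vendor must check before acting on a purpose: the purpose AND its own vendor id.
function hasConsent(tc, purposeId, vendorId) {
  return tc.purposeConsents.has(purposeId) && tc.vendorConsents.has(vendorId);
}

// Constructed sample; CMP id, vendor ids and GVL version are placeholders, not real registrations.
const SAMPLE = {
  created: 1655856000000, lastUpdated: 1655856000000, cmpId: 123, cmpVersion: 3, consentScreen: 1,
  consentLanguage: 'EN', vendorListVersion: 150, tcfPolicyVersion: 2, isServiceSpecific: true,
  specialFeatureOptIns: new Set(), purposeConsents: new Set([1, 3, 4]),
  purposeLegitimateInterests: new Set([2, 7]), purposeOneTreatment: false, publisherCC: 'FR',
  vendorConsents: new Set([12, 42]), vendorLegitimateInterests: new Set([2, 12]),
};
const SAMPLE_TC_STRING = encodeCore(SAMPLE);
```

Two design points matter here. First, the reader refuses to read past the end of the string instead of silently returning zeros, so a truncated or corrupted string fails closed rather than decoding as “no consent” for some vendors and garbage for others. Second, a vendor-side check needs both the purpose bit and the vendor bit; a purpose consented to in general is not consent for a vendor that the user (or the publisher) left out. This example stops at the publisher-restrictions count; a full decoder would also parse those entries and the optional disclosed-vendors and publisher-TC segments that can follow the first “.”, and in a live page a vendor should obtain the decoded TCData through the CMP API rather than reading the cookie directly.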

Visit the cookie banner gallery to reference more examples of what your cookie banner, preference center, or CMP should look like.

For information on legal requirements from jurisdictions and local DPAs, download the Ultimate Cookie Handbook.

Onetrust All Rights Reserved