CookiePro Blog July 24, 2020

Cookie Banner Gallery: GDPR, CCPA, and TCF 2.0 Examples

The data privacy & regulatory landscape is rapidly evolving which has made it difficult to determine how a website is deemed ‘compliant’. If you operate a website, you must notify site visitors of your use of cookies and/or collect consent in order to meet requirements set by GDPR, ePrivacy, CCPA, LGPD, IAB’s TCF Framework, and more.

Organizations of all sizes are looking for a simple solution that ensures their website’s compliance while also giving them the freedom to customize what their consent notice looks like, how consent is collected & recorded, and how their website behaves based on the visitor’s consent preferences.

Cookie Banner Gallery

To help you build your cookie consent strategy, the CookiePro team built a Cookie Banner Gallery that allows you to preview and interact with various cookie banner, preference centers, and CMPs for GDPR, CCPA, and IAB TCF 2.0.

Let’s take a look at the cookie requirements from the GDPR, CCPA, and IAB TCF 2.0.

Cookie Banner Examples

GDPR Cookie Banner & Preference Center

The GDPR went into effect on May 25, 2018. As regulations are directly applicable in each Member State, the goal of the GDPR was to harmonize the data protection framework across the European Union.

Consent in the context of electronic communications now needs to meet the requirements of the GDPR which has the following implications:

  • The implied consent approach is no longer valid. Simply visiting a site for the first time would not qualify as affirmative action, which means that loading cookies immediately on the first landing page would not be acceptable.
  • Advice to adjust browser settings is not enough. The GDPR says it must be as easy to withdraw consent as to give it. Telling people to block cookies if they don’t consent would not meet this criterion, since it would be difficult and ineffective in relation to non-cookie-based tracking and would not provide enough granularity of choice.
  • If there is no genuine and free choice, then there is no valid consent. The GDPR also says people who do not consent cannot suffer detriment because of their choice, which means that sites must provide some service to users who do not accept those terms.
  • Sites must implement an always-available opt-out mechanism. Even after getting valid consent, there must be a route for people to change their mind, thus fulfilling the requirement that withdrawing consent must be as easy as giving it.
  • Website publishers should give visitors an opportunity to act before cookies are set on the first visit to the site. Once fair notice is given, continuing to browse won’t be, in most circumstances, a valid consent obtained via an affirmative action.
  • Consent needs to be specific to different cookie purposes. Sites that use different types of cookies with different processing purposes will need valid consent mechanisms for each purpose.
GDPR Cookie Banner

CCPA Cookie Banner & Preference Center

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. This law grants all consumers new rights to notice and choice about the personal information that businesses collect and how they use or sell their personal data. Unlike EU data protection law, CCPA covers only for-profit entities (‘businesses’). Overall, its scope is limited to commercial activities. CCPA can be interpreted to cover businesses that are established outside California if they collect or sell California consumers’ personal information.

The CCPA protects “consumers” who are natural persons and who must be California residents. Under this law, when businesses are collecting personal information of consumers based in California, they must disclose to consumers what information is being collected and for what purposes, whether they plan or intend to sell their personal information, to whom, etc. The operationalization of these new obligations varies depending on the context.

A CCPA cookie banner should include the following:

  • Information about cookie use that includes details about the purpose for the use of cookies on the site and whether the site shares the information with third party companies.
  • A button to accept or decline cookies. Although the CCPA doesn’t require consumers to opt-in to cookies before the website can drop cookies, it’s considered best practice to still inform the user about the data it collects. The cookie banner can include a link to a cookie settings page where a user can choose to opt-in or out, as well as see exactly what cookies they’re consenting to.
  • The CCPA requires that businesses include a link or button to an opt-out form on your home page. The button should read “Do Not Sell My Personal Information.” The link needs to route to a “Do Not Sell” page on your website. The Do Not Sell page should include a link to a privacy policy and the option to opt-out of personalized advertisements. This button is not considered a cookie banner, but it can be on or near the cookie banner – see the example below. Read more about how to comply with the CCPA Do Not Sell Rule in this blog post.
  • The consumer must have the ability to withdraw consent for the sale of their personal information at any time in an easy-to-find spot on the website.
CCPA Cookie Banner


The TCF 2.0 is an industry framework delivered by the Interactive Advertising Bureau (IAB) Europe designed to help entities in the digital advertising ecosystem achieve transparency and downstream user choice to third parties. Publishers, advertisers, and CMPs can voluntarily apply to adhere to the technical specifications and policies of the framework.

The framework is dynamic and is updated according to the circumstances, and currently, we expect 2.0 of the framework to be fully implemented by August 15, 2020. Each party involved in the TCF has its own responsibilities for ensuring the proper implementation of the technical specifications, support of obligatory features and compliance with the policies.

Here are implementation guidelines for CMPs to be compliant with the TCF technical specification when collecting, storing and sharing user consent.

  • Collecting consent from users: The TCF defines a set of common purposes and features that vendors can act on. A CMP must collect the user consent for all purposes and vendors declared by the publisher. With the publisher’s agreement, a CMP can also collect consent for all purposes and vendors in the GVL.
  • Sharing consent with vendors: CMPs collecting consent from end users and vendors must follow standard APIs and formats. This API provides a unified interface for seamless interaction between the parties in the advertising industry. As a CMP, you will need to:
    • Collect consent from the end user that is compliant with the TCF Technical Specifications and Policy.
    • Generate an encoded data string, the TC String, containing the set of preferences expressed by the user
    • Share the TC String with vendors through the available APIs.
  • Storing Consent: Depending on the publisher’s preference and on the policy requirements, consent can be stored either locally or globally. When storing the consent globally, the consent will be stored in a shared cookie with the “TC String” format on the “consensu.org” domain.
  • Withdrawal of consent and other non-TCF policy: Signals sent through the IAB Europe framework should only indicate what the user status is at the time of the signal creation. While the CMP should also enable users to withdraw consent, the minimum requirement is to record the user’s preference at the time the signal is created.
  • CMP interface requirements: There are certain CMP UI requirements that publishers must follow. Visit the IAB Europe’s website to find the information that needs to be shown on the first screen and additional information on the second layer.

Visit the cookie banner gallery to reference more examples of what your cookie banner, preference center, or CMP should look like.

For information on legal requirements from jurisdictions and local DPAs, download the Ultimate Cookie Handbook.

Onetrust All Rights Reserved