01GDPR Cookie Banner
The General Data Protection Regulation (GDPR) is the privacy regulation in force in the EU. The regulation went into effect on May 25, 2018, so many website owners are already familiar with GDPR cookie banner requirements.
One of the central protections GDPR gives EU citizens is that they have the right to be informed when businesses collect data about them. Businesses must let individuals know why they are collecting the data, how long they keep the data for, and which organizations they will share the data with. Individuals also have the right to object to the processing of their personal data in some circumstances.
The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasizes the need for transparency over how you use personal data.
GDPR Compliant Cookie Banner Requirements
To comply with GDPR, websites with visitors from the EU must use a consent banner that provides EU citizens with these rights. Here is a look at what makes up a GDPR compliant cookie banner:
- Include a Button to Accept Cookies. Using an opt-in approach for cookie consent is the safest way for websites to stay GDPR compliant. With this approach, the website only drops cookies—other than ones essential to the running of the site—after the user has given their permission to receive them. The cookie banner must have a button to allow the user to accept cookies. The text in the cookie banner and the button must make it clear that by clicking the button the user agrees to the deployment of cookies.
- Alert the User if the Website Shares Data with Third Parties. If the website shares the data collected through cookies with third parties, for example, advertising or analytics partners, the cookie banner should explain this to the user. Additionally, many websites choose to link to a list of vendors they share this data with on the cookie banner.
- Include a Link to the Cookie Settings. Many websites that comply with the GDPR include a link to its cookie settings page on the cookie banner. This isn’t required under GDPR as long as users have the choice to reject all cookies. However, it does have the benefit of allowing users who would otherwise reject all cookies to permit some forms of data collection. For example, a user could reject cookies used for targeted advertising, but accept cookies used for website analytics.
GDPR Compliant Cookie Banner Example
The below image shows the cookie banner on the U.K. version of the website for GQ Magazine. It satisfies each of the five requirements listed above.
- It has a clearly labeled button that allows the visitor to accept cookies.
- The banner makes it clear that the website shares data with other parties. It includes a link to a list of partners.
- Users who do not want to accept cookies can go into the cookie settings and customize which cookies they will allow.
02CCPA Cookie Banner
The California Consumer Privacy Act (CCPA) is a privacy regulation that went into effect on January 1, 2020. It affects businesses that collect data about Californians that meet one of the following three conditions:
- The business earns $25 million-plus in revenue
- It processes data of 50K consumers, households, or devices
- It derives at least 50 percent of its annual revenue from selling the personal information of California residents
In terms of data collection, CCPA requires websites to inform users about the information they collect as well as how they process this information and which organizations they share it with.
However, websites don’t require users to opt-in before dropping cookies. This gives businesses more scope to use a less restrictive form of cookie consent. For example, the website can drop cookies when the user lands on a page, as long as it informs them about the categories of personal it collects and the purpose of the data collection.
One area where things get complicated is that CCPA requires opt-in consent to the sale of personal data for visitors 13 to 16 years of age. This means that unless the website can be sure no one under the age of 16 visits, it may be better off using an opt-in consent model.
CCPA Compliant Cookie Banner
Here is what a CCPA compliant Cookie Banner should include:
- A Button to Accept Cookies. While there is no opt-in requirement in CCPA, businesses can choose to include a link that allows the user to accept cookies. However, unlike GDPR, the website can drop cookies before the user accepts them as it provides information about the data it collects at the point of collection. The cookie banner can include a link to a cookie settings page where the user can choose to opt-in or out of accepting cookies.
CCPA Cookie Banner and Do Not Sell Button Examples
Opt-out Consent Cookie Banner
The difference is that when the user clicks “Cookie Settings,” the button for “First Party Analytics Cookies” is already checked, reflecting the opt-out model of cookie consent permissible under CCPA.
Implied Consent Cookie Banner
Implied consent cookie banners also satisfy the CCPA requirement of informing the website user of data collection at the point of collection. The website drops all cookies when the user lands on the site and provides information about cookie use in a cookie banner, as well as a link to cookie settings.
Below is an example of an implied consent cookie banner.
Do Not Sell Button or Link
The CookiePro website is an excellent example of how websites can implement a Do Not Sell My Personal Information link in a way that is compliant with CCPA.
The button floats in the bottom left corner of the page, meaning it is accessible at all times.
03ICO Cookie Banner
The UK’s Information Commissioner’s Office (ICO) is an independent body tasked with upholding the information rights of UK citizens. It recently released guidance about the steps websites can take to stay compliant with PECR and GDPR guidelines for consent on data collection.
ICO and GDPR Similiarities
There are many similarities with the general GDPR guidelines we covered in the section above. For example, the ICO confirmed that implied consent for cookies is not enough and that websites must require users to take explicit action to accept any non-essential cookies.
The ICO guidelines say a cookie banner must include information about which cookies the website will set and what the cookies will do. It also confirms that websites need to gain consent for analytics cookies. This is something that CNIL guidelines do not require; we discuss this decision in more detail below.
ICO also says that websites should not use “Cookie walls.” These are cookie banners that force users to accept cookies to browse the site.
ICO Cookie Banner Example
The cookie banner on the Coca-Cola U.K. website is a good example of an ICO compliant cookie consent model.
Importantly, the cookie banner doesn’t stop the user from interacting with the website if they choose to ignore the cookie banner, meaning it isn’t a cookie wall.
04CNIL Cookie Banner
The Commission nationale de l’informatique et des libertés (CNIL) is the French data protection authority. Earlier this year, it released guidelines for cookie banners based on article 5.3 of the e-Privacy directive. The instructions put forward a solution similar to that of the ICO and GDPR, with some subtle differences.
The most significant difference between the CNIL guidelines and other European guidelines is that CNIL mentions that websites do not need to gain consent to drop analytics cookies in certain circumstances.
These circumstances include that the collection doesn’t lead to targeting individuals, that location targeting must not go further than at city-level, and that the data isn’t cross-referenced with other data.
CNIL Compliant Cookie Banner Requirements
You can read more about the specific requirements relating to analytics cookies in our blog post on the updated CNIL guidelines. Here are the key requirements for a CNIL compliant cookie banner based on current guidelines.
- The cookie banner must provide users with a button to accept cookies. It must provide information about cookie use including what data is collected and why, as well as mention if it shares data with third-parties.
- It needs to inform the user about the use of analytics cookies before it drops them. It must also provide a way for the user to reject these cookies; this will usually come in the form of a link to the website’s cookie settings page.
There are expected updates to be made to the framework by summer 2020.
05LGPD Cookie Banner
The Lei Geral de Protecao de Dados (LGPD) is the Brazilian data protection regulation that is set to come into force in August 2020. It has a lot of similarities with GDPR – the cookie banner your website uses for LGPD is likely to be similar to the one it already uses for GDPR.
The enforcement date for LGPD isn’t in effect yet, but based on the regulation’s rights for data subjects, those looking to stay compliant with LGPD will likely have to create a cookie banner that includes:
- A statement that explains to the visitor that the website processes their data.
- Information about how and why the website processes data.
- Information about which parties (if any) the website shares data with.
- A statement telling the user that they can deny the consent of data collection and a button that allows them to do so.
06Nevada Privacy Law Cookie Banner
The Nevada Privacy Law (SB 220) went into effect on October 1, 2019. It has some similarities to GDPR and CCPA but doesn’t go as far as either regulation.
While the Nevada Privacy Law requires websites to provide users with the option to opt-out of having their data sold to third-parties, it does not require website visitors to opt-in to data collection, nor does it require websites to provide users with notice of their right to opt-out.
Essentially, this means that while websites with customers only in Nevada need to take steps to discover what information they collect and how they sell it, and that they need to provide a way for customers to opt-out of the sale of personal data, they are not required to implement a cookie banner.
Of course, websites based in Nevada but with customers in parts of the world that are covered by other privacy may still need to use a cookie banner on their site.
Complying with Global Regulations is an Ongoing Challenge
Different privacy regulations require different cookie banners. Websites with customers globally need a solution that can help them comply with multiple sets of rules.
As mentioned earlier, CookiePro can help websites achieve compliance by letting them customize their cookie banner depending on the location of the website user, targeting them with the banner most in-line with the regulation in their area. Not only does this help ensure compliance, but it also means websites that use targeted ads only have to give consumers the option to opt-in or out of them in locations where it is a legal requirement.