
CookiePro Knowledgebase


Cookie Banner Guidelines for Each Global Privacy Regulation

In this article, we’ll look at cookie banner best practices according to GDPR, CCPA, ICO, CNIL, LGPD, and the Nevada Privacy Law (SB-220) to help websites stay compliant.

Last Updated: August 5, 2022

01 GDPR Cookie Banner

The General Data Protection Regulation (GDPR) is the privacy regulation in force in the EU. The regulation went into effect on May 25, 2018, so many website owners are already familiar with GDPR cookie banner requirements.

One of the central protections GDPR gives EU citizens is that they have the right to be informed when businesses collect data about them. Businesses must let individuals know why they are collecting the data, how long they keep the data for, and which organizations they will share the data with. Individuals also have the right to object to the processing of their personal data in some circumstances.

The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasizes the need for transparency over how you use personal data.

GDPR Compliant Cookie Banner Requirements

To comply with GDPR, websites with visitors from the EU must use a consent banner that provides EU citizens with these rights. Here is a look at what makes up a GDPR compliant cookie banner:

  1. Include a Button to Accept Cookies. Using an opt-in approach for cookie consent is the safest way for websites to stay GDPR compliant. With this approach, the website only drops cookies—other than ones essential to the running of the site—after the user has given their permission to receive them. The cookie banner must have a button to allow the user to accept cookies. The text in the cookie banner and the button must make it clear that by clicking the button the user agrees to the deployment of cookies.
  2. Provide Detailed Information About Cookie Use. According to the GDPR, websites need to provide enough information to the user about their cookie use so they can make an informed choice about whether to accept cookies. The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  3. Alert the User if the Website Shares Data with Third Parties. If the website shares the data collected through cookies with third parties, for example, advertising or analytics partners, the cookie banner should explain this to the user. Additionally, many websites choose to link to a list of vendors they share this data with on the cookie banner.
  4. Link to the Website’s Cookie Policy. The cookie banner should contain a link to the website’s cookie policy (or cookie notice). Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.
  5. Include a Link to the Cookie Settings. Many websites that comply with the GDPR include a link to their cookie settings page on the cookie banner. This isn’t required under GDPR as long as users have the choice to reject all cookies. However, it does have the benefit of allowing users who would otherwise reject all cookies to permit some forms of data collection. For example, a user could reject cookies used for targeted advertising, but accept cookies used for website analytics.

GDPR Compliant Cookie Banner Example

The below image shows the cookie banner on the U.K. version of the website for GQ Magazine. It satisfies each of the five requirements listed above.

[Image: GQ Magazine U.K. cookie banner]

  1. It has a clearly labeled button that allows the visitor to accept cookies.
  2. It provides in-depth information about how the site uses cookies. This ensures anyone visiting the site in the EU can make an informed choice about whether to accept them.
  3. The banner makes it clear that the website shares data with other parties. It includes a link to a list of partners.
  4. It contains a clear link to the site’s cookie policy.
  5. Users who do not want to accept cookies can go into the cookie settings and customize which cookies they will allow.

02 CCPA Cookie Banner

The California Consumer Privacy Act (CCPA) is a privacy regulation that went into effect on January 1, 2020. It affects businesses that collect data about Californians that meet one of the following three conditions:

  • The business earns $25 million-plus in revenue
  • It processes data of 50K consumers, households, or devices
  • It derives at least 50 percent of its annual revenue from selling the personal information of California residents

In terms of data collection, CCPA requires websites to inform users about the information they collect as well as how they process this information and which organizations they share it with.

However, CCPA does not require websites to obtain opt-in consent before dropping cookies. This gives businesses more scope to use a less restrictive form of cookie consent. For example, the website can drop cookies when the user lands on a page, as long as it informs them about the categories of personal information it collects and the purpose of the data collection.

One area where things get complicated is that CCPA requires opt-in consent to the sale of personal data for visitors 13 to 16 years of age. This means that unless the website can be sure no one under the age of 16 visits, it may be better off using an opt-in consent model.

CCPA Compliant Cookie Banner

Here is what a CCPA compliant Cookie Banner should include:

  1. Information About Cookie Use. A CCPA cookie banner should provide the website user with details about why the site uses cookies and, if it does, whether it shares the information collected with third parties.
  2. A Button to Accept Cookies. While there is no opt-in requirement in CCPA, businesses can choose to include a link that allows the user to accept cookies. However, unlike GDPR, the website can drop cookies before the user accepts them as it provides information about the data it collects at the point of collection. The cookie banner can include a link to a cookie settings page where the user can choose to opt-in or out of accepting cookies.
  3. Do Not Sell Button. One big difference between GDPR and CCPA is that the CCPA requires businesses to provide customers with the ability to opt out of the sale of personal information. The regulation requires businesses to make this possible through a link or button to an opt-out form on the home page. Websites should include a link or a button on their homepage with the title “Do Not Sell My Personal Information.” The “Do Not Sell” page should include a link to the website’s privacy policy, as well as a button that lets users opt out of personalized advertisements. The “Do Not Sell” button is not a cookie banner. Nonetheless, it can be used alongside a cookie banner to help websites use cookies to process data in a way that is compliant with CCPA.
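The two consent models contrasted on this page (the GDPR opt-in model from the section above, where non-essential cookies are set only after the user accepts, and the CCPA opt-out model with a “Do Not Sell” control) can be expressed as a small consent engine that decides which cookies a page may set. The following is an added example written for this article; it is not CookiePro’s or OneTrust’s code, and the cookie names, category names and the `COOKIE_REGISTRY` mapping are constructed for illustration.

```javascript
// Added example, not CookiePro's or OneTrust's code: a minimal consent engine
// that gates cookie setting on the user's choices under the two consent models
// described on this page. Cookie names and categories below are constructed.

const CATEGORIES = ["essential", "analytics", "advertising", "social"];

// Which non-essential categories are permitted before the user interacts.
// "opt-in" matches the GDPR/ICO model (nothing non-essential until accepted);
// "opt-out" matches the model permissible under CCPA (set at landing, user can disable).
const CONSENT_MODELS = {
  "opt-in": { defaultAllowed: false },
  "opt-out": { defaultAllowed: true },
};

// Constructed registry mapping each cookie the site sets to its category.
// Every cookie the site uses must appear here so it can be listed in the cookie policy.
const COOKIE_REGISTRY = {
  site_session: "essential",
  analytics_id: "analytics",
  ad_profile: "advertising",
  share_widget: "social",
};

// Build the consent state a visitor starts with under a given model.
function initialConsent(model) {
  const m = CONSENT_MODELS[model];
  if (!m) throw new Error(`unknown consent model: ${model}`);
  const state = {};
  for (const c of CATEGORIES) {
    state[c] = c === "essential" ? true : m.defaultAllowed;
  }
  return state;
}

// Apply a banner interaction: "accept-all", "reject-all", or a per-category
// object from the cookie settings page (e.g. { analytics: true, advertising: false }).
// Essential cookies stay on regardless; unknown categories are ignored.
function applyChoice(state, choice) {
  const next = { ...state };
  if (choice === "accept-all" || choice === "reject-all") {
    const allow = choice === "accept-all";
    for (const c of CATEGORIES) if (c !== "essential") next[c] = allow;
  } else if (choice && typeof choice === "object") {
    for (const [c, allow] of Object.entries(choice)) {
      if (CATEGORIES.includes(c) && c !== "essential") next[c] = Boolean(allow);
    }
  } else {
    throw new Error("choice must be 'accept-all', 'reject-all' or a category map");
  }
  return next;
}

// The CCPA "Do Not Sell" opt-out: turn off the category that feeds personalized ads.
function applyDoNotSell(state) {
  return { ...state, advertising: false };
}

// True if a cookie with this name may be set under the current consent state.
// Unregistered cookies are refused: a cookie with no declared category cannot
// be described in the banner or cookie policy, so the page must not set it.
function mayDropCookie(state, cookieName) {
  const category = COOKIE_REGISTRY[cookieName];
  if (!category) return false;
  return state[category] === true;
}

// Write into a cookie jar only when consent permits; returns whether it was set.
// `jar` is a plain object standing in for document.cookie so this runs outside a browser.
function setCookieIfPermitted(state, jar, name, value) {
  if (!mayDropCookie(state, name)) return false;
  jar[name] = value;
  return true;
}

// Names of all registered cookies a page load may set under this state.
function permittedCookies(state) {
  return Object.keys(COOKIE_REGISTRY).filter((n) => mayDropCookie(state, n));
}

// Usage: a GDPR visitor who accepts analytics only, and a CCPA visitor who clicks Do Not Sell.
const gdprVisitor = applyChoice(initialConsent("opt-in"), { analytics: true });
const ccpaVisitor = applyDoNotSell(initialConsent("opt-out"));
console.log(permittedCookies(gdprVisitor)); // ["site_session", "analytics_id"]
console.log(permittedCookies(ccpaVisitor)); // ["site_session", "analytics_id", "share_widget"]
```

The design point is that the consent state, not the script that wants to set a cookie, is the source of truth: every cookie write goes through `setCookieIfPermitted`, and a cookie missing from the registry is refused rather than allowed by default, which is what catches the third-party tag someone added without updating the cookie policy.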

CCPA Cookie Banner and Do Not Sell Button Examples

Opt-out Consent Cookie Banner

In the cookie banner below, Accenture provides the user with information about how it uses cookies in a way that is similar to the GDPR banner.

The difference is that when the user clicks “Cookie Settings,” the button for “First Party Analytics Cookies” is already checked, reflecting the opt-out model of cookie consent permissible under CCPA.

[Image: Accenture opt-out cookie banner]

[Image: Accenture CCPA preference center]

Implied Consent Cookie Banner

Implied consent cookie banners also satisfy the CCPA requirement of informing the website user of data collection at the point of collection. The website drops all cookies when the user lands on the site and provides information about cookie use in a cookie banner, as well as a link to cookie settings.

The difference between an implied consent cookie banner and an opt-out cookie banner is that the former disappears once the user navigates to another page on the website. It will also contain phrasing like “If you accept the use of cookies, continue to use our site or click ‘accept cookies.’”

Below is an example of an implied consent cookie banner.

[Image: implied consent cookie banner]

Do Not Sell Button or Link

The CookiePro website is an excellent example of how websites can implement a Do Not Sell My Personal Information link in a way that is compliant with CCPA.

The button floats in the bottom left corner of the page, meaning it is accessible at all times.

The button contains a link to the privacy policy, information about how the user can exercise their rights, and the option to opt-out of the sale of data by turning off personalized advertisements. Users can also access the button to opt back into personalized ads if they choose.

[Image: CookiePro Do Not Sell button]
Learn more about the CookiePro Do Not Sell Solution

03 ICO Cookie Banner

The UK’s Information Commissioner’s Office (ICO) is an independent body tasked with upholding the information rights of UK citizens. It recently released guidance about the steps websites can take to stay compliant with PECR and GDPR guidelines for consent on data collection.

ICO and GDPR Similarities

There are many similarities with the general GDPR guidelines we covered in the section above. For example, the ICO confirmed that implied consent for cookies is not enough and that websites must require users to take explicit action to accept any non-essential cookies.

Pre-ticked boxes also aren’t allowed. In fact, the guidelines go as far as to advise websites not to nudge users towards accepting consent, for example by emphasizing “agree” over “reject.”

The ICO guidelines say a cookie banner must include information about which cookies the website will set and what the cookies will do. It also confirms that websites need to gain consent for analytics cookies. This is something that CNIL guidelines do not require; we discuss this decision in more detail below.

ICO also says that websites should not use “Cookie walls.” These are cookie banners that force users to accept cookies to browse the site.

ICO Cookie Banner Example

The cookie banner on the Coca-Cola U.K. website is a good example of an ICO compliant cookie consent model.

[Image: Coca-Cola U.K. cookie banner]

The cookie banner contains information about why the website uses cookies. Users can gain access to more information about cookie use via the link to the cookie policy or cookie settings.

Importantly, the cookie banner doesn’t stop the user from interacting with the website if they choose to ignore the cookie banner, meaning it isn’t a cookie wall.

04 CNIL Cookie Banner

The Commission nationale de l’informatique et des libertés (CNIL) is the French data protection authority. Earlier this year, it released guidelines for cookie banners based on article 5.3 of the e-Privacy directive. The instructions put forward a solution similar to that of the ICO and GDPR, with some subtle differences.

The most significant difference between the CNIL guidelines and other European guidelines is that CNIL mentions that websites do not need to gain consent to drop analytics cookies in certain circumstances.

These circumstances include that the collection doesn’t lead to targeting of individuals, that location data is no finer than city level, and that the data isn’t cross-referenced with other data.

CNIL Compliant Cookie Banner Requirements

You can read more about the specific requirements relating to analytics cookies in our blog post on the updated CNIL guidelines. Here are the key requirements for a CNIL compliant cookie banner based on current guidelines.

  1. The cookie banner must provide users with a button to accept cookies. It must provide information about cookie use, including what data is collected and why, and must state whether the website shares data with third parties.
  2. It must have a link to the website’s cookie policy and cookie settings.
  3. It needs to inform the user about the use of analytics cookies before it drops them. It must also provide a way for the user to reject these cookies; this will usually come in the form of a link to the website’s cookie settings page.
  4. Websites cannot use cookie walls to block access to a page if the user doesn’t agree to the use of cookies.

Updates to the framework are expected by summer 2020.

05 LGPD Cookie Banner

The Lei Geral de Proteção de Dados (LGPD) is the Brazilian data protection regulation that is set to come into force in August 2020. It has a lot of similarities with GDPR, so the cookie banner your website uses for LGPD is likely to be similar to the one it already uses for GDPR.

LGPD is not yet enforced, but based on the rights the regulation gives data subjects, those looking to stay compliant with LGPD will likely have to create a cookie banner that includes:

  1. A statement that explains to the visitor that the website processes their data.
  2. Information about how and why the website processes data.
  3. Information about which parties (if any) the website shares data with.
  4. A statement telling the user that they can withhold consent to data collection and a button that allows them to do so.

06 Nevada Privacy Law Cookie Banner

The Nevada Privacy Law (SB 220) went into effect on October 1, 2019. It has some similarities to GDPR and CCPA but doesn’t go as far as either regulation.

While the Nevada Privacy Law requires websites to provide users with the option to opt out of having their data sold to third parties, it does not require website visitors to opt in to data collection, nor does it require websites to provide users with notice of their right to opt out.

Essentially, this means that websites with customers only in Nevada need to determine what information they collect and how they sell it, and must provide a way for customers to opt out of the sale of personal data, but they are not required to implement a cookie banner.

Of course, websites based in Nevada but with customers in parts of the world that are covered by other privacy regulations may still need to use a cookie banner on their site.

07 Conclusion

Complying with Global Regulations is an Ongoing Challenge

Different privacy regulations require different cookie banners. Websites with customers globally need a solution that can help them comply with multiple sets of rules.

As mentioned earlier, CookiePro can help websites achieve compliance by letting them customize their cookie banner depending on the location of the website user, showing them the banner most in line with the regulation in their area. Not only does this help ensure compliance, but it also means websites that use targeted ads only have to give consumers the option to opt in or out of them in locations where it is a legal requirement.

Get started today with a free website scan or request a demo.
