GDPR Compliant Cookie Banner
Last Updated: March 18, 2020
Since the General Data Protection Regulation (GDPR) came into force on May 25, 2018, websites operating in the EU have had to put in place policies to ensure they stay compliant.
Especially significant is the way websites deal with cookies. Sites now need to gain permission from users to drop all cookies other than those deemed strictly necessary to the way a website works.
There are many ways that websites can choose to gain this permission. However, to ensure GDPR compliance, an opt-in approach to cookie consent is the best option.
In this article, we will explore the various types of cookie consent websites can choose from, as well as show an example of how opt-in consent works in action.
Four Approaches to Cookie Consent
There are four main types of cookie consent. These vary in the amount of choice and protection given to customers. Websites can choose to use any of these options. However, if website owners choose one of the other options other than opt-in consent, they may be at risk of GDPR sanctions.
The user does not have to take action to accept the cookies and, in most cases, actually does not have the option to reject them; other than by not using the site. This approach does not comply with GDPR or ePrivacy regulation.
Websites that take an opt-out approach to cookie consent drop all their cookies when a user lands on the site. Opt-out consent differs from a notice only approach in that the cookie notice or banner allows the user to take action, including not receiving cookies.
The benefits of opt-out consent are that it doesn’t impact much on the user experience and it is easier to implement technically than some of the more comprehensive approaches. However, websites that choose this method are still at risk of falling foul of data protection regulations.
Websites that use an implied consent approach only drop strictly necessary cookies—those allowed under GDPR—when a user lands on the site. These sites then show a cookie banner that either asks the user to click to continue or tells the user the remaining cookies will be dropped if they continue browsing.
This approach is more comprehensive than the previous two methods we have discussed and is in use on many websites. However, there are still questions about whether or not websites that take this approach are fully compliant with GDPR.
The final—and most comprehensive—approach to cookie consent is opt-in consent. Websites that take an opt-in approach only drop the most necessary cookies when a user lands on the site. The site then displays a cookie banner that clearly details what each type of cookie is used for and requires the user to take a specific action, such as checking a box, to drop the remaining cookies.
This is the approach most in line with GDPR and it is likely to be what is required under ePrivacy. Businesses that take this approach to cookie permission stand little chance of falling foul of regulations.
The downside to the approach is there is a chance more users will reject cookies. However, websites can maximize opt-in rates by implementing a solution that gives users flexibility and the ability to customize which cookies they accept.
GDPR Compliant Cookie Banner Example
The next section of the article will detail how opt-in consent works on the CookiePro website.
When websites use an opt-in consent approach, it doesn’t drop cookies even if the user ignores the banner and continues to navigate the website. The cookie banner stays visible at the bottom of the webpage until the user selects “Accept All Cookies” or “Customize Settings.”
When a user selects “Customize Settings” they will be shown a menu that allows them to select which cookies they want to accept.
You can see in the pictures below that while strictly necessary cookies are set as “Always Active” by default, all other types need to be turned on by the user.
There is also an “Allow All” button to make it easy for users to accept all cookies if they choose.
Use Geo-Targeting to Adjust the Level of Consent Based On Location
All websites that operate in the EU are required to adhere to GDPR standards. However, many countries outside the EU don’t have such stringent data privacy regulations. Businesses that operate both inside and outside the EU can, therefore, benefit from location-specific cookie policies.
For example, they could pursue a notice only policy for general visitors and an opt-in policy for those in the EU. This would allow the website to stay compliant in the EU while still reaping the benefits of a lighter policy in other countries.
CookiePro Gives Website Owners a Free Way to Stay GDPR Compliant
Staying compliant with GDPR may seem like a confusing task. However, the whole process can be simplified through the use of a tool such as CookiePro.
CookiePro is free to sign up to and allows users to build and customize a cookie banner like the one in the example above for their site that will keep them GDPR compliant.
The program works by scanning the website to see what cookies are in use. It then produces a banner based on this information. The banner can be customized so it fits the design of the site it will be used on. Users who upgrade to a paid plan will gain access to extra benefits including the ability to only show the banner to users in the EU.
Click here to sign up for your free CookiePro account and begin to build GDPR compliant processes for your website.