Creating Compliant Cookie Banners
Noyb, a well-known privacy group campaigning for better GDPR compliance across the internet, recently lodged over 500 complaints to different businesses around the world.
According to Noyb, these companies are failing to get free and informed consent before they install cookies on user devices - a clear breach of both the GDPR and the ePrivacy Directive ("Cookie Law").
The main problem? These companies believe they are, in fact, using compliant cookie banners, which suggests there's some confusion over what the law actually requires from businesses using cookies.
To help ensure you don't fall short of what the law requires, here's a breakdown of what's required and how to meet the requirements.
- 1. What are Cookies?
- 2. What Does EU Privacy Law Say About Cookies and Personal Data?
- 3. 9 Steps to Creating a GDPR-Compliant Cookie Banner
- 3.1. 1. Describe the Purpose of the Banner
- 3.2. 2. Avoid Notice-Only Cookie Banners
- 3.3. 3. Consider Placement Carefully
- 3.4. 4. Provide Accept and Reject Buttons
- 3.5. 5. Use Unchecked Boxes Only
- 3.6. 6. Don't Use Cookie Walls
- 3.7. 7. Do Not Bundle Consent
- 3.8. 8. Get Clear Third Party Cookie Consent
- 3.9. 9. Don't Use Confusing Buttons
- 4. What Happens if You Don't Comply With Cookie Banner Requirements?
- 5. Conclusion
What are Cookies?
First, let's clarify what cookies actually are.
Cookies are just small data files which can be installed on someone's browser when they visit a website. They can be temporary, meaning they only last for however long the user browses your website, or they can be permanent, meaning they stay on a user's device after their session expires.
Cookies can be used to collect "personal data," or personal information from users. Let's take a look at why this could be a problem.
What Does EU Privacy Law Say About Cookies and Personal Data?
Under the GDPR, you need someone's express and informed consent to collect their personal data for marketing or tracking purposes. This means someone must take an affirmative action to give consent e.g. clicking a marketing cookies checkbox.
While cookies can be used for many purposes, including ensuring website functionality, they can also be used to monitor a user's browser behavior or offer them tailored ads based on their preferences.
In other words, cookies are capable of collecting personal information from people, which means you can't use them without getting formal consent.
To get consent, you must provide users with a cookie consent notice, such as a cookie banner. The banner should:
- Give people the option to reject or accept cookies depending on their preferences
The main problem with many cookie banners, according to Noyb, is that they're confusing and make it difficult for users to withdraw consent. In fact, out of the 500 complaints they issued, they found that:
- 91% of banners made it tricky for people to withdraw consent
- 81% of banners failed to include an obvious "reject" button
- 15% of banners used pre-checked boxes which means users must opt out rather than opt in
Some companies have claimed that it's tricky to comply with the rules because they're overly complicated. However, in reality, it's fairly simple to create a compliant cookie banner. You must learn to do it or else there's a real risk a complaint could be lodged against you by an organization like Noyb or a private individual.
So, here's how to do it.
9 Steps to Creating a GDPR-Compliant Cookie Banner
A compliant cookie banner must be clear and user-friendly. Above all, it must offer visitors a clear choice between accepting or rejecting cookies once they've had the opportunity to learn more about them.
Here are 9 key steps you should take when you're designing a legally suitable cookie banner.
1. Describe the Purpose of the Banner
First, make sure it's obvious that it's a cookie notice, rather than an advertising popup.
It might help to add "Cookie Notice" to your banner so it's even more clear.
2. Avoid Notice-Only Cookie Banners
Here's an example of a notice-only cookie banner from CSS Script. Although it notifies users about cookies, the only option is to click the "Got it" button:
There are two problems here. First, it's unclear whether clicking the button means you're accepting or rejecting cookies. Second, there's no option to refuse consent, which is contrary to EU privacy law.
Notice-only cookie banners don't comply with the GDPR because it must be possible for people to engage with the banner and set their preferences.
3. Consider Placement Carefully
You should make sure that the banner is placed somewhere noticeable (although there's no need for it to take over the whole page).
The Book Depository, for example, places its large cookie banner across the bottom of the page, so it's obvious when people browse the site:
Hollister's banner, for example, is a gray color, which blends in very easily with the website background, so it's hard to detect:
There are a few problems with this banner, but for now, just remember you should use clear color schemes to differentiate your banner from your site. Otherwise, even if your notice otherwise complies with the GDPR, you could fall short of the rules.
4. Provide Accept and Reject Buttons
As noted earlier, out of 500 cookie banner complaints made by Noyb, 81% involved a failure to provide a clear reject or opt-out button. If there's no free choice, then by the GDPR standards, there's no free consent, which means it's a non-compliant banner.
The Jeffree Star website, for example, provides two buttons: "Accept" and "Preferences". This technically wouldn't be GDPR-compliant because there's no clear reject button:
Gymshark EU complies with the two-button requirement. You will see that there's a clear option to "Accept" and "Reject All" cookies. What's more, they explain what it means if you click "Accept," which means that users know what it means to accept cookies on their device. This is a great way to ensure you're getting informed consent:
Always include a clear choice for your users. Otherwise, you're failing to comply with GDPR consent requirements.
5. Use Unchecked Boxes Only
This one's really simple: under the GDPR, users must make a clear and affirmative action to give consent to personal data collection.
So, you can't use pre-checked boxes which users must "uncheck" if they want to reject cookies.
Here's an example from France 24. As you can see, the different cookie categories are set to red, or reject, as a default. This is compliant, because users must physically click "Agree" if they want to install certain cookie types:
6. Don't Use Cookie Walls
Cookie walls are where your notice won't go away until someone accepts your cookies. They might appear in the middle of the screen, but not always.
Here's an example from the UK's NetDoctor:
By using a cookie wall, you're denying someone access to your website unless they accept cookies designed to collect their personal data. This is, unsurprisingly, completely contrary to the EU privacy laws and could result in a complaint being filed against you.
What's more, you're discriminating against someone by failing to allow them access to your website unless they accept marketing or tracking cookies. Again, this could result in a complaint.
Remember, accepting or rejecting cookies must always be a free choice.
7. Do Not Bundle Consent
According to the precedent set in the Planet49 case, you must get clear, separate consent for separate things. This is known as granular consent.
In a cookie context, you can't assume that people will accept all cookies just because they accepted some cookies e.g. just because they accepted functional cookies doesn't mean they consent to marketing cookies.
Here's a good example from Holland & Barrett for how to get granular consent.
When users open the cookie notice, they can either accept all cookies, reject them all, or they can choose which specific cookies they're prepared to accept. So, it's obvious what they're consenting to and, in turn, this is a compliant way to get consent:
8. Get Clear Third Party Cookie Consent
It's important that you get clear consent to any cookies installed by third parties. However, you need to strike a balance between two things: detail and user-friendliness. While users need enough detail to give informed consent, you can't overwhelm them with overly time-consuming cookie notices, either.
For example, say you list every individual cookie used for third party "legitimate interest" purposes. It's not realistic to expect people to spend a few minutes engaging with every cookie. Otherwise, they'll just consent to get by the notice.
Frustrating your users into consent is not freely informed consent. In fact, organizations like Noyb could raise a complaint against your business if it looks like you're trying to confuse or frustrate your visitors.
Here's an example from the UK newspaper, The Sun. There's a clear "Reject All" button, so users don't need to engage with every single cookie before they can use the website (although, for GDPR compliance, these boxes should not be preset to "On"):
There's a clear difference between the website's own cookies, and cookies installed by "site vendors," or third parties, and you can quickly turn them all off.
9. Don't Use Confusing Buttons
Avoid using buttons like "Close" or "Dismiss" in your cookie banners. If someone sees this wording in your cookie notice, they might simply dismiss the banner and not realize that they're actually consenting to marketing and tracking cookies.
Similarly, you shouldn't include a "x" for people to just close the banner. Again, if someone just clicks the banner away, they're probably accepting cookies without realizing it, which is contrary to the law.
Remember, Noyb reported companies for failing to offer people a chance to reject cookies in the first layer of the notice, which is exactly what's happening here.
What Happens if You Don't Comply With Cookie Banner Requirements?
Failing to comply means that a complaint could be lodged against your business, either by a group like Noyb or someone else.
If you are found in breach of the ePrivacy Directive or the GDPR, you could face substantial financial penalties, and you may need to pay administrative fines to affected individuals depending on the nature of the breach.
Under Article 83(5) of the GDPR, you could be fined up to 20 million Euros or up to 4% of your annual turnover for violating the conditions for consent.
It's not just the financial penalties you should worry about. It's the potential reputational damage, too. If customers don't trust you to respect their privacy rights, then you may find it harder to grow your business.
If you're a business subject to the GDPR and the EU's ePrivacy Directive, then you must display a compliant cookie banner, or notice, when people land on your website.
Most importantly, you need someone's express, clear, and informed consent to using cookies. They must take some affirmative step to give you this consent. Implied consent is not enough.
To create a compliant cookie banner, you must:
- Tell people what the banner is and why it's required
- Give them a clear choice between accepting or rejecting cookies
- Place the notice somewhere noticeable
- Ensure that people can access your website even if they reject marketing cookies
- Avoid bundling consent
- Make it easy for people to understand what they're consenting to
- Keep your notices as clear and concise as possible. Frustrating people to the point they click "Accept" just to get rid of the banner isn't acceptable.
As we can see from Noyb's actions, there's a real demand to ensure that businesses take customer privacy seriously, and so if you're unsure how to comply with the rules, get legal advice in the first instance.