Meet cookie banner requirements for GDPR, CCPA & more [with examples]

Whenever you visit a website, you will likely see a pop-up or website cookie notice notifying you that the site collects cookies (Internet cookies are unique texts that a website sends to a browser. Websites use cookies to remember users and help customize their browsing experience). 

That specific pop-up has a name; it is a cookie banner. They offer users the option to consent or decline to grant permission for the site to use their information for future communication purposes.

Is it a legal requirement to have a cookie banner?

Yes, it's often a legal requirement under laws like GDPR and ePrivacy Directive in the EU to have a cookie banner if your site uses non-essential cookies. It informs users and allows them to give or deny consent before tracking. In the US, CCPA requires disclosure but not necessarily a banner.

So, what requirements do you need to meet when setting up your cookie banner? Let's find out below.

How to meet the cookie banner requirements

Cookie banners are a requirement by data protection regulators. An example is the General Data Protection Regulation (GDPR) that sets standards in the European Union. The ePrivacy Directive, commonly called the Cookie Law, mandates website owners to display clear banners, maintain a cookie policy, and avoid distributing cookies without the user's approval.

Other regulators include the Brazilian General Data Protection Law (LGPD) and the California Privacy Rights Act (CPRA). The former covers privacy notices for websites created in Brazil and the Southern American region, while the latter is for web pages and applications originating in the United States.

Despite the slight regulation variations, most of the standards are similar. A one-size-fits-all requirement is impossible, but these broad standards guide web developers in creating a cookie banner.

Read more: What is consent management & why is it important?

What are the requirements for a cookie banner?

A cookie banner must have the following elements to comply with most standard regulations:

• Opt-in mechanism
• Cookies acceptance button
• Information on why a website or app needs cookies
• A link to a page where users can adjust their preferences
• Data sharing notification
• Cookie policy

Website visitors should consent to using cookies. This is critical since the shared data can seriously violate a user's privacy. As such, you will notice that the cookie consent banner always seeks your permission. Usually, the banner has a reject and an accept button. Its disruptive nature ensures that users can recognize the notification and take action. However, you could also opt to proceed by closing the banner. Cookie notifications are not on websites alone; other apps display them, too.

Cookie consent banners vary in layout, and a web owner can work with one that perfectly integrates with their website's design. A top header design features a banner displayed on the site's header. An Inline header appears on each page, while a footer banner displays at the bottom. The other type is the modal, which pops up and stays on a page until one clicks it.

On the other hand, one can adopt either of the two banner types, implicit and explicit. An implicit banner assumes automatic consent, while an explicit banner requires a user to activate it.

Having shed light on what cookie banners are, let's examine what to look for in a cookie banner in more detail.

‍

‍

Cookie banners and GDPR

The General Data Protection Regulation (GDPR) applies across EU member states. While each country has a data protection authority, GDPR banners follow similar characteristics as follows:

• Cookie consent: All GDPR banners must display an Accept and Reject button. These two options allow users to have their data shared with web browsers. One can switch between options, and we'll explore how in a subsequent GDPR guideline below.
• Cookie usage: There must be information stating why a website needs cookies. The banner should state the purpose in a simple language that every user can understand.
• Settings: Whether one has consented to cookie usage or not, a cookie banner should offer the option to change these preferences. These options are usually placed on a settings page. GDPR stipulates that a cookie banner should have a link that directs one to a page where they can modify their browsing preference.  
• Data sharing agreements with third parties: Some websites have adopted a data sharing practice that involves partnering with third-party data collectors. If such an arrangement exists, the banner must bring it to a visitor's attention.
• Cookie policy: GDPR compliance stipulates the establishment of cookie policies by businesses. These are explanations of the type of cookies a website uses. Also, the policy must state the duration the data mined remains active and how one can change these preferences.

While setting these cookie banner requirements, GDPR allows non-member EU states to apply them. An example is the UK, which still uses GDPR despite opting out of the European Union.

GDPR cookie consent is a best practice requirement for websites developed in the European Union member states. It's the legislation governing personal data collection. Under GDPR requirements, websites can only collect cookies from users that grant permission. Likewise, website owners must ensure the lawful handling of the collected information.

GDPR compliant cookie banner requirements

A cookie banner is GDPR-compliant in the following ways:

• It seeks prior consent before activating cookies.
• Users should have the freedom to activate the cookies of their preference, also called granular consent.
• Cookie banners must not be forceful but allow one to accept or decline.
• One can withdraw their acceptance anytime, while the banner should state this option.
• The banner should be designed to allow website users to modify or revoke their acceptance easily.
• A GDPR-compliant cookie banner should state that all consent is legal.

Before deploying a cookie banner, ensure it has clear and concise language. Avoid long sentences and legal jargon. Web users don't have the time to read, and most scan through the content.

Additionally, outline the cookies that will be collected and explain the reasons why the business requires them. Cookies help enhance a user's experience. At the same time, a cookie banner should have an explanation or a lead on cookie preference management. There should be an opt-in and opt-out option displayed on the banner.

Cookie banner GDPR management also allows web owners to provide selective consent for different cookie categories. A privacy policy is most important; the banner should link to the policy page. It is also important to note that failure by a user to interact with a cookie banner does not translate to consent.

The right to obtain personal data and other user information is another GDPR compliance aspect. A cookie banner should state the process one should follow. However, GDPR rules are silent on the information disclosure method. Nonetheless, businesses can place a link at the foot of all web pages or provide an email where users can channel their requests.

Cookie banners and GDPR compliance converge at the point of explicit user consent. GDPR slaps exorbitant fines on businesses that fail to comply with these requirements. All enterprises, regardless of their size, must adopt cookie compliance. Non-conformity attracts fines of €20 million or 4% of a company's global turnover.

CPRA / CCPA cookie requirements

What are the requirements for the cookie banner under the CPRA?

Under the CPRA, a cookie banner must inform users about data collection, allow them to opt out of the "sale" or "sharing" of personal data, and provide a clear "Do Not Sell or Share My Personal Information" link. It should also update users on their rights and outline how data is used or shared with third parties.

‍

Cookie banner examples

Cookie banners can be at the web page's top, middle, or bottom, depending on a site owner's preference. Also, using fonts and colors that match the business brand captivates and grabs attention. Adding a logo is another stylistic choice. These stylistic features enhance a cookie banner's appeal, but the most important thing is to enhance visitor interaction.

‍

‍

Effective and compliant banners are not coercive or manipulative. They notify web users about the data collected by the websites they visit. An effective cookie banner template also describes what happens when one consents to cookies. To sum up, these are the features of an effective cookie banner. The best cookie banner examples have the following elements:

• Free consent: Websites can promote free consent by adding a clear message. A compelling cookie consent message example states why the website collects cookies. 
• Information: Compliant banners inform users that the website collects cookies to personalize ads, share localized content, or measure audience interaction.
• Affirmative action: Best cookie consent examples comprise clickable buttons that allow one to choose cookie categories. Consider a banner that lets people accept all cookies, continue browsing without acceptance, or customize their choice. The bottom line is that it meets all GDPR requirements.

‍

‍

Non-compliant or "bad" GDPR cookie banner examples are sometimes tricky to spot. An example of a bad cookie banner features only a notice with no user consent option. Instead, it has an "okay" or "got it" button. This type of banner misses the mark by not seeking a person's approval and contravenes GDPR.

GDPR rules are clear on consent being specific and granular. Website visitors must have a choice and information on the cookies they'll consent to. To improve this banner, a web developer should replace the okay button with "accept" and "deny." Furthermore, the cookie banner should have a link to a policy notice.

Read more: 

• ‍‍What are some GDPR cookie consent examples?
• Ketch's consent management

Go further: Try out Ketch Free and start collecting consent in 5 minutes or less

‍