Updated April 1, 2020.
What is a cookie banner? What are the GDPR requirements for a cookie consent banner? And what does an unlawful cookie notice look like?
In this blogpost, we answer these questions and more, as we take a look at valid cookie banners in the EU.
Yes - if you have a website or blog with visitors from the EU, you need a cookie banner.
A comprehensive study from 2020 into website tracking shows the alarming truth that most website owners are unaware of –
72% of all cookies are set by fourth parties that are loaded by third parties, i.e. trojan horses that the website owner cannot be aware of without a deep-scanning consent management solution.
18% of all cookies are set by fifth parties or further (even deeper trojan horses).
50% of the additional parties loaded will change between repeated visits, i.e. rapidly dynamic tracking that is practically impossible for website owners to handle on their own.
99% of all cookies are used to track website visitors or to provide targeted ads.
The study was conducted by researchers from Ruhr University and the Institute for Internet Security and measured ten thousand websites and their relation to third parties and all the trojan horses that these load without the consent or knowledge of website owners or their end-users.
The study also found more alarming truths about the state of the web.
Subpages set 36% more cookies than front pages and landing pages. Subpages set an average of 78 cookies, whereas landing pages set an average of 55 cookies.
What does this mean for your website?
It means that you will need to employ the most thorough and deep-scanning consent management solution on the market if you want to be sure that you do in fact find and control all cookies and trackers on your website, as required by the European GDPR and California’s CCPA.
Unless you have technology that can scan and find all cookies, and then present your website’s visitors with a cookie banner to obtain their prior consent, there is no way you can protect your end-users from privacy infringements and data abuse.
The study “underlines the dire need of privacy protection mechanism to limit cookie-based tracking.”
Cookiebot’s mission is to protect privacy in our digital infrastructures. We believe that no one should have their data abused by companies for profit. No one should lose control of their lives by simply being online.
Cookiebot’s technology works by deep scanning your website to find each and every cookie and similar tracking technology present. Cookiebot then blocks everything until your end-users have given their consent, choosing which cookies and trackers they allow to be activated and which of their personal data they are willing to share.
Cookiebot's banner is a highly customizable cookie banner that empowers visitors to simply and swiftly make sense of cookie consent.
This is the foundation of real data privacy compliance in Europe as required by the General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR).
Cookiebot's cookie banner for GDPR compliance.
Everything the Cookiebot scanner finds is shown in the cookie banner and grouped in four categories.
Here, we map the type, name, provider, duration and purpose of each and every cookie and tracker, so that you have control over, and your end-users have assurance about, what goes on.
Cookiebot’s GDPR/ePR compliant cookie banner, showing a detailed view of cookies, categories and purposes.
According to the ruling by the Court of Justice of the European Union (CJEU) on valid consent in the EU, cookie banners are not allowed to have pre-ticked checkboxes when end-users land on a website.
The only form of valid consent is explicit consent, according to the highest legal body in the EU.
The Cookiebot cookie banner shown above is compliant with this CJEU ruling, as well as the GDPR/ePR, so you can rest assured that your website operates legally.
Try Cookiebot for free today to ensure compliance on your website and privacy protection for your end-users.
A cookie consent banner is the cookie warning that pops up on websites when a user first visits the site.
It's the website banner that declares the cookies and tracking present on a website and gives the users a choice of prior consent before their data is handled.
Cookie consent banners first started to show up on virtually every website in the EU in response to the ePrivacy Directive of 2002, popularly called “The cookie law”.
According to the Directive, all websites had to give a cookie disclaimer to their users about the fact that they set cookies on the user's browser.
The purpose of cookie consent banners therefore was to alert the users of the website about the cookies and get consent for setting them.
However, the EU legislation regarding cookies and personal data has changed.
The cookie notifications are still required, but the requirements have become a lot stricter.
A bad and illegal website banner in the EU.
The two major changes in the legislation are:
1. The General Data Protection Regulation (GDPR), which became enforceable on 25 May 2018. The GDPR is the most significant initiative regarding data protection in over 20 years. It sets strict regulations on how personal data must be handled, and comes with heavy fines for those who fail to comply.
2. The so-called ‘cookie law’, the ePrivacy Directive, which is in the process of becoming an actual regulation. It is currently being processed in the EU and will probably be implemented sometime in 2019 or in the beginning of 2020.
The two EU laws both have significant impact on the practice and use of cookie consent banners and the way in which we warn users about cookies and tracking.
With their enforcement, cookie consent banners on websites must change.
They set strict requirements for how the website banners you use must look: what makes a cookie warning non-compliant, and what makes a cookie consent banner compliant.
In theory, only websites that collect user data by means of cookies need to get consent for doing so from their users.
However, virtually all websites set cookies that track users, for example if the website is hosted, makes use of plugins or analytics tools, or has social media buttons.
You can take an audit of your website if you are in doubt whether or not your website sets cookies.
The free audit scans five pages of your website and sends you a detailed report of the cookies and online tracking on these pages, including information on their provenance, purpose and whether or not they are compliant.
Sign up to the Cookiebot solution if you want a complete overview of the cookies and online tracking across your entire website.
The EU ePrivacy Directive requires prior, informed consent of your site users, while the General Data Protection Regulation (GDPR) requires you to document each consent.
To be compliant, the cookie notice or cookie banner should be one component of a cookie management solution for your website that takes care of the following tasks:
1. To provide the website users with specific and accurate information on all cookies and other tracking technologies in use on the website.
2. To give the users the possibility to opt in and opt out of the various types of cookies, and to have access to their settings and make subsequent changes to them if they change their mind.
3. To make sure that the user consent is requested prior to the setting of cookies in the users’ browsers.
4. To make sure that the website functions properly even though the user has chosen to opt out of all but the strictly necessary cookies.
5. To keep a record of all given consents for documentation, and to make sure that this documentation is securely stored.
6. To ask for renewed consent every 12 months upon the user’s first revisit to the site.
Cookiebot does all of the above.
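The gating logic behind tasks 2 to 6, as an added example that is not Cookiebot's code or API: the four category names, the function names and the sample tags are assumptions made for illustration, and the in-memory array stands in for secure consent storage.

```javascript
// Added example, not Cookiebot code. Category names are assumptions.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const RENEW_AFTER_MS = 365 * 24 * 60 * 60 * 1000; // task 6: re-ask after 12 months

// Turn the visitor's explicit banner choices into a stored record (tasks 2 and 5).
// Anything not explicitly set to true stays off, so nothing is pre-ticked.
function recordConsent(choices, nowMs, log) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === "necessary" || choices[c] === true;
  const record = { givenAt: nowMs, granted };
  log.push(record); // append-only log stands in for secure documentation storage
  return record;
}

// A record counts only if it exists and is younger than 12 months.
function isCurrent(record, nowMs) {
  return record != null && nowMs - record.givenAt < RENEW_AFTER_MS;
}

// Tasks 3 and 4: strictly necessary always runs; everything else needs a
// current, explicit opt-in. Unknown categories are treated as blocked.
function mayLoad(category, record, nowMs) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false;
  return isCurrent(record, nowMs) && record.granted[category] === true;
}

// Constructed sample: tags a scan might have found on a page.
const SAMPLE_TAGS = [
  { name: "session", category: "necessary" },
  { name: "analytics.js", category: "statistics" },
  { name: "ad-pixel", category: "marketing" },
  { name: "mystery-widget", category: "unclassified" },
];

function allowedTags(tags, record, nowMs) {
  return tags.filter((t) => mayLoad(t.category, record, nowMs)).map((t) => t.name);
}

const log = [];
const t0 = Date.UTC(2020, 3, 1);
console.log(allowedTags(SAMPLE_TAGS, null, t0)); // before any choice
const rec = recordConsent({ statistics: true }, t0, log);
console.log(allowedTags(SAMPLE_TAGS, rec, t0 + 1000));
console.log(allowedTags(SAMPLE_TAGS, rec, t0 + RENEW_AFTER_MS)); // consent expired
```

A tag whose category the scan could not classify is blocked by default, which is the safe failure mode when third parties load further parties the site owner never reviewed.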
The easiest way to comply is to sign up to a GDPR compliant cookie solution that takes care of all the necessary processes automatically.
Be careful to choose a truly compliant solution.
Because the laws are complex, and because they are in the process of changing, there unfortunately are a lot of non-compliant or only partially compliant cookie solutions on the market.
You can try to take an audit of your website to check what cookies are in use on it, and find out what it takes to make your site compliant.
Since the law requires you to have a cookie banner on your website, it's probably a good idea to get one.
There are numerous ways of getting a cookie banner on your website.
If you have the skills, you may develop a cookie notice yourself, or else you can acquire a cookie consent plugin from one of many suppliers.
However, be careful and note that the vast majority of the cookie consent popups currently on the market are not compliant with the EU's General Data Protection Regulation, which became enforceable on 25 May 2018.
The fines for non-compliance are very heavy.
Sign up to Cookiebot and become compliant in three steps.
The service is user-friendly and non-obtrusive to the overall user experience on your website.
Here is an example of a non-compliant cookie banner:
A bad and illegal cookie banner in the EU.
The use of this type of cookie consent popup is widespread on the internet today.
It is very important that your cookie banner has an unambiguous and informative text at its center, for without it your users can't make a choice of prior consent.
Furthermore, the cookie banner above neglects the requirement of prior consent.
Here is an example of a GDPR and ePrivacy Directive compliant cookie consent banner:
A standard three button cookie banner from Cookiebot in GDPR compliance.
The user can swiftly opt in and out of the different types of cookies directly in the consent banner.
If they want to know more, they can scroll through detailed information on all the cookies, which folds out directly from the cookie banner:
Unfolded for details, this standard three button cookie banner from Cookiebot shows name, provider, purpose, duration and type of all cookies and trackers on your website.
There are numerous cookie consent banner and cookie popup generators on the internet.
You can easily find a vast choice by submitting “cookie banner generator” or "cookie popup" as a search query.
However, keep in mind that a cookie notice is completely worthless if it does not comply with the requirements of the actual regulations.
Check out Cookiebot to find a fully GDPR and ePrivacy Directive compliant cookie solution for your website.