
Cookie banner: legal requirement or best practice?

Think back to the last time you visited a new website. Do you remember seeing a popup message about the site’s use of cookies? That’s a cookie banner.

Updated November 2, 2023.

It’s not just a formality. Data privacy laws and regulations, such as the European Union’s General Data Protection Regulation (GDPR) and Brazil’s General Data Protection Law (LGPD), mandate that companies inform users about their data collection practices through cookies and obtain user consent. Failure to comply with these requirements can have costly consequences for companies, including substantial fines, legal ramifications, and a decline in user trust.

In this blog post, we’ll take a deep dive into cookie banners, including the types of cookie banners (or privacy banners) based on mode of consent, whether and why you need one, and cookie banner best practices that safeguard user privacy and comply with regulations.

A cookie banner is a display notice that appears when users visit a website for the first time, or when new consent information is required. It is also known as a cookie consent banner or cookie notice. Cookie banners have two purposes:

  • to inform users that the website uses cookies
  • to obtain users’ consent for the collection of their personal data

Cookie banners most commonly appear as a popup on a portion of the screen, or covering much of the screen, commonly known as a cookie wall. They can also appear as a floating bar at the top or bottom of the screen. The interactive features enable visitors to learn information about cookie and data use and make consent choices so they have control over their personal information. Users choose whether to consent or decline the collection of their data.

An increasing number of websites around the world need a cookie consent banner. Pretty much every website uses cookies—with some very rare exceptions—and data privacy laws that regulate personal data collection and use, user consent and privacy, and cookie use are coming into force in more and more countries.

Privacy banners today are unlike the early, simple cookie consent popups that only had an “Ok” button.

Now, your website’s end-user consent solutions need to meet stricter cookie banner requirements, the demands of more educated consumers, and evolving technology. Here are three key reasons why your website likely needs a cookie banner.

Emerging data privacy laws around the world are increasingly focused on end-user consent, from the EU’s GDPR, to Brazil’s LGPD, South Africa’s POPIA, Thailand’s PDPA, Malaysia’s PDPA, and many others on the horizon. However, each law has specific requirements and nuances.

Consent is the new standard for the evolving privacy-focused Internet, and nowhere is this more apparent than on a website’s cookie consent banner.

Your website is a dynamic system making use of the personal and sometimes sensitive data of real people through cookies and similar tracking technologies.

Your website is just one domain among the millions, but balancing data privacy and a data-driven internet economy starts small. Data privacy regulations aren’t generally based on how big a website or company is, and consumers are increasingly concerned about access to their data everywhere.

It matters that your website’s consent banners are the best in the industry. Additionally, data privacy enforcement is growing teeth, and ignoring the consent rights of end users has become a risky business around the world for websites, apps, and connected devices.

Cookie consent is no longer just a tiresome chore from a dusty EU directive. It’s recognized as a consumer demand almost as much as a legal requirement, with 80% of consumers saying they’ve left a brand because it was using their data without their consent.

Akin to sustainability markings on product packaging, a high quality consent management solution on a website now signals respect for privacy, good customer relations, and data protection awareness: metrics that help build brand reputation in an increasingly digital world where nearly all companies are also digital companies.

Balancing your website’s need for data and conversions against the growing public and legal demand for data protection and privacy can be difficult.

But as a world-leading consent management platform, Cookiebot CMP automates the compliance process for you, balancing data privacy and data-driven business with trusted and reliable technology that is intuitive and easy to use for your end users.

Google Consent Mode is a new core feature that enables your website to run all its integrated Google services, like Google Tag Manager, Google Tag Manager 360 and Google Analytics, based on the consent state of your end user. It provides conversion modeling and basic measurements for your website even if users say no to cookies and trackers via your consent banner.

The launch of Google Consent Mode and Google’s plans to stop using third-party cookies in Chrome are clear signals that the adtech industry is moving away from unconsented mass harvesting of personal data towards a model that not only respects end-user consent but puts it at the center of its operations.

Making sure that you can provide the best consent banners for your end users is important, since cookie consent banners are becoming central mechanisms for controlling analytics, ads, and marketing services across the digital ecosystem.

Making sure that your website has the best consent management platform available on the market — one that integrates seamlessly with Google Consent Mode — is vital to thrive in a sustainable internet economy based on end-user consent.


A cookie consent banner plays a dual role in privacy compliance and data collection. It shares information with users and enables them to take action regarding their personal data.

A cookie consent banner typically contains language that explains the website’s use of cookies, enabling users to make an informed choice regarding access to their personal data. The amount of information may vary depending on the different data privacy laws’ requirements, but some of the items they notify visitors about are:

  • that the website uses cookies
  • why it uses cookies, or the cookie type by purpose
    • essential cookies, without which the website won’t work as intended
    • non-essential cookies, including for statistics, user preferences and customizations, marketing and advertising and third-party
  • what choices the user has regarding their data
  • that the organization has a privacy policy, of which a cookie policy can be a part, with a relevant link

Taking action with a privacy banner

A cookie banner gives users a way to inform the website about whether or not it can collect their personal data, and often, at a granular level, which specific data and for what purposes it can be used. This is usually in the form of buttons with the following consent options:

  • Confirm or Accept
  • Decline or Reject
  • Customize or Manage Preferences

Once the user has chosen, their cookie preferences get recorded in a consent management platform and securely stored for future visits to the website, or in the event of an audit by data protection authorities.

There are two main types of cookie consent banners based on the data privacy regulations that they help organizations comply with: opt-in consent and opt-out consent.

Opt-in consent means that the user must explicitly allow the website to use cookies by selecting an “Accept”, “Confirm” or “Allow” option before any personal data is collected. The EU’s GDPR and ePrivacy Directive (EU cookie law), Brazil’s LGPD, South Africa’s POPIA and Thailand’s PDPA all require explicit consent from visitors before a website can collect their personal data. First time visitors to websites, apps, etc. from these countries must be presented with an opt-in function to collect their explicit consent to use cookies.

Opt-out consent doesn’t generally require a website or app to collect visitors’ explicit consent before it uses cookies. Under the opt-out consent model, a website can use cookies and collect personal data without obtaining user consent. Consent may be required if sensitive data or data belonging to children is collected. And users can opt out of having data shared, sold, or used for targeted advertising or profiling, depending on the law.

Most state-level data privacy laws in the US require a cookie banner that complies with the opt-out consent model, which applies to personal data collected from adults. Some laws require the data collector to give users the option to opt out of having their personal data collected at any time. Even though prior consent isn’t required, it is mandatory to notify visitors about data collection and usage as well as their rights.

Cookie banners must comply with the provisions under data privacy laws like the GDPR, ePrivacy Directive and California Consumer Privacy Act (CCPA), and the requirements for each can be different. Basic cookie consent requirements for banners are:

  • details about the website’s cookie usage, explained in simple, non-legal language that anybody should be able to understand
  • clear options for the user to accept or reject the website’s/app’s use of cookies if it’s an opt-in consent banner
  • a clear way for the user to opt out of the website’s use of cookies if it’s an opt-out consent banner
  • a link to the website’s privacy policy or cookie policy
  • contact information for the company, and, where relevant, how to exercise user rights under relevant regulations

Let’s take a closer look at what a cookie banner under the GDPR/ePrivacy Directive or the CCPA/California Privacy Rights Act (CPRA) should look like.

The GDPR and ePrivacy Directive are the two main regulations that govern data privacy for personal data collected from users in the EU. They apply to all companies who collect data from EU-based users, even if the companies are located outside the EU.

User consent must be explicit under the GDPR, which means EU-based users must receive an opt-in consent banner when they first visit a website, app, etc. Further, consent under the GDPR must be freely given, specific, informed and unambiguous.

Requirements for privacy banners compliant with the ePrivacy Directive and GDPR are:

  • Clear information about cookies: The cookie banner must clearly explain that the website uses cookies, the types of cookies it uses and for what purpose, and for how long they’ll be stored on the user’s device. It should also inform users that, if they allow the website to use cookies, they have the right to withdraw their consent at any time from the cookie settings. The cookie banner must be written in simple language that is easy for anyone to understand and should avoid legalese.
  • Explicit consent option: Users must actively consent to let the website use cookies, which means they should physically perform an action to opt in to data collection. This can be achieved with a button on the banner — clearly labeled “Accept”, “Allow” or “Confirm” — that they must click to give their consent. Pre-ticked boxes or presumed consent if they take no action are not valid forms of consent under EU laws.
  • Option to reject cookies: Users must be given the choice to reject cookies easily, with a “Reject” or “Decline” button beside the opt-in button. Both options must be comparable in appearance and equally accessible. Declining cookies should not result in any penalties and users should still be able to use the website.
  • Granular control over cookie preferences: For consent under the GDPR to be specific to a purpose, users must have the option to customize their cookie preferences if they wish. Some users may want to allow non-essential cookies for one purpose but reject non-essential cookies for another purpose. Offering granular choices on your GDPR compliant cookie banner enables users to have more control over how their personal information is used. Users must also be able to change or withdraw these choices in the future.
  • Link to policies: Users who want to know more about your detailed cookie or privacy policies must be able to access them with a clear link from the cookie consent banner.

[Image: example of a cookie banner compliant with EU laws]


The CCPA and CPRA govern the personal data collected from residents of California and apply to businesses that:

  • have a gross annual revenue that exceeds US $25 million
  • receive, process, or transfer data from 100,000+ California residents annually, or
  • earn at least 50% of annual revenue from selling or sharing the personal data of California residents.

If a company that meets these thresholds collects personal data from California residents, it must display an opt-out cookie banner when users visit their website for the first time.

Requirements for cookie banners compliant with the CCPA/CPRA are:

  • Information about cookie usage: The cookie banner must inform users about cookies the website uses and the intended purposes for collecting personal information. It must also inform users if the website shares any information with third parties.
  • Privacy policy link: The cookie banner must include a link that goes directly to the specific section of the business’s privacy policy that pertains to the use of cookies.
  • Option to opt out of personal data being sold: The CCPA/CPRA require a cookie consent banner to include a link with prescribed language that says “Do Not Sell Or Share My Personal Information”.

It’s vital to note that an organization can sell the personal information of a user under the age of 16 years only with explicit consent. If the organization knows that it is collecting data from a “known child”, i.e. a user under the age of 16, it must provide opt-in consent for the sale of personal information. Consent for access to children’s data must be provided by a parent or legal guardian. An opt-out button or link is not compliant with the CCPA for the sale of personal information belonging to users below the age of 16.

[Image: example of a CCPA compliant cookie banner]

Good design makes it easy for users to understand the information on your cookie banner and take action to opt in (or out), making your cookie banner effective, user-friendly and more likely to be compliant.

Cookie banner design do’s:

  • use fonts and text sizes that are easy to read
  • match your brand colors and style for visual consistency
  • include your corporate logo for easy visual recognition
  • use clear labels on buttons that make it apparent what users’ options are
  • display the banner prominently on the screen, without overtaking all of it
  • employ accessibility best practices, e.g. be compatible with screen readers and other assistive technologies

Cookie banner design don’ts:

  • use poorly contrasting colors that make the text illegible (especially the “Decline” option)
  • use pre-checked consent boxes for non-essential cookies
  • make the “Reject” setting difficult to find or hide it behind a link
  • use suggestive colors, sizes, or styles on buttons to encourage users to accept cookies
  • blur the website behind the banner so that users can’t browse without accepting cookies

Cookiebot CMP is a mature technology that has been evolving and improving for many years. Today, it’s the most powerful tool on the market for detecting tracking technologies in operation on websites and to control these based on genuine end-user consent.

Cookie use is a potential privacy risk and a legal liability for your website because cookies can track, store and share data about the behavior of your end users.

Cookies used on a website are dynamic and often change. On average, a website has 20 cookies in use. It’s important to stay up to date on which cookies and other trackers are in use at any given time to comply with regulations and accurately inform users.

Here’s why it’s very difficult to control cookies and manage end-user consent on your website manually.

72% of all cookies are set by fourth parties and loaded by third parties, i.e. “trojan horses” that website owners cannot find without a deep-scanning technology like Cookiebot CMP.

18% of all cookies are set by fifth parties or deeper.

50% of “trojan horses” will have changed between visits, meaning that they can be different cookies altogether, collecting different data for different agents, and making the legal responsibility of the website owner impossible to live up to, without a consent management platform like Cookiebot CMP.

99% of all cookies are used to track website visitors or to provide targeted ads.

Source: Beyond the Front Page 2020


Achieving compliance with global data privacy regulations can be complex. A consent management platform (CMP) such as Cookiebot’s™ simplifies the process, helping you collect cookie consent from users no matter where they’re located.

Cookiebot CMP is designed for anyone to use and doesn’t require a lot of technical expertise. Once you set up your account, you can be up and running in 3 simple steps:

  1. Add your website to the Cookiebot CMP.
  2. Customize your cookie consent banner — design, content and languages — or select a banner from one of our predefined options.
  3. Add the cookie banner and declaration to your website using a script or one of the available integrations.

Read our Getting Started guide for a more detailed explanation of the setup.

Why choose Cookiebot™?

Compliance and technology for a sustainable internet economy

Cookiebot CMP launched in Denmark in 2012 to help balance data privacy and data-driven business on websites around the world.

Today, Cookiebot CMP is a world-leading solution for websites to get true end-user consent. Its unrivaled website scanner and full cookie control enable compliance with major data privacy laws around the world, including the EU’s GDPR, California’s CCPA/CPRA, Brazil’s LGPD, South Africa’s POPIA and many others.

What sets Cookiebot CMP apart is its unmatched scanning technology that detects all cookies and trackers in use on your website.

Integrating with Google Consent Mode, available as a WordPress plugin and an Umbraco app, as a Google Tag Manager Standard Tag and in full compliance with the IAB’s TCF and CCPA Compliance Frameworks, Cookiebot CMP is your all-round solution for data protection compliance.

Used by small, medium and enterprise domains alike, as well as investigative researchers, the Cookiebot CMP scanning technology is unrivaled in its powers to uncover tracking on websites.

After finding all cookies, we empower end users with a genuine choice of consent through modern and easy-to-use cookie consent banners that offer granular cookie control and consent solutions to fit data privacy law requirements.

To match the technology inside of Cookiebot CMP, the next generation of cookie banners brings a whole new level of ease of use and customizability with modern designs that integrate seamlessly with any website, no matter its shape, size, or layout.

As part of our mission to make end-user consent as effortless as possible, the new generation of cookie banners comes with the choice of controlling all cookie categories with toggles on the first and second layers. Easy and recognizable designs bring a smoother end-user consent experience to your website.

Optimized for better usability and higher conversion rates

With a modern look and feel, the new generation of cookie banners from Cookiebot CMP makes the user consent journey effortless and intuitive, to help obtain more data, and is fully WCAG (Web Content Accessibility Guidelines) compliant.

Cookiebot CMP balances data privacy and data-driven business to help your website respect and protect your users’ right to privacy, while also getting the data you need for marketing operations and ad revenue.

Fully flexible and customizable

The new generation of cookie banners are the most customizable cookie banners online, and come in three-button, two-button, and one-button versions to enable compliance with major data privacy laws around the world.

Cookie banners can be built to fit any color and design scheme on your website and can feature your business logo for seamless integration.

Optimized for mobile

Increasingly, domains are visited from smartphones and tablets, and it’s vital that your website’s cookie banner works just as well there as on the desktop version.

The new cookie banners are fully responsive and optimized for mobile use, so your end users are always presented with a great design and user experience, no matter how they visit your domain.

Achieve seamless compliance with major data privacy regulations

The cookie banners from Cookiebot CMP are the product of significant research and development to find just the right solution for a completely transparent cookie overview with true prior consent at its core.

Just like the old banners, the new cookie banners provide your website with plug-and-play compliance for major data privacy laws like the EU’s GDPR, California’s CCPA/CPRA, Brazil’s LGPD, South Africa’s POPIA and many others.

The new generation of cookie banners also support the IAB’s TCF and CCPA Compliance Framework.

FAQ

Does the new banner support IAB’s TCF Framework?

All our banners always support the IAB TCF, including the latest version 2.2.


How do you make a GDPR banner?

A “GDPR banner” or cookie banner must be able to manage end-user consents and control all cookies and trackers in use on your website. Developing your own is difficult and risky, since 72% of all cookies are set by fourth parties that are loaded by third parties, which website owners cannot find without deep-scanning technology.
