What is cookie consent? Requirements and tools to comply with global data privacy laws

What is cookie consent?

Cookie consent is the interaction that takes place on your website between a visitor and a consent management platform (CMP). It enables visitors to decide whether they will allow all or some cookies to collect their personal data for various purposes.

Why do you need cookie consent?

Tracking cookies embedded on your domain by services like Google Analytics, Shopify, HubSpot, and social media plugins are a common way to collect personal data from visitors on your domain. Even after the end of third-party cookies, scheduled by Google for 2024, other tracking technologies, such as first-party cookies, pixels, or server-side tracking will still collect and process visitors’ personal data to power your domain’s analytics and marketing, as well as the data-driven engines of the digital economy at large.

Obtaining user consent to collect personal data is a legal obligation under many data privacy laws around the world, including:

• European Union’s General Data Protection Regulation (GDPR) and the ePrivacy Directive (also called the “cookie law”)
• Brazil’s General Data Protection Law (LGPD)
• South Africa’s Protection of Personal Information Act (POPIA)

Some other laws, including several US state-level data privacy laws, operate on an opt-out consent model. So while they may not require prior consent for many types of personal data use, they still require cookie consent when obtaining certain specific types of data, such as sensitive personal data or data that belongs to minors.

Cookie consent is no longer only a legal requirement, however, but has also become a consumer demand and a metric of brand reputation, with 65% of people saying the top reason they’d lose trust in a brand is if it misused their personal data.

What is a cookie consent policy?

A cookie policy or cookie declaration is a document that explains how your website uses cookies. This policy covers the types of cookies in use, the information they gather, how that information is used, who may have access to the information, and how users can manage their cookie preferences.

A cookie policy helps visitors understand what data is collected when they use your site, and informs them how they can change or withdraw consent in the future. Your website’s cookie policy can be part of its privacy policy or a separate policy document and is a legal requirement under laws like the GDPR and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA).

What is a cookie consent banner?

A cookie consent banner, also known as a consent banner, cookie banner or cookie notice, appears on websites when a user first visits, if they’ve cleared their browser settings, or if a legally required expiry of previous consent has passed. 

It is designed to inform them about the site’s use of cookies, and, where explicit consent is required, to ask for their consent to store these cookies on their device. This banner is a direct response to data protection regulations requiring websites to notify visitors and obtain informed consent before collecting any personal data through cookies.

The banner provides essential information about the types of cookies the site uses (such as preference, marketing, or analytics cookies) and possibly provides granular information on the actual cookies (also called data processing services) in use. The banner also provides information about what the cookies do and who may have access to data collected by cookies. It also plays a pivotal role in managing user consent. Depending on the relevant regulation’s requirements, they might be able to accept all cookies, reject non-essential cookies, or customize preferences based on cookie categories.

Most cookie consent banners also require you to link to your website’s privacy policy.

Cookie consent text examples

The cookie banner is the popup notification via which users record their consent preferences. The cookie text or cookie notice message is the specific wording on the cookie banner that provides users with information. It must be written in simple language that is easy for users to understand without requiring legal or technical knowledge.

GDPR-compliant cookie consent banner example:

CCPA-compliant cookie consent banner example:

Some data privacy laws require you to have specific language on the cookie consent banner, such as the CCPA’s “Do Not Sell or Share My Personal Information” link.

What is cookie consent rate?

Cookie consent rate refers to the percentage of website visitors who interact with the cookie consent banner and agree to accept cookies after being shown it. Some factors that influence cookie acceptance rate are:

• how clearly the purpose and use of cookies is explained
• the visual design and placement of the cookie consent banner
• how easy it is for users to give consent (though this should never be manipulated via nudging or dark patterns)

Actual consent rates can vary depending on the factors mentioned above, the geographic location of the website’s audience, and the industry the company is in. For example, websites with a large audience in locations that require opt-in consent like the EU might see different consent rates compared to those with an audience in regions with less stringent data protection laws.

Increasing awareness around data privacy can also influence consent rates, with more privacy-conscious users potentially being more selective about giving consent.

What are the requirements for cookie consent?

Cookie consent requirements depend on where your users are located. For users in the EU, websites need to follow cookie consent requirements under the ePrivacy Directive and GDPR. For users in the US, websites need to follow cookie consent requirements of the state in which the user resides, though a minority of US states have data privacy laws to date, and there is not yet a federal regulation.

Let’s take a closer look at cookie consent requirements under the GDPR and CCPA/CPRA specifically.

GDPR and cookie consent

The GDPR governs the processing of personal data — which can include anything from name and email address to purchase history and IP address — and which includes data collected via cookies.

GDPR cookie consent requirements

Here’s a list of the EU’s GDPR cookie consent requirements that must all be met for your website to be compliant. This is for companies that choose consent as the legal basis for data processing, though there are others outlined in the GDPR.

• Prior and explicit consent must be obtained from users before any activation of cookies, apart from necessary/essential cookies, which don’t require consent.
• Visitors must give consent through an intentional action, such as clicking “Accept All”; pre-checked boxes are not allowed and ignoring the banner or scrolling past cannot be considered valid consent.
• Granular consent must enable users to activate some cookie categories and not others.
• Consents must be freely given, i.e. not nudged or coerced in any way.
• Consent must be informed, i.e. users must have access to relevant cookie information and know what they are consenting to.
• Visitors must be able to change or withdraw consent as easily as they gave it.
• Websites must keep records of consents as evidence of compliance, including who consented, when, and what information they were provided with at the time of consent, this may be requested for an audit by data protection authorities or for a data subject access request.
• Consent must be renewed at regular intervals. Every 12 months is the common guideline, though the GDPR only stipulates that data should only be retained for as long as it’s needed to fulfill the stated purpose. Cookiebot™ retains data for 12 months. Some national data protection guidelines recommend more frequent renewal, e.g. every 6 months, and some are as long as 2 years. Check your local data protection guidelines for compliance requirements.
• Websites must publish a clear and accessible privacy policy or cookie policy that details its use of cookies, visitors’ rights information and how to exercise those rights, and contact information for the company or possibly the data protection officer.

GDPR cookie consent solutions

The EU’s strict GDPR cookie consent requirements require that you obtain cookie consent before tracking technologies can legally be used to collect and process personal data from users located inside the EU — no matter where in the world you or your website are located.

Most data privacy laws in the world empower end users with rights to transparency and control over how their data is handled. But enabling your end users to freely say yes or no to cookies is specifically central to the GDPR cookie consent requirements (and to similar core obligations in Brazil’s LGPD and South Africa’s POPIA).

Using a consent management platform (CMP) like Cookiebot CMP that enables you to display GDPR-compliant cookie banners and obtain explicit consent can help you achieve compliance with the GDPR’s cookie consent requirements. Publishing a detailed and regularly updated cookie policy also helps achieve compliance as it enables you to comply with the GDPR’s requirement for obtaining informed consent, and ensuring user notifications are kept updated.

CCPA and cookie consent

The CCPA/CPRA work on an opt-out consent model, meaning that websites aren’t required to obtain user consent before setting cookies and collecting data (known as “personal information” under the CCPA) in most cases. There are, however, exceptions for certain types of personal information.

CCPA cookie consent requirements

The CCPA/CPRA require businesses to obtain prior consent for the collection of sensitive personal information and personal information belonging to known children under 16 years of age.

The laws also mandate that users can opt out of the sale or sharing of any personal information — not just sensitive personal information — to third parties. If your website uses third-party cookies, you are required under the law to give users a way to opt out of the sale of their personal information. Of note, however, is that use of third-party cookies in browsers is being phased out.

CCPA cookie consent solutions

You can collect personal information from California residents through the use of cookies without their prior consent in most cases, but if you are a business to which the CCPA/CPRA applies, you must notify users of:

• your website’s use of cookies
• the purposes for which you’ll collect or use their personal information
• how long you’ll keep their personal information

The laws require you to provide two notices to users: “a notice at collection” and a CCPA-compliant privacy policy, which contain this information. Your cookie consent banner may function as a notice at collection. Both these notices must have a link to a web page that enables users to opt out of the sale or sharing of their personal information, and the link must have the specific words “Do Not Sell or Share My Personal Information”.

A CMP like Cookiebot CMP enables you to achieve CCPA compliance with an opt-out cookie banner on which you can share the mandated link. If the type of personal information you collect requires opt-in consent under the law, you can customize your cookie consent banner to display opt-in consent options as well.

Cookie consent with Google Consent Mode

Google Consent Mode controls your website’s Google services (such as Google Analytics and Google Ads) based on consent information from your end users. Google Consent Mode triggers these services to collect all relevant data when users opt in for these cookies, and to block them or collect anonymized data, which excludes personally identifiable information, when users opt out. Consent information is collected via a CMP, into which Consent Mode is integrated, and which then signals it to Google services.

With version 2, launched in November 2023, Google Consent Mode has evolved into a signaling tool to help website owners comply with global privacy laws while respecting end-user consent choices.

What is a cookie consent tool and how can you choose one?

A cookie consent tool is a software solution that helps websites comply with data privacy laws such as the GDPR, CCPA, and others by managing how cookies are used on the site. They offer functionality for both obtaining consent in a manner that is clear and compliant with legal regulations and for securely storing and managing that consent effectively to accommodate users’ privacy preferences.

This includes obtaining explicit user consent before any non-essential cookies are activated and providing a clear and manageable way for users to alter or withdraw their consent at any time.

A consent management platform (CMP) is a cookie consent tool or cookie consent solution. When selecting a cookie consent tool, look at whether it:

• supports compliance with global data privacy laws, including opt-in consent, opt-out consent, and granular consent
• supports geotargeting to display the right cookie consent banner to users based on their location (ideally also supporting multiple languages for optimal user experience)
• integrates with different website platforms, content management systems, and third-party services
• automates cookie scanning to show you all the cookies in use on your website, and ideally automatically updates the CMP and cookie notice 
• includes an analytics dashboard or management interface that enables you review and manage consents, track interaction and consent rates, and generate compliance reports as needed
• offers multiple support options, such as a detailed knowledge base and technical support
• easy to set up, especially if the organization has limited technical resources, and get you started with collecting compliant consent

How can you implement cookie consent on your website?

You can use a CMP like Cookiebot CMP to implement cookie consent on your website. Cookiebot CMP is a cookie consent tool that is implemented on your domain straight from the cloud without any need for manual installation or on-site deployment. Drop the Cookiebot CMP script in the top of your source code and you’re good to go.

How Cookiebot CMP can help you comply with cookie consent requirements

Cookiebot CMP enables you to collect legally valid consent and comply with cookie consent requirements under multiple global data privacy laws.

1. Display a cookie consent banner based on location

Cookiebot CMP’s geotargeting setting enables you to display a cookie consent banner that obtains consent based on the location of your users. Cookiebot CMP can obtain consent meeting the requirements of major global data privacy laws, including the GDPR/ePrivacy Directive, CCPA/CPRA, LGPD, POPIA, and more.

Cookiebot CMP supports 47+ languages, so you can display the required cookie text on the banner in your users’ local language for better clarity and user experience.

2. Supports Google Consent Mode

Cookiebot CMP fully supports and integrates with the latest version of Google Consent Mode. If users don’t consent to statistical or marketing cookies, for example, Google Consent Mode and Cookiebot CMP enable your website to still retain vital aggregate and non-identifying measurements and modeling data. You can still display contextual ads rather than targeted ads, respecting user privacy while optimizing your website’s performance.

3. Integrates with multiple platforms

You can obtain compliant cookie consent on popular content management systems like BigCommerce, Dorik, Magneto, PrestaShop, Shopify, and WordPress.

4. Scans your website for cookies

Cookiebot CMP’s cookie checker tool scans your website to see what cookies are currently in use and your level of compliance risk. This enables you to set up the CMP to collect valid consent for all cookie types in use and keep your cookie policy updated and compliant.

Cookie consent tips

Here’s a concise checklist to guide you through setting up a cookie consent mechanism that complies with data privacy laws and respects visitors’ consent preferences.

• Determine your users’ geographic locations to understand which laws apply (e.g., the GDPR for EU residents, CCPA/CPRA for California residents, etc.)
• Scan your website and outline the types of cookies in use, e.g. necessary, functional, analytics, marketing.
• Outline your cookie policy that clearly explains what each cookie does, why it is used, who accesses the cookie data (e.g., third parties, internal departments), and how long the data is kept for.
• Implement a cookie banner or cookie consent popup that requires an affirmative action from users to give consent for cookie use.
• Ensure that consent options for non-essential cookies are not pre-ticked and that there are equal options to accept or deny consent.
• Enable granular choice where users can consent to different types of cookies separately.
• Make it simple for users to easily change or withdraw their consent at any time through the same interface where they initially gave consent.
• For CCPA requirements, ensure your cookie banner contains the mandated text phrase and link that enables users to opt out of the sale of their personal information.
• Maintain consent records that detail when and how consent was given, and log any consent withdrawals and changes to user preferences.
• Check your cookie consent practices at least once a year and update them as necessary.
• Adjust your practices based on updates to relevant regulations or website technology changes.
• Update your privacy policy regularly to reflect your cookie use and consent practices to meet legal requirements.
• Include a link to your privacy policy in your cookie consent banner.
• Use plain language and clear visual elements on your cookie banner that are easy for users to understand.
• Consider using a CMP like Cookiebot CMP to automate and manage consents efficiently.

Frequently Asked Questions