Updated January 17, 2022.
A cookie disclaimer and a cookie consent banner is not the same thing. The difference is that one is GDPR compliant and the other is not.
The GDPR and EDPB guidelines on valid consent clarify how your website is allowed to process personal data from users visiting your domain.
In this blogpost, we look at different examples of compliant and non-compliant cookie disclaimers and cookie consent banners on websites, so you can be sure to have the correct and compliant implementation for consent on your website.
Become compliant with Cookiebot consent management platform (CMP).
Cookie consent banners in brief
Valid consent is a –
- Freely given
- Unambiguous indication of a user’s wishes
EDPB guidelines on valid consent clarify that scrolling and continued browsing is not considered valid consent, nor are cookie banners with pre-ticked checkboxes or cookie walls (forced consent conditioned on website access).
Your website’s consent solution must present users with a real choice of consent that lives up to the GDPR requirements above.
About Cookiebot CMP
Our unmatched scanning technology detects all cookies and trackers in operation on your domain and blocks everything until the user has given their choice of consent.
User consents are obtained through a granular cookie banner that informs the user in detail of each cookie and enables them to easily withdraw consent again, should they choose to.
Cookiebot CMP cookie consent banner that makes your website fully compliant with GDPR and EDPB guidelines.
Cookiebot CMP documents each obtained consent securely and renews them at appropriate intervals, as required by the GDPR and clarified in the EDPB guidelines on valid consent.
Cookie consent banners in detail
What is a cookie disclaimer? What is cookie consent?
A cookie disclaimer is a thing of the past.
Or it should be, but in reality, the Internet is littered with archaic cookie disclaimers that not only leave the users confused and fatigued but are also not compliant with the existing data protection law of the EU – the General Data Protection Regulation (GDPR).
A cookie banner or cookie consent banner, on the other hand, is a sustainable and GDPR/ePR compliant approach to protecting the privacy of your website’s users – if it is done right, if it is implemented correctly.
A consent banner is the technology that enables your users to decide for themselves which categories of cookies and tracking they wish to consent to on your domain, and it is the technology that enables you, the website owner, to be fully compliant with the GDPR.
EDPB guidelines on valid consent
The European Data Protection Board (EDPB) is the lead supervisor of GDPR enforcement in the EU.
The job of the EDPB is to adopt guidelines and issue decisions on how the GDPR is to be interpreted and applied in each EU member country by the national data protection authorities.
On May 4, 2020, the EDPB adopted guidelines on valid consent that clarify what kind of user actions on websites constitute GDPR compliant consent.
The EDPB guidelines state that –
- Scrolling, swiping or continued browsing on websites by users do not meet the GDPR requirements for a clear and affirmative prior consent.
- Cookie banners are not allowed to have pre-ticked checkboxes for the same reason as above.
- Cookie walls – i.e. forced consent as a condition for access to the website – is a non-compliant way of obtaining consent, since the consent is not considered freely given (i.e. valid).
Cookie disclaimers and cookie consent – what does the law say?
The General Data Protection Regulation (GDPR) is a regulation (i.e. a uniformly binding legislation for all EU countries) that controls how companies, websites and other entities handle personal data.
GDPR rules that no processing of user data is allowed without prior consent. This means that your website is not legally allowed to automatically activate any cookies but the ones strictly necessary for the function of your website before obtaining user consents for each specific cookie and their different purposes and functions.
If your website processed personal data that was not sensitive data (such as health data or data about sexual or religious orientation), then implied consent was enough.
This meant that if users kept scrolling on that website, this behavior would constitute consent in the eyes of the law.
With the EDPB guidelines from May 2020, valid consent under the GDPR means that cookie banners that state that the continued use of a website is considered consent is non-compliant with the GDPR, just as cookie banners that are presented to the user with already ticked checkboxes are also non-compliant with the GDPR.
Cookie banner giving the illusion of a choice, but forces the user into a non-compliant choice of consent.
Your website, according to the EDPB guidelines, is also not allowed to force the users into a take-it-or-leave situation by making their prior consent conditioned on the access to your domain.
This way of forcing a consent from users in known as a cookie wall, and the EDPB guidelines clearly rule them out as an invalid way of obtaining user consent for the processing of personal data.
How do I make sure that my website is GDPR compliant?
For your website to be compliant with the GDPR, you must –
- obtain clear and unambiguous consent from your users (see EDPB guidelines for more),
- prior to any processing of personal data,
- after specifying all types of cookies and other tracking technology present and operating on its pages,
- with no pre-ticked checkboxes on any cookie categories except necessary,
- in easy-to-understand ways that enable users to consent and to revoke consent on each specific category of cookies,
- to then be able to safely and confidentially document each user consent,
- Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.
Staying compliant with the GDPR is important, since it means protecting the privacy of your website’s users.
Being non-compliant with the GDPR can also be a costly affair, with maximum fines being €20 million or 4% of a company’s global annual turnover, whichever is higher.
Examples of non-compliant cookie disclaimers for websites
Archaic, bad and illegal cookie disclaimer found somewhere on the web.
A cookie disclaimer is exactly that – a disclaimer and nothing more.
Cookie disclaimers leave no real choice of consent for the user, as they don’t expose the cookies and tracking in operation on the website, their purpose and properties, or a choice of consenting to some cookies and not to others.
Users meeting this cookie disclaimer on a website has no choice but to hit the previous page button, or blindly accept and go forward onto the site.
Users might also already have noticed that this cookie disclaimer gives no guarantee that non-essential cookies, such as third-party marketing cookies, haven’t already been set and activated upon arrival on the landing page.
They most likely have on a website with this cookie disclaimer.
A cookie message without any choice of prior and informed consent is not a cookie message that really protects the privacy of your users, nor does it live up to the requirements of the GDPR.
The following cookie disclaimers are non-compliant because they rely on the now-illegal implied consent or soft opt in, clarified as unlawful by the EDPB guidelines of valid consent.
A non-compliant cookie disclaimer using the unlawful implied consent.
This cookie disclaimer used to be compliant with the GDPR but is unlawful after the EDPB guidelines on valid consent that specify that consent must be granular, specific, freely given and easily withdrawable.
The cookie disclaimer relies on the implied consent of the user by their continued scrolling and browsing on the site. However, the EDPB guidelines state clearly that this does not meet the requirements for valid consent.
Examples of cookie consent banners, done wrong
Cookie consent banners are different from cookie disclaimers, because they are designed to meet the different GDPR requirements that together constitute a valid consent.
However, cookie consent banners can also be implemented wrongly so that users are in fact not protected by prior consent and your website not actually GDPR compliant.
The following examples are non-compliant cookie consent banner implementations.
The cookie consent banner above is a Cookiebot CMP banner, but it has been implemented in a way that leaves the user without the possibility to deselect the already pre-ticked cookie categories, violating the GDPR’s principle of consent being freely given and specific that has been cemented by the EDPB guidelines 05/2020.
Such an implementation also violates the principle of prior consent, because when the cookie categories are pre-ticked, the cookies will already be in operation, when the user lands on the website, and therefore already be processing personal data even though the user has not consented to this yet.
According to the GDPR and the EDPB guidelines, websites must have preference cookies, statistics cookies and marketing cookies un-ticked as a default so that users have to opt in themselves. Only necessary cookies are allowed to be pre-ticked.
In the following cookie consent banner, also one of Cookiebot CMP, all three cookie categories of cookies are pre-ticked when the user lands on the website, meaning that marketing cookies are already processing their personal data even though they haven’t clicked the “OK” button yet.
Another cookie banner from Cookiebot CMP with non-compliant pre-ticked checkboxes.
We offer a high level of customization and autonomy for our customers when it comes to layout and make-up of the cookie banners. It is designed to be used in many different contexts, as well as live up to different national privacy laws and regulations.
To make sure that you use Cookiebot CMP in full GDPR compliance, you must leave all cookie categories deselected by default (except necessary cookies), so that users can exercise a clear and affirmative prior consent.
Cookiebot CMP cookie banners, done right
Every day we fight to protect privacy, and so the correct and compliant implementation of our technology is something we care about.
A Cookiebot CMP consent banner that is compliant with the GDPR/ePR and the CJEU ruling.
This cookie banner is compliantly implemented because –
- deselected cookie categories by default
- granular consent options with three different buttons
- a no-nudging layout that enables consent to be freely given
- the option for a detailed overview of type, provider, purpose and duration of each cookie
- an easy-to-understand text informing users of the personal data processing operations
The good thing about being compliant with the European data protection law is that it means that you protect the privacy of your users in a sustainable way.
What is a cookie consent banner?
A cookie consent banner is a way for websites to be compliant with the EU’s GDPR, which requires that websites obtain the prior consent of users in order to legally process their personal data, e.g. through cookies and trackers. Cookie consent banners are found on most websites today and come in various types and designs, only some of which are actually compliant with the GDPR.
What are the rules for cookie banners?
The GDPR and EDPB guidelines on valid consent specify that user consents must be obtained prior to the activation of any cookies or trackers (apart from those strictly necessary for the basic function of your website) that process personal data. Cookie banners must have easy-to-understand text that informs users in detail about each cookie in operation. Cookie banners are not allowed to have pre-ticked checkboxes or nudge users into making one choice rather than another. Cookie banners must be granular, i.e. users must be able to select some cookies rather than others, and consent needs to be as easily withdrawn as given.
What is personal data?
What are cookies?
Cookies are small text files that websites use to identify and remember individual users. Cookies are stored on users’ browsers and often contain personal data that can be used to re-identify a user upon repeated visits. Different cookies exist, some that are strictly necessary for a website’s basic function, some that are exclusively for marketing purposes. GDPR requires that your website obtain user consents before any processing of personal data for non-necessary purposes, which means that you must ask user for permission to activate cookies that are for preference, statistics or marketing purposes.