Updated October 27, 2020.
A cookie disclaimer and a cookie consent banner are not the same thing. The difference is that one is GDPR compliant and the other is not.
The GDPR and EDPB guidelines on valid consent clarify how your website is allowed to process personal data from users visiting your domain.
In this blogpost, we look at different examples of compliant and non-compliant cookie disclaimers and cookie consent banners on websites, so you can be sure to have the correct and compliant implementation for consent on your website.
Valid consent is a –
EDPB guidelines on valid consent clarify that scrolling and continued browsing is not considered valid consent, nor are cookie banners with pre-ticked checkboxes or cookie walls (forced consent conditioned on website access).
Your website’s consent solution must present users with a real choice of consent that lives up to the GDPR requirements above.
Cookiebot is a consent management platform (CMP) that takes all the hard work out of protecting the privacy of your users by making your website compliant with the GDPR.
Our unmatched scanning technology detects all cookies and trackers in operation on your domain and blocks everything until the user has given their choice of consent.
User consents are obtained through a granular cookie banner that informs the user in detail of each cookie and enables them to easily withdraw consent again, should they choose to.
Cookiebot’s cookie consent banner that makes your website fully compliant with GDPR and EDPB guidelines.
Cookiebot documents each obtained consent securely and renews them at appropriate intervals, as required by the GDPR and clarified in the EDPB guidelines on valid consent.
If you’re in doubt whether your website handles its cookies and your users’ personal data in a legal way, try Cookiebot’s free GDPR compliance test.
Sign up to Cookiebot for free today… or forever if you have a small website.
A cookie disclaimer is a thing of the past.
Or it should be, but in reality, the Internet is littered with archaic cookie disclaimers that not only leave the users confused and fatigued but are also not compliant with the existing data protection law of the EU – the General Data Protection Regulation (GDPR).
A cookie banner or cookie consent banner, on the other hand, is a sustainable and GDPR/ePR compliant approach to protecting the privacy of your website’s users – if it is implemented correctly.
A consent banner is the technology that enables your users to decide for themselves which categories of cookies and tracking they wish to consent to on your domain, and it is the technology that enables you, the website owner, to be fully compliant with the GDPR.
The European Data Protection Board (EDPB) is the lead supervisor of GDPR enforcement in the EU.
The job of the EDPB is to adopt guidelines and issue decisions on how the GDPR is to be interpreted and applied in each EU member country by the national data protection authorities.
On May 4, 2020, the EDPB adopted guidelines on valid consent that clarify what kind of user actions on websites constitute GDPR compliant consent.
The EDPB guidelines state that –
The General Data Protection Regulation (GDPR) is a regulation (i.e. a uniformly binding legislation for all EU countries) that controls how companies, websites and other entities handle personal data.
GDPR rules that no processing of user data is allowed without prior consent. This means that your website is not legally allowed to automatically activate any cookies but the ones strictly necessary for the function of your website before obtaining user consents for each specific cookie and their different purposes and functions.
Before the EDPB guidelines, if your website processed personal data that was not sensitive data (such as health data or data about sexual or religious orientation), then implied consent was enough.
This meant that if users kept scrolling on that website, this behavior would constitute consent in the eyes of the law.
With the EDPB guidelines from May 2020, valid consent under the GDPR means that cookie banners stating that continued use of a website counts as consent are non-compliant with the GDPR. Cookie banners presented to the user with already ticked checkboxes are likewise non-compliant.
Cookie banner giving the illusion of a choice, but forces the user into a non-compliant choice of consent.
Your website, according to the EDPB guidelines, is also not allowed to force users into a take-it-or-leave-it situation by making their prior consent a condition of access to your domain.
This way of forcing consent from users is known as a cookie wall, and the EDPB guidelines clearly rule cookie walls out as an invalid way of obtaining user consent for the processing of personal data.
For your website to be compliant with the GDPR, you must –
Staying compliant with the GDPR is important, since it means protecting the privacy of your website’s users.
Being non-compliant with the GDPR can also be a costly affair, with maximum fines being €20 million or 4% of a company’s global annual turnover, whichever is higher.
Archaic, bad and illegal cookie disclaimer found somewhere on the web.
A cookie disclaimer is exactly that – a disclaimer and nothing more.
Cookie disclaimers leave no real choice of consent for the user, as they don’t expose the cookies and tracking in operation on the website, their purpose and properties, or a choice of consenting to some cookies and not to others.
Users meeting this cookie disclaimer on a website have no choice but to hit the previous page button, or blindly accept and go forward onto the site.
Users might also already have noticed that this cookie disclaimer gives no guarantee that non-essential cookies, such as third-party marketing cookies, haven’t already been set and activated upon arrival on the landing page.
They most likely have on a website with this cookie disclaimer.
A cookie message without any choice of prior and informed consent is not a cookie message that really protects the privacy of your users, nor does it live up to the requirements of the GDPR.
The following cookie disclaimers are non-compliant because they rely on the now-illegal implied consent or soft opt-in, clarified as unlawful by the EDPB guidelines on valid consent.
A non-compliant cookie disclaimer using the unlawful implied consent.
This cookie disclaimer used to be compliant with the GDPR but is unlawful after the EDPB guidelines on valid consent that specify that consent must be granular, specific, freely given and easily withdrawable.
The cookie disclaimer relies on the implied consent of the user by their continued scrolling and browsing on the site. However, the EDPB guidelines state clearly that this does not meet the requirements for valid consent.
Cookie consent banners are different from cookie disclaimers, because they are designed to meet the different GDPR requirements that together constitute a valid consent.
However, cookie consent banners can also be implemented wrongly so that users are in fact not protected by prior consent and your website not actually GDPR compliant.
The following examples are non-compliant cookie consent banner implementations.
The cookie consent banner above is a Cookiebot banner, but it has been implemented in a way that leaves the user without the possibility to deselect the already pre-ticked cookie categories, violating the GDPR’s principle of consent being freely given and specific that has been cemented by the EDPB guidelines 05/2020.
Such an implementation also violates the principle of prior consent: when the cookie categories are pre-ticked, the cookies are already in operation when the user lands on the website, and are therefore already processing personal data even though the user has not consented to this yet.
According to the GDPR and the EDPB guidelines, websites must have preference cookies, statistics cookies and marketing cookies un-ticked as a default so that users have to opt in themselves. Only necessary cookies are allowed to be pre-ticked.
In the following cookie consent banner, also one of Cookiebot’s, all three non-necessary cookie categories are pre-ticked when the user lands on the website, meaning that marketing cookies are already processing their personal data even though they haven’t clicked the “OK” button yet.
Another cookie banner from Cookiebot with non-compliant pre-ticked checkboxes.
Cookiebot’s consent management platform offers a high level of customization and autonomy for our customers when it comes to layout and make-up of the cookie banners. It is designed to be used in many different contexts, as well as live up to different national privacy laws and regulations.
To make sure that you use Cookiebot in full GDPR compliance, you must leave all cookie categories deselected by default (except necessary cookies), so that users can exercise a clear and affirmative prior consent.
We here at Cookiebot obviously care a lot about things being done in the right way.
Every day we fight to protect privacy, and so the correct and compliant implementation of our technology is something we care about.
A Cookiebot consent banner that is compliant with the GDPR/ePR and the CJEU ruling.
This cookie banner is compliantly implemented because -
The good thing about being compliant with the European data protection law is that it means that you protect the privacy of your users in a sustainable way.
A cookie consent banner is a way for websites to be compliant with the EU's GDPR, which requires that websites obtain the prior consent of users in order to legally process their personal data, e.g. through cookies and trackers. Cookie consent banners are found on most websites today and come in various types and designs, only some of which are actually compliant with the GDPR.
The GDPR and EDPB guidelines on valid consent specify that user consents must be obtained prior to the activation of any cookies or trackers (apart from those strictly necessary for the basic function of your website) that process personal data. Cookie banners must have easy-to-understand text that informs users in detail about each cookie in operation. Cookie banners are not allowed to have pre-ticked checkboxes or nudge users into making one choice rather than another. Cookie banners must be granular, i.e. users must be able to select some cookies rather than others, and consent needs to be as easily withdrawn as given.
Cookies are small text files that websites use to identify and remember individual users. Cookies are stored in users' browsers and often contain personal data that can be used to re-identify a user upon repeated visits. Different cookies exist, some that are strictly necessary for a website's basic function, some that are exclusively for marketing purposes. GDPR requires that your website obtain user consent before any processing of personal data for non-necessary purposes, which means that you must ask users for permission to activate cookies that are for preference, statistics or marketing purposes.