Cookie disclaimers and cookie banners are not the same thing.
Sure, you could use the words interchangeably, but there is a big difference between the two when it comes to compliance with the existing European data protection law – the General Data Protection Regulation – and the various national interpretations of the ePrivacy Directive 2009.
The GDPR lays out, uniformly for all 28 EU member states, the rules for how to handle cookies and trackers on your website – i.e. the rules for processing personal information.
In this blog post, we will take a look at –
A cookie disclaimer is a thing of the past. Or it should be, but in reality the Internet is littered with archaic cookie disclaimers that not only leave users confused and fatigued, but are also not compliant with the existing data protection law of the EU – the General Data Protection Regulation.
A cookie banner or cookie consent banner, on the other hand, can be a sustainable approach to protecting the privacy of your website’s users, if it is implemented correctly.
It is the technology that enables your users to decide for themselves which categories of cookies and tracking they wish to consent to on your domain, and it is the technology that enables you, the website owner, to be fully compliant with the GDPR.
Cookie disclaimers are by definition bad, if we take cookie disclaimers to be the pop-ups on websites that leave no real consent for the user.
This cookie disclaimer is exactly that – a disclaimer and nothing more. It leaves the user no choice of consent, and it doesn’t expose the cookies and tracking present on the site, nor their purpose and properties.
A critical user meeting this cookie disclaimer on a website has no choice but to hit the back button, or blindly go forward onto the site.
A critical user might also already have noticed that this cookie disclaimer gives no guarantee that non-essential cookies, such as third-party marketing cookies, haven’t already been set and activated upon arrival on the landing page.
On a website with this kind of cookie disclaimer, they most likely have.
A cookie message without any choice of prior and informed consent is not a cookie message that really protects the privacy of your users, nor does it live up to the requirements of the General Data Protection Regulation (GDPR).
The General Data Protection Regulation is a regulation (i.e. a uniformly binding legislation for all EU countries) that controls how companies, websites and other entities handle personal data.
The GDPR rules that no processing of user data is allowed without prior consent. This means that your website is not legally allowed to automatically activate any cookies, other than the ones strictly necessary for the function of your website, before users have consented.
You can get an overview of what constitutes sensitive data on the European Commission’s website.
If your website does process sensitive data, you are legally obligated to obtain explicit or affirmative consent.
In summary, for your website to be compliant with the GDPR, you must –
Staying compliant with the GDPR is important, since it means protecting the privacy of your website’s users.
Being non-compliant with the GDPR can also be a costly affair, with maximum fines being €20 million or 4% of a company’s global annual turnover, whichever is higher.
The following cookie disclaimers are compliant with the active consent (or implied consent or soft opt-in) as described in the GDPR.
This cookie disclaimer is compliant with the GDPR, as long as the domain using it does not process sensitive data (e.g. health data), in which case explicit consent is required.
Cookie consent banners – which enable prior and informed consent – are by definition good, but they can be implemented incorrectly.
You can implement the Cookiebot consent banner and still not be GDPR compliant. The following examples are non-compliant cookie consent banner implementations:
The cookie banner above is one of ours. However, it has been implemented in such a way that it is not possible for the users to un-tick the boxes of third party marketing cookies, such as those of DoubleClick (a Google company).
According to the GDPR, websites must have marketing cookies un-ticked as a default so that users have to opt in themselves.
In this banner, marketing cookies are locked in activation, leaving the user without a choice of revoking their assumed consent, as well as activating third-party cookies automatically upon the arrival of a user on the landing page: both of which are non-compliant with the GDPR.
Here is another non-compliant cookie banner. Marketing cookies are pre-ticked, which is non-compliant with the GDPR.
Cookiebot offers a high level of customization and autonomy for our customers when it comes to layout and make-up of the cookie banners. It is designed to be used in many different contexts, as well as live up to different national privacy laws and regulations.
This level of customization, however, also enables our customers to be non-compliant with the GDPR when it comes to prior consent, i.e. not activating any cookies before prior consent has been obtained.
It is, for instance, possible to have pre-ticked marketing boxes (as shown above), which is non-compliant with the GDPR.
To make sure that your website is GDPR compliant, you must leave marketing cookies un-ticked so that users opt in themselves, i.e. give their prior consent.
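To make the two failure modes above concrete, here is an added illustration (not Cookiebot’s code, and not any real banner API) of the consent logic a compliant banner has to implement: non-essential categories default to un-ticked, tagged scripts only run once their category has been affirmatively consented to, and a configuration audit flags pre-ticked or locked categories. The category names, script descriptors and config shape are all assumptions made for the example.

```javascript
// Added example: a minimal consent-gating model for a cookie banner.
// Assumed category names; "necessary" is the only one allowed before consent.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Default state before the user has made any choice: everything non-essential is off.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false, decided: false };
}

// Apply the user's explicit choices. Only an affirmative tick (true) switches a
// category on; anything omitted stays off. "necessary" cannot be disabled.
function applyChoice(state, choices) {
  const next = { ...state, decided: true };
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    next[cat] = choices[cat] === true;
  }
  return next;
}

// Decide which tagged scripts may execute under the current consent state.
// Script descriptors are assumed to look like { src: "...", category: "marketing" }.
// Before a decision, only "necessary" scripts pass, so nothing non-essential is
// activated on landing-page arrival.
function allowedScripts(state, scripts) {
  return scripts.filter((s) => state[s.category] === true);
}

// Audit a banner configuration (assumed shape: { marketing: { preTicked, locked }, ... })
// and report the two non-compliant patterns discussed above.
function auditBannerConfig(config) {
  const problems = [];
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    const c = config[cat] || {};
    if (c.preTicked) problems.push(`${cat}: pre-ticked by default`);
    if (c.locked) problems.push(`${cat}: cannot be un-ticked by the user`);
  }
  return problems;
}

// Constructed sample: three tagged scripts on a page.
const SAMPLE_SCRIPTS = [
  { src: "session.js", category: "necessary" },
  { src: "analytics.js", category: "statistics" },
  { src: "ads.js", category: "marketing" },
];

console.log(allowedScripts(defaultConsent(), SAMPLE_SCRIPTS).map((s) => s.src)); // ["session.js"]
console.log(auditBannerConfig({ marketing: { preTicked: true, locked: true } }));
```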
We here at Cookiebot obviously care a lot about things being done in the right way. Every day we fight to protect privacy, and so the correct and compliant implementation of our technology is something we care about.
This cookie banner is compliantly implemented on the given website. Un-ticked marketing cookies make this cookie banner compliant with the GDPR.
This cookie banner is also compliant with the new guidelines from the ICO and CNIL, which require affirmative and explicit consent for all non-essential cookies regardless of what type of data the website processes.
The good thing about being compliant with the European data protection law is that it means that you protect the privacy of your users in a sustainable way.