Updated January 17, 2022.
Complete transparency builds trust between a website and its users, between the people and the internet: our digital infrastructure.
The intersection of trust online is the cookie notice, cookie banner or cookie consent – it’s a flashlight on the dark corners, a pair of x-ray glasses mapping out the otherwise hidden anatomy of online tracking.
If it is allowed to be.
The General Data Protection Regulation (GDPR) and ePrivacy Directive are legal enforcements of the right to privacy, but the cookie notice is the actual lock on your virtual front door.
What is a cookie notice and what does it mean?
The name is a bit misleading. It’s actually more of an agreement than a notice. It is also often referred to as a cookie banner or cookie consent banner. It has many names.
The name cookie notice implies that a website has to merely notify its users of its cookies, while in reality – the European legal reality of GDPR and ePR – a website has to do quite a bit more than just that.
A cookie consent agreement would be a much better nickname than cookie notice.
Why? Because a cookie notice is not just a casual brush-off about online tracking.
It’s a mutual agreement between a site and its users, a safeguard against third-party tracking and – yes, that’s right – a reform of the Internet towards a more transparent and user-educated infrastructure.
In doubt whether your website is GDPR-compliant? Test for free with Cookiebot consent management platform (CMP).
What does a cookie notice look like?
A cookie notice is the banner that pops up first when you arrive on a website.
The one that tells you that the site is using cookies and then asks you to accept this.
They can take a myriad of shapes and forms, but they (should) all have in common the intention to protect your right to privacy; to withhold all tracking technology operating to collect your data, until you – the user – give consent.
EDPB guidelines on valid consent
On May 4, 2020, the European Data Protection Board (EDPB) adopted guidelines on valid consent in the EU. The EDPB guidelines state that –
- Scrolling or continued browsing on a website does not constitute valid consent under GDPR – the user must make a clear and affirmative choice to consent to having their personal data processed.
- Pre-ticked checkboxes on cookie banners are non-compliant – cookies must be deselected by default, except for strictly necessary cookies.
- Cookie walls that make access to a website conditional on consent are likewise non-compliant – consent is not allowed to be forced in return for website access.
Learn more about the EDPB guidelines on valid consent.
Varieties of cookies
You see, there are many different types of cookies.
Some are “necessary cookies”, without which a website wouldn’t be able to function.
Others are “marketing cookies”, likely to be third-party trackers that harvest and use or sell your personal information, often in order to construct eerily detailed profiles for targeted advertisements.
A cookie notice is needed to specify the variety of online tracking and to inform users about it, as required by law under the GDPR and ePR.
Requirements for a GDPR and ePrivacy compliant cookie notice
In short, a lawful, compliant cookie notice has to:
- obtain clear and unambiguous consent from its users,
- prior to any processing of personal data,
- after specifying all types of cookies and other tracking technology present and operating on its pages,
- without any pre-ticked checkboxes on consent banners,
- in easy-to-understand ways that enable users to consent and to revoke consent on each specific category of cookies,
- to then be able to safely and confidentially document each user consent.
- Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.
The bad, the good and the great: a walkthrough of cookie notices
A bad – and illegal – cookie notice is one that doesn’t specify the different tracking cookies, their functions or who’s operating them, and leaves the user with no real choice of consent, instead forcing users to simply click “o.k.” or “accept.”
This cookie notice is not GDPR-compliant.
Here, we’re not talking about real cookie consent, since the user has no way of knowing what they are consenting to and no way to revoke this consent if they change their mind.
A good cookie notice is one that includes the user option to turn off the various types of trackers and cookies, with which they don’t wish to share their information.
A great cookie notice is one that, through comprehensive detail and in clear and understandable language, shares as much information with the end user as the website operator has about third-party tracking facilities and cookies operating on their site.
Through transparency, a cookie notice enables us to understand what choices we want to make online and leaves us with the informed power to protect our right to privacy online.
How to use a cookie notice
As a website owner, the responsibility of respecting the users’ right to privacy rests on your shoulders.
Be careful and be aware of what operates on your site, so that user data isn’t harvested on your watch.
Cookiebot CMP provides you with a cookie notice, among its core functions. It’s software that you implement on your website directly from the cloud.
It scans your site, maps out all tracking cookies, and presents different cookie notice templates for compliant use on your website. It’s free if you have under 50 subpages.
You can then engage with your users in a transparent and trust-building way, without having to dig through the technical depth of your own website.
Cookie notice text
The guiding principles should be clarity and transparency.
Check out these cookie notice examples.
Cookie notice on WordPress
If you are using WordPress as a management system for your website, you are not alone. In fact, it’s the most popular website management system in the world, with more than 60 million domains.
However, it is still your responsibility to implement a compliant cookie consent notice on your WordPress website or blog – not the responsibility of WordPress.
Cookie notice plugins
You can choose a cookie notice plugin that does most of the work for you. A cookie notice plugin is built specifically for a hosting system such as WordPress and can provide you with a template for managing both cookies and user cookie consent.
This way you secure transparency between your site and its guests, hence providing them with a real and informed choice of consent.
Read more about WordPress cookie notice plugins in our article: WordPress and the GDPR.
How to think of a cookie notice – and why it’s interesting rather than boring
In the past few years, we’ve witnessed a number of big, public scandals surrounding the misuse of personal data:
The 2018 Facebook/Cambridge Analytica plot that saw the vast harvest of private information and its subsequent reselling for political purposes.
The 2016-and-ongoing digital interference in democratic elections by the Russian government that has shell-shocked Western democracies and continues to cloud US politics today.
And the 2019 revelations by the special Cookiebot CMP report on ad tech surveillance in European public sectors, which exposed the fact that 89% of official EU government websites still contain invisible third-party ad tracking nine months into the GDPR – of which Google accounts for three out of five.
The frontlines of trust and online privacy
The tides of public opinion have turned quite dramatically as a consequence of these events.
There’s no doubt about it: the erosion of public trust in our digital infrastructures is as clear and present a danger to the function of our increasingly digital societies, as is the rampant misuse of personal information by Google, Facebook and countless ad tech companies.
Only 15% of people feel they have complete control over the information they provide online.
The European Union is undertaking genuine efforts to regulate this breach of democratic rights, while the tech giants are lobbying heavily against being regulated.
All efforts to prevent the misuse of user data and to regulate the trillion-dollar industry of monetizing personal information are good efforts to restore and expand that essential trust.
But this battle for privacy is not only fought in Brussels or Silicon Valley – it’s fought every day by website owners, who choose to protect their users from abuse and misuse; to be transparent about the otherwise invisible tracking structures of their website; and to give the control of privacy to their users.
So the cookie notice might at first glance seem like a boring, bureaucratic have-to, but it is, in fact, the frontlines of the battle for privacy – and that’s why a tremendous responsibility rests on the shoulders of the website owners.
A responsibility to not only offer cookie consent but do so in a clear and transparent way. It’s not just about your last user, and the next one: it’s about the Internet as a whole and the culture we choose to foster in here.
That’s the real reason why a cookie notice needs to be clear, honest and to the point, and not just to avoid heavy GDPR fines. It educates all of us about the ambiguous nature of the Internet.
It informs the user and the public about the shades of the visible Internet. It makes clear what to expect when being online; what to look out for, and how to take control and responsibility for your own personal information.
It’s not just a notice …
What is a cookie notice?
A cookie notice is a mechanism used on websites to obtain consent from users to the processing of their personal data. Cookie notices appear when a user lands on a website and inform them that the website is using cookies and trackers that process personal data, and that the user must make a choice whether they want their personal data processed.
What is the GDPR?
The GDPR – or General Data Protection Regulation – is an EU law that controls the processing of personal data of individuals inside the European Union. The GDPR empowers users with the right not to have their personal data processed without their prior consent, as well as the rights to have it rectified and deleted and to access it. The GDPR specifies that user consent must be a freely given, specific, informed, unambiguous indication of a user’s wishes.
What are cookies?
Cookies are small files that are stored on a user’s browser when they visit a website. They often contain information like IP addresses or unique IDs that make it possible for websites to identify and recall individual users upon repeated visits. Third-party marketing cookies can be used to track users across the Internet in order to serve them targeted, behavioral advertisements. Under the GDPR, websites are not allowed to store cookies on a user’s browser without their clear and affirmative consent.
What is personal data?
Visit Cookiebot CMP for a compliant and wholesome cookie notice solution.
Inform yourself on rules and implications of the European GDPR and how it impacts your website.
Learn more about the EDPB guidelines for valid consent in the EU
Update yourself on the repercussions of the Facebook/Cambridge Analytica scandal, one year later.
Get a comprehensive overview of the Russian interference in the 2016 US presidential election.
Take a look at “Ad Tech Surveillance on the Public Sector Web”, Cybot’s detailed and revelatory report into the hidden tracking of EU citizens.
Read about the US political debate around breaking up the tech giants.
How do targeted ads actually work? Here’s a cool and explanatory investigation into the science behind targeted ads by the New York Times.