The General Data Protection Regulation (GDPR) affects how your website may track visitors from the EU.

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

Cookie notice - on the front of digital transparency and GDPR compliance

Complete transparency builds trust between a website and its users, between the people and the internet: our digital infrastructure.

The intersection of trust online is the cookie notice, cookie banner or cookie consent – it’s a flashlight on the dark corners, a pair of x-ray glasses mapping out the otherwise hidden anatomy of online tracking.

If it is allowed to be. The GDPR and ePrivacy are legal enforcements of the right to privacy, but the cookie notice is the actual lock on your virtual front door.

What is a cookie notice and what does it mean?

The name is a bit misleading. It’s actually more of an agreement than a notice. It is also often referred to as a cookie banner or cookie consent banner. It has many names.

The name cookie notice implies that a website has to merely notify its users of its cookies, while in reality – the European legal reality of GDPR and ePR - a website has to do quite a bit more than just that. 

A cookie consent agreement would be a much better nickname than cookie notice.

Why? Because a cookie notice is not just a casual brush-off about online tracking.

It’s a mutual agreement between a site and its users, a safeguard against third-party tracking and – yes, that’s right – a reform of the Internet towards a more transparent and user-educated infrastructure.

What does a cookie notice look like?

A cookie notice is the banner that pops up as the first thing, when you arrive on a website.

The one that tells you that the site is using cookies and then asks you to accept this.

They can take a myriad of shapes and forms, but they (should) all have in common the intention to protect your right to privacy; to withhold all tracking technology operating to collect your data, until you – the user – give consent.

Example of a great cookie notice that is clear, detailed and enables real consent from visitors.

Two types of cookie consent

Consent is in most cases given as a so-called active consent (or “implied consent” or “soft opt-in”), which means that if the user ignores the cookie notice and clicks on through the site, consent is given by the fact that the user is active on the site after the cookie notice; that the user is actively browsing despite a clear cookie notice.

However, sometimes explicit consent is necessary.

Explicit consent is the type of cookie notice that usually appears in the middle of the screen upon arrival on a website and essentially blocks the users’ way in. It’s the kind of cookie notice that doesn’t disappear until the user clicks “accept”.

This kind of cookie notice is only necessary in cases where sensitive personal data is being processed. It doesn’t matter whether the sensitive data is being processed by the website itself or by third-parties, explicit consent must be given by the user here.

Non-compliance with the GDPR cookie consent specifications can result in heavy fines - up to €20 million or 4% of a company's annual turnover, whichever is higher.

Varieties of cookies

You see, there are many different types of cookies.

Some are “necessary cookies”, without which a website wouldn’t be able to function.

Others are “marketing cookies”, likely to be third-party trackers that harvest and use or sell your personal information, often in order to construct eerily detailed profiles for targeted advertisements.

A cookie notice is needed to specify and inform the users about the variety of online tracking, required by law by the GDPR and ePR.

Requirements for a GDPR and ePrivacy compliant cookie notice

In short, a lawful, compliant cookie notice has to:

The bad, the good and the great: a walkthrough of cookie notices

A bad – and noncompliant – cookie notice is one that doesn’t specify the different tracking cookies, their functions, who’s operating them, nor leaves the user with any real choice of consent, but instead forces users to simply click “o.k.” or “accept.” This cookie notice is not GDPR compliant.

This is a bad, non-compliant cookie notice that leaves no real consent for users.

Here, we’re not talking about actual and real cookie consent, since the user has no way of knowing what they are consenting to, nor has the choice to revoke this consent, if they change their mind.

A good cookie notice is one that includes the user option to turn off the various types of trackers and cookies, with which they don’t wish to share their information.

A great cookie notice is one that, through comprehensive detail and in clear and understandable language, shares as much information with the end user as the website operator has about third-party tracking facilities and cookies operating on their site.

Through transparency, a cookie notice enables us to understand what choices we want to make online and leaves us with the informed power to protect our right to privacy online.

How to use a cookie notice

As a website owner, the responsibility of respecting the users’ right to privacy rests on your shoulders.

If your website processes sensitive personal data, you must obtain the user’s explicit consent – this is also the case if your website enables third-parties to process sensitive data, e.g. if you use an analytics or ad service, or a video or social media plugin.

Be careful and be aware of what operates on your site, so that user data isn’t harvested on your watch.

Cookiebot provides you with a cookie notice, among its core functions. It’s a software that you implement on your website directly from the cloud.

It scans your site, maps out all tracking cookies, and presents different cookie notice templates for compliant use on your website. It’s free if you have under 100 subpages.

You can then engage with your users in a transparent and trust-building way, without having to dig through the technical depth of your own website.

Cookie notice text

With a solution like Cookiebot, you are offered the choice of using a template cookie notice text, which informs your users of your website’s use of cookies, and the choice of formulating your own cookie notice text with specifics to your website.

The guiding principles should be clarity and transparency.

Check out these cookie notice examples.

Cookie notice on WordPress

If you are using WordPress as a management system for your website, you are not alone. In fact, it’s the most popular website management system in the world, with more than 60 million domains.

However, it is still your responsibility to have a compliant cookie consent notice to implement on your WordPress website or blog – not the responsibility of WordPress.

Cookie notice plugins

You can choose a cookie notice plugin that does most of the work for you. A cookie notice plugin is built specifically for a hosting system such as WordPress and can provide you with a template for managing both cookies and user cookie consent.

This way you secure transparency between your site and its guests, hence providing them with a real and informed choice of consent.

Install the Cookiebot WordPress plugin to easily make the use of cookies and tracking on your WordPress website GDPR and ePrivacy compliant.

Read more about WordPress cookie notice plugins in our article: WordPress and the GDPR.

How to think of a cookie notice – and why it’s interesting rather than boring

In the past few years, we’ve witnessed a number of big, public scandals surrounding the misuse of personal data:

The 2018 Facebook/Cambridge Analytica plot that saw the vast harvest of private information and its subsequent reselling for political purposes.

The 2016-and-ongoing digital interference in democratic elections by the Russian government that has shell-shocked Western democracies and continues to cloud US politics today.

And the 2019 revelations by Cybot’s special report on ad tech surveillance in European public sectors, which exposed the fact that 89% of official EU government websites still contain invisible 3rd party ad tracking nine months into the GDPR – of which Google accounts for three out of five.

The frontlines of trust and online privacy

The tides of public opinion have turned quite dramatically as a consequence of these events, to the point where the hashtag #BreakUpBigTech is trending on Twitter, and embraced as a policy platform by a major US presidential candidate in the 2020 election.

There’s no doubt about it: the erosion of public trust in our digital infrastructures is as clear and present a danger to the function of our increasingly digital societies, as is the rampant misuse of personal information by Google, Facebook and countless ad tech companies.

Only 15% of people feel they have complete control over the information they provide online.

The European Union is undertaking genuine efforts to regulate this breach of democratic rights, while the tech giants are lobbying heavily against being regulated.

All efforts to prevent the misuse of user data and to regulate the trillion-dollar industry of monetizing personal information are good efforts toward restoring and expanding that essential trust.

A transparent and responsible dealing with cookies and tracking is vital for websites to be compliant with EU laws on data privacy. Try for free here.

But this battle for privacy is not only fought in Brussels or Silicon Valley – it’s fought every day by website owners, who choose to protect their users from abuse and misuse; to be transparent about the otherwise invisible tracking structures of their website; and to give the control of privacy to their users.

So the cookie notice might at first glance seem like a boring, bureaucratic have-to, but it is, in fact, the frontlines of the battle for privacy – and that’s why a tremendous responsibility rests on the shoulders of the website owners.


A responsibility to not only offer cookie consent but do so in a clear and transparent way. It’s not just about your last user, and the next one: it’s about the Internet as a whole and the culture we choose to foster in here.

That’s the real reason why a cookie notice needs to be clear, honest and to the point, and not just to avoid heavy GDPR fines. It educates all of us about the ambiguous nature of the Internet.

It informs the user and the public about the shades of the visible Internet. It makes clear what to expect when being online; what to look out for, and how to take control and responsibility for your own personal information.

It’s not just a notice


Visit Cookiebot for a compliant and wholesome cookie notice solution.

Inform yourself on rules and implications of the European GDPR and how it impacts your website.

Update yourself on the repercussions of the Facebook/Cambridge Analytica scandal, one year later.

Get a comprehensive overview of the Russian interference in the 2016 US presidential election.

Take a look at “Ad Tech Surveillance on the Public Sector Web”, Cybot’s detailed and revelatory report into the hidden tracking of EU citizens.

Read about the US political debate around breaking up of tech giants.

How do targeted ads actually work? Here’s a cool and explanatory investigation into the science behind targeted ads by the New York Times.

Get a glimpse into the heavy lobbying against the ePrivacy Regulation by Privacy International.
