Updated October 27, 2020.
Informing users of what cookies are active on your website, and what kind of personal data they collect is required by law by both the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The burden of protecting user privacy shouldn’t be left on user shoulders, but rather thought of as an integral part of your website upon arrival.
Become compliant with Cookiebot consent management platform (CMP).
Exactly, what is a cookie text/cookie message?
No, here we’re talking about the cookie text or cookie message – that is, the text on the cookie banner.
Here’s an example of a good and informative cookie text (on a GDPR-compliant banner):
The consent banner is a familiar sight on most websites today, since the GDPR and CCPA have come into force in Europe and California.
However, there are many ways that websites around the world choose to declare their cookies and tracking. There are many different cookie messages on websites too.
Many cookie messages (in fact many cookie banners as a whole) are still non-compliant with the GDPR, because they leave no real choice of consent for the user and explain poorly how their personal data is being handled by the website.
EDPB guidelines on valid consent
The European Data Protection Board (EDPB) is the leading authority on the GDPR in the EU, and its main job consists of adopting guidelines and making decision on how the GDPR is to be interpreted and enforced by the national data protection authorities in each EU country.
The EDPB guidelines clarify that –
- Pre-ticked checkboxes on cookie banners are non-compliant. Checkboxes must always be deselected by default (except necessary cookies).
- Scrolling and continued use of a website is not considered valid consent. Users must give a clear and affirmative consent, not an implied consent.
- Cookie walls (consent conditional for access to a website) is non-compliant.
Cookie text for GDPR compliance
The GDPR mandates that all websites with visitors from the EU have to –
- obtain clear and unambiguous consent from its users,
- prior to any processing of personal data,
- after specifying all types of cookies and other tracking technology present and operating on its pages,
- in easy-to-understand ways that enable users to consent and to revoke consent on each specific category of cookies,
- to then be able to safely and confidentially document each user consent,
- Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.
The “clear and unambiguous prior consent” happens in our option to opt-in or opt-out of the different cookie categories (preferences, statistics, marketing), while the “specifying all types of cookies” happens in our cookie declaration and depository (our comprehensive overview of all known cookies and their purpose).
That is the Cookiebot CMP consent banner as it is known and used on hundreds of thousands of websites around the planet.
But the GDPR mandates more than that – it dictates that your website must inform its users “in easy-to-understand ways” and thus “enable users to consent and to revoke consent.”
This is where the cookie text or cookie message comes in. It is the point at which you must state the underlying truth of tracking on your website.
How you do it can make a real difference for your users, and empower them with real, informed choice of consent.
It needs to be easy to read, easy to understand, i.e. plain and simple.
An example of our cookie message scripts:
Cookie text for CCPA compliance
The CCPA regulates how businesses are allowed to handle and sell the personal information of California residents.
It is different from the European GDPR because it doesn’t require the businesses to obtain prior consent before the collection and processing of personal information is allowed.
Instead, the CCPA states that businesses must inform their Californian users of what categories of personal information their websites are collecting (e.g. through cookies), for what purpose and which third parties it’s sold to.
The CCPA also requires websites to implement a Do Not Sell My Personal Information link, through which users can opt out of having personal information sold to third parties, like Google and Facebook.
The legal requirements are thus the same for the cookie text in California, i.e. text that informs users of what technology there is, what it collects, why and with whom it is shared.
The only difference is that most websites targeting Californian users for CCPA compliance won’t be using a cookie consent banner (as shown above), but a cookie declaration including their DNSMPI link.
Cookie texts and cookie messages, examples
The primary function of a cookie text is to inform the users of the following:
- which cookies and trackers you use,
- why you use them,
- what this means for their personal data,
- who you share it with or which third parties you sell or disclose it to,
- how they can give and revoke consent (GDPR) or opt out (CCPA).
The cookie text or cookie message is the main way of communicating to your visitors that you use e.g. analytics or marketing cookies to make your website and its services better and smarter, while at the same time protecting their privacy, giving them a real choice of how their data should be used.
Users might see it as a cookie warning message, but the intent is not to warn, scare and induce fear in the end-users – rather to show how their privacy is integrated in your website’s function, just as the advertisements and analytics are.
Keep the text short, precise and appealing if you choose to customize the text yourself. Avoid cake-related jokes. Make your cookie text and cookie messages sincere and honest. The more transparent, the better cookie consent for the users to make.
How to show a cookie message on your website
Subscribing to Cookiebot CMP means easy, automatic privacy protection on your website that is GDPR and CCPA compliant.
Once employed, it will automatically scan and find all cookies and similar tracking technologies, then block all activation and data collection until the end-users have given their choice of consent in the case of GDPR compliance.
For CCPA compliance, the cookie declaration (the result of the deep scan with all cookies and similar trackers uncovered) includes the required Do Not Sell My Personal Information link for users to exercise their rights to opt out.
Privacy paradox: cookie messages vs information avoidance
Have you ever heard of the privacy paradox?
A recent study out of Harvard University tested the “privacy paradox”, i.e. how people express the importance of their privacy, yet act in ways that are in direct opposition to those strongly held beliefs.
The experiment found that people are, indeed, inconsistent about their privacy: they are willing to pay for privacy, but they are also willing to trade off their privacy for small amounts of money.
The study hints at an explanation too: people choose not to know about the consequences of their actions in order to obtain bonuses. It is known as “information avoidance” – people keep their head in the sand and avoid information about how their behavior will affect their lives.
“Even people who are willing to pay to keep their Facebook data private also have a strong preference to avoid thinking about privacy in the first place”, Dan Svirsky, the researcher behind the study said to the New York Times and added that “lots of people don’t want to think about this stuff.”
In other words, the users of your website do care about their privacy, they just don’t want to think about it all the time.
The consent fatigue phenomenon is a clear symptom of information avoidance. Your users just click at whatever pops up out of exasperation of constantly being forced to face their own privacy matters, especially when faced with bad, non-compliant cookie messages and cookie texts.
You, as the website owner, are undoubtably aware of the weary and frustrated reaction of end-users towards cookie banners online. “I just click accept, cause I’m so tired of seeing them”, is an all-too common response in conversations on this subject matter.
Cookiebot CMP saw this problem many years ago.
That’s why we developed the solution we have today: one that does not leave the difficult, uncomfortable, anxiety-inducing decisions of privacy and surveillance in the hands of the users.
“Anything that relies on people taking it upon themselves to protect their data is doomed”, Svirsky argues to the New York Times.
To respect the agency and autonomy of your users without putting the burden on them to protect themselves is not only the balance that ad blockers and private search browsers fail to strike, it’s the very uniqueness of the Cookiebot CMP solution.
A technology that lies between the website owner and their visitors as a watermark of transparency and certification, a guarantee that their privacy is protected by default.
What is a cookie text?
A cookie text or cookie message is the informative part of consent banners on websites. Under the GDPR, websites are required to inform their users of what kinds of personal data they process, how, for what purposes and with whom they share it.
Try Cookiebot CMP free for 30 days… or forever if you have a small website.
What is a valid cookie consent?
Under the GDPR, cookie consent in the EU must be a clear and affirmative action on part of the end-user, an unambiguous indication of their wishes. Websites are not allowed to process any personal data from end-users until they have consented to the activation of cookies and trackers (except necessary cookies).
What is personal data?
Under the GDPR, personal data is any kind of information that can identify a living individual, either directly or indirectly. This includes names, postal addresses, location data from phones, online identifiers such as IP addresses, unique IDs in cookies, search and browser history.
How can my website become GDPR-compliant?
Your website must inform end-users of all personal data processing going on as well as making sure that no personal data is processed before the end-users have given their consent to the specific processing purpose. Using a consent management platform can ensure full GDPR compliance for your website.
Try Cookiebot CMP free for 30 days… or forever if you have a small website.