The Best Cookie Policy Practices: Top Examples & Guidelines

Best Cookie Policy Practices

You’re probably more familiar by now with what cookies are and how they can improve your browsing experience.

Since cookies handle important information, mandates like the cookie law require websites to explicitly inform visitors about cookies.

Here are the best practices for cookie policy and how you can properly inform your users of their rights.

Best Examples of a Cookie Consent Notice

There are different ways to inform users about your cookie policy and the importance of cookie consent.

One of the best ways to do this is to have a visible cookie consent notice on your website. Its appearance may vary, but it holds all the information your users need to understand cookies.

These are the different formats of the cookie consent notice and how they can differ for the various privacy laws in each country or region.

1) GDPR Cookie Banner

GDPR Cookie Banner Netflix

The General Data Protection Regulation requires websites to use cookie consent banners to inform users of their rights.

This mandate applies to any website accessed by visitors from the EU, even if a non-EU citizen owns the website.

A GDPR cookie consent notice should have the following:

  • Accept and Reject Buttons: This opt-in consent approach gives the website user the freedom to choose if they will accept or reject cookies. Implied consent is not allowed.
  • Detailed Information About Cookie Usage: There should be enough information about what and why cookies are used on the website.
  • Information on Third Parties: It should explain and list the different third parties involved with cookie usage.
  • Include a Link to the Cookie Policy: The banner should link to the website’s cookie policy to further explain how the website utilizes internet cookies.
  • Include a Link to the Cookie Settings: While it’s not strictly required, it’s best to provide users a way to access and manage their cookies easily.

The strictness of the GDPR has set data privacy standards and influenced numerous practices worldwide.

Note: Websites that only collect anonymous data or a load-balancing cookie are not subject to the Cookie Law and don’t require consent for necessary cookies.

Later, we’ll discuss how you can make your cookie consent more GDPR-compliant.

2) CCPA Cookie Banner

CCPA Cookie Banner NB

The CCPA requires websites to inform visitors about the information they collect and how they’re used. The main contents of a CCPA-compliant cookie banner are the following:

  • Information About Cookies: They must list the cookies, third parties, and other details regarding the site’s cookies.
  • Button to Accept Cookies: The main difference with the GDPR is that it can place cookies before the user selects accept.
  • “Do Not Sell” Button: Citizens have the right to opt out of the sale and should also link to the site’s privacy policy.

While the CCPA may not have the same explicit or transparent nature as the GDPR, its pop-up approach is still an effective way of informing site visitors about cookies.

3) Nevada Privacy Law Cookie Banner

Unlike the previous two, the Nevada Privacy Policy Law doesn’t need explicit consent when it comes to data collection. This also applies to information about opting out.

Customers in Nevada would need to proactively check the site’s cookie policy and take the necessary steps to protect themselves.

However, many sites could still follow the template of previous banners to help conform to the laws of other states.

4) ICO Cookie Banner

ICO Cookie Banner Netflix

The ICO cookie banner is also based on GDPR. They’re just as strict when it comes to consent.

It needs to include a link for which cookies are used on the website and what they will do.A key difference for the ICO cookie banner is that users also need to provide consent for analytics cookies, which is different from other EU states, like France.

5) LGPD Cookie Banner

The LGPD cookie banner was also patterned with the GDPR.

Just like the GDPR banner, it also requires websites to provide users with information about how and why they collect data. They should also have a statement about denying consent.

It should also be stated if cookies are used for targeted ads and similar cookies.

6) CNIL Cookie Banner

Etsy CNIL Cookie Banner

A CNIL cookie banner generally follows a format similar to the GDPR. However, it also has a few key differences for some cookies.

Besides the usual requirement to inform users of the cookies and why it’s used, they’re also required to notify users that it doesn’t lead to targeting individuals.

While CNIL doesn’t require consent for analytics cookies, they still need to include it on their consent notice and explain what they’re for. These can be edited on the website’s privacy settings.

What is Cookie Consent?

Cookie Consent

Cookie consent is a plugin or pop-up feature on a website that gives users control over their personal data online.

This feature contains the website’s important links and documents, like the cookie policy and settings. It’s the easiest way to inform website visitors about their rights to their data.

If a person chooses to accept cookies through the cookie consent banner, the website can do tasks like save login details or your preferences for that site.

While not all countries need to have an actual pop-up or banner, it’s recommended to protect the users and the owners of websites.By having cookie consent, websites can establish trust with their users. People who choose to accept cookies trust the website with sensitive information.

Types of Cookie Consent

Types of Cookie Consent

Cookie consent can vary depending on the laws of a country or region. Most of them are patterned after the EU’s Cookie Law, which requires a website to inform users before storing cookies on computers and mobile devices.

These are the different types of cookie consent based on the privacy laws in place.

General Data Protection Regulation

The GDPR is known to be one of the strictest privacy laws in place, influencing the laws of European Union member states. They’ve also influenced other privacy laws worldwide.

Along with the ePrivacy Directive, and the EU cookie law, the GDPR has data protection authorities working to ensure these mandates are implemented correctly.

Their central protections give EU citizens the right to be informed about how businesses collect and use their information. They prioritize consent explicitly and freedom to opt out.

The EU cookie consent rules apply on a per-country basis. It can vary to fit the individual constitutions and laws of each member state.

California Consumer Privacy Act

The CCPA went into effect on January 2020 to protect the personal data of Californians. For this law to apply to a business, it must meet AT LEAST ONE of these conditions:

  • They’re a business that earns more than $25 million in revenue.
  • They derive 50% of their annual revenue from selling the personal data of California citizens.
  • They process the data of at least 50,000 consumers, households, or devices.

Unlike the GDPR, they’re not required to have opt-in consent before they set cookies. However, they’re still required to have accessible links on the website’s cookie policy and settings.

They’re also required to disclose the third parties they’re involved with.

A great example will be when you drop into a page, and a footer banner shows the necessary information.

Some can have the same model as the GDPR, while others may have a statement on cookies along with the links for users to learn more about it and edit settings.

However, this mandate can get complicated because it requires websites to have an opt-in consent notice to sell visitors’ personal data between the ages of 13 and 16.

That’s why even though websites are generally not required to do the opt-in method, it’s still advisable in case there are younger visitors.

Nevada Privacy Law

This privacy law went into effect in 2019. While it does have some similarities with GDPR and CCPA, it’s not as strict when it comes to asking for consent.

If a website is based in Nevada but has visitors from other states or regions, it would have to add more restrictions to follow the country or region’s policies.

Information Commissioner’s Office

The ICO is an independent body in the UK government tasked with upholding their citizens’ information rights.

Since EU privacy laws were passed while the UK was a member state, their consent requests for data collection guidelines are patterned after the GDPR and PECR.

The PECR, or Privacy and Electronic Communications Regulations, are derived from EU law, which sets more specific guidelines regarding privacy rights.

These regional mandates help the UK’s general data protection regime become more strict with the privacy details of their websites.

Lei Geral de Protecao de Dados

The LGPD is the Brazilian data protection regulation. It was established in August 2020 to amend the country’s previous laws on personal data protection.

It also has many similarities with the GDPR and the Cookie Law, combining its previous law with the provisions of the European model.

It’s why there are many similarities in how their cookie notices and policies look.

Commission Nationale de L’Informatique ET Des Libertés

The CNIL serves as the French data protection authority. Since France is also an EU state, its mandate also adheres to the GDPR and the EU cookie law.It generally has similar provisions as the GDPR and ICO, with subtle differences to make it more applicable to fit their local laws.

How to Set Up Compliant Cookie Banners

Set Up Compliant Cookie Banners

Creating a cookie consent banner is more accessible nowadays. Many great cookie consent banner generators can give you a banner in minutes!

Some websites, like WordPress, even feature a cookie consent plugin to make it easier for website owners.

Here’s a simple step-by-step guide to help set up a compliant cookie banner for your website.

1) Choose Your Compliance Preference

Once you’ve chosen and created an account with your preferred cookie consent solution, you’ll be redirected to a page on the laws your banner can follow.

It will serve as the main template of your cookie banner. If you need a GDPR or CCPA-compliant banner, the generator will adjust the banner to fit your needs.

Select the mandate your cookie banner should conform with. It’s important to consider your website’s demographic for this step.

Different banners are required for the various laws around the world. While a vast majority may be in line with the GDPR, it’s important to consider it while creating your cookie banners.

2) Customize Your Cookie Consent Banner

After entering your consent preferences, you can customize your cookie banner to match your website’s aesthetic. You can change the theme, fonts, colors, and more.

You can also choose a specific language for your banner. It can automatically change based on the user’s IP address or location.

In terms of placement, you can usually choose between the following:

  • A footer banner at the bottom of the page
  • A floating banner which will usually pop up on the right side or in the middle of the page
  • A header banner at the top of the page

Ensure your cookie policy is also included and visible so users can easily find more information about them.

3) Add the Necessary JavaScript

Before finalizing your cookie consent widget, adding the necessary JavaScript scripts is important.

It includes scripts for Google Analytics cookies and other similar third-party cookies.

These tracking scripts will help you process data collection with ease. It can divide the cookie categories, which may need an individual user’s consent.

When users accept cookies, there are times when they block non-essential cookies. This step will also help organize those preferences later on.

This step determines the overall cookie consent level your user’s device can accept, depending on what users allow.

4) Copy Your Cookie Banner Code

Once you’ve finalized everything, review your cookie consent banner. While generators are designed with legal advice, it’s still best to ensure everything is complete.

Before publishing it on your website, you can also preview how your cookie consent banner will look.

Then, copy the code and paste it onto your website. It should start tracking cookies and consent for you.

Your cookie consent banner generator usually comes with a consent manager. This feature will easily manage cookie consent and update your banner as necessary.

GDPR Consent Checklist/Guidelines

GDPR Consent Checklist

As mentioned earlier, the GDPR is one of the strictest when it comes to protecting the personal data of its citizens.

It can be difficult to keep track of the guidelines that will help you comply with this law.

Here are things to add to your checklist when fixing your cookie consent banner. We’ve also included variations from other EU states to make it more country-specific.

Note that these guidelines can also apply to the UK post-Brexit.

Equal Prominence Between “Accept” and “Reject” Buttons

The GDPR requires explicit consent for a website to use cookies. The buttons should encourage the user to click on accept. It allows the user to have complete autonomy over their decision about accepting cookies.

If your cookie notice uses a consent box, it should not be pre-checked or pre-enabled. Nudging or emphasizing the accept button is also not allowed.

Since you’re handling an individual user’s data, the consent has to be solely from them.

Implied consent is not allowed, especially in the UK, Germany, and France. Websites should explicitly obtain consent from the users for them to use cookies.

Actions on the website, such as scrolling and clicking, don’t count as consent in countries like Germany, Italy, and Spain. Until the user interacts with the cookie consent widget, they have not given their consent.

France is also strict with obtaining every user’s consent. However, they provide a flexible exception for using analytics cookies and functional cookies.

Italy also requires websites to include a close (X) button for a website’s cookie banner, allowing the user to close it. An additional notice should pop up, notifying the user of what closing the banner means.

Information on Cookies With Cookie Settings

Any cookie information and the policies tied to them should be presented in simple language. It helps the users fully understand whether they should give consent for cookies.

Users should also have the right to withdraw consent. Including a link to the cookie settings where they can change their preferences is essential.

The mandate also requires websites to include a link to the cookie settings. It will allow users to choose the cookies they’ll enable and opt out of.

Germany requires the cookie banner and all its information to comply with the website’s privacy and cookie policy. Luckily, the best privacy policy generators can work with cookie policies and banners.

On the other hand, Spain prefers to have numerous layered banners instead of a single cookie banner. Its goal is to avoid information overload for the users.

Link to the Website’s Cookie Policy

In addition to the clear information about what cookies are, websites need to include a link to their cookie policy. It’s to provide supporting documents for the information on the banners.

Some countries, like Germany and Italy, also require websites to add their privacy policy on the banner, while others may want to exclude it.

No Cookie Walls

A cookie wall is a feature that can block access to the website if the user chooses to decline cookies. All websites covered by the GDPR are not allowed to have cookie walls if the user refuses cookies.

It also applies to users who edit their preferences and withdraw consent after agreeing to it.

Users have the right to opt out of the website’s cookie policy. It’s a provision in the law that gives users autonomy over their personal information.

Keep Cookie Consent Notices Separate

It’s best to keep a cookie consent notice separate from other legal documents, like the terms and conditions. It helps keep all forms of legal consent separate from each other.

A key feature of consent notices is their expiration date, which may vary per country.

A website’s consent manager would have to take note of these expiration dates, among other documents, and ask for consent again when needed.

Your cookie policy is different from your privacy policy. Therefore, it’s important to consider both kinds of policies while you’re fixing your cookie consent.

Frequently Asked Questions (FAQs)

FAQs

You may have more questions about cookie consent notices and how they work.

We’ve gathered the commonly asked questions to help you with your research.

How do Cookies Work?

Cookies are generally small personal data stored to help streamline a user’s browsing experience.

Once the user interacts with the cookie consent popup, the cookie consent manager you’re using will note their decision. It helps your website know when to block cookies or allow them.

When you have consent collected, it will know when to drop cookies and collect the necessary information. However, the website can’t drop cookies if a user decides to opt out of cookies.

There are those like session cookies, which are created while a user scrolls through a site. Then, they’re automatically deleted once your browsing session is done.

On the other hand, persistent cookies are stored in the user’s device and retrieved once the user reaccesses the website.

Do Website Owners Need to Inform Users and Secure Consent for Cookies?

Not all countries require consent for a site to drop cookies. Some countries and regions are stricter when it comes to obtaining consent.

Others may rely on implied consent to store cookies in devices, depending on the nature of the cookies.

However, refusing consent is a right of the users. Various privacy laws state that they’re not allowed to have cookie walls or prevent a user from accessing the website for choosing to opt out.

It’s also mandatory to inform users regarding the use of cookies on the site, especially regarding third-party cookies. It’s one of the many reasons a website needs a cookie policy.

What Makes a Good Cookie Consent Policy?

A good cookie consent policy follows the laws for privacy. It may depend on the law applied to the website’s region, but the most basic goal is to inform users of their rights and the law.

They’re also written in simple terms, allowing users to understand the information. It’s the best way to let them know their rights and what they can do to stay safe.

Many excellent cookie policy generators can make this process faster and easier for anyone.

How Can We Comply With Cookie Rules?

The best way to comply with cookie rules, like the Cookie Law and GDPR, is to have a cookie consent notice that clearly explains the user’s rights.

Since these plugins are designed to inform the user and gather consent, it easily fulfills the goals of the different cookie rules.

What are the Main Security Concerns with Cookies?

The most common security concern with privacy is third-party cookies. These are cookies generated by websites outside of the website you’re browsing.

Cookies from these third parties are usually used for targeted advertising on the website you’re on. They’re different from first-party cookies created by the website itself.

The cookies’ nature from third parties can make them vulnerable to being tracked and hijacked. Since they link to different websites, hackers can easily tap into them if connections aren’t secured.

While there are laws that help protect users from these risks, users still have the responsibility to ensure their safety online. Users can do this by having a strong password and dual authentication.

Increasing security measures don’t automatically remove all risks, but it does decrease them for most users.

Conclusion

Complying with numerous mandates can be a challenge. However, privacy and security are important when browsing the internet.

Adhering to the laws in place helps keep internet users and owners of websites safe online.