Cookie banners. Let’s talk about them.
They’ve been hanging around websites since 1994. (Basically, Stone Age digital technology.) Just think, how many cookie banners have you clicked past in your digital life without a second thought?
(A lot, probably.)
It’s enough to make a business owner or marketing professional wonder: do I really need a cookie consent banner to be compliant with the laws and regulations?
It’s hard to keep track of privacy regulations, after all, especially when changes are always appearing on the horizon. Consider that the European Data Protection Board (EDPB) adopted guidelines on valid consent in May. Or that Apple’s new iOs 14 requires users to authorize information known as IDFA, which requires opt-in permission before developers and publishers can start tracking ads.
Let’s unpack this question together.
What’s a Cookie Banner, Actually?
First: the cookie. Cookies are small text files that your computer stores when you visit a website. They contain lots of information and there’s a big variety when it comes to the types of cookie. Some are purely functional, while others might track visitor data or activity on a website.
Cookies can be really helpful for both website owners and website visitors, but they aren’t universally loved. Especially by users. They can feel intrusive and a little Big Brother-ish, especially when the purpose of cookies isn’t clearly explained and users aren’t given options for managing user consent.
In years past, it was acceptable to just pop some cookies onto your website and go back about your job. But now, as a result of legislative efforts, notice and consent are required before you can place cookies on a user’s device.
The notice and consent come in the form of cookie banners. They can be a pop up. They can be a banner on your website. They can be in your header or footer. They can be a whole wall of text ala Google.
No matter how it’s formatted, though, it has an important job: alert website visitors that cookies are present on the website and get informed consent prior to data collection.
Approaches to Cookie Banners
You have options for cookie banners depending on your cookie practices and policies. You can take a simple approach of Notice Only, which isn’t compliant with GDPR but is straightforward. You can take the Opt-Out route, which means you fire all cookies when your visitors arrive on your website.
However, this approach misses the GDPR mark.
You can take the Implied Consent route, meaning your website activates strictly necessary cookies. Users are then asked to click through to learn more and otherwise consent is implied by continued use of the site.
Finally, you can take the Opt-In approach, the most compliance-aligned method. This is your most compliance-forward approach. Fire only the strictly necessary cookies when a user arrives on your site, and get their explicit permission for everything else. An ideal opt-in cookie banner informs users what cookies are being used for and then has them take a specific and intentional action, like checking a box, before firing the rest of the cookies.
What Laws Apply to Cookie Consent Banners?
General Data Protection Regulation (GDPR)
GDPR was seriously maligned when it rolled out in 2018. It still is spoken of in aggrieved tones by some marketing and privacy professionals.
We get it. It’s a tough one. It required lots of businesses to recalibrate their operations.
But behind the challenges, it does bring some good into the world. It gives people real, actionable rights! It gives them channels to exercise them! It holds businesses accountable for how they process and use personal data. That’s worth a lot.
So where do GDPR and cookie banners meet? Like with so many privacy-related questions, it comes down to consent to data processing.
Consent, Cookies, and GDPR
What pieces need to be included in your cookie banner according to GDPR?
Opt-in Cookie Consent
GDPR requires that you take an opt-in approach, which means your website won’t fire cookies without the go-ahead from your visitors. (With the exception of those that are needed for essential site functions.) This consent should be given via an opt-in button. What’s more, you need to be extremely clear with your users: they are agreeing to cookie deployment.
Informed Consent
Why is this clarity so important? Your visitors’ consent has to be informed and explicit. You can help them provide this informed consent by spelling out what kind of cookies you are using, why you want the data, and how you’re going to use it.
Note that consent requirements are subject to change. For example, this fall the Commission nationale de l’informatique et des libertés (CNIL) in France issued new guidance that states scrolling past a cookie banner doesn’t constitute valid consent. Nor does the cookie wall, which makes consent required to access a site. Moreover, they recommend a “Reject All” button for the first layer of a cookie banner.
Learn more about CNIL and their cookie guidance.
Third-Party Data Sharing
Let’s talk a little more about how you’re using personal data. For a GDPR-compliant cookie banner, you need to tell your website visitors if you’re sharing their information with third-party vendors. Yes, we know they provide important services but they’re also a significant security risk for your business and your customers.
One big third-party service that deserves discussion here? Google Analytics. Google Analytics is one of the most common cookies run on websites so it’s understandable that people want to know how it interacts with GDPR. Google Analytics uses cookies and therefore requires user consent to be compliant.
But while Google Analytics is a data processor, you can adjust the settings so it tracks data in an anonymous mode. This means you can choose to proceed without consent. (But we definitely recommend you consider getting consent anyway as a best practice.)
Learn more about anonymizing data.
We’d be remiss if we didn’t touch on Facebook, CCPA, and cookies. Facebook is a prolific cookie source, but they’ve taken the position that businesses need to determine whether their data transfer activities with Facebook qualify as sale of data under CCPA.
That being said, businesses can make use of a feature known as Limited Data Use (LDU), which does just that: creates limitations on how Facebook can use your business’ data.
Via LDU, marketers can specify which data they want to share with Facebook. Initially, LDU was automatically enabled for all Facebook business accounts, but since July 31, businesses will have to make the updates manually.
Remember, this isn’t an exhaustive list of third-party vendors or their requirements. Always review terms and conditions for the cookies that you use.
Link to the Website’s Cookie Policy.
Finally, you’ve got to link to your cookie policy, which should detail how and why cookies are used and where they live on your site. (Remember, you need to have this legal document in place, too.) The easiest way to do that? Pop the link in your cookie banner.
Link to Cookie Settings
Consider this a bonus activity. Linking to your cookie settings isn’t required for GDPR compliance if users can outright reject all your cookies. But consider this: Privacy doesn’t need to be all or nothing. Make consent management easy for customers. When they customize their interactions with your website and your brand, they’ll be in control of their information and you’ll build a better relationship with them.
ePrivacy Directive
But before there was GDPR, there was the ePrivacy Directive. Passed in 2002 and amended in 2009, it’s not a law but rather a directive that requires EU member states to develop national privacy laws.
While GDPR deals specifically with personal data, ePrivacy works on the issues of electronic communication, web traffic, and, you guessed it, cookies. In fact, it’s sometimes referred to as The Cookie Law because it, well, laid down the law on cookies, requiring explicit user consent before websites could fire anything but strictly necessary cookies.
The regulation shares GDPR’s understanding and definition of consent as “freely given, specific, informed and unambiguous indication” through a statement or clear affirmative action. To be in compliance with the ePrivacy Directive, you’ll need to:
- Get consent (as defined above) from users before firing anything other than strictly necessary cookies
- Deliver accurate information about data tracked by each cookie before consent is given
- Document and store consent records
- Services shouldn’t be contingent on accepting cookies
- Opting out and withdrawing consent should be easy
However, EU member states and their regulatory bodies add complexity to the picture. CNIL, the Information Commission Office (UK), the Swedish Data Protection Authority, and the Hellenic Data Protection Authority are just a few of the regulatory bodies that provide guidance for their states.
To add even more complexity, the ePrivacy Directive is in the process of being upgraded to the ePrivacy Regulation. While it will carry on in spirit what the Directive put in place, it will have stricter rules for security and pose its own GDPR-like fines. On the plus side, though, the most current draft proposes to streamline cookie consent processes. (But hold your horses — the Regulation may not come into play until 2021 due to ongoing negotiations.)
Wait, what about CCPA?
You may notice that the California Consumer Privacy Act (CCPA) isn’t listed here. Quelle surprise! But CCPA, while currently the strongest state privacy law in the US, doesn’t technically require them. Instead, it requires that you notify website visitors “at or before” collection of “personal information,” which can include cookies.
Moreover, CCPA takes an opt-out rather than an opt-in approach to consent. You don’t need a banner to make the opt-out happen, but it’s the best practice to make sure you give users the fullest opportunity to exercise their individual rights.
A little bit more about CCPA and cookies
As per CCPA, websites do need to tell users what personal data they’re collecting via cookies and if they’re going to be selling it to third parties. Don’t think you sell anything? Don’t jump to that conclusion quite yet.
CCPA has an impressively broad definition of selling — it doesn’t have to mean that you or someone else has shelled out money. “Selling” in CCPA-land also refers to “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…” Even your well-intentioned ad tech might be included.
To facilitate a transparent privacy program, you can include a link that lets users accept cookies or not. One helpful further step? Provide users a preference center so they can control their cookies.
But while preference centers are great (really great, actually), they do take strategy to implement. Be thorough by including links to industry opt-outs like About Ads or Network Advertising Initiative’s (NAI) opt-outs. If Facebook and Google cookies are part of your cookie game, requirements for opting out should be linked, too.
Who Needs Cookie Consent Banners?
But the big question: Do you need a cookie consent banner? There are privacy regulations all over the world that deal with cookies, so it depends on where your customers and audience are. Is your audience located in the EU or the US? If you tick these boxes, you have to have a cookie consent banner:
- If you have customers in the EU?
- Do you target individuals in the EU?
So, that’s a pretty short list. If you don’t collect data from EU visitors, then you’re not legally mandated to post a cookie consent banner.
You can even set up your cookie banner to trigger just for visitors from the EU. Or just for California. Or you can set it up the same banner for everyone. Point is: you have options.
But even if you don’t, you still should strongly consider it.
Here’s why: Major data breaches in the past years, combined with misuse of our personal information by tech giants and the ubiquity of digital content in our lives, have eroded public trust. Only 15% of people feel like they have meaningful control over their personal information held by companies.
Compliance regulations like GDPR and CCPA work to mitigate privacy concerns and reign in misuse, but the real work shouldn’t be done in courthouses and parliaments.
It needs to be done on the ground floor. Companies, along with their legal departments and marketing teams, can take the initiative to protect their users and their data by creating transparency in their digital marketing and handing over the privacy reigns to their users.
All of this can happen within your cookie consent banner.
Privacy is operationally crucial. To get privacy working for you, it has to work for your customers and to do that, it has to center around transparency and trust. If that sounds like a goal for your business, we’d love to talk. Drop us a line to schedule a conversation today!