Create a Free Cookie Banner

Also created in the European Union (EU), the General Data Protection Regulation is the world’s strictest data privacy law. It gives citizens of the EU the right to be informed when websites collect their personal data.

To comply with the rules of the GDPR, any website that receives visitor traffic from the EU must display a cookie banner informing EU citizens of their rights under the law.

A cookie banner that is compliant with the GDPR should:

• Include a button to accept cookies: Your website must not activate cookies until the user performs an affirmative action, such as pressing the “Accept” button — i.e., opts in. Your cookie banner should clearly state that by clicking the button, the users allow the cookies on your website to collect their data. If it contains options to accept or reject the use of cookies, both buttons must get featured with equal prominence.
• Give detailed information about how and why you use cookies: Under the rules of the GDPR, websites must allow users to make informed choices about the website’s use of cookies. To make an informed choice, the customer must receive sufficient information about the usage of the data collected via cookies from the website. Your cookie banner text must inform the user of the purpose of the data collected, whether for advertising, analytics, or another objective.
• Inform the user about sharing private data with third parties: If your website plans to share the data collected via cookies with any third party (advertising or analytics partners), the cookie banner must disclose this information to the user. Some websites include a link within the cookie banner to a list of vendors with whom they share such data.
• Include a link to the website’s cookie policy: Within the cookie banner, the user must be able to click a link to view the website’s cookie policy. That way, visitors can get informed about the types of used cookies, the reasons for collecting information, how to remove cookies, and the methods of storing data.
• Link to the cookie preference settings: Many websites link to their cookie preferences page within the cookie banner. Users can allow some cookie categories and reject others on the preferences page. A user may choose, for example, to reject targeted advertising cookies but allow those used for website analytics.

The California Consumer Privacy Act (CCPA) was revised several times before California’s Office of Administrative Law approved the final (and current) version of the law.

The CCPA does not require websites to obtain the consent of users before using cookies except for the sale of personal data of users under 16 years of age.

A cookie banner that complies with the CCPA should:

• Provide information about how and why you use cookies: A CCPA-compliant cookie banner should give users details about why the website uses cookies and whether it shares the collected data with any third parties.
• Include a button to accept cookies: The CCPA does not require explicit user consent, but many websites include a button within their cookie banner to allow the user to accept cookies. The cookie banner may also contain a link to the website’s cookie settings page, where users can select which cookie types (if any) they wish to accept.
• Include a “Do Not Sell” button: Any business subject to compliance with the CCPA must add a “Do Not Sell My Personal Information” button and page to its website, allowing customers to opt out of the sale of any personal information the website collects about them.

In the United Kingdom (UK), the Information Commissioner’s Office (ICO) is an independent body overseeing the privacy rights of citizens of the UK.

The ICO’s guidance shares many similarities with the GDPR. For example, the ICO does not recommend accepting implied consent for cookies, instead suggesting that websites require users to give explicit consent before providing any non-essential cookies, including cookies that collect data on website analytics. In addition, it advises websites not to use pre-checked boxes or other mechanisms that may nudge users toward accepting consent.

According to the ICO’s guidance, cookie banners must:

• Include information about how and why you use cookies
• Not use “cookie walls,” which are cookie banners that force the user to accept cookies before being allowed to continue to the website.

The French CNIL’s cookie banner guidelines are similar the ICO and GDPR.

For a cookie banner to be CNIL compliant, it should:

• Include a button to accept cookies: The banner must give the user information about the specific data that cookies collect, the purpose of such action, and the potential share of information with third parties.
• Include specific links: The cookie banner must include links to the website’s cookie policy and settings.
• Inform the user about analytics cookies: The banner must inform the user about the use of cookies that collect data about website analytics. Before the website can use analytics cookies, it requires the user’s explicit acceptance. The banner must also include a mechanism for the user to reject analytics cookies, usually in the form of a link to the website’s cookie settings page.
• Avoid using cookie walls: The website is advised not to use cookie walls to block the use of the page if the user does not agree to allow cookies.

The Lei Geral de Protecao de Dados (LGPD), or General Personal Data Protection Act, is the Brazilian data privacy law that took effect in September 2020. Because of the similarities between the Brazilian law and the GDPR, cookie banners compliant with these two laws will appear very similar.

To be compliant with the LGPD rules, a cookie banner should:

• Explain the website’s data collection: The banner should inform users that the website collects and processes their data. It should also explain the how and why behind the cookies and list any third parties with whom the website may share this data.
• Allow users to refuse consent: Users must know they can choose to accept or refuse data collection. The banner should make this clear and provide intuitive buttons for these actions.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian data privacy law that applies to private-sector organizations that collect, use, or disclose personal information for commercial activity.

It differs from other privacy laws as it contains the requirement to obtain meaningful consent from the user — i.e. if the use of cookies under the circumstances is reasonable.

Therefore, whether you need to obtain implicit or explicit consent depends on the circumstances.

A cookie banner compliant under PIPEDA should:

• Obtain explicit user consent: Unless the user would expect data to be collected, your cookie banner should require meaningful consent to data gathering via cookies on your website.
• Inform the user about data collection: The banner should explain the categories of data collected and the purpose of your website processing this data.

According to the Office of the Privacy Commissioner for Canada, you must have the user’s explicit consent when:

• The information being collected, used, or disclosed is sensitive
• The collection, use, or disclosure is outside of the reasonable expectations of the user
• The collection, use, or disclosure creates a residual risk of significant harm

Canada’s Privacy Commissioner also recommends the following to make your consent process more meaningful:

• Allow users to control how many details they wish to receive and when.
• Use innovative, creative ways of obtaining consent.
• Remind users periodically about their consent choices and those available to them.
• Periodically audit your privacy solutions to ensure they reflect current practices on personal information management.
• Be prepared to demonstrate that your consent process is user-friendly and easily understandable.
• When developing consent processes, consider involving users, focus groups, privacy experts, or regulators and following established best practices.

Thailand’s Personal Data Protection Act (PDPA) is the country’s first law designed to oversee data protection in the digital age. It often gets compared to the EU’s GDRP, and indeed, several principles of the PDPA were heavily influenced by the GDPR.

For a cookie banner to be compliant under the PDPA, it should:

• Inform the user about cookies: The cookie banner should explain to the user that your website uses cookies. It should also specify what data the cookies collect, who does so, and for how long.
• Withhold cookies until the user consents: All cookies should be blocked until or unless the visitor consents to your website’s use of cookies.
• Provide a way to change or decline consent: The banner should include a simple mechanism for the customer to change their previous consent choice or to reject the use of cookies to collect their data.

It is important to note that all of your users’ consent choices must, by law, be stored for five years.