
How to Create Law-Compliant Cookie Consent Notices According to GDPR, CCPA, and The Cookie Law?

The following article explains the General Data Protection Regulation (GDPR), the ePrivacy Directive (better known as the Cookie Law), and the California Consumer Privacy Act (CCPA), and what they mean for your use of cookies and for obtaining cookie consent.

Many modern websites have dozens of active cookies and online tracking tools in use. But, what exactly does that mean for website users’ privacy?

If you have a website with visitors from the EU or California, you need a cookie consent notice to comply with these laws.

That way you avoid penalties of up to €20 million (or 4% of global annual turnover under the GDPR)!

There is a lot of ground to cover, so let's begin!


Create Your Law-Compliant Cookie Consent Popup for Free!

What are Cookies?


A cookie is a small piece of data that a web server sets in a user's browser (via the Set-Cookie response header, or from JavaScript) and that the browser stores and sends back with every later request to the same domain. That round trip is what lets a site recognise the same visitor across pages and visits, and it is also what makes cookies usable for tracking.

What Types of Cookies Are There?

Cookies are usually classified in two ways: by who sets them (first-, third-, and so-called second-party cookies) and by how long they live (session, persistent, and so-called browser-independent cookies). Each is explained and exemplified below;

1. First Party Cookies

First-party cookies are cookies set by the domain the user is visiting.

For example, when you open popupsmart.com in your browser, our own servers set cookies in your browser so that we can recognise you from page to page and provide a good user experience.

Most browsers treat first-party cookies as trustworthy by default since their primary goal is to allow customization and improve user experience.

They allow website owners to;

  • Gather analytical data,
  • Remember language settings,
  • Keep a user logged in between pages instead of asking for credentials again,
  • Show which items were added to the shopping cart before.

2. Third-Party Cookies

Third-party cookies refer to cookies created by domains other than the one a visitor is browsing on. These cookies are mainly used for tracking and digital advertising purposes.

For example, when you have chatted via a live-chat widget, the chat provider identifies you with its own cookie; the next time you visit the same website and open the chatbox, it remembers your name and the previous conversation.

Or when you visit Amazon and view a product, third-party trackers will collect information about your activities on Amazon. Then, when you visit eBay, you will be shown ads of a similar product that you have previously viewed.

Here are some other third-party services that collect cookies;

Technically a first-party and a third-party cookie are the same kind of name/value pair, and either can store the same information. The difference is who receives it: a third-party cookie is sent back to the third party's domain from every site that embeds its content, so one provider can link your visits across many unrelated sites. That cross-site linkage is why third-party cookies are the main target of the regulations below, and why modern browsers restrict them (the SameSite attribute, and default blocking or partitioning of third-party cookies in Safari and Firefox).

3. Second Party Cookies

Second-party cookies, on the other hand, are not a separate technical type: the term describes first-party cookie data that one company passes to another company under a data-sharing partnership.

For instance, an airline could share its first-party browsing data with a hotel chain so that the hotel can target the airline's customers with advertising.

Such transfers are only lawful if the users were told about them and, under the GDPR, if there is a legal basis (normally consent) for the sharing. Selling cookie data that was collected for another purpose is neither an ethical nor a compliant way to learn about your prospects.

4. Session Cookies

Session cookies are temporary cookies that store information about your current session and disappear when you close your browser.

They are the least likely to raise privacy concerns and, when they only do things like keep a logged-in session or a shopping basket alive, fall into the “strictly necessary” category. Note that the lifetime alone does not make a cookie exempt: a session cookie that carries a tracking identifier still needs consent.

This is why when you log off from your bank’s website, they recommend you to close the current browser window to remove any session cookies.

5. Permanent Cookies

Permanent cookies are stored on disk with an expiry date (the Expires or Max-Age attribute) and are not deleted when you close the browser. They are also called “persistent cookies” or “stored cookies.”

They are the type of cookie that raises most of the privacy concerns, because they let a site, or a third party, recognise the same browser across visits for months or years.

However, they are handy for providing a customised user experience, analysing return-visitor behaviour, and advertising to the right prospects, precisely because they keep their identifier until the expiry date, which can be set years in the future.

6. Browser Independent Cookies

Browser-independent cookies (often called “supercookies”) behave like persistent cookies but are not stored in the browser's cookie jar.

Instead, they live in separate storage such as plugin data files or other client-side storage, which makes them trickier to delete: clearing the browser's cookies does not remove them, so a user needs a separate tool or has to clear that storage explicitly.

If you use such storage on your website for tracking, you definitely must disclose it and obtain consent, exactly as for cookies: the ePrivacy rules cover any information stored on or read from the user's device, not only HTTP cookies.

Why Are Cookies Regulated?


The use of cookies may raise several privacy concerns.

Tracking cookies on websites can collect data about users’ browsing habits, see what types of products they view and what they purchase.

Cookies can also be useful for users: they keep sessions and preferences working, and they let e-commerce sites and service providers tailor what they show to a visitor's earlier behaviour.

Many users do find personalised recommendations and ads convenient, and some services would not work at all without state stored on the client.

However, the same mechanism lets website owners and third parties profile people far beyond what those people expect or would agree to, often for the site owner's own gain.

Regulators therefore decided that internet users have the right to know what cookies are being set and what they are used for, and to refuse the ones that are not needed for the service they asked for.

What are “Strictly Necessary” Cookies?

Not all cookies are evil. In fact, some are fundamental for both user experience and the proper functionality of websites.

Thankfully, regulators understand this and exempt cookies that are “strictly necessary” to provide a service the visitor explicitly requested.

The strictly necessary cookie exemption is especially important for online retailers.

The exact scope of “strictly necessary” is not defined in the law itself; the practical test is whether the cookie is needed to deliver what the user asked for, not whether it is useful to the site owner.

If a customer has not accepted optional cookies but still wants to see the items added to the shopping cart during the visit, the cookie that holds the cart can be used without consent.

Another instance is avoiding a new login on every page a user browses on the same website, such as Facebook. A user who logged in expects to stay logged in, so the session cookie that makes that work is strictly necessary.

What Makes a Cookie Popup Compliant?


Let's have a look at what privacy regulators require before a cookie popup counts as compliant, and what makes one non-compliant.

Remember that you only need to ask for consent once, on the user's first visit, as long as you store their choice. The stored choice (typically a first-party consent cookie, which is itself strictly necessary) tells your site on return visits that the banner does not need to be shown again; it must be shown again when you add new cookie categories or change the notice.

You can check whether your cookie consent popup meets the requirements below. The popup must:

  • Consist of specific information about data types,
  • Present clear information about the purpose of cookies,
  • Explain tracking technologies in use on the website,
  • Request consent before any non-essential cookie is set or read,
  • Clearly state which action will signify consent,
  • Have a link to your Cookie Policy, which includes the details of cookie usage, purpose, and related third-party activities,
  • Give users the opportunity to opt in to or opt out of each category of cookies,
  • Enable users to make subsequent changes anytime,
  • Let users withdraw their consent whenever they want,
  • Record each consent (what was accepted, when, and which version of the notice the user saw) and store that record securely as evidence.

Consent does not last forever. The ePrivacy Directive itself sets no fixed period, but several EU data protection authorities recommend asking again after at most 6 to 12 months (CNIL, for example, recommends 6 months), so treat 12 months as an upper bound for renewing your visitors' consent.

Because the cookie laws do not let you set non-essential cookies before consent, I recommend that you block the scripts that set them (analytics, advertising, chat widgets) until the user has consented, rather than loading them and trying to delete their cookies afterwards.
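As an added illustration (example code, not Popupsmart's own implementation), the following minimal consent manager in JavaScript puts the checklist above into practice: it applies a necessary-only default until the user decides, records the choice together with a timestamp and the notice version as evidence, stores that record in a first-party consent cookie with a six-month lifetime, keeps scripts that the page ships as script tags with type="text/plain" and a data-consent attribute from running until their category is allowed, and on withdrawal returns the Set-Cookie headers that expire that category's cookies. The cookie names, category names, cookie inventory and notice version are assumptions made for the example.

```javascript
// Added example, not from the original article: a minimal consent manager.
// Cookie names, categories, inventory and notice version are assumptions.
'use strict';

const CONSENT_COOKIE = 'cookie_consent';        // assumed name of the consent cookie
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;     // 6 months, the retention CNIL recommends
const CATEGORIES = ['necessary', 'preferences', 'analytics', 'marketing'];

// Assumed inventory from your own audit: which cookies each category sets.
const COOKIE_INVENTORY = {
  necessary:   ['session_id', CONSENT_COOKIE],
  preferences: ['lang'],
  analytics:   ['_ga', '_gid'],
  marketing:   ['_fbp', 'ads_id'],
};

// Default when the user has not decided yet (first visit, banner closed):
// only strictly necessary cookies are allowed.
function defaultConsent() {
  return { necessary: true, preferences: false, analytics: false, marketing: false };
}

// Build the record kept as evidence: what was chosen, when, and which
// version of the notice the user saw. 'necessary' cannot be refused.
function buildConsentRecord(choices, noticeVersion, now = new Date()) {
  const consent = defaultConsent();
  for (const c of CATEGORIES) {
    if (c !== 'necessary' && choices[c] === true) consent[c] = true;
  }
  return { version: noticeVersion, timestamp: now.toISOString(), consent };
}

// Serialise the record into a Set-Cookie value. The consent cookie is itself
// strictly necessary, so it may be set before consent; Secure and SameSite=Lax
// keep it from being sent in cross-site requests.
function consentSetCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Read the stored record back from a Cookie header. Anything unparsable, or
// recorded against an older notice version, counts as no consent, so the
// banner must be shown again.
function parseConsent(cookieHeader, currentVersion) {
  const m = (cookieHeader || '').match(new RegExp(`(?:^|;\\s*)${CONSENT_COOKIE}=([^;]*)`));
  if (!m) return null;
  try {
    const record = JSON.parse(decodeURIComponent(m[1]));
    if (record.version !== currentVersion) return null;
    return { ...defaultConsent(), ...record.consent, necessary: true };
  } catch {
    return null;
  }
}

// Given script descriptors {src, category} shipped as
// <script type="text/plain" data-consent="analytics" src="...">, return the
// ones the current consent allows to run.
function allowedScripts(scripts, consent) {
  return scripts.filter(s => consent[s.category] === true);
}

// Browser glue (not exercised under Node): replace blocked tags by live ones.
function activateScripts(doc, consent) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const allowed = allowedScripts(tags.map(t => ({ src: t.src, category: t.dataset.consent, tag: t })), consent);
  for (const { tag } of allowed) {
    const live = doc.createElement('script');
    if (tag.src) live.src = tag.src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
  }
  return allowed.length;
}

// Withdrawal: switch the category off, and return the Set-Cookie headers that
// expire every cookie of that category (Max-Age=0) so nothing lingers.
function withdrawConsent(record, category) {
  if (category === 'necessary') throw new Error('strictly necessary cookies cannot be withdrawn');
  const updated = buildConsentRecord({ ...record.consent, [category]: false }, record.version);
  const expireHeaders = COOKIE_INVENTORY[category].map(n => `${n}=; Max-Age=0; Path=/; Secure; SameSite=Lax`);
  return { record: updated, expireHeaders };
}

// Stand-alone demo with constructed data.
const DEMO_SCRIPTS = [
  { src: '/ga.js', category: 'analytics' },
  { src: '/ads.js', category: 'marketing' },
];
const demoRecord = buildConsentRecord({ analytics: true, marketing: false }, 'v3',
  new Date('2024-01-01T00:00:00Z'));
const demoHeader = consentSetCookie(demoRecord);
const demoConsent = parseConsent(demoHeader.split(';')[0], 'v3');
console.log(allowedScripts(DEMO_SCRIPTS, demoConsent).map(s => s.src));   // [ '/ga.js' ]
console.log(withdrawConsent(demoRecord, 'analytics').expireHeaders);      // two Max-Age=0 headers
```

The design choice worth noting is that the stored record carries the notice version: changing the cookie categories or the wording invalidates old consent automatically, and the same record is what you hand to a regulator who asks for proof. Closing the banner without a choice never changes the default, which matches the answer to the exit-icon question in the FAQ below.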

You don't need to implement all of these rules yourself: Popupsmart has already designed multiple fully compliant cookie consent popup templates that are ready to use!



How to Create a Cookie Policy?

Posting a comprehensive cookie policy on your website will help you avoid legal hassles and paying hefty fines because of cookie laws.

To make sure your cookie policy meets the legal requirements, include the following in your policy:

  • Describe why each cookie is set.
  • Indicate and explain the type of cookies installed.
  • Make it available in every language the website is offered in.
  • Indicate all third parties that can set cookies.
  • Include a link to the third parties' policies.
  • Have visible opt-out controls.
  • Explain how users can withdraw consent.

GDPR and Cookie Consent


The General Data Protection Regulation, also known as GDPR, was adopted in April 2016 and became enforceable on 25 May 2018.

It is the most significant EU data protection initiative in more than 20 years: it replaced the Data Protection Directive (95/46/EC) of 1995.

GDPR sets strict rules on how personal data must be handled and imposes heavy fines (up to €20 million or 4% of global annual turnover, whichever is higher) on organisations that fail to comply.

The primary purpose of GDPR is to keep the EU legislation up to date with the digital age while protecting personal privacy and enabling users to have control over their own personal data.

The GDPR sets out strict requirements on data handling procedures, transparency, documentation, and user consent.

It applies to organisations established in the EU, and to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3). What matters is where the users are, not their citizenship, so a website anywhere in the world that tracks visitors located in the EU is in scope.

If you use cookies, you must ask for consent before setting any cookies other than the strictly necessary, exempt ones.

You also have to revise your website's cookie policy, which is often part of the privacy policy, where necessary so that it meets the requirements of accuracy and transparency.

Due to the new enforcement of the GDPR, simple “accept cookies,” popups are no longer considered as compliant.

Let’s look at a cookie consent popup that is compliant with GDPR;

[Screenshot: Nike's cookie consent popup, a GDPR-compliant example]

And, have a look at a non-compliant cookie consent popup;

[Screenshot: Airbnb's simple cookie banner, a non-compliant example]

Here, the user has no real choice, and there is no direct information about which cookies are set on the browser, where they come from, and which purposes they serve.

What is "Personal Data" in the GDPR?

Personal data under the GDPR is any information relating to an identified or identifiable person: directly identifying data such as names, photos, email addresses and bank details, but also IP addresses and online identifiers such as cookie IDs, which Recital 30 names explicitly because they can be combined with other data to single out a person.

If you are using cookies that may track and identify personal data directly, you must either remove them or update your cookie consent under the new regulations of GDPR.

In other words, all cookies that process personal data are subject to the new regulations;

  • Cookies for analytics,
  • Cookies for advertising,
  • Cookies for functional services like survey and chat tools.

What Should Your Records of Processing Contain?

Under GDPR Article 30 you must keep a record of the processing you do with data coming from your website's cookies. The record must include;

  • Name and contact details of your company (the controller) and, where applicable, of your data protection officer,
  • The purposes of the processing,
  • The categories of data subjects and the categories of personal data (for example: website visitors; cookie IDs, IP addresses, pages viewed),
  • The categories of recipients, including third parties that receive the data,
  • The time limits for erasure of each category of data,
  • A general description of the security measures applied to the processing.

Who Needs a Data Protection Officer According to GDPR?

Employing a data protection officer (DPO) is not always obligatory. Under Article 37 it depends on the type and scale of the processing.

You need a data protection officer if you;

  • Process personal data for behavioural advertising, for example by profiling visitors' online behaviour on a large scale to target them with ads.
  • Process health or genetic data on a large scale, for example as a hospital.

On the other hand, you don’t need a data protection officer, if you;

  • Send an advert to your customers once a year to promote your local business.
  • Are a single general practitioner keeping your own patients' health records.

ePrivacy Regulation (ePR) and Cookies


The ePrivacy Directive (2002/58/EC) was established to set guidelines and expectations for digital privacy, including cookie usage.

It complements the GDPR and stipulates additional requirements to protect web users' electronic communications. It is also known as “The Cookie Law.”

The Directive dates from 2002; the requirement to obtain consent for cookies was added by its 2009 amendment, which is why cookie consent popups started appearing on lots of websites. A proposed ePrivacy Regulation (ePR) was meant to replace the Directive but has not been adopted, so the Directive, as transposed into each member state's national law, is still the law that applies.

Both of these EU laws, the Cookie Law and GDPR, have a significant impact on the use of cookie consent banners to warn users about marketing and tracking.

According to the Directive, all websites have to inform their users that they set cookies on the visitors' browsers and obtain consent for the non-essential ones.

The law also states that users must be given the possibility to refuse or withdraw their consent.

If a user withdraws consent, you must immediately stop setting and reading the cookies that consent covered. Processing done before the withdrawal does not become unlawful retroactively (GDPR Article 7(3)), but if consent was your only legal basis, the data already collected may have to be erased (Article 17(1)(b)).

Furthermore, under the Cookie Law a third party is responsible for the cookies it sets, but that does not relieve you: the CJEU held in Fashion ID (C-40/17) that a site operator embedding a third-party plugin is jointly responsible for the collection that the embed triggers, so you must keep third-party scripts from setting cookies until consent is given.

You are also required to facilitate the process by linking to the relevant policies of the third parties and indicating their categories and purposes.

The law mandates that consent must be freely given to be valid. Coercive methods, such as cookie walls, pre-ticked boxes, or making refusal harder than acceptance, render the permission null and are easy to spot for anyone auditing your site.

Some types of cookies are exempt from the consent requirement, such as;

  • Technical cookies like user-chosen preference cookies and session cookies.
  • Statistical cookies managed by the website itself, where some authorities (CNIL, for example) allow an audience-measurement exemption under strict conditions: first-party scope only, no cross-site tracking, no sharing with third parties, and a limited lifetime.
  • Third-party analytics is not exempt by default: Google Analytics in its standard configuration does not meet those conditions and requires consent, and Google Tag Manager is a script loader rather than a cookie, so whatever it loads must be gated on consent as well.

The Cookie Law does not itself require records of consent, but GDPR Article 7(1) puts the burden of proof on you: you must be able to demonstrate that users consented before any non-exempt cookie was set, so in practice you need to keep those records.

What are “The Cookie Law” Requirements on Cookie Usage?


The cookie law requires informing users before storing cookies on their device or tracking them.

Consent must be based on an explicit affirmative action, such as clicking an “Accept” button or ticking a box. Merely continuing to browse, scrolling, or closing the banner is not valid consent (CJEU Planet49, C-673/17; EDPB Guidelines 05/2020), and pre-ticked boxes are not valid either.

You must provide detailed information about how the cookie data will be utilized over time.

If visitors refuse the use of cookies on your site, you need to ensure that cookies will not be placed on their machine.

The law does not itself require records of consent to be kept, but you still have to be able to prove that users' permission was obtained.

You need to provide an option for obtaining informed consent and a means for withdrawal of consent.

You have to state third-party cookies' category and purpose with a relevant link to their cookie policies. Some national authorities accept categories, but others (CNIL, for example) expect each third party to be named, so listing them individually is the safer choice.

What is a Cookie Consent Banner?

A cookie consent banner is a cookie warning that appears on a user’s first website visit and asks for consent to collect data about the user.

The banner declares the cookies and gives the user a choice of consent prior to gathering data.

The purpose of cookie consent banners, therefore, is to alert website users about the cookies and attempt to get consent for setting cookies.

Cookie consent banners need to be shown on websites in order to comply with the EU ePrivacy Directive of 2002, as amended in 2009.

Additionally, according to the EU Court of Justice (Planet49, C-673/17, October 2019), your website's cookie banner cannot have pre-ticked checkboxes for any cookie category except the strictly necessary ones.

CCPA and Cookies


The California Consumer Privacy Act (CCPA) is a narrower cousin of the GDPR. It enshrines protections for California residents (“consumers” in the Act) against the collection and sale of their data without their knowledge.

The CCPA took effect on January 1, 2020, with enforcement starting on July 1, 2020; it was later expanded by the California Privacy Rights Act (CPRA), effective January 1, 2023.

While the federal government has not enacted a general online privacy law, the states are taking a stricter approach to the subject.

California's legislation, binding from the beginning of 2020, gives rise to cookie requirements.

The Act requires companies to give notice to California residents about their data collection practices, including collection through cookies.

CCPA gives consumers the right to demand that website owners not sell their personal information to third parties. Once a consumer has opted out, the business is prohibited from selling that person's personal information.

Companies that are non-compliant with the CCPA may be fined up to $2,500 per violation, or up to $7,500 per intentional violation.

The law requires businesses over a specific user base and revenue threshold to disclose;

  • What personal data they collect,
  • The purpose they intend to use this data for,
  • Third-parties that cookies will be shared with,
  • Third-party cookie disclosure reasons.

According to the CCPA, businesses that sell personal information must provide a clear link on their website titled “Do Not Sell My Personal Information.” Moreover, exercising the opt-out must not require the consumer to create an account.

If a customer chooses to opt-out from the distribution of their data to third parties, that business is not allowed to charge different prices for its services, deny giving customer support or provide a different level of quality for services.

Customers have the right to access and obtain a copy of their personal information, which has been gathered by the business in the past 12 months.

Website users also have the right to request deletion of their personal information. The business must then delete it (and instruct its service providers to do the same), subject to the Act's exceptions, for example data needed to complete a transaction the consumer requested or to detect security incidents.

Furthermore, businesses cannot sell the personal information of consumers under the age of 16 without opt-in consent: from the minor themselves if they are 13 to 15, or from a parent or guardian if they are under 13.


Who is Responsible for CCPA Regulations?

In the CCPA, a business is defined as a sole proprietorship, partnership, corporation, association or other legal entity that is operated for the profit or financial benefit of its owners.

To be bound by the CCPA, a company has to meet at least one of the attributes below;

  • Generate an annual gross revenue exceeding $25 million.
  • Derive 50% or more of its annual revenue from selling consumers' personal information.
  • Buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices a year (raised to 100,000 consumers or households by the CPRA).

If you do not meet one of the thresholds above, the CCPA does not apply to your business. However, if you are controlled by, and share common branding with, a company meeting one of the thresholds, your business is subject to CCPA compliance.

What is Personal Information in CCPA?

Personal information is defined in the CCPA as;

“Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal information may include;

  • Biometric data like fingerprints, DNA, and voice recordings.
  • Data regarding personal characteristics, religion, and sexual orientation.
  • Internet activity such as browsing history and search history, and geolocation data from devices.
  • Identifiers like IP addresses, account names, cookie IDs, and pixel tags.

How to Create a CCPA Compliant Privacy Policy?

To become compliant with the CCPA, your privacy policy must be updated and include;

  • A description of customer rights and how to exercise these rights,
  • A list of the categories of personal information that your website collects, sells and discloses.

The policy, including that list, must be updated at least once every 12 months.

What Is The Difference Between CCPA and GDPR?

You can think of the GDPR as prevention, whereas the CCPA signifies transparency.

Under the GDPR and the ePrivacy Directive, non-essential cookies cannot be set until the user consents, whereas the CCPA does not require prior consent to collect personal information; it grants the consumer the right to know what is collected, to opt out of its sale, and to request deletion.

In other words, the main difference between GDPR and CCPA is the opt-out opportunity and prior consent necessity.

GDPR's obligations cover a broader area. Even though GDPR might seem to affect only websites in Europe, it has an extra-territorial scope, since any website may offer services to, or monitor, people in the EU. The CCPA, on the other hand, binds only businesses above its thresholds that handle Californians' personal information, with the opt-out obligations falling on those that sell it.

EU data protection authorities have investigatory and enforcement powers over non-compliant websites. CCPA enforcement was originally left to the California Attorney General (the CPRA added the California Privacy Protection Agency); consumers have a private right of action only for certain data breaches.

GDPR is a broader privacy law that forms a data protection framework for the whole EU, in comparison to the CCPA, which is a narrower law covering one state.

Website Privacy Audit


The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the ePrivacy Directive affect how you get and store cookie consent from your visitors.

To comply with these requirements, you must have a thorough and compliant setup for managing consent for cookie usage on your website. You may start by identifying what cookies are on your website, then evaluate their compliance levels.

If you are in doubt whether your use is compliant, there are free compliance test tools (cookie scanners) that inventory the cookies and trackers your pages set; run one before and after you deploy a consent banner to confirm that nothing non-essential is set before consent.
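As an added example (not from the article or from any of the tools it mentions), here is a small audit script in JavaScript that classifies cookies captured from a site's HTTP responses, the way a scanner or proxy export would provide them. It parses each Set-Cookie header, labels the cookie first- or third-party by comparing the cookie's domain with the site's domain, labels it session or persistent from Max-Age/Expires (the same session versus permanent distinction drawn in the cookie types section above), flags a missing Secure or HttpOnly attribute and SameSite=None without Secure, and marks which cookies need consent. The captured headers, host names and the list of strictly necessary names are constructed for the example; the registrable-domain check takes the last two labels of a host, which is a simplification (a real tool should use the Public Suffix List); and cookies set from JavaScript via document.cookie are not visible in response headers, so they need a separate browser-side pass.

```javascript
// Added example, not from the original article: classify captured Set-Cookie
// headers for a consent audit. All data below is constructed for illustration.
'use strict';

// Cookies you have reviewed and judged strictly necessary (assumed list).
// A name alone never proves exemption; this comes from your own review.
const STRICTLY_NECESSARY = new Set(['session_id', 'cookie_consent', 'lang']);

// Constructed capture: [site host, responding host, Set-Cookie header value],
// as a proxy or HAR export of one page load would give you.
const CAPTURED = [
  ['shop.example', 'shop.example', 'session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
  ['shop.example', 'shop.example', 'lang=en; Max-Age=31536000; Path=/'],
  ['shop.example', 'www.google-analytics.com',
    '_ga=GA1.2.1; Expires=Wed, 01 Jan 2026 00:00:00 GMT; Domain=.google-analytics.com; Path=/'],
  ['shop.example', 'ads.tracker.example', 'ads_id=xyz; Max-Age=63072000; SameSite=None; Secure'],
];

// Parse one Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Registrable domain, simplified to the last two labels (assumption; a real
// tool should use the Public Suffix List, or co.uk-style hosts are misjudged).
function registrable(host) {
  return host.split('.').slice(-2).join('.');
}

// Classify one captured cookie and list audit findings.
function classify(siteHost, responseHost, header) {
  const c = parseSetCookie(header);
  // Without a Domain attribute the cookie is scoped to the responding host.
  const domain = String(c.attrs.domain || responseHost).replace(/^\./, '');
  const party = registrable(domain) === registrable(siteHost) ? 'first-party' : 'third-party';

  // Max-Age takes precedence over Expires when both are present (RFC 6265).
  let lifetime = 'session';
  if ('max-age' in c.attrs) {
    lifetime = `persistent (${Math.round(Number(c.attrs['max-age']) / 86400)} days)`;
  } else if ('expires' in c.attrs) {
    lifetime = `persistent (until ${c.attrs.expires})`;
  }

  const findings = [];
  if (!('secure' in c.attrs)) findings.push('missing Secure');
  if (!('httponly' in c.attrs)) findings.push('readable by script (no HttpOnly)');
  if (String(c.attrs.samesite || '').toLowerCase() === 'none' && !('secure' in c.attrs)) {
    findings.push('SameSite=None without Secure is rejected by browsers');
  }
  if (party === 'third-party' && lifetime !== 'session') {
    findings.push('third-party persistent cookie: needs consent before it is set');
  }
  // Anything not on the reviewed allowlist, and every third-party cookie, needs consent.
  const needsConsent = !STRICTLY_NECESSARY.has(c.name) || party === 'third-party';
  return { name: c.name, domain, party, lifetime, needsConsent, findings };
}

// Run the audit over a whole capture.
function audit(captured) {
  return captured.map(([site, host, header]) => classify(site, host, header));
}

// Stand-alone demo on the constructed capture.
for (const r of audit(CAPTURED)) {
  console.log(`${r.name.padEnd(11)} ${r.party.padEnd(12)} ${r.lifetime.padEnd(45)} ` +
    `consent=${r.needsConsent} ${r.findings.join('; ')}`);
}
```

Feed it the Set-Cookie headers from a fresh, consent-less page load: every row with consent=true that appears in that capture is a cookie set before consent, which is exactly what the banner is supposed to prevent.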

How to Make Your Website Law-Compliant Infographic

[Infographic: How to make your website cookie law-compliant]

We like sharing our knowledge with our visitors! You are very welcome to use infographics on your website for presenting an excellent visual about how to make your website compliant with cookie laws!

Best Examples of Cookie Consent Notices

You may think that if visitors are prominently exposed to the cookie policy, they may get confused, irritated, and concerned.

Believe me, paying heavy penalties hurts more than losing a few visitors who are annoyed by the prompt.

In fact, lots of well-known companies show a cookie consent popup to every new visitor. Let's look at some companies that ask for cookie consent;

1. Google

[Screenshot: Google's cookie consent notice]

Google enables its users to get the most accurate information about cookie usage by making them read their cookie policy.

2. JetBrains

[Screenshot: JetBrains ReSharper cookie consent notice]

JetBrains chose a plain text-only prompt with balanced options to accept or refuse cookies.

3. Nielsen

[Screenshot: Nielsen Norman Group's cookie consent notice]

Nielsen Norman Group has grouped all of its cookies in one popup. The popup states that necessary cookies cannot be opted out of while other groups of cookies can be disabled with a few taps.

4. MailChimp

[Screenshot: MailChimp's cookie consent notice]

MailChimp has tabbed cookies as groups and enables its visitors to opt-out from any group of cookies they want, except the strictly necessary ones.

5. Daily Mesh

[Screenshot: Daily Mesh's cookie consent banner]

Daily Mesh provides an option to customize privacy settings to accept or reject some type of cookies. Also, there are “Accept All” and “Reject All” options to ease visitors’ cookie choice selection process.

6. Indie Web Camp

[Screenshot: Indie Web Camp's cookie consent notice]

Indie Web Camp chooses to display cookie settings in a dashboard and explains all the patterns of cookie usage, which increased the transparency of their data collection process.

7. Fandom

[Screenshot: Fandom's cookie consent notice]

Fandom presents a cookie consent popup to its users when visitors first enter the website. The popup explains which type of cookies are in use and for what purpose they are used.

8. Jamie Oliver

[Screenshot: Jamie Oliver's cookie consent notice]

Jamie Oliver turns all optional categories off by default to be on the safe side and lets visitors adjust the cookie settings as they please, including switching categories on.

9. Iamsterdam

[Screenshot: Iamsterdam's cookie consent notice]

Iamsterdam allows its website visitors to alter cookie settings, and explains all the types of cookies, what they are used for and how they process information.

10. Osano

[Screenshot: Osano's cookie consent notice]

Osano has used a tab cookie popup to enable website users to adjust their level of cookie consent however they want.

11. Cookiebot

[Screenshot: Cookiebot's cookie consent notice]

Cookiebot has a cookie banner enabling website users to access very detailed information about all types of cookies without the necessity of going to the cookie policy page.

Frequently Asked Questions About Cookie Consent

What should I do to comply with the regulations governing cookies under GDPR, ePrivacy, and CCPA laws?

  • Ask for user consent before you set any cookies except strictly necessary ones, such as those needed for login sessions or access to secure areas.
  • Provide accurate and detailed information about the data each cookie tracks.
  • Store and document consent received from users.
  • Allow users to access your website content even if they refuse the use of certain cookies.
  • Enable your users to withdraw their consent whenever they want.
  • Regularly audit your site for changes and update any relevant cookie information.

How do I implement a cookie consent message on my website?

The most efficient way to become compliant with cookie regulations is to have popups on your website. Luckily, Popupsmart offers law-compliant cookie consent popup templates that do not require any coding or design knowledge to create.

Do I need to have a Cookie Banner if I only use cookies that are exempted from cookie consent requirements?

Not necessarily. You still have to inform users about the cookies you use, through a cookie policy that is visible and accessible on every page of your website, but a consent banner is not required when every cookie you set is exempt.

What should I do if a user opts-out of the cookies on my website?

If a user opts out of cookies on your site, there are two ways to handle the request without creating a compliance conflict:

  • Ask the user to change their browser settings or clear their cookies. This eases your job but provides a poor user experience, and it does not stop your scripts from setting new cookies.
  • Set your website up to stop setting and reading the withdrawn cookies as soon as consent is withdrawn, and to expire the ones already set. In this case, it is better to let the user choose which categories of cookies to withdraw.

How can somebody report me if my website is non-compliant with cookie laws?

Your website visitors have a right to privacy, and many are well aware of it. A visitor who suspects that you are setting cookies without consent can complain to the data protection authority of their EU member state (or, in California, to the Attorney General). If the authority agrees that you are non-compliant, you may be fined up to €20 million or 4% of global annual turnover under the GDPR.

Do I need cookie consent if I use Google Analytics, MailChimp, Salesforce, and social media buttons?

All of the services and features mentioned above are examples of third parties on your website. Those providers set cookies in the browser as soon as their scripts run on your page. Therefore you are required to tell users clearly how their data is used, both by you and by the third parties on your site, and to keep those scripts from running until consent is given.

What should I do if a user clicks on the exit icon instead of accept or reject cookie usage button?

If a user closes the banner without accepting or rejecting, treat it as no decision: apply the default settings, which allow only strictly necessary cookies. Do not interpret closing the banner as consent, and show the banner again on a later visit. Only the visitor should switch the other categories on.

Does the EU Cookie Law appeal to US websites? Or are US websites only responsible for CCPA regulations?

This question does not have a clear answer. Certain privacy matters are covered by the ePrivacy Directive but lack clarity in the CCPA, and the GDPR's territorial reach may extend to a US site that serves or tracks people in the EU. Therefore, I recommend that you contact Popupsmart for assistance with developing a defensible and customisable policy for your online business.

Conclusion

It is easy to get lost or confused when trying to keep track of the many privacy-related rules. In this case, please feel free to communicate with us via live chat, and our data protection officer will gladly help you.

I hope this guide on the cookie laws, and on how to make your website's cookie usage comply with them, prevents you from facing massive fines.

Even if your website visitors are located in countries outside the European Union, it is safe to have a simple cookie consent popup on your website using Popupsmart's free tool.

Lastly, remember that Popupsmart has cookie popups and cookie banners that are ready-to-use, utterly compliant with Cookie Laws, and professionally designed. What’s more, you don’t need to have any coding or design expertise to build one of our popups.

