If you use cookies on your website, there's a good chance at least one law says you need user consent to issue cookies and collect data through them. This consent is only valid when users have made an informed and meaningful choice to give it.
In this guide we'll explain how cookie consent messages can give users the necessary information and then explore examples of different approaches to writing and displaying cookie consent messages.
- 1. What is Cookie Consent?
- 2. Is Cookie Consent Required?
- 2.1. ePrivacy Directive
- 2.2. General Data Protection Regulation (GDPR)
- 2.3. Federal U.S. Laws
- 2.4. U.S. State Laws
- 3. What Should Your Cookie Consent Message Say?
- 3.1. Your Use of Cookies
- 3.2. Links to Your Legal Agreements and Policies
- 3.3. Consent Collection Mechanism
- 3.4. Withdrawing Consent
- 4. What are Some Examples of Cookie Consent Messages?
- 5. How Should I Display My Cookie Consent Message?
- 6. Summary
What is Cookie Consent?
Cookie consent means getting permission to add and store cookies on a user's computer and using the information gathered through the cookies.
A cookie is a small piece of data (a name and value, plus attributes such as expiry, path and domain) that a website instructs the browser to store, via the Set-Cookie response header or from script, and that the browser sends back on later requests. A first-party cookie is set for the domain of the site the user is visiting and read by that site. A third-party cookie is set for a different domain, typically by embedded content such as an advertising or analytics script, which lets that other party recognize the user on every site that embeds it. That is what makes cross-site tracking and customized advertising possible.
In many cases, particularly when a law requires it, getting cookie consent is not solely about the technical action of issuing a cookie. You are also getting permission to collect and handle personal data, both in creating and referring to the cookie.
Is Cookie Consent Required?
Several laws around the world require some form of consent to issue some or all types of cookies. These laws can apply even if your organization isn't in the country or region concerned.
ePrivacy Directive
The main law directly addressing cookies in Europe is the Privacy and Electronic Communications Directive 2002/58/EC, also known as the ePrivacy Directive. It's implemented in individual countries through their own national laws. Broadly, the same principles will apply whenever your site is accessed by somebody in a European Union country or if your servers are physically in such a country.
The key points of the ePrivacy Directive are:
- You must get consent to issue any cookie except those which are "strictly necessary," meaning the site cannot provide the service the user asked for without them. This type of cookie is also called "essential." You need consent for any other type of cookie, regardless of whether it is first or third party. Regulators have consistently treated analytics and advertising cookies as non-essential, while a cookie whose only job is to remember the user's consent choice is itself essential. The rule (Article 5(3)) covers any storing of, or access to, information on the user's device, so localStorage, tracking pixels and device fingerprinting are caught in the same way as cookies.
- You must tell users the general purpose of the cookies before requesting consent. This doesn't have to be broken down to detail individual cookies.
General Data Protection Regulation (GDPR)
The GDPR applies if your organization is established in an EU country, or if you offer goods or services to people in the EU or monitor their behaviour, wherever your servers happen to be. (The United Kingdom kept an equivalent regime, the UK GDPR, after leaving the EU.)
The GDPR doesn't directly require consent for cookies. However, its Recital 30 lists cookie identifiers among the online identifiers that can make someone identifiable when combined with other information, so data collected through cookies will usually be personal data.
Under the GDPR, you must have a lawful basis to use personal data. Consent is one of the lawful bases.
The practical effect is that if you plan to use cookies to collect or process personal data (such as tracking a user online), you should get informed consent first. To make the consent informed, you must tell the user what data you will collect and how you will use it. You must also make it possible to withdraw consent later on.
Many countries outside of Europe now have privacy laws that follow similar principles. This means you will often need to get consent before issuing a cookie to collect or process personal data.
Federal U.S. Laws
The United States does not have a federal law requiring cookie consent for adults.
The Children's Online Privacy Protection Act (COPPA) does require consent to collect personal information from children aged under 13. COPPA applies if your site is directed at under-13s or you have actual knowledge that they use it. Since the 2013 rule update, persistent identifiers such as a cookie ID count as personal information unless they are used solely to support the site's internal operations. The consent must come from a verified parent or guardian, which is so impractical for cookies that sites affected by COPPA will normally not use cookies that involve personal data.
U.S. State Laws
Several states (including California, Virginia, Colorado and others) have relevant measures in privacy laws. Generally, these laws work on an opt-out basis. This means you don't need to get consent before issuing cookies. Instead, you must give clear information about what data you collect and how you use it, often on a dedicated page linked to with a specific wording (in California, a "Do Not Sell or Share My Personal Information" link), and you must honour opt-out requests. California and Colorado also require you to treat a browser-sent opt-out preference signal such as Global Privacy Control as a valid opt-out, so your site needs to read that signal, not just offer a link.
The interpretation and enforcement of these laws is still evolving as regulators and courts rule on specific cases. A conservative approach that stays on the right side of all of them is to get opt-in consent before issuing:
- Cookies to collect data that you intend to sell to a third party
- Cookies to collect sensitive personal data, for example covering religion, sexuality or health status
What Should Your Cookie Consent Message Say?
To get legally valid consent, you need a message that covers your cookie use, links to informative policies, and details on giving and withdrawing consent.
Your Use of Cookies
Tell site visitors that you use cookies and give a brief description of what types of cookies you use and why you use them. Aim to be brief enough that people can easily read it, but give enough detail that they can make an informed decision.
(Example screenshot not reproduced here.)
A good rule of thumb is that somebody reading your description shouldn't then be surprised by any cookies you do use or the way you use them.
Links to Your Legal Agreements and Policies
To avoid overloading visitors with information, link to full documents. This can include your dedicated Cookies Policy if you have one, and your Privacy Policy.
(Example screenshot not reproduced here.)
Consent Collection Mechanism
Use a clear method to request and confirm the user's consent to cookies. Common options include clearly marked buttons letting the user show they agree or refuse cookies, or checkboxes.
You can also have an option to make more detailed choices, for example to accept some types of cookie and refuse others.
(Example screenshot not reproduced here.)
Do not make one option (such as agreeing to cookies) more prominent than another (such as refusing consent), and do not make refusing take more clicks than accepting. Regulators applying the European rules have treated this as failing the requirement for a free and meaningful choice; the French regulator CNIL fined Google and Facebook in 2022 for banners where rejecting cookies took several clicks while accepting took one.
An alternative option is to use a checkbox or toggle to indicate consent. Do not set these to be pre-ticked or set to "agree" by default. The Court of Justice of the EU ruled in Planet49 (C-673/17, 2019) that a pre-ticked box is not valid consent.
(Example screenshot not reproduced here.)
Never rely on passive consent, for example having a cookie consent message that simply says continuing to use the site, scrolling or closing the banner after reading the message constitutes consent. The European Data Protection Board's guidance on consent states that this does not meet the requirement for meaningful, active consent.
Withdrawing Consent
Make clear that site visitors can withdraw their consent at any time. Explain the consequences both for you (you will stop collecting and processing the data) and the user (some site functions may be limited or unavailable).
(Example screenshot of a cookie consent message noting that settings can be changed at any time; not reproduced here.)
If necessary, explain what happens to any data you have previously collected through the cookies, such as it being deleted.
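The rules in the last two sections (nothing on by default, only an explicit action counts as consent, consent must be re-askable and withdrawable, and withdrawal must actually stop the collection) translate directly into the logic that sits behind the banner. The following is an added example written for this guide, not code from the article's authors or from any of the sites shown below. The category names, the cookie inventory, the `cookie_consent` cookie and its six-month lifetime are hypothetical; adapt them to your own site.

```javascript
// Added example (not from the original article): consent state logic behind a
// cookie banner. Category and cookie names, the "cookie_consent" cookie and
// its six-month lifetime are assumptions for illustration.

const CONSENT_VERSION = 1;                    // bump when purposes or cookies change
const CONSENT_COOKIE = "cookie_consent";
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;   // six months, then ask again (assumed policy)

// Hypothetical cookie inventory. Third-party cookies record the domain that sets
// them, because this site cannot expire a cookie that belongs to another domain.
const CATEGORIES = {
  essential: { required: true,  cookies: [{ name: "session_id" }, { name: "csrf_token" }] },
  analytics: { required: false, cookies: [{ name: "_ga" }, { name: "_gid" }] },
  marketing: { required: false, cookies: [{ name: "ad_id", thirdParty: "ads.example.net" }] },
};

// Nothing beyond essential is on by default: no pre-ticked boxes, no implied "yes".
function defaultState() {
  const state = {};
  for (const [name, cat] of Object.entries(CATEGORIES)) state[name] = cat.required;
  return state;
}

// Called only from an explicit user action (Accept all / Reject all / Save choices).
// Scrolling, closing the banner or continuing to browse must never reach this.
function recordChoice(choices, now = new Date()) {
  const state = defaultState();
  for (const [name, value] of Object.entries(choices)) {
    if (!(name in CATEGORIES)) throw new Error(`unknown cookie category: ${name}`);
    if (CATEGORIES[name].required) continue;  // essential cannot be refused
    state[name] = value === true;             // anything but an explicit true is a refusal
  }
  return { ...state, version: CONSENT_VERSION, decidedAt: now.toISOString() };
}

function isAllowed(state, category) {
  return state !== null && state !== undefined && state[category] === true;
}

// Set-Cookie value for the preference itself. Remembering the user's choice is
// strictly necessary, so this cookie needs no consent. Secure and SameSite=Lax
// keep it off plaintext HTTP and out of cross-site embeds.
function consentSetCookie(state) {
  const value = encodeURIComponent(JSON.stringify(state));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Read the decision back from a document.cookie / Cookie-header string. Returns
// null (show the banner, load nothing non-essential) when the cookie is absent,
// malformed, tampered into an impossible shape, or from an older consent version.
function parseConsentCookie(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [rawName, ...rest] = part.trim().split("=");
    if (rawName !== CONSENT_COOKIE) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join("=")));
      if (stored.version !== CONSENT_VERSION) return null;
      const clean = defaultState();           // re-apply the invariant for essential
      for (const name of Object.keys(CATEGORIES)) {
        if (!CATEGORIES[name].required) clean[name] = stored[name] === true;
      }
      return { ...clean, version: stored.version, decidedAt: stored.decidedAt };
    } catch {
      return null;
    }
  }
  return null;
}

// Withdrawal: reset to the default state and produce expiry headers for every
// first-party cookie the withdrawn categories set. Third-party cookies cannot be
// deleted from here; the site must stop loading the scripts that set them and
// point the user at that party's own opt-out.
function withdraw(state) {
  const expire = [];
  const thirdParty = [];
  for (const [name, cat] of Object.entries(CATEGORIES)) {
    if (cat.required || !isAllowed(state, name)) continue;
    for (const c of cat.cookies) {
      if (c.thirdParty) thirdParty.push(`${c.name} (${c.thirdParty})`);
      else expire.push(`${c.name}=; Max-Age=0; Path=/`);
    }
  }
  return { state: recordChoice({}), expire, thirdParty };
}
```

In the browser, the "Accept all", "Reject all" and "Save choices" buttons each call `recordChoice` with the corresponding choices and write `document.cookie = consentSetCookie(state)`; the `<script>` tags for analytics or advertising are only inserted into the page after `isAllowed` returns true for their category. On every page load, `parseConsentCookie(document.cookie)` decides whether the banner is shown again. Because the cookie lives on the user's machine, it is untrusted input: the parser treats anything malformed or from an older version as "no decision" rather than as consent, and it never lets a stored value switch an essential category off or a refused category on.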
What are Some Examples of Cookie Consent Messages?
The following examples show cookie consent messages that use the approaches we've recommended in this guide.
Similarweb clearly links to both a dedicated Cookies Settings section and a Privacy Policy, giving an opportunity to get more information and context before making a choice:
YouTube gives clear details of how it uses cookies and what effect accepting or rejecting will have on the user experience:
Facebook uses a combination of links and a scroll bar to provide extra detail while still keeping the banner small enough to be practical and to make the selection buttons prominent:
Virgin Media uses an element of humor. The two key options (accept or reject non-essential cookies) are both equally prominent:
Reddit clearly and concisely explains the consequences of accepting or rejecting cookies:
How Should I Display My Cookie Consent Message?
Above all else, make sure your cookie consent message is prominent. Do not create any risk that users do not see the message. Never display it in a way that some of the text is difficult or impossible to see. Equally, make sure nothing non-essential is set before the user acts: a banner that appears after analytics or advertising tags have already fired is cosmetic, and the consent it collects comes too late.
Good options include:
- Using a banner across the bottom of the screen. Banners should overlay the page so that it's clear the content is a site-wide notice rather than part of a specific page. Make sure the banner still works well on different size screens and on mobile devices.
- Using a pop-up notice. Don't put too much of a delay between the page loading and the pop-up appearing. Use a distinct color scheme to the rest of the page so that users don't miss the message.
Summary
Cookie consent means getting permission to install cookies and collect data using them. The consent usually isn't required for essential cookies.
Several European laws mean you must get prior consent both to issue non-essential cookies and to process any personal data collected through cookies. U.S. state privacy laws generally let you work on an opt-out basis, though you may need consent for cookies that gather sensitive information or information that you plan to sell.
Inform users and gather consent through a cookie consent message. This should summarize the cookies you use and why and how you use them, link to dedicated Cookies Policy and/or Privacy Policy, collect consent, and inform users that they can withdraw consent at any time.
Obtain consent by requiring users to take a clear action such as clicking an "Accept" button or checkbox. Display your cookie consent message prominently and don't hide key information.