10 min read
A cookie consent banner is a must-have element for any website. It informs users about the use of cookies on your site, ensuring transparency and legal compliance with privacy regulations like GDPR, CCPA, PIPEDA, APPI, or LGPD. Non-compliance can result in warnings, large fines, or even bans on data processing.
For this reason, we prepared the ultimate guide to what a cookie banner is. You’ll learn the types of consent banners and layouts, how to make a personalized and compliant cookie banner and more.
Add a compliant cookie banner to your Shopify site in just a few clicks
Try TinyCookie freeWhat is a cookie banner?
A cookie banner is a notice that appears when users open a website, informs them about cookie usage, and asks for consent to use cookies. In many countries, it is legally required that a website includes a cookie consent banner as soon as users enter the site.
The cookie banner should include a statement that cookies are being used on the website. It should also have buttons to consent, withdraw consent, or manage cookie preferences. There should also be a link to the website’s cookie policy which states exactly what cookies are being used.
As a legal element of a website, a cookie banner should include simple and easy-to-understand language to make it accessible to all.
How does a cookie banner work?
A cookie banner works by displaying a pop-up on the website for every user that visits it. It’s used to provide users with transparent information on the site's cookie usage and provides options to give content, manage cookie categories, or reject their usage.
Additionally, a cookie banner should help ensure that your website is compliant with privacy regulations. This includes letting you add links to your cookie policy or only storing cookies if consent is given.
Upon acquiring consent, the banner sends cookies to the user’s device. The cookies start collecting user data for enhancing the user experience, delivering targeted ads, or improving website performance.
For example, website owners often utilize Google Analytics for monitoring various metrics regarding user behavior. The tool sends cookies to a user’s device in order to collect data about how the user interacts with the site, what pages they go to, their IP address, and more.
Main cookie consent types
There are two main cookie consent types that you may use on your website depending on the privacy regulation you need to comply with. Here are the main ones and when to use them:
Active consent
This is the most important and strict type of cookie consent which requires an active opt-in by the user. This means there should be a button to consent and a button to manage preferences and withdraw consent. Here’s an example of what it looks like:
Countries that require using active consent include European countries protected under the GDPR, Canada, Brazil, Japan, United Kingdom, Chile, Colombia, Malaysia, Morocco, South Africa, South Korea, Taiwan, and India.
Passive consent
The passive consent isn’t as strict as the active one. It assumes user consent if they continue browsing the website. In such cases, consent withdrawal is still allowed. Let’s take a look at how it’s implemented below:
Countries that require using passive consent include the United States, Hong Kong, Switzerland, and Australia.
Types of cookie consent layouts
There are a few types of layouts used for cookie consent on websites. Here are all of them with examples:
- Footer cookie banner. This cookie consent banner is placed at the bottom of the page on either side.
- Header cookie banner. This cookie banner type appears at the header of the page – this is a very rarely used type of cookie banner.
- In-line header. This banner type is a fixed notification in line with your website header, conveniently showing up on any page and can’t be missed.
- Cookie consent popup. Pop-ups usually appear at the center of the page and do not let the user proceed to the website until they interact with it.
There are no strict rules – you can freely choose which layout is most convenient to your project.
How to make a personalized cookie banner
The easiest way to add a cookie banner to your website that you can personalize is to get a third-party app. The setup process is similar for many cookie consent banner apps. Here’s how to add and personalize a cookie banner on your website:
- Install your cookie consent banner app. We recommend using TinyCookie on Shopify.
- Embed the app on your website editor. Click Save.
- Open the app and click General settings to change the layout, placement, cookie categories, and more. Click Save once completed.
- Head to Design settings to change the cookie bar, badge, preference window color, button size, content padding, and more. Click Save once done.
- Now, click the Content settings button and edit the title, description, button text, or any other content on your cookie bar, badge, or preference window. Click Save once completed.
- That’s all – you can view the cookie consent banner on your website.
How to make sure my cookie banner is compliant
To make sure your cookie banner is compliant, you first need to know what privacy laws you should comply with. For example, if the majority of users on your website are from Europe, you need to ensure GDPR compliance. However, even if a portion of your audience comes from, let’s say, California, you’ll need to guarantee CCPA compliance too.
Let’s take a look at the main steps on how to ensure cookie banner compliance for any business:
Step 1: Find out what privacy laws are applicable to you
If you’ve never dealt with privacy laws, you may be confused as to what regulations you should comply with. It primarily depends on your audience and the country you operate in. Here’s a quick overview of the main privacy regulations around the world and who they apply to:
- General Data Protection Regulation (GDPR). Businesses and individuals from the European Union (EU) or businesses and individuals outside the EU that process the data of EU citizens.
- California Consumer Privacy Act (CCPA). Anyone who processes the data of California residents and has an annual gross revenue of over $25 million, makes 50% (or more) of annual revenue by selling data or processes data of over 100,000 California residents per year.
- Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations under federal regulation that operate in Canada.
- Brazilian General Data Protection Law (LGPD). Anyone who operates in Brazil, offers goods and services to Brazilian citizens, or processes the data of Brazilian citizens
- Act on the Protection of Personal Information (APPI). Anyone who processes data of Japanese citizens.
Step 2: Meet the respective privacy law requirements
Here are the main privacy regulation requirements that are the same or similar to most main privacy regulations:
- Request consent. Privacy regulations require acquiring active user consent before placing cookies on the user’s device. While regulations like CCPA don’t have this rule (except for children), websites still must have a cookie banner informing about the use of cookies.
- Give a consent withdrawal option. Most privacy regulations require you to provide users with an option to withdraw consent just as easily as they gave it using the cookie banner. This includes letting users manage or change cookie preferences.
- Collect user consent. When users give you consent to store cookies via a cookie banner, you must ensure that you store those consents securely in one place. This is a legal obligation and an ethical business practice.
- Allow website access. According to privacy regulations like GDPR, you must provide users with access to your website even if they don’t consent to cookie usage. Regulations like the CCPA, PIPEDA, APPI, and LGPD don’t explicitly mention this rule.
- Give cookie explanations. Providing users with an option to manage cookie preferences isn’t enough, and you need to also provide a cookie policy with information on what cookies are used on your website.
- Protect user data. Privacy regulations require website owners to protect user data when using cookies – data breaches or other violations may result in large penalties.
- Acknowledge user rights. When users consent to cookie usage, they may have the right to request access, rectification, or deletion of their personal data depending on the privacy regulation. Website owners must comply with these user rights when requested.
What if my cookie consent is non-compliant?
If your cookie consent banner is not compliant with respective privacy regulations, you may face penalties or fines. However, each privacy regulation has different consequences for non-compliance. Here are a few types of penalties and some examples with different privacy laws:
- A warning. You may get a warning with a 30-day cure period if the violation is minor under regulations like GDPR or LGPD. Non-compliance after the mentioned period may lead to fines.
- Fine for non-serious violations. Under GDPR, you may receive a fine of up to €10 million (~$11 million), or 2% of the firm’s global annual revenue from the previous financial year (whichever one is higher). As for CCPA, a non-intentional violation fine can be up to $2,500 per single violation.
- Fine for serious violations. GDPR fines can go up to €20 million (~$22 million), or 4% of the firm’s global annual revenue from the previous financial year. Meanwhile, CCPA can charge up to $7,500 per single violation, while PIPEDA – up to $100,000 CAD per violation.
- Class action. In some cases, consumers may take class action. The fine size can vary depending on the privacy regulation. For example, consumers may get up to $750 per violation in statutory damages under the CCPA.
- Data processing ban. Under some privacy laws, including GDPR, unlawful data handling practices that a company refuses or fails to comply with can result in a temporary or even permanent data processing ban. This could result in a business having to close.
Conclusion
Cookie banners are obligatory for all website owners who use cookies. Various privacy regulations require acquiring consent and informing users about cookie usage. Additionally, it’s obligatory to provide an option to withdraw consent and rectify or delete collected data.
Refusing to comply with data privacy laws can cost businesses a lot of money or even a permanent data processing ban, meaning the company would have to cease operations.
The easiest way to comply with the law and add a cookie consent banner to your website is to get a third-party tool. Shopify owners can utilize TinyCookie it gives you all customization freedom, lets you add the banner to your site in just a few clicks, and automatically collects user consent forms.
Frequently asked questions
Yes, a cookie banner is a legal requirement in many countries. Privacy regulations like GDPR, CCPA, LGPD, APPI, and many more require having a cookie consent banner on your website even if acquiring consent is not obligatory. Failing to provide a cookie consent can result in a warning, fines, or temporary or permanent data processing bans.
Your cookie banner should include a statement informing users that your website uses cookies, a button for consent (for GDPR compliance), withdrawal, and cookie preference management options, and a link to your cookie policy.
The most relevant US state laws that require having a cookie consent banner on your website are California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado’s Privacy Act (CPA), Utah Consumer Privacy Act (UCPA), and Connecticut Data Privacy Act (CDPA).
