A cookie notice is used by websites that deploy cookies to collect user data and helps ensure your business is transparent. It’s a requirement of privacy regulations like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) which protect the rights of website visitors and help build their trust.
Read further to explore what a cookie notice is and what it should include to ensure compliance with regulations like the GDPR or CCPA.
What is a cookie notice?
A cookie notice, otherwise known as a cookie consent banner, is a notification or a statement about the use of cookies on a website. It’s used on websites, apps, and platforms that collect personal user data. A cookie notice informs app or website visitors about what types of data are collected, why, who can access it, and how users can opt out.
What exactly should be included depends on the privacy regulation that the specific business has to follow. While GDPR compliance requires obtaining affirmative consent, the CCPA requires only that an opt-out option be provided.
Is a cookie notice required?
Yes, a cookie notice is a requirement in many regions globally to ensure privacy regulation compliance if your website uses cookies, especially third-party cookies. While exact requirements differ depending on the privacy regulation, for the sake of transparency a cookie notice should be used even where user consent is not required.
For example, under the EU’s GDPR and ePrivacy Directive, you must inform website visitors about the use of cookies and obtain affirmative consent prior to deploying them. Meanwhile, the CCPA doesn’t require cookie consent except for minors, but companies must still disclose what cookies are used.
Cookie notice requirements
Cookie notice requirements are similar across many privacy regulations, but each of them has specific nuances. So, let’s take a deeper look at what a cookie notice compliant with the EU’s GDPR or California’s CCPA should include.
GDPR requirements for cookie notice
Both the GDPR and the ePrivacy Directive require organizations to inform consumers about how their data is used and obtain affirmative consent before activating cookies. This applies to all companies, no matter where they’re based, that process the personal data of European Union citizens.
Here are the main requirements to acquire cookie consent in compliance with the GDPR:
- Freely given consent. According to GDPR Article 14(11), consent must be informed, affirmative, and freely given. This means that the cookie notice must include an opt-in button that the user must click before cookies are deployed.
- Withdrawal option. According to GDPR Article 7, users have the right to withdraw consent whenever they want, and it should be as easy as giving consent. Therefore, a cookie notice should include a withdrawal button.
- Used cookies. GDPR Article 12 states that information on cookie usage should be transparent, concise, and easily accessible to users. So, use the cookie notice to disclose what cookies your website uses.
- The purpose of used cookies. GDPR Article 13 requires companies to disclose the legal basis and purpose of the cookies they use.
- Third parties that add the cookies. If you’re using third-party cookies, you must inform the user what parties these cookies belong to according to GDPR Article 13.
It’s also useful to include a link to your cookie policy under your cookie notice. While it’s not a direct requirement, it supports transparency, and the cookie policy is the core document that explains your cookie usage in full.
CCPA requirements for cookie notice
The CCPA requires companies to disclose what cookies are used, why they’re used, and what data is collected. However, unlike the GDPR, it doesn’t require acquiring user consent.
Moreover, the CCPA only applies to businesses if their annual gross revenue is over $25 million, at least 50% of their annual revenue comes from data selling, or they process the personal data of over 100,000 California residents each year.
Here are the main requirements for ensuring a CCPA-compliant cookie notice:
- Data collection practices. Under the CCPA Section 1798.100, users have the right to know, so the regulation requires disclosing what personal information is collected.
- Reasons for data collection. The CCPA Section 1798.110 states that data controllers must state the purpose for cookie usage.
- The “Do not share” link. Users have the right to opt out of the sale or sharing of their personal information, according to CCPA Section 1798.120. Websites must comply by providing a “Do Not Sell or Share My Personal Information” link.
- Non-discrimination. The CCPA states non-discrimination as a user right. This means that organizations mustn’t prohibit services, access, or otherwise punish users for exercising any of their rights.
- Third parties. It’s required to disclose what third parties are receiving the personal user data if third-party cookies are utilized.
What should your cookie notice say?
A cookie notice should be transparent about cookie usage on the site and the data collection practices. It must be written in simple and clear language so that anyone can understand it.
Here are a few main insights into what you should say in a cookie notice:
- Disclose the use of cookies. Clearly state the fact that your website is using internet cookies.
- Definition of “cookie.” According to a study by All About Cookies, only 46% of Americans know what “cookies” are. So, it’s crucial to explain what they are and what they’re used for.
- Mention what cookies you use. Define the different types of cookies that you’re using, including strictly necessary ones that don’t require consent, third-party cookies, and all others.
- Define the purpose of cookie usage. Many privacy regulations, including the GDPR and CCPA, require companies to be transparent about what consumer data is collected and why.
- Provide opt-out options. Most, if not all, data privacy regulations around the world require businesses to provide users with opt-out methods. This is usually a “reject” button on the cookie notice.
Cookie notice examples
A good cookie notice that’s compliant with privacy regulations will inform website visitors what tracking cookies and other technologies the company is using and why. Let’s take a look at some compliant cookie notices.
The Elle magazine cookie notice is thorough – it explains that cookies are used for enhancing the user experience and mentions what third parties they share the data with. The cookie notice also includes management options for specific types of cookies and ensures that the user is informed of what each of them means.
The Jack & Jones cookie notice is shorter but still helps you understand what you’re agreeing to. It provides the legal basis for processing and what happens when you accept cookies. The “Cookie settings” section explains the types of cookies in detail. For more information, users can access the privacy or cookie policies straight from the notice.
TinyCookie lets you manage cookie preferences and explains why cookies are used in plain and simple language. You can read what each cookie type means and select which ones you want to accept or reject.
There’s also an “Accept required only” button, which does the same as the “Reject all” button, because strictly necessary cookies cannot be disabled. So, TinyCookie ensures that consent is as easy to decline as it is to accept.
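As an added example (not TinyCookie’s code and not from the original page), the following JavaScript shows the behaviour described in the GDPR requirements above and in the TinyCookie description: no non-essential cookie is written until the visitor opts in, strictly necessary cookies are always allowed, “Accept required only” is the same decision as “Reject all”, and withdrawal is a single call that also removes the cookies it covers. The cookie jar is an in-memory stand-in constructed for this example so it runs under Node; in a browser it would wrap document.cookie. The ConsentManager name, the category list, the consent cookie name and the sample cookie names are all assumptions.

```javascript
// Added example: a consent-gated cookie manager (not TinyCookie's code).
// Categories are an assumption; "necessary" is always allowed and never needs consent.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const OPTIONAL = CATEGORIES.filter((c) => c !== "necessary");
const CONSENT_COOKIE = "cookie_consent"; // stores the visitor's decision; itself strictly necessary

// Constructed in-memory cookie jar so the example runs outside a browser.
// In a page this would wrap document.cookie (set with an expiry, remove with Max-Age=0).
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  remove(name) { this.store.delete(name); }
}

class ConsentManager {
  constructor(jar, now = () => Date.now()) {
    this.jar = jar;
    this.now = now;
    this.registry = new Map(); // cookie name -> { value, category }
    // Restore an earlier decision if the consent cookie is present.
    const saved = jar.get(CONSENT_COOKIE);
    this.decision = saved ? JSON.parse(saved) : null; // null: no decision yet
  }

  // Strictly necessary cookies are always allowed; everything else needs an opt-in.
  allowed(category) {
    if (category === "necessary") return true;
    return this.decision !== null && this.decision.choices[category] === true;
  }

  // Register a cookie with its category. It is written only once its category is
  // allowed, so calling this before the visitor decides does not deploy the cookie.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    this.registry.set(name, { value, category });
    if (this.allowed(category)) this.jar.set(name, value);
    else this.jar.remove(name); // also clears a stale value left from an earlier consent
  }

  // Record a decision for the optional categories, persist it with a timestamp
  // (so the consent can be demonstrated later), and apply it to every registered
  // cookie: write the allowed ones, remove the rest.
  decide(choices) {
    const normalized = {};
    for (const c of OPTIONAL) normalized[c] = choices[c] === true;
    this.decision = { choices: normalized, at: this.now() };
    this.jar.set(CONSENT_COOKIE, JSON.stringify(this.decision));
    for (const [name, { value, category }] of this.registry) {
      if (this.allowed(category)) this.jar.set(name, value);
      else this.jar.remove(name);
    }
    return this.decision;
  }

  // The banner's buttons. "Accept required only" and "Reject all" are the same decision.
  acceptAll() {
    return this.decide(Object.fromEntries(OPTIONAL.map((c) => [c, true])));
  }
  rejectAll() { return this.decide({}); }
  acceptRequiredOnly() { return this.rejectAll(); }

  // Withdrawal is one call, as easy as accepting was, and removes cookies already set.
  withdraw() { return this.rejectAll(); }

  // Snapshot for a "cookie settings" panel: which categories are currently on.
  status() {
    const s = { necessary: true };
    for (const c of OPTIONAL) s[c] = this.allowed(c);
    return s;
  }
}

// Walk-through with constructed cookie names; returns the observed jar contents.
function demo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar, () => 0);
  cm.setCookie("session_id", "s1", "necessary"); // written immediately
  cm.setCookie("_analytics", "a1", "analytics");  // held back: no consent yet
  const before = jar.get("_analytics");           // undefined
  cm.acceptAll();
  const afterAccept = jar.get("_analytics");      // "a1"
  cm.withdraw();
  const afterWithdraw = jar.get("_analytics");    // undefined
  return { before, afterAccept, afterWithdraw, session: jar.get("session_id") };
}
```

The same gate should control the loading of third-party scripts, not only first-party cookie writes: once a third-party tag has run, removing its cookie client-side does not recall data already sent, so the tag itself must not be injected until its category is allowed. Persisting the decision with a timestamp is what lets the site show later that consent was given, and a withdrawal simply overwrites that record.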
Frequently asked questions
No, a cookie notice is a statement used to inform users about the use of cookies on a website. It’s usually placed at the bottom of any page of a website and includes accept or reject buttons. Meanwhile, a cookie policy is a legal document that discloses cookie usage and data collection practices.
If your website uses cookies and stores any information on the user’s device, a cookie notice is necessary to ensure compliance.
The US doesn’t have federal laws concerning cookie usage. However, there are several state-level laws, such as the CCPA, CPA, and UCPA. Regulations like the CCPA don’t require user consent except for sensitive data or data of minors. However, the CPA, UCPA, and some others require obtaining explicit consent.
According to the Information Commissioner’s Office, under the UK GDPR, businesses must inform users about the use of cookies on their websites and obtain active consent.