How To Create GDPR Compliant Cookie Consent Notices


20 min remaining

The following article explains the General Data Protection Regulation and ePrivacy Regulation (The Cookie Law), California Consumer Privacy Act, and their implications for you. 

Today’s websites use many online tracking tools and active cookies to keep track of their visitors. 

You will need to show a popup warning about cookies when you have visitors from California or the EU.

You won’t be subject to penalties of more than EUR20 million.

Do not be afraid to ask questions! There is still so much to do. Let’s get started!

A cookie on the internet is a file that stores personal data about a user.

What is Cookie Consent?

There are three types of party cookies and three kinds of primary cookies. These are described and illustrated below.

1. First-Party Cookies

First-party cookies are cookies that are set by the domain where the user is currently logged in.

We collect your behavior data whenever you click on Popupsmart.com. This is to provide you with an exceptional user experience.

First-party cookies are designed to enable customization and enhance user experience. Most browsers consider them trustworthy by default.

These permit site owners to:

  • Collect analytical data
  • Remember language settings,
  • Login without entering any user information
  • Display the items that have been added to your shopping basket before.

2. Third-Party Cookies

Third-party cookies are cookies created by domains other than the one a visitor is currently visiting. These cookies can be used primarily to track visitors and for digital advertising.

It will create third-party cookies if you have had a chat via a live-chat popup. It will remember your name and the conversation the next time you visit the same website.

Third-party tracking can also be used to collect data from you when shopping on Amazon. You’ll see ads for similar products to the ones you have viewed previously.

These services may also collect cookies

Third-party and first-party cookies are the same. Both collect the same information and serve the same purpose.

3. Cookies for Second Parties

These are second-party cookies that are sent from one company to another via data partnership.

A simple example: To target their audience’s browsing habits, a hotel chain could purchase first-party cookie data from an airline company.

It’s ethical not to sell or get data from third parties.

4. Cookies for Session

Sessions Cookies keep information about your session and disappear when you close your browser.

They are less likely to raise privacy concerns and fall under the “strictly necessary” category.

You can delete session cookies by closing your browser after you log off from your bank’s website.

5. Permanent cookies

Permanent cookies are cookies that are permanently stored on your device’s computer. They cannot be deleted even if you close your browser. “

These cookies raise privacy concerns.

These cookies are used to personalize user experiences, analyze return visitor behavior and advertise the right prospects. Permanent cookies store information for an indefinite time.

6. Browser Independent Cookies

Browser-independent Cookies work in the same way as permanent cookies but are saved in your browser.

Instead, they are stored in separate program files which makes it difficult to delete them unless an additional cookie remover is installed.

Inform new users about browser-independent cookie use on your site and get their consent

Cookies can raise privacy concerns.

Websites may track cookies to gather information about browsing habits, and see which products are being viewed.

Users find cookies very helpful. Cookies allow service providers and e-commerce sites to quickly reach potential customers and tailor their advertising messages to their browsing habits.

Internet users also love it because they have a great experience with personalized ads, service solutions, and other services. 

Website owners can violate the rights and property of users to make a profit.

The Regulators believe internet users should understand cookies and how they are used. 

What is strictly necessary? Cookies?

Not all cookies are bad. Some cookies can be essential for proper website functionality.

Regulators know this and will delete cookies that are “strictly necessary” to fulfill the requests of website visitors.

Online retailers must strictly follow the cookie usage policy.

It’s unclear what cookies are required to do. This may be considered fulfilling customer expectations.

These cookies are used to store items in the shopping basket if the customer does not want them. However, they can still be viewed on their previous visit

Another way to do this is to make it easier for users to log in to the website. 

Let’s look at what constitutes cookie popups as compliant or non-compliant according to privacy regulators.

Once a visitor visits your site, you only need to get cookie consent. Each visit will not require additional permissions.

This will allow you to check that the cookie consent popup created by you meets the requirements. Please include the following information:

  • Information about data types is provided.
  • It is necessary to be clear about the purpose of cookies
  • The use of tracking technology on a site.
  • Request for consent to cookies in the browsers of users
  • Indicate clearly what action will be taken to obtain consent.
  • Include a link to your Cookie Policy. This policy contains information about cookie usage, purpose, and any third-party actions.
  • Users can choose to accept or decline various types of cookies.
  • Users can make any changes they wish.
  • Users have the right to withdraw their consent at any moment.
  • Record the evidence and send it to be safely stored.

You must renew your visitor’s consent to use the cookie by the ePrivacy Directive.

Cookies are not allowed to be installed without consent under cookie laws. It is recommended that you use a script to block cookies until consent has been obtained.

It doesn’t mean you have to follow these rules. Popupsmart has many cookie consent popup templates that are ready for use.

You should post a comprehensive cookie policy on your website to avoid legal problems or pay large fines for cookie laws.

These articles can help you make sure that your cookie policy complies with all applicable laws.

  • Please explain the purpose of cookie installation.
  • Indicate and describe the type of cookies installed.
  • All languages can be found on the website.
  • Indicate third parties that can install cookies.
  • Add a link to third-party policies.
  • Display opt-out forms
  • Information about how users can withdraw consent.

The General Data Protection Regulation, also known as the GDPR, was implemented on 25 May 2018.

The GDPR represents the most significant initiative in online data privacy for over 20 years. The 1995 law on the protection of personal data dates back to 1995.

GDPR gives clear guidelines about how personal data should be handled. Websites that don’t comply with the rules are subject to severe penalties, including fines of up to EUR20M and 4% of global revenue.

It is the main purpose of GDPR to keep EU legislation up-to-date with the digital age and give users control over their personal information.

The GDPR has strict requirements for data handling, transparency, and documentation.

Websites that are located in the European Union or have EU citizens as visitors must comply with

Users must consent to cookies before any other cookies can be set. 

You will need to make changes to your website’s privacy policies (also called cookie policies) for them to be accurate and transparent.

Popups are no longer compliant with the GDPR.

What does “Personal Data” mean under GDPR?

GDPR refers to personal data that can be directly linked to a person. This includes photos, names, and email addresses.

Any cookies that track or identify you must be deleted immediately. 

All cookies that store personal information is subject to the new regulations.

  • Analytics cookies
  • Advertising cookies
  • Cookies provide functional services like chat tools and survey results.

What data records should cookies have?

All cookie data must be correctly recorded. These items must be added to the cookie’s folder by the cookie laws.

  • Name your company
  • Contact information for your business
  • Description for each subject in the cookie data.
  • There is a variety of categories that receive data.
  • The time limit for deleting data
  • Security measures are taken during data processing

What is a Data Protection Officer under GDPR?

Not every organization has to have a data protection officer. It all depends upon the data being collected.

Contact a data protection officer if you’re interested in protecting your data.

  • Search engines can use personal data to promote products and services. You can also reach target audiences by using web user behavior.
  • Personal data can be used for genetics and hospitals.

A data protection official is not required, but

  • Send an advertisement to customers once a year to promote your local business.
  • Collect the medical records of your patients as a general practitioner.

Cookies, ePrivacy Regulations (CPR) and

The ePrivacy Reg (or ePrivacy Directive) was created to provide guidelines and expectations for digital privacy.

It is similar to the GDPR in scope and requirements, but also provides additional protections for electronic communications. 

In 2018, the Cookie Law was passed and made a regulation. Cookie consent popups started appearing on many websites as a result.

The Cookie Law (and also the GDPR) are significant EU laws that have a significant impact on consent banners for cookie tracking and marketing.

According to the Directive, all websites must request a cookie disclaimer from their visitors about how they place cookies in their browsers.

Consenting users must also have the ability to withhold or refuse consent.

A user can opt out of consenting to cookies, but you can keep their cookie data and not collect further information on subsequent visits

You are also prohibited from managing third-party cookie consent directly according to the Cookie Law. This responsibility must be shared with third parties.

Provide links to policies from third parties to simplify the process Indicate the purposes and categories of these third-parties

Consent must be freely given. Permission can be null if coercive methods are used.

Cookies not required by cookie regulations can be exempted.

  • Technical cookies, such as preference and session cookies, are known as
  • Websites can manage statistical cookies.
  • Third-party anonymous statistical cookies, such as Google Analytics or Google Tag Manager.

The Cookies Law does not require consent records to be kept. However, it does state that you must be capable of proving that you have received consent from users before installing cookies. 

It’s a requirement under the cookie law that users are informed before cookies can be stored on their devices and tracked.

Cookies’ consent must be based upon affirmative action, such as browsing, clicking, or scrolling.

Please give specific details about how cookie data will be used over time.

Visitors must refuse to accept cookies by setting them up.

Even though consent is not mandatory, the law requires that records be kept to prove that permission was obtained.

It’s important to provide an option for informed consent or for withdrawing consent.

You must mention the purpose of cookies and their category, but it is not mandatory to list them all separately.

The cookie consent banner (or ) is a warning message displayed when a user visits a website. It asks for consent to collect data and warns them about possible consequences. 

This banner informs users of cookies and lets them opt out of collecting data.

Cookie consent banners can be used to inform website visitors and try to get their permission to set cookies.

Websites should display cookie consent banners to comply with the EU ePrivacy Directive.

The EU Court of Justice states that your website must not include any checkboxes for cookies of any type, except strictly necessary.

Cookies and CCPA

The California Consumer Privacy Act, (CCPA), is a shorter version of the GDPR. This protects a limited number of US citizens against the sale and collection without their consent.

The CCPA will take effect on January 1, 2020.

The federal government does not participate in the development and implementation of privacy laws online. The States have been very strict about this matter.

California’s state regulators have passed legislation that will be binding beginning in 2020. This creates cookie obligations.

California residents need to be informed about cookie practices by their companies.

Website visitors have the right of requesting that website owners not sell their personal information to third parties. 

Penalties for non-compliance could range from $2.500 to $7.500 per violation.

Companies must provide information when they exceed a specified user base or revenue threshold.

  • What personal information are they collecting?
  • They plan to use the data in a specific way.
  • Cookies may also be shared with third parties
  • Reasons to disclose third-party cookies

According to CCPA, all businesses providing service to Californians must include a link to their website with the title “Do Not Sell Me My Personal Data.” Customers should not be required to create an account to use the link.

Customers have the option to opt-out of data distribution by not having to pay any additional fees, depriving customer support, or offering a lower level of service.

Customers can access personal data collected by the company over the past 12 months and request a copy.

Website users have the right to request the deletion of their data.

Customers under 16 years old cannot have their personal information sold by businesses unless they have permission from their parents. 

Official CCPA Law

What are the CCPA regulations responsible for?

According to the CCPA, a business is any legal entity, partnership, or company that is managed to benefit its stakeholders.

To be bound by CCPA, a company must meet at minimum one of the following attributes:

  • Earn more than $25,000,000 in annual income
  • You can earn 50% or more by selling the personal information of customers.
  • Californians have the right to buy, sell and receive their personal information every year.

Businesses that don’t meet these requirements are not eligible for the CCPA. If your company has common branding, however, compliance with the CCPA is required.

What is Personal Information in CCPA?

Personal information is defined by the CCPA.

“Information that identifies, relates to, describes, or could reasonably have been associated with a specific consumer, household, either directly or indirectly. “

Personal information may include:

  • Data such as voice recordings, fingerprints, DNA, and other biometric data.
  • Information about personal characteristics, religion, and sexual preferences.
  • Geo-locational information such as browsing history and location history via devices.
  • Identifier data, such as IP addresses and account names, cookies, and pixel tags.

How can you create a CCPA-compliant privacy policy?

You must keep your privacy policy current and include the following information to comply with the CCPA

  • This article will explain what customer rights are, and how they can be exercised.
  • This list contains the categories of personal information that your website collects and sells.

Every year, it is necessary to keep the list of personal data types up-to-date.

What’s the Difference Between GDPR & CCPA?

While the CCPA can be viewed transparently, the GDPR can be regarded as preventive.

According to the GDPR, personal data can only be collected if the visitor consents. The CCPA does not require consent, but the user can request the disclosure of or deletion of their data.

The two main differences between GDPR & CCPA are the opt-out option and the need for prior consent.

The GDPR requirements cover a larger area. While GDPR seems to only affect European websites, it can also apply to any websites offering services to European customers. But, CCPA laws are only applicable to websites that sell Californians’ personal information.

EU data protection authorities can investigate websites that are not in compliance. The Attorney General can initiate investigations into violations of the CCPA.

The EU’s data protection framework is the GDPR, which is a more comprehensive privacy legislation. This contrasts with CCPA, which is a smaller and more sectoral law.

Website Privacy Audit

How you collect consent from visitors is affected by the General Data Protection Regulation (CCPA), California Consumer Privacy Act(CCPA), and ePrivacy Regulation (ePR). 

Your website must have a system to manage consent to cookie usage. First, identify the cookies that are on your site and then evaluate their compliance.

You can use free tools to check if your website is compliant with online tracking.

  • Cookiebot
  • Osana
  • Privacy audit
  • One Trust
  • Euro Privacy

How to make your site law-compliant infographic

We are passionate about sharing our knowledge with visitors. Information Graphics can be a great way for your website to comply with cookie laws.

Visitors may be confused, irritated, and concerned if they’re made aware of the cookie policy

I can guarantee you that heavy penalties are worse than losing visitors who don’t respect your privacy.

A lot of well-known companies display a popup notifying users that they have consented to cookies. Here are some examples.

1. Google

Google enables its users to get the most accurate information about cookie usage by asking them to review their cookie policy

2. Jet Brains

JetBrains chose to display a text-only prompt that offered balanced options for opting in and out.

3. Nielsen

Nielsen Norman Group has grouped all of its cookies into one popup. However, you can also opt out of certain cookies by clicking on this popup. You can disable other types of cookies with just a few mouse clicks. 

4. MailChimp

MailChimp tabbed Cookies into groups and allows its users to opt out of any group that they don’t require.

5. Daily Mesh

Daily Meshing lets you set privacy settings to allow certain types of cookies. Two options are available: Accept All or Reject All.

6. Indie Web Camp

Indie Web Camp displays cookie settings in a dashboard. It also explains cookie usage patterns and increases transparency in data collection.

7. Fandom

Fandom shows a popup asking users to consent to cookies when they first visit the site. The popup informs visitors what cookies are being used and why.

8. Jamie Oliver

Jamie Oliver defaults on all options Visitors can modify cookie usage settings and even turn them off.

9. Iamsterdam

Iamsterdam allows its visitors to change their cookie settings. It also explains what cookies are and the differences between them.

10. Osano

Osano has created a tab cookie popup that allows website visitors to modify their cookie consent levels however they wish.

11. Cookiebot

Cookiebot offers a banner that allows website users to view detailed information on cookies without having to visit the cookie policy page.

About the author

Kobe Digital is a unified team of performance marketing, design, and video production experts. Our mastery of these disciplines is what makes us effective. Our ability to integrate them seamlessly is what makes us unique.