Cookie Message Guide and How to Make One

If your website uses cookies and other technology to monitor users, you must provide a cookie notification message. These pop-up boxes or cookie banners inform users about what cookies are active on your website and what kind of personal data your cookies collect.

You can also use them to get users to consent to place cookies on their devices.

Read on to learn more about cookie notification messages, when you need them, and how to create yours. If you’re not quite sure what any of this means, make sure to read our in-depth cookie guide for more information on cookies in general.

Table of Contents

What Is a Cookie Notification Message?
Why Do You Need a Cookie Message?
What Needs to Be in a Cookie Message?
Where Do You Need to Display a Cookie Notification?
How to Create a Cookie Message
Conclusion

Cookie messages on websites refer to the text in the pop-ups or banners that users receive when they go on websites with cookies. They remind users that a website uses cookies and that they have the right to opt out of cookies.

Companies also use cookie pop-ups to get users’ consent to use cookies.

These messages are required by certain privacy and cookie laws, such as the European Union’s General Data Protection Regulation (GDPR).

There are many reasons you need a cookie message on your website.

Whether you’re in the US, the EU, or another country or area, you need to put cookie messages on your site if you’re marketing to people who live in countries or regions with strict cookie laws.

For example, you need to comply with the EU’s GDPR if you target consumers from the European Economic Area (EEA), even if your company and website server are US-based. The GDPR applies to any website that offers services or products to EU citizens or collects personal information from EU citizens.

In the US

Although there are no cookie laws in the US, some states have laws that regulate cookie usage for their residents, such as the California Consumer Privacy Act (CCPA).

There are also some federal laws, such as the Children’s Online Privacy Protection Act (COPPA), that regulate how businesses use cookies in particular circumstances.

The California Consumer Privacy Act (CCPA)

The CCPA protects Californian users’ data from privacy violations. Like the GDPR, it regulates the use of personal information, including cookies.

In contrast with the GDPR, the CCPA doesn’t require an organization to obtain user consent for collecting and processing their personal information. However, the organization must give users the right to opt out of the sale of personal information if it collects and sells users’ personal information to third parties.

Consent is also required for specific circumstances like collecting and using the personal information of minors under 16 and information transfer.

The Children’s Online Privacy Protection Act (COPPA)

Like the CCPA, COPPA protects minors’ right to privacy. It applies to all websites and online businesses that collect, use, or disclose personal information from children and requires you to give direct notices to parents about cookie collection.

Unlike the GDPR, it doesn’t require you to put up cookie messages. However, you must disclose the following in your online privacy policy:

Contact information (e.g., name, telephone number, address, and email address) of all the operators that maintain or collect personal information through your site or service.
Description of the information that the operator collects from children, which should include whether the operator enables children to make their personal information available to the public, the operator’s disclosed practices for this information, and how the operation will use such information.
How parents can review or request to delete their children’s personal information. You should also outline how parents can limit the further collection or use of their children’s data.

In the EU

Cookie messages are required by law by the EU’s General Data Protection Regulation (GDPR) and ePrivacy Directive.

GDPR

The EU’s GDPR is the world’s strictest cookie law. It came into effect on May 15, 2018, and applies to all websites targeting EEA consumers.

Although the word “cookie” is only mentioned once in its 88 pages, the GDPR is a game-changer for cookie usage. Unlike previous privacy mandates, such as the ePrivacy Directive, the GDPR makes it mandatory for websites to get consent from users before putting cookies on their browsers.

For consent to be valid, it must be:

Specific and unambiguous
Freely given, which means it must be given voluntarily
Informed, which means the site must inform the user about cookies before placing them on their browser
Expressed through explicit, affirmative action

This requirement for active consent expressed through clear, affirmative action stands in stark contrast to the EU Cookies Law or ePrivacy Directive of 2002, which allowed passive or implied consent.

Passive consent, also known as browsewrap, is when a website assumes user acceptance of the site’s Terms of Service or Privacy Policy based simply on the fact that the user continues to use the site or service.

Since the user cannot opt out or consent to cookies before the cookies get placed on their browser, the user cannot give valid consent under the GDPR. As such, cookie messages with passive consent do not comply with the GDPR.

ePrivacy Regulation

The ePrivacy Regulation is a revised version of the current ePrivacy Directive — also commonly referred to as the Cookie Law. Like the GDPR, the Regulation operates in the EU but requires compliance from any website or organization targeting EU users.

It’s intended to work with the GDPR to establish the EU’s reformed data protection framework, but it still hasn’t come into effect. When finalized, the ePrivacy Regulation will expand on the GDPR and establish more straightforward rules for cookies.

We don’t know what all these rules will be like yet, but the European Commission has stated that no consent will be needed for cookies that don’t intrude on privacy. These include cookies that improve user experience, such as those used to remember shopping cart history.

Rest of the World

There are also some other countries with similar legislation.

Canada

Unlike California and the EU, Canada doesn’t have legislation specifically regulating cookies. However, cookie regulation is part of Canada’s anti-spam and privacy laws.

According to Canada’s federal Anti-Spam Law (“CASL”), it’s illegal to install any program or software on another person’s computer during commercial activity without first obtaining their express consent.

Like the GDPR, the CASL requires user consent to be obtained in a particular way. A person — defined as any corporation, organization, individual, partnership, trustee, receiver, association, or legal representative — must explicitly state the following before obtaining express consent:

Why you are seeking the person’s consent
The identity of the person seeking the consent

However, the CASL also says that a person is deemed to have given express consent to cookie installation if it’s reasonable to believe that the person has consented through their conduct. Unfortunately, there’s currently not much guidance on what kind of conduct is deemed “reasonable” — the only example provided by the CASL’s regulator is that a person will not be considered to have consented if they have disabled cookies through their browser.

Canadian privacy law (PIPEDA) generally requires consent to collect, use, and disclose personal information. The safest way to obtain this consent is through express, informed consent, such as cookie notifications.

All in all, this suggests that Canada’s cookie regulation is much less strict than what we see in California and the EU.

Singapore

Singapore’s data protection act, the Personal Data Protection Act (PDPA), regulates the handling of personal data and marketing. It establishes how organizations use, collect, and dispose of Singaporeans’ personal data.

Like the GDPR, the PDPA stipulates that you must have user consent before collecting or using their personal data. Therefore, you must include the following details when obtaining user consent:

Reason for handling the users’ personal data.
Any other purpose you have for handling the users’ data that you hadn’t disclosed before.
Upon the users’ request, you must provide the contact information of a person who acts on behalf of the organization requesting the users’ data. This person will have to answer the users’ questions about collecting, using, or disclosing their data.

However, unlike the GDPR, the PDPA accepts implied or deemed consent under certain circumstances. These include:

Deemed consent: consent can be implied or deemed to be given if using, collecting, or disclosing users’ personal data is required to fulfill a contract between the organization and the user.
Deemed consent by notification: companies can deem consent if they provide notification of the purpose behind the collection, use, or disclosure of personal data. At the same time, they must also give the users a reasonable period to opt out. Consent will be deemed given if the users don’t opt out within this period.

Singapore’s PDPA is more similar to Canada’s CASL than it is to the GDPR since it accepts implied or deemed consent.

Your cookie message needs to do the following to comply with the GDPR:

Inform users that the website uses cookies.
List the types of cookies that are present on the website (e.g., essential, functional, marketing)
Give users more information about how the website uses cookies by including links to the site’s privacy policy or cookie policy. It can also contain information about how users can opt out of cookies or change their cookie settings.
Get users’ active consent to use cookies.

For example, The Guardian’s cookie message below does all three of these things.

the-gaurdians-cookie-message

The Guardian’s banner:

Informs users that the site uses cookies. It uses a large, eye-catching font for “It’s your choice.” This prompts the user to read out to find out why there’s a banner and what choice it’s referring to.
It gives users information about how The Guardian uses cookies. The details are under “It’s your choice.”
Gets users’ active consent to use cookies. It does this through the “Yes, I’m happy” and “Manage my cookies” buttons.

To ensure compliance, you need to place a cookie notification message on every page of your website.

If you only place it on your homepage, users who land on another page will not be able to see the notification message. As a result, they won’t know that your website uses cookies, and you won’t be able to get their consent to place cookies on their device.

Creating cookie notification pop-ups from scratch can be difficult, especially if you don’t have the time and energy to ensure your messages comply with the relevant legislation.

Here are some ways you can kickstart your creation of a cookie notification message.

Managed Solution (Recommended)

The most time-saving and secure way to ensure you are compliant with cookie requirements is to get a managed solution like Termly’s Cookie Consent Manager.

Powerful yet easy to use, our Cookie Consent Manager is a browser-based tool that requires minimal effort on your part.

Use Termly to Create a Cookie Notification

Step 1: Enter your website URL into Termly’s scanner
Step 2: We will scan your site and categorize the majority of your cookies
Step 3: We will generate your cookie policy & customizable cookie notification banner

All you have to do is enter your website’s information and press the “Build Cookie Consent” button. We’ll then scan your website for cookies, organize them into appropriate categories, write a custom cookie policy for your company, and generate a cookie consent banner that you can display on your site with ease.

Plugins Solution

If you’re the owner of a WordPress site, consider downloading a cookie message plugin. These tools will give you customizable cookie messages and pop-ups that will help you comply with cookie requirements.

Unlike DIY or templates, plugins already come with coding, colors, WordPress page synchronization, and formatting, so all you have to do is change the text and look to fit your brand.

DIY Solution (Not Recommended)

This option involves writing up the required legalese and coding the notification message display and function by yourself. It is not recommended if you’re not familiar with data privacy laws or coding. If you choose this option, you should consider using a cookie policy template to streamline the process of cookie compliance.

Conclusion

Cookie notification messages are now a requirement under the GDPR, CCPA, and other privacy laws. As such, you need to get together with your team and choose a cookie notification message solution that will help you comply with the privacy laws that apply to your website’s users. This will not only protect you from the backlash of the GDPR, COPPA, CCPA, and other laws, but it will also prepare you for upcoming cookie laws such as the EU’s ePrivacy Regulation.

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

What Is the IAB’s Global Privacy Platform (IAB GPP)?

American Privacy Rights Act (APRA): First Look & Summary

109 Biggest Data Breaches, Hacks, and Exposures as of 2024

New Zealand Data Privacy Act 2020 Explained

Cookie Walls: Are They GDPR Compliant?

7-Step CPRA Compliance Requirements Checklist

CCPA vs. CPRA: What's Different and What's the Same?

CPRA: California Privacy Rights Act

Google Consent Mode vs. Google Additional Consent