Ever think about the text on a website’s pop-up cookie banner? That phrasing, or how you explain to visitors that your website places internet cookies on their browsers, is what people mean by “cookie text.”
Turns out, how you write your cookies text is vital, especially if your business needs to comply with any applicable data protection laws.
So join me while I explain what cookie text is and how to write one for your website to keep people adequately informed while meeting relevant legal obligations.
What Is Cookie Text?
A cookie text is the phrasing website owners use to inform visitors that it places internet cookies on their browsers.
Usually, this text appears on a pop-up or cookie banner and may also feature:
- An ‘Agree’ button
- A ‘Decline’ button
- A ‘Customize’ or ‘Preferences’ button
- A live link to the site’s cookie policy
- A brief explanation of why the site uses cookies
Cookies text is different from a cookie policy — a legally required document that lists the different types of cookies a site uses and their purposes. These policies also usually explain individuals’ rights over controlling the cookies and provide instructions for how to opt in to, decline, customize, or delete them.
But because of the nature and purpose of a cookie text, it’s common for businesses to reference the policy and link to it on their consent banners or pop-ups.
Which Laws Require Cookie Text?
A well-written cookie text helps your website comply with applicable data privacy laws, so you must write yours in a way that meets all obligations outlined by the pieces of legislation that impact your business.
In this next section, I’ll explain what your cookie text must look like based on some of the most prevalent data privacy laws worldwide.
General Data Protection Regulation (GDPR) Cookie Text Requirements
Under the GDPR, cookies qualify as personal information and are subject to legal requirements.
You need proper cookie text, and your consent banner must provide users in the European Union (EU) and the European Economic Area (EEA) with adequate opt-in and opt-out rights.
However, your website users cannot exercise their right to accept or reject cookies effectively without knowing what cookies are used, what personal data is collected, and how it is used.
Therefore, the GDPR outlines the following obligations regarding cookies and your cookie text:
- Inform users that your site uses cookies, and provide a list of each one used.
- Request and obtain active opt-in consent from users before placing any cookies on their browsers (except for strictly necessary cookies).
- Do not place cookies on browsers if users don’t actively opt into consent.
- Provide a way for users to withdraw consent or change their minds at any time, and it must be as easy as giving their consent.
- Document and keep proof of your users’ consent choices.
- Periodically renew their consent regarding your use of cookies.
Below, see an example of what a GDPR-compliant cookie text looks like.
The next screenshot is an example of what your preference center might look like for users.
California Consumer Privacy Act (CCPA) Cookie Text Requirements
The CCPA also considers internet cookies a method to collect personal information.
While the CCPA does not require websites to display cookie banners to website users, businesses can satisfy key CCPA requirements more easily by using cookie banners.
Consent banner for advertising cookies
Under the CCPA, third-party behavioral advertising cookies may be considered a sale of personal information and require consent.
Therefore, websites can obtain consent from the website users via a cookie banner to comply with the CCPA and document their compliance with the CCPA’s rules concerning the sale of personal information.
Analytics cookies
Under the CCPA, using analytics cookies may also be considered selling personal information.
However, if a “consumer uses or directs the business to intentionally disclose personal information,” it will not be considered a sale.
Therefore, obtaining consent to analytics cookies via a cookie banner will reduce the risk of non-compliance with the CCPA.
Below, see a sample of what a CCPA-compliant cookie text looks like.
Colorado Privacy Act (CPA) Cookie Text Requirements
Cookies are also considered personal information under the Colorado Privacy Act (CPA).
The CPA requires that businesses obtain affirmative prior consent from consumers for the following processing activities:
- Sensitive data or personal data concerning children
- Selling a consumer’s personal data
- Processing a consumer’s personal data for targeted advertising
- Profiling (following a consumer opt-out)
- Otherwise processing personal data for unnecessary or incompatible purposes
When you use cookies to collect and process data that falls under these categories, you can obtain CPA-compliant consent by using a cookie banner.
However, the consent must be “specific,” “informed,” and through an “affirmative action.”
Therefore, you need to present website users with clear information about what data is collected and for what purposes it is used for the above-mentioned processing activities.
You must use certain language in your cookie text to meet the requirements outlined by this U.S. state law.
Under the CPA, your cookie text must:
- Inform users that your site collects cookies and present them with a cookie policy
- Provide an opt-out mechanism for targeted ads and the selling of their personal data
- Provide opt-in consent requests to collect sensitive personal information
- Provide opt-in consent request to collect data from a known child
Below, see an example of what a CPA-compliant cookie text looks like.
Connecticut Data Privacy Act (CTDPA) Cookie Text Requirements
Under the CTDPA, cookies are personal information, so when you collect sensitive data and need to obtain consent, you must write your cookie text in a specific way for compliance.
The CTDPA is another U.S. state law requiring you to provide consumers with an opt-out mechanism concerning specific internet cookies. Opt-in consent is unnecessary unless you want to collect sensitive information or data from known children.
Your CTDPA cookie text must:
- Explain that your site uses internet cookies and present users with a cookie policy
- Give users a mechanism for opting out of cookies used for the sale of personal information
- Provide an opt-in consent option if you want to collect sensitive personal information
- Provide an opt-in consent option if you’re going to collect data from known children and use this data for targeted advertising
See a great example of a cookie text that complies with the CTDPA below.
Virginia Consumer Data Protection Act (VCDPA) Cookie Text Requirements
The VCDPA defines personal data as “any information that is linked or reasonably linked to an identifiable or identified natural person.”
Therefore, the use of cookies may also fall under the scope of the law, and websites may need to comply with the VCDPA’s transparency and consent requirements.
Under the VCDPA, websites must:
- Provide a mechanism for opting out of the sale of personal information
- Obtain consent for the collection and processing of sensitive data
- Obtain prior consent for precise geolocation information
To use cookies under the VCDPA, you must follow strict legal requirements that impact the cookie text on your consent banner or pop-up.
Below is a sample of a VCDPA-compliant cookie text.
How To Add Cookie Text to Your Website
You can easily add cookie text to your website using Termly’s cookie banner generator — which you can configure to meet consent requirements outlined by data privacy laws in 70+ regions.
As part of our Consent Management Platform, our generator creates a compliant cookie text for you but allows you to customize and change it as you see fit.
If you decide to change the cookie text, follow these tips:
- Use clear, straightforward language that is easy for all website visitors to understand.
- Don’t use unnecessary jargon or legalese, as this language tends to confuse people.
- Explain your users’ choices over the internet cookies and provide instructions for how to act on those choices.
- If you only use essential cookies (which don’t always require user consent), clearly say so in your cookie text.
- Add a live link to your cookie policy so your users can make an informed choice about whether they agree to your use of cookies.
- Follow all opt-in and opt-out requirements based on applicable laws and regulations.
Below, see a sample of one way you can configure your Termly consent banner to comply with the GDPR.
Our Pro+ members can set up regional consent preferences, so users in locations with different data privacy laws are presented with a compliant consent banner.
You can get started right now by scanning your website below:
Cookie Text FAQ
Want to know more about cookies and cookie texts? Check out the answers to these frequently asked questions!
Do cookies collect personal data?
Yes, some cookies collect personal information about users. And all cookies contain something called a cookie identification (ID), which is a unique number that can identify an individual.
Third-party cookies, for example, are often used to track your behavior across other sites.
However, strictly necessary cookies (sometimes called first-party cookies) typically don’t collect personal information about users and instead are there to help the website function properly.
What is cookie text?
A cookie text is the phrasing that appears on a website to inform users that the site places internet cookies on their browsers and sometimes explains what controls they have over them.
It usually appears on pop-ups and cookie banners.
It also typically includes a live link to the site’s cookie policy, which expands upon the cookie text by presenting the user with more specific and comprehensive details.
Why do websites need cookie text?
Websites need a well-written cookie text to inform visitors about what internet cookies it places on their browsers and what controls they have over those cookies. This can help your business meet legal requirements outlined by applicable data privacy and protection laws.
Regardless of the law, being honest with your users about what cookies your website uses is also just the right thing to do, and it helps build and maintain trust with your consumers.
Is cookie text legally required?
While data privacy laws don’t explicitly say you need a cookie text, writing one helps you meet some of the legal requirements outlined by those pieces of legislation. This means a properly written cookie text is essential for businesses that need to follow laws like the GDPR, the CCPA, the VCDPA, and others.
How do I implement cookie text on my website?
You can implement cookie text on your website using a comprehensive, reputable Consent Management Platform with a pop-up cookie banner. Termly’s software writes the text for you, and you can configure it to meet several data privacy laws.
Another (non-Termly) option you have is to manually create a banner and write your own cookie text. If you do, make sure it clearly states that your site uses cookies, and consider including a link to your actual cookie policy.
Summary
You now have all the information you need to write proper cookie text for your website’s pop-up or consent banner based on applicable data privacy laws. That’s great!
Remember, when making cookie text, use simple language, be clear about your use of internet cookies, link to your cookie policy, and provide users with the appropriate choices based on the regulations that apply to your business.
Why not make it extra easy on yourself? If you use Termly’s CMP to create cookies text for your platform, you can set up regional consent settings to account for multiple data protection laws.
More about the author
Written by Ali Talip Pınarbaşı, CIPP/E, & LLM
Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London. He has three years of experience in advising businesses on how to comply data protection laws. More about the author
