Cookie Warning Notice: Do You Need One On Your Website?

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: May 27, 2025


Cookies or “HTTP cookies” are small fragments of data created by the websites you visit that get saved as text files.

While they’re fundamental to any website, cookies do raise some privacy concerns, and as a result, some countries established cookie warning laws requiring safeguards to be put into place to ensure user privacy.

Below, I describe what a cookie warning is, the laws that impact them, and whether your website needs one.

Table of Contents
  1. Why Does Every Website Warn You About Cookies?
  2. What Is the Purpose of a Cookie Warning?
  3. Does Your Website Need a Cookie Warning?
  4. Tips on Setting up a Cookie Warning
  5. Conclusion

Why Does Every Website Warn You About Cookies?

Cookies have existed ever since the Internet was created, and nearly every website shows a cookie warning, including retailers like Amazon and Apple.

Why? The answer is simple: Privacy laws. 

Europe’s General Data Protection Regulation (GDPR) introduced much stricter data privacy rules, regulating personal data collection, processing, and sharing, which also impacts cookies.

Once the GDPR went into effect, companies and jurisdictions worldwide hurried to ensure compliance with the new data privacy laws for all their users around the globe, which included using a cookie warning notice.

In the United States, laws like the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA) affect internet cookies and warning notices.

Because laws like these exist all over the world, it’s common to see websites using cookie warnings to meet their requirements.

What Is the Purpose of a Cookie Warning?

The purpose of cookie warnings is to align with privacy laws, enhance transparency, and build trust between users and websites.

If an Internet cookie can identify an individual through their device, the website needs a cookie warning to facilitate obtaining proper user consent.

When an individual lands on a web page, a cookie warning pops up requesting their consent to deploy certain cookies or other trackers on their browsers.

If privacy laws protect that individual, using a consent warning notice like Termly’s enables you to present that user with a proper banner that aligns with the requirements of those laws.

In essence, the cookie banner is an agreement between a website or app and its visitors. This contract aims to inform visitors about any potential third-party tracking and foster more transparency across the internet.

Does Your Website Need a Cookie Warning?

Yes, your website should have a cookie warning, especially if it uses cookies or other trackers — you can check if your website needs a cookie warning by using our cookie scanner.

It’s important to have a cookie warning to meet the obligations of applicable data privacy laws.

For example, if you have customers or users based in the EU, or your company is located or based in a jurisdiction with cookie laws, you most likely need to include a cookie warning.

If you don’t have one, you could get fined for violating the law.

Here’s a look at the EU’s law regulating cookie usage, what happens if you fail to comply, and what it means when someone chooses not to consent to cookie usage.

Cookie Warning Law Summary

The GDPR was initiated as a directive from the European Union. Under these directives, several requirements have been placed on the collection of cookies for tracking users.

For help complying with the fundamental guidelines, follow these steps:

  • Step One: Know the types of cookies — essential and nonessential — that your website or app uses and what categories these cookies fall under.
  • Step Two: List all cookies in both the privacy policy and cookie policies of the website or app.
  • Step Three: Inform users about the cookies being used on the website or app, explaining them in explicit, GDPR-compliant, cookie warning language.
  • Step Four: Only activate nonessential cookies if a user authorizes their use.
  • Step Five: Give users the option to withdraw or alter their cookie preferences at any given time.
  • Step Six: Maintain consent logs of user cookie preferences.

If you want more info on the GDPR’s cookie requirements, check out our GDPR cookies guide.

Exemptions

Not all cookies fall under the scope of the GDPR; those that are exempt are referred to as essential cookies.

Essential cookies are fundamental for the smooth working of a website. But what counts as a “strictly essential” cookie remains somewhat ambiguous.

The guideline provides that strictly essential cookie types won’t stand in the way of any technical storage or access for solely transmitting a communication over a network.

That’s why these cookies are exempt: they’re strictly necessary for a website to provide the information or content that users have requested.

For example, exemption applies if you own an e-commerce site that uses a session cookie that allows users to place items in their cart during their time on the website.

It also applies if you rely on a load balancing cookie to allocate your network traffic over a range of servers when the primary function of such a cookie is to identify one of the servers.

Record Keeping

Furthermore, although the cookie warning law doesn’t explicitly require you to keep records of consent, cookies collect and process user data most of the time, which is why they fall under the GDPR’s record-keeping requirements.

Cookie warnings aren’t mandated to list out every cookie used, though — just their type, usage, and purpose need to be stated.

If your website also uses third-party cookies, you need to ensure that users are informed of these third parties, directing them to the respective privacy and cookie policies.

Consent

Notably, you must obtain a user’s consent the first time they visit your website.

There’s no obligation to ask repeatedly for permission after the initial cookie warning — once a user has granted authorization, you can safely assume that they consent to the continuous use of such cookies.

However, if your website uses third-party cookies, it would be better to obtain new consent each time a new third-party cookie must be activated.

Nevertheless, even after permission is received, you will still be required to provide your cookie policy, which should include the types of cookies used and how they are used.

You can learn what else you need to include in your cookie policy using Termly’s cookie policy template or quickly create one using our free cookie policy generator.

Lastly, the GDPR requires that consent be voluntarily given by the user to be classified as valid. Any use of coercion to obtain consent may render it invalid.

What Happens if You Don’t Use a Cookie Warning?

Violating the GDPR’s cookies law can result in penalties in the form of monetary fines of up to €20 million ($21 million), or 4% of the company’s worldwide turnover for the preceding financial year—whichever is higher.

The maximum penalty will typically be imposed if the violation is deemed intentional, causing significant distress to the user.

For example, in 2014, a Dutch public broadcaster was fined $29,000 for failure to comply with cookie laws set by the Netherlands Authority for Consumers and Markets.

The broadcaster’s negligence in implementing a compliant consent mechanism resulted in the imposition of the fine.

What if a Visitor Doesn’t Accept Your Cookies?

If a user doesn’t accept your cookies, then their request needs to be honored.

That doesn’t, however, mean that they get entirely restricted from the website.

If your website can still be accessed without non-essential cookies, users should be granted access to that extent. This could mean providing content that may not be entirely relevant or a less personalized experience.

For websites requiring usernames and passwords, users would have to enter their credentials manually every time they access your website.

Tips on Setting up a Cookie Warning

Cookie warning laws do vary, but they’re generally quite similar.

Here are some fundamental obligations that are identical in nearly all laws and should get integrated into your website.

1. Add A Voluntary Consent Button

Adding a voluntary consent button gives users a choice to opt out of cookies, better aligning your site with privacy laws.

For example, several laws require you to obtain active consent from users to deploy cookies on their browsers. This essentially requires that users have an option to opt out of the use of their data as well.

Note: this doesn’t mean that users can be entirely restricted from accessing the website by declining the use of cookies.

Also, the opt-out option should be as convenient and easy to use as the opt-in feature.

2. Use Boxes That Have Not Been Pre-checked

To properly comply with laws like the GDPR, all checkboxes in the cookie warning must be blank when presented to website visitors.

If they’re pre-checked, it’s considered a violation of the GDPR.

The rationale here is that a user’s informed consent must be obtained freely and without using any coercive or deceptive methods — pre-checked boxes go against this.

The Federal Supreme Court reinforced this position in the Planet49 decision.

3. Enable Selective Cookie Usage

As part of obtaining the user’s informed consent, a website visitor or app user must also be allowed to select the type of cookies they authorize and the ones they don’t, so provide them with a preference center to make these choices.

In addition, they need to be informed of the various types of cookies used by your website or app and be given the option to choose the ones they want to activate.

Termly’s Cookie Consent Manager can help you ensure that your cookie warning and its selective cookie usage options are GDPR compliant.

4. Avoid Implied Consent

A user ignoring your cookie warning — or simply clicking an “OK” button — and continuing to browse does not count as consent to your cookie usage.

Cookie warnings that are only for informational purposes and don’t allow the alteration of cookie usage are in breach of the GDPR requirements.

A cookie warning that just displays an ‘OK’ button goes against the purpose of these warnings and isn’t compliant: if a user is given no option to select, it can’t be deemed voluntary consent.

5. Link to Your Privacy Policy

Apart from displaying the cookie warning on the website, it’s also important to provide an easily accessible privacy policy on your website or app.

To remain in compliance, your cookie warning should have a link to your privacy policy.

Conclusion

There are stricter laws now regulating the use of cookies. Data privacy laws across the globe have been increasingly reinforced. So even if your company or website isn’t located or based in the European Union, some of your users may reside there.

That’s why your company needs to comply with new cookie warning laws and regulations concerning their use.

If you need some inspiration, check out a few examples of GDPR cookie banners.

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.