How to make a compliant cookie banner? Worldwide review

In recent years cookie banners have become widely distributed. They are used to obtain consent for the processing of cookies – small text files that improve the quality of the user’s experience or help to support the website performance.

The main reason for such an increase was the adoption of the General Data Protection Regulation (GDPR), which requires freely given, specific, informed and unambiguous consent before the processing of personal data.

At the same time, the GDPR generally applies only within the European Union. Other countries of the world have their own legal framework that may or may not require obtaining consent via cookie banners.

Below we provide our analysis of the relevant legislation around the world as well as examples of compliant cookie banners.

 

  1. The USA

 

Federal level

 

There is no cookie banner requirement on the federal level. 

 

However, the Children’s Online Privacy Protection Act (COPPA) regulates the operation of websites aimed at children under 13 years old and in effect prohibits tracking of children over the Internet without their parents’ consent (§ 312.5). Under § 312.2 of the COPPA cookies are considered personal information (namely, a persistent identifier). If your website is directed to children under the age of 13 or you actually know they use it – verified parents’ authorisation for the collection of cookies is required. A cookie banner cannot verify consent directly from the parent and not the child, which means it cannot satisfy the requirement.

 

California

 

Under Section 1798.140 (x) of the California Consumer Privacy Act (CCPA) cookies are considered to be personal data (namely, unique personal identifier). The CCPA does not require websites to include a cookie banner.

 

However, the CCPA does require incorporating a mechanism for a user to opt-out of the sale or sharing of cookies (Section 1798.20). The “opt-out” principle means that a website can collect information until a user requests to stop. You can provide users with a link “Do not sell my personal data” in the footer of the website to comply.

 

A compliant example can be found at https://www.stericycle.com/en-us



  1. The EU

 

The EU (organisation level)

Under Recital 30 of the GDPR cookies qualify as personal data.

 

Under Article 6 of the GDPR cookies can be collected based on the consent of the user (for preferential, analytical or marketing cookies) or the legitimate interest of the controller (for necessary cookies). The latter does not require consent. 

 

The use of cookies on websites is conditioned upon the prior consent of users: users must first be given clear and comprehensive information in accordance with the GDPR about the purposes of processing data to be able to give their consent and they must also be provided with an easy way to refuse. Thus, a cookie banner is required.

 

To be valid, consent must be freely given, specific and informed (Recital 32 of the GDPR). It must involve some form of clear positive action. Silence, pre-ticked boxes or inactivity do not constitute consent. Cookie walls where users cannot use the website unless they consent to the processing of cookies, as well as cookie banners with an inability to make a choice, are non-compliant. It is also not advisable to hide the “reject” or “decline” button, nor is it a good practice to make this button less visible or smaller than the “accept” button on the cookie banner.

 

A compliant example of a cookie banner can be found on the official European Data Protection Board website at https://edpb.europa.eu/edpb_en:



Austria

At the national level the legal grounds for using cookies are established in the Telecommunications Act, which divides cookies into two broad categories: technically necessary and technically unnecessary cookies.

In general, technically necessary cookies are either used with the sole purpose of transmitting a communication or are basic preconditions enabling the provider to provide a service that is requested by the user (e.g. cookies that save the information about the shopping cart or login status). At the same time, as Austrian DPA defines, technically unnecessary cookies record and evaluate the user behaviour on the respective website(-s) or end devices.

It is important to know the difference between the categories of cookies, as technically necessary cookies do not require consent, while technically unnecessary cookies do. If consent is required, it should be freely given in accordance with the GDPR (e.g. by clicking on the cookie banner) and must be specific, informed and unambiguous.

As Austrian DPA further specifies, there are no strict requirements for the design of cookie banners. For instance, a compliant cookie banner at https://www.win2day.at provides users with the opportunity to allow, reject or manage cookies and gives additional information on the Cookie policy. 

The Netherlands

Just like in Austria, at the national level the legal grounds for using cookies are established in the Telecommunications Act. In general, the use of cookies requires freely given, specific, informed and unambiguous consent that is made in accordance with the GDPR requirements (e.g. by clicking on a cookie banner).

Yet at the same time, Article 11.7a (3) of the Telecommunications Act provides some exceptions for cookies that do not require consent. The exceptions are similar to the Austrian ones and apply if cookies are:

  • used for the sole purpose of transmitting a communication;
  •  strictly necessary to provide the information requested by a subscriber or user;
  • needed to obtain information about the quality or effectiveness of a delivered service (if it has no or minor consequences on the user’s privacy).

The compliant cookie banner in the Netherlands (e.g. at https://www.umcutrecht.nl/nl) might include information on the use of cookies on the website, options to accept or decline all cookies, as well as a link to the Cookie policy.  

It is also interesting to note that now the Dutch DPA decides if cookies used by Google Analytics comply with the law, but the final decision has not yet been released.

 

France

In France the French DPA (CNIL or Commission Nationale Informatique & Libertés) has not only published a guideline for using cookies but also recommendations that contain further clarifications and examples (such as a compliant cookie banner or a cookie icon on the website).

In general, the use of cookies requires freely given, specific, informed and unambiguous consent (e.g. by clicking on a cookie banner). However, just like in other EU countries, there are some exceptions for cookies that are strictly necessary for the website’s operation or for the provision of services requested by users (e.g. cookies used for service authentication or that save the contents of a shopping cart).

Cookie banners (e.g. at https://sf-cancers-enfant.com) allow you to accept, reject or manage cookies and provide a link to the Cookie policy.  

It is also interesting to note that France was among the first to ban Google Analytics, as, according to the CNIL`s decision, it is not compliant with the GDPR requirements.

 

Italy

The Italian DPA (Garante per la protezione dei dati personali) published a guideline on cookie policies in 2021.

It categorises cookies into two categories: technical and profiling (non-technical). Technical cookies are used for the website’s operation or for the provision of services requested by users, while profiling (non-technical) ones – to trace specific actions or recurring behavioural patterns. Just like in other European countries technical cookies do not require consent, while profiling (non-technical) cookies do.

The guideline further specifies the requirements for cookie banners, which are used for obtaining consent, such as the banner size, placing of the command, a link to the privacy policy etc. 

A compliant cookie banner might include (e.g. at https://viaggio.italia.it/it/) options to accept all cookies, use only necessary cookies or manage cookies preferences, as well as more detailed information and link to the Cookie policy: 

  1. UK

There are two main acts in the UK that deal with cookies: the PECR and the UK GDPR. In general, they require consent to process cookies, however, there are some exceptions for the information:

  • strictly necessary for the provision of a service requested by a user; or
  • for the purpose of the transmission of a communication.

In other cases, when consent is needed, it should be freely given, specific, informed and unambiguous, made by a statement or by a clear affirmative action, as the UK GDPR requires

Such consent might be given via a cookie banner (e.g.as at https://ico.org.uk), which provides the option to either accept or decline all cookies, as well as further additional information and a link to the Cookie policy: 

  1. Brazil 

The General Data Protection Law (Lei Geral de Protecao de DadosLGPD) defines personal data as “information regarding an identified or identifiable natural person”. The LGPD does not make specific reference to cookies but because they contain identifiable data, cookies may be subject to the LGPD.

 

Under Article 7 of the LGPD personal data can be collected, inter alia, based on the consent of the user or the legitimate interest of the controller. Valid consent is defined as “free, informed and unequivocal” (Article 5 of the LGPD). This means a cookie banner is required and rules similar to the GDPR apply.

 

Notably, the Brazilian Data Protection Authority (the ANPD) has found that the cookie banner on the government portal Gov.br at https://www.gov.br/anpd/pt-br is not-compliant with the LGPD. The banner states “We use cookies to improve your browsing experience on the portal. By using gov.br, you agree to our cookie monitoring policy. For more information on how this is done, go to Cookies Policy. If you agree, click on ACCEPT”: 

 

Such practice contradicts the legal requirement for obtaining consent. The ANPD recommended: 1) to provide an easy-to-view button that allows to reject unnecessary cookies; and 2) to deactivate consent-based cookies by default.

 

Following those recommendations an example of a compliant cookie banner can be found at https://dponapratica.com.br/, which provides you with basic cookie information and allows you to set your cookies, reject them or allow them:

  1. Australia

 

According to the Australian privacy laws, namely the Privacy Act 1988 and the Spam Act 2003, consent for cookies is not required. There is no need for a cookie banner or other confirmation for the use of cookies.

However, under the Australian Privacy Principles, which are provided in the Privacy Act 1988, it is usually necessary to disclose the use of cookies in a privacy policy, as information collected through cookies might constitute personal information if a person could be reasonably identified from it. Such disclosure can also be made via a special banner on the website (as at https://www.itasca.com.au): 

  1. Canada

In general, there is no need for consent for cookies (e.g. via cookie banners) under Canada’s anti-spam legislation (CASL).

Namely, according to the 10 (8) of the CASL, a cookie is a program, for the installation of which a person is considered to expressly consent if the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation. In other words, in Canada consent for cookies is set by default.

However, it is unclear if cookies are considered to be personal information under the PIPEDA, which requires a free expressed consent for the processing of such data. 

Thus, even though Canada’s law does not expressly require cookies consent (e.g. via cookie banners) it is advisable, as in some cases information from cookies may be used to track an individual and therefore be subject to the PIPEDA.

 

  1. Mexico 

 

The Privacy Notice Guidelines (The Guidelines) contain definitions of cookies and web beacons. The Guidelines in para 31 consider cookies to be personal data and require websites: 1) to inform users at the time of accessing the website through a notice or warning posted in a visible place of the use of cookies; and 2) that personal data has been obtained through them; and 3) how cookies can be disabled unless such technology is necessary for technical reasons.

 

Processing of personal data is subject to the tacit or express consent of the user under Article 8 of the Federal Law on Protection of Personal Data Held by Private Parties (The Law) unless provided by Article 10 of the Law. Following these documents usage of cookies is subject to tacit consent and a cookie banner is advised.

 

An example of a compliant cookie banner can be found at https://scouts.org.mx, which states “Welcome to Scouts de México (scouts.org.mx)! We use cookies on this website to improve your experience. For more information about our Cookie Policy, click here. By continuing to use our website, you are giving us your consent to use cookies. You can find out more about what cookies we are using or disable them in the settings”:



  1. New Zealand 

 

The Privacy Act does not contain any specific provisions regarding cookies and there is no legal requirement to obtain users’ consent to process cookies (meaning a cookie banner is not required).

 

  1. Turkey

 

The Law on Protection of Personal Data No. 6698 (LPPD) does not make specific references to cookies. Under Article 3 (1)(d) of the LPPD “personal data” means any information relating to an identified or identifiable natural person.

 

The Turkish Data Protection Authority (Kişisel Verileri Koruma Kurumu – the KVKK) has published guidelines (the Guidelines) regarding cookies, stating that the LPPD is applicable to cookies, which was also stated in the decision of the KVKK dated 27.02.2020 No. 2020/173.

 

Under Article 5 of the LPPD, personal data cannot be processed without the explicit consent of the data subject unless one of the conditions, mentioned in Article 5 (2) of the LPPD, is met (the legitimate interest of the controller is one of them). This means that necessary cookies can be collected without users’ consent.

 

“Explicit consent” means freely given, specific and informed consent (Article 3 (1)(a)). Thus, rules similar to the GDPR apply. Under Article 5 (f) of the Communique on principles and procedures to be followed in fulfilment of the obligation to inform – privacy policies and obtaining explicit consent procedures must be separate, meaning a cookie banner is required.

 

The Guidelines state that explicit consent cannot be imposed on the data subject as a pre-condition for online services and provide with some bad cookie banner examples. An example of a compliant cookie banner from the Guidelines notifies that cookies are used on this website, briefly describes cookie types, has a link to the cookie policy and is followed by 3 buttons “Allow All”, “Deny All”, “Cookie Settings”:



  1. Switzerland

Generally speaking, there is no need yet to obtain the user’s explicit consent for cookies (e.g. via cookie banner). However, in 2020 the Swiss Parliament approved a comprehensive Federal Data Protection Act, which is supposed to enter into force on September 1, 2023.

Under the Federal Data Protection Act, websites that process personal data from Swiss users will have to obtain prior, freely given, informed and explicit consent from these users (including consent to process cookies via cookie banners).

 

  1. India

India doesn’t have a legal framework for the use of cookies. Cookies are also not considered to be personal information. 

Thus, there is no need to obtain consent for the use of cookies in India (e.g. via cookie banner).

 

  1. China

 

Chinese law doesn’t make any references to cookies. Under Article 4 of the Personal Information Protection Law (PIPL) personal information is “all kinds of information recorded by electronic or other means related to identified or identifiable natural persons, not including information after anonymization handling”. Following this statement, it may include cookies.

 

Under Article 13 of the PIPL, personal data can be processed only on the basis of: 1) Obtaining individuals’ consent; … 6) other circumstances provided in laws and administrative regulations. Unlike the GDPR, legitimate interest is not one of them.

 

Consent for handling personal data must be given by individuals under the precondition of full knowledge and in a voluntary and explicit statement of wishes (Art. 14).

 

A cookie banner is not required but advised.

 

For instance, there is a good cookie banner example at https://www.honeywell.com.cn, stating “We use cookies to improve the performance of our website, to facilitate information sharing on social media and to provide advertising based on your interests. For more information, please see our Cookie Statement. You can also customise your browser’s cookie settings. Please note that if you reject cookies, this may affect the functionality and performance of the site.” followed by “Cookie settings”, “Accept all” and “Reject all” buttons:

 



  1. Argentina

 

Argentina`s legal framework does not clearly define whether or not consent for the use of cookies (e.g. via cookie banner) is required.

 

However, Argentina does have a law on data protection, namely the Personal Data Protection Act. According to Article 2 of the Personal Data Protection Act, personal data is information of any kind that identifies or could identify an individual or legal entity.

Processing of personal data is illegal under the Personal Data Protection Act without free, express and informed consent, which must be expressed in writing, or by other means (Article 5).

Thus, if cookies can be used to identify an individual and can therefore be defined as personal data under the Personal Data Protection Act, consent may be required.

Due to the imprecision of the Argentinian legislation, cookie banners can be different. Some are GDPR compliant (as at https://www.seidor.com/es-ar) and some are not (as at https://www.bureauveritas.com.ar the cookie banner only allows you to automatically accept all cookies after clicking on any link on the website).



  1. Singapore

 

In Singapore, the primary law that applies to cookies is the Singapore’s Personal Data Protection Act (PDPA).

The PDPA has a broad definition of personal data, which may include cookies. If cookies can be used to identify an individual, they are subject to the PDPA.

In general, in order to process personal data, the PDPA requires consent. Thus, a cookie banner is advised. For instance, the cookie banner on the Go-Ahead Singapore website at https://go-aheadsingapore.com allows users to either accept all cookies or decide which types of cookies, besides the necessary ones, they allow. Moreover, the website also allows changing the cookies settings at any time:

In some exceptions, personal data in Singapore may be processed based on the basis of deemed consent (including deemed consent by notification) or without the individual’s consent (on the basis of the legitimate interest).

  1. Japan

 

In April, 2022 the amended Act on the Protection of Personal Information (APPI) came into force. The amended APPI in Article 2(7) defines a new category, Personally Relatable Information (PRI), which is information about living individuals that does not fall into any of the categories of personal information, pseudonymous processing information and anonymous processing information. Cookies are PRI according to the Guidelines of the Personal Information Protection Commission (the Guidelines).

 

Article 31 of the APPI requires prior consent for the transmission of cookies if they are transmitted to a third party in possession of additional, related data, which combined with cookies can become personal data.

 

Websites transferring marketing cookies to third parties are advised to place a cookie banner. According to the Guidelines, an example of the complaint cookie banner would state “We obtain the web browsing history, collected through cookies, from third party data management platforms and their analysis, link it to your personal data and use it to deliver advertisements and for other purposes” and would be followed by “I agree with the above” button:

 

 

  1. Kazakhstan

Kazakhstan`s legal framework does not explicitly govern cookies or define them as personal data. However, if cookies can be used to identify a specific individual, they may be subject to the data privacy law, namely the Law of Kazakhstan “On Personal Data and Its Protection”.

As a general rule, according to Article 7 of the above law, collection and processing of personal data must be carried out on the basis of the consent of the personal data subject or his/her legal representative (meaning a cookie banner is advised).

It should be noted that Kazakhstan`s law does not have such strict consent requirements, as, for instance, in Europe (under the GDPR). In practice, this means that cookie banners may rely more on the opt-out principle rather than on explicit consent (e.g. at https://aix.kz) or do not have an option to reject or manage cookies at all (as at https://spubl.kz/kk). 






Conclusion 

 

If you are an online platform doing business in particular state you have to comply with its privacy laws, even if you are based outside of this country. This article shows that each country has its own unique approach to cookies and it is not always clear where you need user’s consent to use cookies and if you do how to obtain it correctly.

    Your question to IT lawyers


    Subscription