How to make a compliant cookie banner? Worldwide review
In recent years cookie banners have become widely distributed. They are used to obtain consent for the processing of cookies – small text files that improve the quality of the user’s experience or help to support the website performance.
The main reason for such an increase was the adoption of the General Data Protection Regulation (GDPR), which requires freely given, specific, informed and unambiguous consent before the processing of personal data.
At the same time, the GDPR generally applies only within the European Union. Other countries of the world have their own legal framework that may or may not require obtaining consent via cookie banners.
Below we provide our analysis of the relevant legislation around the world as well as examples of compliant cookie banners.
The USA
There is no cookie banner requirement on the federal level.
However, the Children’s Online Privacy Protection Act (COPPA) regulates the operation of websites aimed at children under 13 years old and in effect prohibits tracking of children over the Internet without their parents’ consent (§ 312.5). Under § 312.2 of the COPPA, cookies are considered personal information (namely, a persistent identifier). If your website is directed to children under the age of 13, or you actually know that such children use it, verifiable parental consent for the collection of cookies is required. A cookie banner cannot verify that the consent comes from the parent rather than the child, so it cannot satisfy this requirement.
California
Under Section 1798.140(x) of the California Consumer Privacy Act (CCPA), cookies are considered to be personal data (namely, a unique personal identifier). The CCPA does not require websites to include a cookie banner.
However, the CCPA does require a mechanism that lets a user opt out of the sale of personal information collected through cookies (Section 1798.120). The “opt-out” principle means that a website may collect information until the user asks it to stop. To comply, you can provide a “Do not sell my personal data” link in the footer of the website.
A compliant example can be found at https://www.stericycle.com/en-us.
The EU (organisation level)
Under Recital 30 of the GDPR cookies qualify as personal data.
Under Article 6 of the GDPR cookies can be collected based on the consent of the user (for preferential, analytical or marketing cookies) or the legitimate interest of the controller (for necessary cookies). The latter does not require consent.
To be valid, consent must be freely given, specific and informed (Recital 32 of the GDPR). It must involve some form of clear positive action. Silence, pre-ticked boxes or inactivity do not constitute consent. Cookie walls, where users cannot use the website unless they consent to the processing of cookies, as well as cookie banners that offer no real choice, are non-compliant. It is also not advisable to hide the “reject” or “decline” button, nor is it good practice to make this button less visible or smaller than the “accept” button on the cookie banner.
A compliant example of a cookie banner can be found on the official European Data Protection Board website at https://edpb.europa.eu/edpb_en.
Austria
At the national level, the legal grounds for using cookies are established in the Telecommunications Act, which divides cookies into two broad categories: technically necessary and technically unnecessary cookies.
In general, technically necessary cookies are either used with the sole purpose of transmitting a communication or are basic preconditions enabling the provider to provide a service requested by the user (e.g. cookies that store the contents of the shopping cart or the login status). Technically unnecessary cookies, as the Austrian DPA defines them, record and evaluate the user’s behaviour on the respective website(s) or end devices.
It is important to know the difference between the categories of cookies, as technically necessary cookies do not require consent, while technically unnecessary cookies do. If consent is required, it should be freely given in accordance with the GDPR (e.g. by clicking on the cookie banner) and must be specific, informed and unambiguous.
The Netherlands
At the same time, Article 11.7a (3) of the Telecommunications Act provides some exceptions for cookies that do not require consent. The exceptions are similar to the Austrian ones and apply if cookies are:
- used for the sole purpose of transmitting a communication;
- strictly necessary to provide the information requested by a subscriber or user;
- needed to obtain information about the quality or effectiveness of a delivered service (if it has no or minor consequences on the user’s privacy).
It is also worth noting that the Dutch DPA is currently assessing whether the cookies used by Google Analytics comply with the law; no final decision has been released yet.
France
In France, the French DPA (CNIL, or Commission Nationale de l’Informatique et des Libertés) has published not only a guideline on the use of cookies but also recommendations containing further clarifications and examples (such as a compliant cookie banner or a cookie icon on the website).
It is also worth noting that France was among the first to ban Google Analytics, as, according to the CNIL’s decision, it is not compliant with the GDPR requirements.
Italy
The Italian DPA (Garante per la protezione dei dati personali) published a guideline on cookie policies in 2021.
It divides cookies into two categories: technical and profiling (non-technical). Technical cookies are used for the website’s operation or for the provision of services requested by users, while profiling (non-technical) cookies are used to trace specific actions or recurring behavioural patterns. As in other European countries, technical cookies do not require consent, while profiling (non-technical) cookies do.
The UK
There are two main acts in the UK that deal with cookies: the PECR and the UK GDPR. In general, they require consent to process cookies; however, there are exceptions for information that is:
- strictly necessary for the provision of a service requested by a user; or
- for the purpose of the transmission of a communication.
In other cases, when consent is needed, it should be freely given, specific, informed and unambiguous, made by a statement or by a clear affirmative action, as the UK GDPR requires.
Brazil
The General Data Protection Law (Lei Geral de Proteção de Dados – LGPD) defines personal data as “information regarding an identified or identifiable natural person”. The LGPD does not make specific reference to cookies, but because they contain identifiable data, cookies may be subject to the LGPD.
Under Article 7 of the LGPD personal data can be collected, inter alia, based on the consent of the user or the legitimate interest of the controller. Valid consent is defined as “free, informed and unequivocal” (Article 5 of the LGPD). This means a cookie banner is required and rules similar to the GDPR apply.
Such practice contradicts the legal requirement for obtaining consent. The ANPD recommended: 1) providing an easy-to-see button that allows users to reject unnecessary cookies; and 2) deactivating consent-based cookies by default.
Following those recommendations, an example of a compliant cookie banner can be found at https://dponapratica.com.br/; it provides basic cookie information and allows you to configure, reject or allow cookies.
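The consent rules described above (non-necessary cookies off by default and nothing set until a clear positive action, a one-click reject that is as easy as accept, and, for the CCPA, an opt-out link that stops processing that was already allowed) can be kept in a small state module that the banner and the tag loader share. The following is an added illustration, not code from any of the websites named on this page; the category names, the two regime labels "optin" and "optout" and the action names are assumptions chosen for the example.

```javascript
// Consent state for a cookie banner, kept free of DOM code so it can be tested on its own.
// "necessary" never needs consent; the other categories do (opt-in regimes such as the GDPR
// or LGPD) or must at least be stoppable on request (opt-out regime such as the CCPA).
const CATEGORIES = ["necessary", "preferences", "analytics", "marketing"];

// Initial state per regime. Under "optin" every non-necessary category starts off (nothing is
// pre-ticked, nothing loads). Under "optout" processing may start until the user objects.
function initialConsent(regime) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === "necessary" || regime === "optout";
  return { regime, granted, doNotSell: false, decided: false, recordedAt: null };
}

// Apply a user action and return the new state. Closing or ignoring the banner ("dismiss")
// is silence, not consent, so the state is returned unchanged and nothing is recorded.
function applyAction(state, action, choices = {}) {
  const next = { ...state, granted: { ...state.granted } };
  switch (action) {
    case "acceptAll":
      for (const c of CATEGORIES) next.granted[c] = true;
      break;
    case "rejectAll": // one click, same result as the untouched opt-in default
      for (const c of CATEGORIES) next.granted[c] = c === "necessary";
      break;
    case "save": // granular choice from the settings panel; "necessary" cannot be switched off
      for (const c of CATEGORIES) next.granted[c] = c === "necessary" || Boolean(choices[c]);
      break;
    case "doNotSell": // the CCPA footer link: stop sharing/selling from now on
      next.doNotSell = true;
      next.granted.marketing = false;
      break;
    case "dismiss":
      return state;
    default:
      throw new Error(`unknown action: ${action}`);
  }
  next.decided = true;
  next.recordedAt = new Date().toISOString(); // keep a record of what was chosen and when
  return next;
}

// The banner must be shown (and no non-necessary tag may run) while an opt-in user has not decided.
function bannerRequired(state) {
  return state.regime === "optin" && !state.decided;
}

// Tag loaders call this before injecting an analytics or marketing script.
function mayLoad(state, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  return state.granted[category] === true;
}
```

Persisting the returned state (for example in a first-party cookie that is itself necessary) and re-showing the settings panel from a footer link covers the "change your settings at any time" point made for the Singapore example below.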
Canada
In general, there is no need for consent for cookies (e.g. via cookie banners) under Canada’s anti-spam legislation (CASL).
Namely, according to section 10(8) of the CASL, a cookie is a computer program to whose installation a person is considered to have expressly consented if the person’s conduct is such that it is reasonable to believe they consent to the installation. In other words, under the CASL consent to cookies is deemed to be given by default.
However, it is unclear if cookies are considered to be personal information under the PIPEDA, which requires a free expressed consent for the processing of such data.
Thus, even though Canadian law does not expressly require consent for cookies (e.g. via cookie banners), obtaining it is advisable, as in some cases information from cookies may be used to track an individual and would therefore be subject to the PIPEDA.
Mexico
Processing of personal data is subject to the tacit or express consent of the user under Article 8 of the Federal Law on Protection of Personal Data Held by Private Parties (the Law), unless one of the exceptions in Article 10 of the Law applies. Following these provisions, the use of cookies is subject to tacit consent and a cookie banner is advised.
The Privacy Act does not contain any specific provisions regarding cookies and there is no legal requirement to obtain users’ consent to process cookies (meaning a cookie banner is not required).
Turkey
The Law on Protection of Personal Data No. 6698 (LPPD) does not make specific references to cookies. Under Article 3 (1)(d) of the LPPD, “personal data” means any information relating to an identified or identifiable natural person.
The Turkish Data Protection Authority (Kişisel Verileri Koruma Kurumu – the KVKK) has published guidelines (the Guidelines) regarding cookies, stating that the LPPD is applicable to cookies, which was also stated in the decision of the KVKK dated 27.02.2020 No. 2020/173.
Under Article 5 of the LPPD, personal data cannot be processed without the explicit consent of the data subject unless one of the conditions, mentioned in Article 5 (2) of the LPPD, is met (the legitimate interest of the controller is one of them). This means that necessary cookies can be collected without users’ consent.
“Explicit consent” means freely given, specific and informed consent (Article 3 (1)(a)). Thus, rules similar to the GDPR apply. Under Article 5 (f) of the Communiqué on the Principles and Procedures to Be Followed in Fulfilment of the Obligation to Inform, privacy policies and the procedure for obtaining explicit consent must be kept separate, meaning a cookie banner is required.
Switzerland
Generally speaking, there is no need yet to obtain the user’s explicit consent for cookies (e.g. via a cookie banner). However, in 2020 the Swiss Parliament approved a comprehensive Federal Data Protection Act, which is supposed to enter into force on September 1, 2023.
Under the Federal Data Protection Act, websites that process personal data from Swiss users will have to obtain prior, freely given, informed and explicit consent from these users (including consent to process cookies via cookie banners).
China
Chinese law doesn’t make any references to cookies. Under Article 4 of the Personal Information Protection Law (PIPL), personal information is “all kinds of information recorded by electronic or other means related to identified or identifiable natural persons, not including information after anonymization handling”. Following this definition, it may include cookies.
Under Article 13 of the PIPL, personal data can be processed only on the basis of: 1) Obtaining individuals’ consent; … 6) other circumstances provided in laws and administrative regulations. Unlike the GDPR, legitimate interest is not one of them.
Consent for handling personal data must be given by individuals under the precondition of full knowledge and in a voluntary and explicit statement of wishes (Art. 14).
A cookie banner is not required but advised.
Argentina
However, Argentina does have a law on data protection, namely the Personal Data Protection Act. According to Article 2 of the Personal Data Protection Act, personal data is information of any kind that identifies or could identify an individual or legal entity.
Processing of personal data is illegal under the Personal Data Protection Act without free, express and informed consent, which must be expressed in writing, or by other means (Article 5).
Thus, if cookies can be used to identify an individual and can therefore be defined as personal data under the Personal Data Protection Act, consent may be required.
Because the Argentinian legislation is imprecise on this point, cookie banners vary in practice. Some are GDPR compliant (as at https://www.seidor.com/es-ar) and some are not (as at https://www.bureauveritas.com.ar, where the banner treats clicking any link on the website as acceptance of all cookies).
Singapore
In Singapore, the primary law that applies to cookies is Singapore’s Personal Data Protection Act (PDPA).
The PDPA has a broad definition of personal data, which may include cookies. If cookies can be used to identify an individual, they are subject to the PDPA.
In general, in order to process personal data, the PDPA requires consent. Thus, a cookie banner is advised. For instance, the cookie banner on the Go-Ahead Singapore website at https://go-aheadsingapore.com allows users to either accept all cookies or decide which types of cookies, besides the necessary ones, they allow. Moreover, the website also allows changing the cookie settings at any time.
As an exception, personal data in Singapore may be processed on the basis of deemed consent (including deemed consent by notification) or without the individual’s consent (on the basis of legitimate interest).
Japan
In April 2022 the amended Act on the Protection of Personal Information (APPI) came into force. The amended APPI in Article 2(7) defines a new category, Personally Relatable Information (PRI), which is information about living individuals that does not fall into any of the categories of personal information, pseudonymously processed information and anonymously processed information. Cookies are PRI according to the Guidelines of the Personal Information Protection Commission (the Guidelines).
Article 31 of the APPI requires prior consent for the transmission of cookies if they are transmitted to a third party in possession of additional, related data, which combined with cookies can become personal data.
Websites transferring marketing cookies to third parties are advised to place a cookie banner. According to the Guidelines, an example of a compliant cookie banner would state “We obtain the web browsing history, collected through cookies, from third party data management platforms and their analysis, link it to your personal data and use it to deliver advertisements and for other purposes”, followed by an “I agree with the above” button.
Kazakhstan
Kazakhstan’s legal framework does not explicitly govern cookies or define them as personal data. However, if cookies can be used to identify a specific individual, they may be subject to the data privacy law, namely the Law of Kazakhstan “On Personal Data and Its Protection”.
As a general rule, according to Article 7 of the above law, collection and processing of personal data must be carried out on the basis of the consent of the personal data subject or his/her legal representative (meaning a cookie banner is advised).
It should be noted that Kazakhstan’s law does not impose consent requirements as strict as those in Europe (under the GDPR). In practice, this means that cookie banners may rely on the opt-out principle rather than on explicit consent (e.g. at https://aix.kz) or offer no option to reject or manage cookies at all (as at https://spubl.kz/kk).