You see it on almost every website – the cookie consent banner that asks you to agree to cookies being placed on your device. Some websites give you an actual choice to agree or deny, others ask you to just agree, and others simply state that cookies are being placed on your device without giving you the ability to disagree. There is no doubt that the cookie consent banner is everywhere, in every form imaginable. This feature helps websites obtain consent for the placement of cookies on a user’s device. So, whether you call it a cookie consent banner, a cookie consent tool, or a cookie management platform, you may be wondering if your website needs to have one as well. In this article, we will help you understand which privacy laws require websites to have a cookie consent banner and determine whether your website needs one too.
What are cookies?
While we all normally think of cookies as a delicious treat, when it comes to websites, cookies (also called tracking technologies) are small pieces of code that are put on a user’s device or browser and that track the user as they use that website (to determine what pages they clicked on, for example) or as they go from your website to different websites (to show Facebook advertisements, for example). Usually, cookies are put on a user’s device automatically.
Why are website cookies regulated?
While certain cookies are used for purposes that a website visitor would expect, such as protecting the website from hacking, displaying images, or displaying the website in general, other cookies can be more intrusive by tracking website visitors to show them advertisements or to send them marketing messages. Many consumers are not aware of the fact that advertising cookies can track the products that they viewed online and then use that data to show them Facebook advertisements for those same products. Regulators have passed multiple privacy laws that require certain websites to obtain the consent of the user before placing cookies on their device that are not strictly required for the proper operation of the website. A website cookie consent banner does just that: it helps websites obtain the consent of the website user to the collection of certain types of cookies.
When do you need a cookie consent banner?
The first step to determine whether your website needs a cookie consent banner is to determine whether your website has cookies (or other tracking technologies that act as cookies). You can use this complimentary cookie scanner from Usercentrics to determine if your website collects cookies. If your website does not have cookies, then you do not need to have a cookie consent banner as there is nothing that the users of your website have to consent to. If your website does collect cookies, then you should consider adding a cookie consent banner to your website to gather the consent of your website’s users as you may be required to provide one by law.
What laws require websites to have a cookie consent banner?
- ePrivacy Directive 2002/58/EC (also called the “Cookie Law”): this Directive requires European Union countries to create laws that state that websites need to provide information about cookies and tracking technologies and obtain the consent of users before putting such cookies or technologies on their devices. The laws passed by EU countries under this Directive protect the privacy of residents of the European Union so they can apply to websites of businesses outside of the EU. The ePrivacy Directive will soon be replaced by the ePrivacy Regulation 2021, which, when finalized, will update these rules.
- General Data Protection Regulation (GDPR): requires the consent of website users for the collection of personal data, which includes the data collected by certain types of cookies. GDPR applies to you if you:
  - Have an establishment in the European Union;
  - Offer goods or services to European Union residents, regardless of your location;
  - Monitor the behavior of European Union residents, regardless of your location.
- United Kingdom’s Data Protection Act 2018 (UK DPA): requires the consent of website users for the collection of personal data, which includes the data collected by certain types of cookies. UK DPA applies to you if you:
  - Have an establishment in the United Kingdom;
  - Offer goods or services to United Kingdom residents, regardless of your location;
  - Monitor the behavior of United Kingdom residents, regardless of your location.
- California Consumer Privacy Act (CCPA): requires websites that sell personal information to provide users with a means to opt out of such sales. This is usually done through the cookie consent banner that asks users whether they would like to opt out of sales of their personal information. CCPA applies to for-profit entities that collect and process the personal information of California consumers, that do business in California and that meet one of the following thresholds:
  - Has annual gross revenues in excess of $25,000,000;
  - Annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices;
  - Derives 50% or more of its annual revenue from selling the personal information of California consumers.
- Personal Information Protection and Electronic Documents Act (PIPEDA): this Canadian privacy law requires website users to consent prior to the collection of personal data, which can be defined as the data that is collected through cookies and other tracking technologies. PIPEDA applies to private companies across Canada that collect, use or disclose personal information in the course of a commercial activity. In addition, PIPEDA can also apply to businesses outside of Canada if they collect the personal information of Canadians in the course of a commercial activity.
Where can you get a cookie consent banner?
Now that you know what laws require websites to have a cookie consent banner, you are probably wondering where you can get one for your website. The Termageddon/Usercentrics integration means that all Termageddon accounts include a cookie consent banner that you can enable right from your license.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.