With hundreds of cookie consent banner designs available online from dozens of providers, it can be confusing and difficult to pick the right one. For example, some designs simply state that “by continuing to use this website, you agree to the use of cookies,” others only have an “OK” or an “accept” option, while others have an “accept” and a “decline” option. Since the entire purpose of the cookie consent banner is to avoid fines by complying with applicable privacy laws, it is important to meet those requirements, which are relatively clear.
To cut to the chase, a compliant cookie consent banner must have an “accept” and a “decline” option. In this article, we will discuss what the cookie consent banner is, what purpose it must achieve, and why it must have both an “accept” and a “decline” option to be compliant with applicable privacy laws.
Table of Contents
What is a cookie consent banner?
A cookie consent banner is a popup that goes onto your website that stops certain cookies and trackers from firing (e.g. it stops Google Analytics from tracking the website visitor) until the user consents to those cookies. The cookie consent banner works to comply with applicable privacy laws that require website visitors to consent prior to them being tracked.
What privacy laws govern cookie consent banners?
You will need a cookie consent banner if the following privacy laws apply to you:
- ePrivacy Directive;
- General Data Protection Regulation (GDPR);
- United Kingdom’s Data Protection Act (UK DPA);
- California Privacy Rights Act;
- California Invasion of Privacy Act (CIPA);
- Personal Information Protection and Electronic Documents Act (PIPEDA);
- Quebec Law 25.
While the CPRA requires a different cookie consent banner layout (allowing individuals to opt out of the sale of their personal information), the remainder of the privacy laws require consent to be obtained prior to the placement of certain cookies on the user’s device.
What is consent?
Privacy laws generally define consent as “any freely given, specific, informed and unambiguous indication of the individual’s wishes by which they, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal information.” Recital 32 of GDPR states that “silence, pre-ticked boxes or inactivity should not constitute consent.” This means that cookie consent banners, which control scripts and trackers that collect personal data, give users an actual choice as to whether those cookies and trackers are placed on their device, and should not assume that a continued use of the website constitutes consent.
Should a cookie consent banner include an “accept” and a “decline” option?
As stated above, consent must be shown through a clear affirmative action. Consent can be obtained by ticking a box, choosing the technical settings or by another clear statement that demonstrates that the user has agreed to cookies. For example, the United Kingdom Information Commissioner’s Office states that “to ensure consent is freely given, users should have the means to enable or disable non-essential cookies.” This means that an “accept” and a “decline” option must be presented to website visitors to comply with applicable legislation. The UK ICO’s guidance also states that you cannot use any pre-ticked boxes for non-essential cookies. Lastly, the European Data Protection Board has released guidance stating that most Data Protection Authorities considered the absence of a “decline” option on a cookie consent banner an infringement of applicable privacy laws.
In conclusion, to comply with applicable privacy laws, your cookie consent banner must include an “accept” and a “decline” option. If your current cookie consent banner does not include these options, make sure to check out the Termageddon/Usercentrics cookie consent banner solution, which includes both options.
