What is cookie text?
Cookie text is the message a website displays to inform users about cookies and the purposes they are used for. Various data protection laws require websites to provide their users with this information to obtain voluntary consent for using cookies. This notification or message appears on a website’s consent banner.
Here is an example of a cookie text:
The cookie text’s content may extend beyond the first layer of the message on the banner to a second layer, which explains the different types of cookies used and provides settings for giving consent to them.
GDPR cookie text requirements
The GDPR does not explicitly mention cookies in its official document. However, the scope of personal data identifiers in the regulation includes cookies. Any information that directly or indirectly links to a person is referred to as personal data in the GDPR. In those terms, cookies collect and use data that can be used to identify users. Therefore, cookie identifiers are considered personal data under GDPR, and using cookies is subject to the law. This only applies to cookies that collect and use personally identifiable information and share it with third parties. Therefore, cookies that are strictly necessary for a website to function are exempt from GDPR cookie consent.
To comply with the GDPR, a website that uses cookies must:
- Inform users about using cookies and their purpose when they visit the website.
- Allow them to accept and reject cookies before storing them on their device.
- Keep cookies (except strictly necessary cookies) blocked until the user gives consent.
- Let users select what cookies they want the website to store on their device.
- Allow users to withdraw cookie consent if necessary.
- Keep a log of all user consent.
- Renew cookie consent every 6 months (depends on the local data protection authority guidelines).
Cookie text is all about informing the users about these details. Well, at least some of them.
The GDPR emphasizes using clear and easy-to-understand language for such information. The users must be able to make an informed decision after reading the text. Therefore, it is wise to avoid legal or technical jargon in the cookie text.
Here is an example of a GDPR-compliant cookie text on a consent banner:
Clicking on Customize will open the cookie preference settings, where users can choose which cookie categories they want to consent to. Here, the cookie text conveys why these cookies are used:
CCPA cookie text requirements
CCPA’s rules for regulating personal data resemble GDPR in many ways. However, one of the most striking differences is that the US law does not require businesses to obtain consent before collecting personal data. But if users are not okay with the data collection, they must be able to opt out of it. Therefore, the CCPA requires businesses to adopt just the opt-out model rather than both opt-in and opt-out like GDPR.
For CCPA compliance, best practices for cookie notification are:
- Inform users about cookies and their source and purpose.
- Allow users to opt out of cookies (DNSMPI link) that sell personal information.
- Link to privacy or cookie notice that explains what type of cookies the site uses, the source, the data collected, their purpose, and how users can control them.
Example of a CCPA-compliant cookie text on a consent notice
Best practices for a legally compliant cookie text
As we’ve seen, the GDPR and CCPA have similar requirements for cookie text. It depends on which law applies to your website. If both laws apply, you can follow the common practices that will keep you on the right side of the two laws. These guidelines will also help if your website becomes subject to other major privacy laws in the world.
On its first appearance, the cookie banner/notice text must satisfy these requirements:
- Use simple and easy-to-understand language.
- Avoid technical and/or legal terms that would confuse a layperson.
- Make it clear that the users have the option to opt out of cookies or accept only certain categories of cookies.
- Do not assume that the users are okay with cookies without giving them the option to opt out.
- If you use only necessary cookies that do not require consent, state this clearly.