Cookie Policy
Cookies are text files that websites store in your web browser to remember things such as your user name, your policy preferences, or your progress on a website. The GDPR’s full-force arrival in the European Union led websites scrambling to be compliant by the deadline, and that includes cookie script management. The most commonly used method for cookie compliance is by adding a cookie banner on the website. As per the EU cookie laws and the likes, your website must inform users about the use of cookies and their purpose before storing the cookies. However, this information must be created as per the law requirements, and that is exactly what we call a cookie text. We will cover all the essential details and the best practices for a legally compliant cookie text.
What is cookie text?
Cookie text is the message on a website to inform users about cookies and for what purpose they are used. Various data protection laws require websites to provide their users with this information to obtain voluntary consent for using cookies. This notification or message appears on a website’s consent banner.
Cookie texts differ from the cookie policy statements, which is a detailed account of what cookies are deployed on the site, how they will be used, and how the users can manage them (especially the third-party settings).
Website cookie consent text is usually the first thing the users will see when they visit a website. When the user visits a website for the first time, the website must ask for consent to use cookies before storing them on user devices. Therefore, a cookie banner or notice to inform them about cookies and to ask their permission is a mandatory requirement.
Here is an example of a cookie text:
The cookie text’s content may extend beyond just the first layer of message on the banner to the second layer, where you can see the explanation of different types of cookies used and settings to give consent to them.
GDPR cookie text requirements
The GDPR does not explicitly mention cookies in its official document. However, the scope of personal data identifiers in the regulation includes cookies. Any information that directly or indirectly links to a person is referred to as personal data in the GDPR. In that terms, cookies collect and use user data that can be used to identify the users. Therefore, cookie identifiers are considered personal data under GDPR, and using cookies is subject to the law. This only applies to cookies that collect and use personally identifiable information and share them with third parties. Therefore, cookies that are strictly necessary for a website to function are exempted from GDPR cookie consent.
As per the GDPR, a website must follow the following practices to make its use of cookies compliant.
- Inform users about using cookies and their purpose when they visit the website.
- Allow them to accept and reject cookies before storing them on their device.
- Keep cookies (except strictly necessary cookies) blocked until the user gives consent.
- Let users select what cookies they want the website to store on their device.
- Allow users to withdraw cookie consent if necessary.
- Keep a log of all the user consent.
- Renew cookie consent every 6 months (depends on the local data protection authority guidelines).
Cookie text is all about informing the users about these details. Well, at least some of them.
The cookie text on the consent banner must convey in simple and plain language that the website uses cookies and what they do. It must clearly explain how the users can opt-in or opt out of it or use settings to choose their preferences. The text should also link to the privacy or cookie policy for detailed information on cookies.
The GDPR emphasizes using clear and easy-to-understand language for such information. The users must be able to make an informed decision after reading the text. Therefore, it is wise to avoid legal or technical jargon in the cookie text.
Here is an example of a GDPR-compliant cookie text on a consent banne
Clicking on Customize will open the cookie preference settings, where users can choose between the cookie categories they want to consent. Here, the cookie text conveys why these cookies are used:
Want a cookie banner like this on your website?
Try CookieYes for a hassle-free cookie banner setup and cookie consent management for GDPR and CCPA compliance.
CCPA cookie text requirements
CCPA’s rules for regulating personal data resemble GDPR in many ways. However, one of the most striking differences is that US law does not demand businesses to obtain consent before collecting personal data. But if the users are not okay with the data collection, they must be able to opt out of it. Therefore, the CCPA requires businesses to adopt just the opt-out model rather than the opt-in and opt-out like GDPR.
Hence, a website that is subject to CCPA doesn’t have to get user consent to use cookies but the option to reject cookies. The point to remember here is that the website doesn’t have to let users opt out of all cookies but those that collect and sell their personally identifiable information to third parties. You can implement the opt-put via a “Do Not Sell My Personal Information” link, placed on the consent notice and the homepage. The DNSMPI page should explain how users can block the tracking technology that sells or shares their information with third parties.
for CCPA compliance, best practices for cookie notification are:
- Inform users about cookies and their source and purpose.
- Allow users to opt out of cookies (DNSMPI link) that sell personal information.
- Link to privacy or cookie notice that explains what type of cookies the site uses, the source, the data collected, their purpose, and how users can control them.
Example of a CCPA-compliant cookie text on a consent notice
Best practices for a legally compliant cookie text
As we’ve seen, the GDPR and CCPA have similar requirements for cookie text. IT depends on which law applies to your website. In case, both the laws apply, you can follow the common practices that will ensure that you are on the right side of the two laws. Not only that, these guidelines will even help if your website will be subject to other major privacy laws in the world.
On the first appearance, the cookie banner/notice text must satisfy these requirements:
- Use simple and easy-to-understand language.
- Avoid technical and/or legal terms that would confuse a layperson.
- Make it clear that the users have the option to opt out of cookies or accept only certain categories of cookies.
- Do not assume that the users are okay with cookies without giving them the option to opt out.
- Mention it clearly in case you use only necessary cookies that do not require consent.