Cookies are small text files websites store in your browser to remember preferences, login details, and usage progress. Due to data protection regulations like the GDPR in the EU, websites must manage cookie scripts responsibly. A common compliance method is using a cookie popup or banner. EU cookie laws mandate informing users about cookie usage and purpose before deploying them. This essential information is conveyed through what is known as "cookie text."
This article will explain what cookie text is and provide best practices for creating a legally compliant message.
What is Cookie Text?
Cookie text is the message displayed on a website to inform users about the use of cookies and their purposes. Various data protection laws require websites to provide this information to obtain valid consent for using cookies. This notification is typically part of the website's consent banner.
It's important to distinguish cookie text from a cookie policy, which is a detailed document listing all deployed cookies, how they are used, and how users can manage them (especially third-party cookies). Website cookie consent text is usually the initial information users encounter upon visiting a site.
According to regulations, websites must request consent before storing cookies on a user's device during their first visit. Therefore, a cookie banner or notice explaining cookie usage and seeking permission is mandatory.
Here is an example of typical cookie text on a consent banner:
[Image: Example of cookie text on a consent banner]
The content of the cookie text may extend beyond the initial banner message to a second layer. This layer often provides explanations of different cookie types and settings for managing consent for each category.
GDPR Cookie Text Requirements
While the GDPR doesn't explicitly mention cookies, they fall under the scope of personal data identifiers within the regulation. Any information directly or indirectly linked to an individual is considered personal data under GDPR. Cookies collect and use user data that can be used for identification, making cookie identifiers personal data subject to the law.
This applies specifically to cookies that collect personally identifiable information and share it with third parties. Cookies strictly necessary for a website's core function are exempt from the GDPR's consent requirements.
Under GDPR, websites must follow these practices for cookie compliance:
- Inform users about cookie usage and purpose upon visiting the website.
- Allow users to accept or reject cookies before storing them (except strictly necessary ones).
- Keep non-essential cookies blocked until the user provides consent.
- Enable users to select which cookie categories they consent to.
- Provide a mechanism for users to withdraw cookie consent.
- Maintain a record of all user consents.
- Renew cookie consent periodically (typically every 6 months, depending on local data protection authority guidelines).
Cookie text is crucial for conveying these details simply and directly. The text on the consent banner must clearly state that the website uses cookies, what they do, and how users can opt-in, opt-out, or manage their preferences via settings. The text should also include a link to the privacy or cookie policy for comprehensive information.
The GDPR mandates using clear, easy-to-understand language. Users should be able to make an informed decision after reading the text, so avoid legal or technical jargon.
Here is an example of GDPR-compliant cookie text:
[Image: Example of a GDPR-compliant cookie banner]
Clicking on a "Customize" or "Manage Settings" option typically leads to cookie preference settings where users can choose consent for different cookie categories.
[Image: Example explaining cookie categories within preference settings]
CCPA Cookie Text Requirements
The California Consumer Privacy Act (CCPA) shares similarities with GDPR in regulating personal data, but a key difference lies in the consent model. CCPA does not require explicit opt-in consent before collecting personal data. Instead, it mandates that users must be able to opt-out if they do not wish for their data to be collected or sold.
Therefore, CCPA requires an opt-out model rather than the GDPR's opt-in approach, under which consent must be obtained before non-essential cookies are set. Websites subject to CCPA don't need to get user consent for all cookies but must provide an option to reject cookies that collect and sell personally identifiable information to third parties.
This opt-out mechanism is often implemented through a "Do Not Sell My Personal Information" (DNSMPI) link on the consent notice and website homepage. The DNSMPI page should explain how users can block tracking technologies that sell or share their information with third parties.
For CCPA compliance, best practices for cookie notification include:
- Inform users about cookies, their source, and purpose.
- Provide users with an option to opt out of cookies (via a DNSMPI link) that sell personal information.
- Link to the privacy or cookie notice detailing the types of cookies used, their source, data collected, purpose, and how users can control them.
Here is an example of CCPA-compliant cookie text:
[Image: Example of CCPA-compliant cookie text]
Best Practices for Legally Compliant Cookie Text
Both GDPR and CCPA have similar requirements for conveying information through cookie text, though the underlying consent model differs. If your website is subject to both laws, following common best practices will help ensure compliance with both. These guidelines are also beneficial for adhering to other major global privacy laws.
Upon initial display, the cookie banner/notice text should meet these requirements:
- Use simple, clear, and easy-to-understand language.
- Avoid technical or legal jargon that could confuse non-experts.
- Clearly state that users have the option to opt out of cookies or accept only specific categories.
- Do not assume user consent; provide clear opt-out options.
- Explicitly state if you use only strictly necessary cookies, which don't require consent (that statement alone is not compliant if non-essential or third-party cookies are also used).
- Include prominent opt-in and opt-out options (e.g., "Accept All," "Reject All"), ideally with the same visual prominence.
- Include a link to the privacy policy and/or DNSMPI page (for CCPA) within the text for detailed information.
When users access cookie settings, the interface should:
- Explain the meaning and purpose of each cookie category.
- Provide separate and clearly presented consent options for each category.
- Include a button to save their cookie preferences.
Frequently Asked Questions
How do cookies track you?
Cookies are small pieces of data websites use to track users. When you visit a site, the web server sends a cookie with a unique ID. On subsequent visits, your browser sends this cookie back, allowing the site to identify you.
Why do I constantly see cookie messages?
Laws like GDPR and CCPA require websites to inform users about the use and purpose of cookies before deploying them. Cookie messages or texts are the means of delivering this information, letting users know which cookies will be stored if accepted and providing an option to reject them. Increased enforcement of these laws has prompted websites to be more diligent about displaying cookie messages.
Should you accept cookies?
Accepting cookies depends on the type of cookies and your comfort level with data sharing. You can generally accept cookies if they don't share your personal data with third parties or infringe on your privacy. However, if third parties set cookies that are likely to track you using your personal data, you may reconsider accepting them. It's advisable to block cookies if you are sharing private or sensitive information (like banking details or medical data) or if the website is not served over HTTPS.
What is the purpose of cookies?
Cookies serve to enhance a website's functionality, services, or to perform additional tasks. Common purposes include remembering login details, maintaining items in a shopping cart, enabling targeted advertising, gathering analytics, and improving user experience. The specific purpose varies depending on the cookie type and source.
Should I delete cookies?
Whether to delete cookies is a personal choice based on cookie type, website security, and the sensitivity of shared data. It is generally recommended to delete cookies if: they collect and track your information, the website is insecure, or you've shared private or sensitive information. Most web browsers offer options to delete or clear cookies in their settings.