The GDPR and the ePrivacy Directive are the two main regulations that govern the privacy of personal data collected from users in the EU. They apply to every company that collects data from EU-based users, even when the company itself is located outside the EU.
User consent must be explicit under the GDPR, which means EU-based users must receive an opt-in consent banner when they first visit a website, app, etc. Further, consent under the GDPR must be freely given, specific, informed and unambiguous.
Requirements for privacy banners compliant with the ePrivacy Directive and GDPR are:
- Clear information about cookies: The cookie banner must clearly explain that the website uses cookies, which types of cookies it uses and for what purpose, and how long they will be stored on the user’s device. It should also inform users that, if they allow the website to use cookies, they have the right to withdraw that consent at any time from the cookie settings. The banner must be written in simple language that anyone can understand and should avoid legalese.
- Explicit consent option: Users must actively consent to the website’s use of cookies, which means they must perform a deliberate action to opt in to data collection. This can be achieved with a button on the banner, clearly labeled “Accept”, “Allow” or “Confirm”, that they must click to give their consent. Pre-ticked boxes, or consent presumed from inaction, are not valid forms of consent under EU law.
- Option to reject cookies: Users must be able to reject cookies just as easily, with a “Reject” or “Decline” button beside the opt-in button. Both options must be comparable in appearance and equally accessible. Declining cookies must not result in any penalty, and users must still be able to use the website.
- Granular control over cookie preferences: For consent under the GDPR to be specific to a purpose, users must have the option to customize their cookie preferences if they wish. Some users may want to allow non-essential cookies for one purpose but reject them for another. Offering granular choices on your GDPR-compliant cookie banner gives users more control over how their personal information is used. Users must also be able to change or withdraw these choices at any later time.
For the Digital Markets Act, your initial message on the cookie banner must also specify that you share information with advertising and analytics partners.
A compliant cookie banner example:
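As an added illustration (example code written for this page, not the banner from the original page or any vendor’s library), the following JavaScript consent-state module implements the rules above: no consent by default, an explicit accept and reject pair, per-purpose choices, later withdrawal, and a gate that blocks non-essential cookie writes until consent exists. The category names and the in-memory cookie jar are assumptions made so the example runs outside a browser.

```javascript
// Added example (not code from the original page): consent state for a cookie banner
// that follows the opt-in, reject, granular-choice and withdrawal rules above.
// Category names and the cookie-jar object are assumptions for illustration.
const CATEGORIES = ["essential", "analytics", "advertising"];

// Initial state: no consent for any non-essential purpose. Nothing is pre-ticked,
// and taking no action never counts as consent.
function defaultConsent() {
  return { essential: true, analytics: false, advertising: false, decidedAt: null };
}

// Granular update: a category becomes allowed only when the user explicitly chose it.
// Anything other than a literal `true` (missing, undefined, "yes") is treated as "no".
function setPreferences(state, choices, now = new Date()) {
  const next = { ...state };
  for (const c of CATEGORIES) {
    if (c === "essential") continue;      // strictly necessary cookies need no consent
    next[c] = choices[c] === true;
  }
  next.decidedAt = now.toISOString();     // record when the decision was made
  return next;
}

// The two equally prominent banner buttons map to these two calls.
function acceptAll(state) { return setPreferences(state, { analytics: true, advertising: true }); }
function rejectAll(state) { return setPreferences(state, {}); }

// Withdrawal at any later time returns to the essential-only baseline; the site keeps working.
function withdrawConsent(state) { return rejectAll(state); }

// The banner must be shown until an explicit decision exists.
function bannerRequired(state) { return state.decidedAt === null; }

// Gate every cookie write on the consent record; unknown purposes are refused.
function mayStoreCookie(state, category) {
  return CATEGORIES.includes(category) && state[category] === true;
}

// `jar` stands in for document.cookie so the example runs outside a browser.
// Returns true only if the cookie was actually written.
function storeCookie(state, jar, name, value, category) {
  if (!mayStoreCookie(state, category)) return false;
  jar[name] = value;
  return true;
}
```

In a real page, every tag that sets a non-essential cookie should be routed through `storeCookie` (or an equivalent gate) rather than loaded unconditionally, and the consent record should be persisted so the withdrawal option remains reachable from the cookie settings.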