Cookie banner design. What should it contain, and how to design it?

Monsters in cookies, browsers, and websites

Sooner or later, new technologies are regulated, especially if they potentially harm users' interests.

They're subject to regulations that are more or less practical, effective, and more or less convenient for everyday Internet use. However, they're universally binding and force organizations to adapt quickly.

GDPR is perhaps the most emblematic example of this.

Has GDPR and the data privacy laws it introduced solved the problems they were expected to solve? A reliable and honest answer to this question, as well as the adoption of accurate evaluation criteria, is still a matter of time.

One thing is sure: GDPR has created new problems and services that specialized companies are preventing and providing.

That is how consent management platforms (CMP) have appeared on the market. They're regulated by the law adopted under GDPR, among other things.

Usually, a new law doesn't fall from the sky overnight. Particularly when it's supposed to be universally binding and requires technical website adjustments, but that is only a little consolation.

The thing with the law is that even if its implementation is announced well in advance, there is still the problem of its unambiguity, interpretation, and enforcement.

As can be easily guessed, this raises many misunderstandings, controversies, fears, risks, and dilemmas that organizations usually don't want to experience. Is this also the case with cookies?

Well, to a large extent, yes. Welcome to the world of Cookie Monsters!

How to obtain user consent for using cookies?

The introduction of GDPR in 2018 in Europe is one of the milestones that mark one of the attempts to regulate cookies legally.

The solutions adopted in various European countries are far from homogeneous and unambiguous.

The legal landscape is quite unclear and complicated. It's also very far from establishing and adopting common standards, legal solutions, and interpretations for EU countries.

What kind of legal frameworks regulate cookie usage and user consent?

European Union:

• General Data Protection Regulation (GDPR)

USA:

• California Consumer Privacy Act (CCPA)
• California Privacy Rights Act (CPRA)
• Virginia Consumer Data Protection Act (VCDPA)
• The Connecticut Data Privacy Act (CTDPA)

Canada:

• Personal Information Protection and Electronic Documents Act (PIPEDA)

United Kingdom:

• Guidance on the use of cookies and similar technologies

Australia:

• Australian Privacy Principles (AAPs)

In practice, treating cookies as a type of personal data is widely accepted. That is why these regulations — while far from consistent — are treated as complementary.

All these rules are equally important when designing cookie banners, and it's recommended that the consequences of these rules be considered when developing and implementing specific solutions.

Of course, the core of the problem is obtaining the user's consent to use cookies.

Generally, user's consent can be obtained from the level of:

• Browser
• Website or mobile/web application

However, from a legal point of view, the first one is insufficient since GDPR requires explicit consent from users who use a given app or website, and they need to provide consent for each category of cookies. Consequently, we need help designing the cookie banner properly.

From a design perspective, the most relevant issue is how a user gives permission to use the data stored in cookies.

The most crucial issue is the so-called default consent. More specifically, the question is whether consent can be the default value in the selection form. In this regard, the matter is straightforward.

Consent for storing and processing cookies can't be set by default. It must result from a website user's active action.

When using a particular website, users shouldn't express their disagreement as much as they should give their consent.

The cookie preference management tools implemented on a website or web application (CMT — Cookie Management Tool, CMP — Cookie Management Platform, CMS — Cookie Management Software) should support the active expression of a user's consent.

Moreover, the owner of a website or web application is obligated to:

• Ensure accountability for transmitting relevant information and expressing consent from a specific user and content.
• Provide consent before storing cookies on their devices (the so-called opt-in model).
• Provide users with information that is understandable and sufficiently accurate to help them understand how cookies function.
• Offer the ability to give consent actively, even if it has already been given through browser settings.
• Offer consent and its refusal in an equally simple way (identical in the number of necessary clicks and similar in the level of availability of the corresponding field and tool).
• Provide the ability to consent or refuse all or each category of cookies separately.
• Determine all cookies, determine the period of their use, and identify third parties that can access them.

An important issue that can't be ignored is the type of information collected.

Even if a site using cookies doesn't acquire personal data, it still must obtain the user's consent to collect and process data.

The expression of a user's will must, first of all, be free (not resulting from any coercion, necessity, or inconvenience), specific (the description of the conditions should be exhaustive), and informed (the user should understand to whom and what they're giving their consent).

In summary, the consent of website users regarding cookies should be:

• Clear
• Readable
• Understandable and unambiguous
• Voluntary
• Informed
• Specific
• Constructive — the cookie consent banner should allow website visitors to give consent and withdraw it easily
• Exhaustive — the information on the cookie banner should specify all entities that will access the data, including third parties

At the same time, this means that user consent cannot be:

• Default — regarded as a probable and obvious value
• Universal in terms of purposes — each purpose must be confirmed in a separate consent
• Coerced by obstructing access to the information necessary to make a decision and express it
• Unspecified — in terms of its duration and scope

Owners of websites aren't only obligated to obtain consent for processing personal data and information collected in cookies but also to inform a user of the following issues:

• Purposes that will be realized with the help of the data.
• Identity of all administrators and organizations processing the data.

The benefits resulting from proper cookie management and CMT implementation include the following:

• Lower risk of complaints and fines imposed on the organization
• Lower risk of control
• Increased business credibility (e.g., among investors and business partners)
• Increased credibility for advertising systems and marketing partners

Cookie consent banner. What should it contain, and how to design it? Summary

1. Designing the cookie consent banner is a legal, technological, and user experience problem.
2. Cookies are usually defined as small pieces of text that a website sends to a browser and that a browser sends back on subsequent visits to a site.
3. Cookies are usually used to maintain sessions and to remember any data that can be encoded as a sequence of characters.
4. The majority of websites use cookies.
5. Cookies can be divided into essential and non-essential. It's the most basic division.
6. Cookies can also be divided into session cookies and persistent cookies.
7. According to another division, we can distinguish first-party cookies and third-party cookies.
8. Website owners often use cookies to save queries and customize responses, suggestions, recommendations, and advice during subsequent user visits. They also customize ads displayed on a site to a user's preferences and build consumer profiles (individual and group).
9. Cookies are regulated by data privacy regulations, including GDPR, CCPA, CPRA, VCDPA, CTDPA, PIPEDA, and AAP.
10. Website and application owners must obtain users' consent to collect personal data.
11. Obtaining user consent to use cookies is the core of their problem.
12. Consent for using cookies can be obtained from the browser and/or website or web application level.
13. A critical issue is the so-called default consent.
14. Consent for storing and processing cookies can't be set by default.
15. Consent must result from the active action of a web user.
16. Even if a website doesn't use cookies to obtain personal data, a website user's consent regarding cookies must be clear, readable, understandable, unambiguous, voluntary, informed, specific, constructive, and exhaustive.
17. When choosing a specific cookie management tool, it's worth checking whether it allows us to keep an inventory of cookies, give consent for particular purposes, provide consent for a category, withdraw consent easily, and include information about how long the consent will be valid.
18. If a website uses technical cookies and doesn't use any analytical or marketing tools, the cookie banner can be a very basic message created with a plug-in.
19. In all other situations, the owner must implement solutions and provide the necessary information in any site configuration and privacy policy model—from safe to very risky in legal and business terms.