
Cookie Consent Banner. What should it contain, and how to design it?


Designing the Cookie Consent Banner is a problem that combines two aspects: the law and usability (user experience).

The more volatile the legal situation, the more the Cookie Consent Banner becomes an IT design issue: a matter of finding the most functional and convenient solution for both the user and the website owner.

When it comes to issues of the legal obligation to inform the user, guarantee security, and obtain consent from users, we have to expect that we will be legally obligated to adapt a site to new standards from time to time.

The problem of the Cookie Banner, the adjustment of its content, particularly to legal standards, is a classic example of this.

How to deal with a Cookie Banner? What should the Cookie Consent Banner contain?

If you want to learn how to design a Cookie Consent Banner, use a free or paid plug-in to comply with the letter of the law, and at the same time not limit your website business-wise, be sure to read the following article.

We cordially invite you to read it.


Monsters in Cookies, browsers, and websites

Sooner or later, new technologies are regulated, especially if they potentially harm users' interests.

They are subject to regulations that are more or less practical, effective, and more or less convenient for everyday Internet use. However, they are universally binding and force organizations to adapt quickly.

GDPR is perhaps the most emblematic example of this.


Has GDPR solved the problems it was expected to solve? A reliable and honest answer to this question is still a matter of time and the adoption of accurate evaluation criteria.

One thing is sure: GDPR has created new problems, which specialized companies help prevent, and new services, which they provide.

That is how Consent Management Platform (CMP) solutions appeared on the market; they are regulated, among other things, by the law adopted under GDPR.

Usually, a new law does not fall from the sky overnight. Particularly when it is supposed to be universally binding and it is supposed to require technical adjustments to websites. But that is only a little consolation.

The thing with the law is that even if its implementation is announced well in advance, there is still the problem of its unambiguity, interpretation, and enforcement.

And this, as it can be easily guessed, raises a lot of misunderstandings, controversies, and, most of all, fears, risks, and dilemmas that organizations usually do not want to experience. Is this also the case with Cookies?


Well, to a large extent, yes. Welcome to the world of Cookie Monsters!

What are Cookies?

Before we move on to patterns and recommendations for designing the Cookie Banner and its settings, let's say a little about Cookies themselves and the confusion they cause. And without question, these small, innocent files made quite a ruckus.

Cookies are usually defined as small pieces of text that a website sends to a browser and that the browser sends back on subsequent visits to the site.

This is the definition provided by the law firm Maruta Wachta.

Cookies are typically used for:

  • Maintaining a session (by generating and returning a temporary identifier after logging in)
  • Storing any data that can be encoded as a sequence of characters.

In the second variant, from the perspective of users of web applications, Cookies become very useful because users do not have to enter the same data each time.

Therefore, exchanging information through Cookies is essential for the smooth and comfortable use of websites.


The process begins when a user launches their Internet browser, types in the address of a website, or clicks on a link to it (e.g., in Google search results).

In response to such a user action, the server sends a Cookie with a unique ID, which is then stored on the disk of the user's device.

When a user revisits a web application or a website, the information about the Cookie is sent to the server from the user's computer so that it is possible to identify it by its unique ID and assign further information.


Most of the websites (e.g., websites of institutions, simple corporate websites, social networks, service websites, and E-Commerce related websites) that we deal with every day while using the Internet use Cookies.

Do they do it for the same purpose and in the same way every time? Of course not. We can distinguish several types of Cookies.

In the most general sense, Cookies can be divided into the following:

  • Essential
  • Non-essential

Essential Cookies include:

  • Authentication Cookies
  • User-Centric Security Cookies
  • Multimedia Player Session Cookies

Non-essential Cookies are files that serve the following purposes:

  • Analytical
  • Marketing
  • Advertising
  • Functional (thanks to which it is possible to activate preferences)

According to another division, in which the criterion of time is crucial, we can distinguish the following Cookies:

  • Session Cookies
  • Persistent Cookies

Session Cookies are deleted when a user logs out of a website or closes their web browser.

Persistent Cookies are stored for a certain time. They are usually used for statistical and analytical purposes related to the personalization of a site's content.

Persistent cookies also help speed up certain actions performed on a website (e.g., login, searching).

We can also look at Cookies from the perspective of their origin, and in this case, we can also distinguish two types:

  • First-Party Cookies
  • Third-Party Cookies

The first ones are saved on the user's device by the visited website, while Third-Party Cookies are files created and saved by entities that are not the application, website, or domain the user visits.
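The two divisions above can be read directly from the `Set-Cookie` headers a page load produces. The following is an added example, not code from the original article: the host names and sample headers are constructed, and the first-party test is simplified to a host-suffix comparison (production tools compare registrable domains).

```javascript
// Added example: classify observed Set-Cookie headers by lifetime and origin.
// Parse one Set-Cookie header into { name, value, attrs } (attribute keys lower-cased).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// No Max-Age and no Expires means a session cookie. Max-Age takes precedence
// over Expires; a non-positive Max-Age or a past Expires deletes the cookie.
function lifetime(cookie, now = Date.now()) {
  const { attrs } = cookie;
  if ('max-age' in attrs) return Number(attrs['max-age']) > 0 ? 'persistent' : 'expired';
  if ('expires' in attrs) return Date.parse(attrs.expires) > now ? 'persistent' : 'expired';
  return 'session';
}

// Simplification: first-party if the responding host is the visited site
// or one of its subdomains.
function party(respondingHost, siteHost) {
  const r = respondingHost.toLowerCase();
  const s = siteHost.toLowerCase();
  return r === s || r.endsWith('.' + s) ? 'first-party' : 'third-party';
}

// Build the inventory rows for one visited site.
function inventory(siteHost, observed, now = Date.now()) {
  return observed.map(({ host, header }) => {
    const c = parseSetCookie(header);
    return { name: c.name, lifetime: lifetime(c, now), party: party(host, siteHost) };
  });
}

// Constructed sample: responses seen while loading the hypothetical site shop.example.
const SAMPLE = [
  { host: 'shop.example', header: 'sid=abc123; Path=/; HttpOnly' },
  { host: 'shop.example', header: 'lang=en; Max-Age=31536000; Path=/' },
  { host: 'ads.tracker.example',
    header: 'uid=u-77; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=tracker.example' },
];

console.log(inventory('shop.example', SAMPLE));
```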

Regardless of which perspective we choose, it's worth remembering that the problem of tracking and identifying users is a problem that has been and will continue to be a procedural one.


The new solutions (e.g., Google Privacy Sandbox) will not so much solve the problem with Cookies (in particular Third-Party Cookies) but open a new chapter in a technological and legal sense.

Keep in mind that Cookies are not just about technology but about protecting users.

That is why current legal solutions focus not so much on a specific technology as on the problem itself: the collection, archiving, and processing of information about users' identities, behaviors, and preferences.

As it can be easily guessed, such actions can be potentially detrimental or even harmful to a user, so collecting such information requires the user's consent.

What can we find in Cookies?

The scope and reasons for collecting and processing data contained in Cookies are quite repetitive.

Web application owners most often use Cookies to:

  • Save queries and customize responses, suggestions, recommendations, and advice during subsequent visits
  • Customize the ads displayed on a site to a user's preferences
  • Build consumer profiles (individual and group)
  • Learn about the types and characteristics of devices on which a website is displayed
  • Optimize a site in terms of usability and functionalities.

Cookies very often contain information related to customer preferences.

In particular, they relate to the following:

  • The way, form, and scope of searching on a website
  • The popularity of given subpages and elements on a site
  • The most frequently clicked elements
  • Time spent on a website
  • Performed activities and behaviors
  • Frequency of website use.

The above information is most often used for marketing, sales, and programming purposes related to optimizing the User Experience (UX) of a website. Hence the need to regulate these issues.


The adopted legal solutions apply to the following:

  • Any technology that tracks user activity
  • Every website owner who is obligated to determine which technology is used and for what purpose
  • Any action – not just those motivated by marketing matters.

The introduction of GDPR in Europe in 2018 is one of the milestones among the attempts to regulate Cookies legally.

The solutions adopted in various European countries are far from homogeneous and unambiguous.

The legal landscape is quite unclear and complicated. It is also very far from establishing and adopting common standards, legal solutions, and interpretations for EU countries.

It should be noted that, in practice, treating Cookies as a type of personal data is widely accepted. That is why these regulations – while far from consistent – are treated as complementary.


From the perspective of designing Cookie Banners, all these rules are equally important, and it is recommended to consider their consequences in designing and implementing specific solutions.

Of course, the crux of the problem is obtaining the user's consent to use Cookies.

Generally, approval can be obtained from within the following:

  • A browser
  • A website or web application.

However, from a legal point of view, the first one is insufficient. Consequently, we are faced with the problem of designing the Cookie Banner properly.

The most relevant issue from a design perspective is how a user gives permission to use the data stored in Cookies.

The most crucial issue is the so-called default consent. More specifically, the question is whether consent can be the default value in the selection form. In this regard, the matter is clear.

Consent for the storage and processing of Cookies cannot be set to default. It must result from an active action of a website user.

When using a particular website, a user should not so much express their disagreement as they should give their consent.


The active expression of a user's consent should be supported by the cookie preference management tools implemented on a website or web application (CMT – Cookie Management Tool, CMP – Cookie Management Platform, CMS – Cookie Management Software).

Moreover, the owner of a website or web application is obligated to:

  • Ensure accountability, that is, be able to show that the relevant information was conveyed and that a specific user consented to specific content
  • Obtain users' consent before storing cookies on their devices (the so-called Opt-In Model)
  • Provide users with information in a way that is understandable and sufficiently accurate to allow them to understand the functioning of cookies
  • Offer the ability to give consent actively, even if it has already been given through browser settings
  • Offer consent and its refusal in an equally simple way (identical in the number of necessary clicks and similar in the level of availability of the corresponding field and tool)
  • Provide the ability to consent or refuse all or each category of Cookies separately
  • Identify all cookies, specify the period of their use, and identify third parties that can access them.
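The opt-in obligations listed above translate into a small consent state that every cookie write has to pass through. This is an added example, not code from the original article or from any particular CMT: the category names, `POLICY_VERSION`, and the cookie-to-category map are assumptions made for illustration.

```javascript
// Added example: opt-in consent state that gates cookie writes.
const CATEGORIES = ['essential', 'functional', 'analytical', 'marketing'];
const POLICY_VERSION = '2024-01'; // hypothetical identifier of the Cookie Policy text shown

// Nothing non-essential is pre-ticked: consent is never a default value.
function initialConsent() {
  return {
    decided: false,
    version: POLICY_VERSION,
    decidedAt: null,
    categories: { essential: true, functional: false, analytical: false, marketing: false },
  };
}

// Record an active user choice per category. The timestamp and policy version
// are kept so the owner can later show what was consented to, and when.
function recordChoice(consent, choice, now = new Date()) {
  const categories = { ...consent.categories };
  for (const [cat, granted] of Object.entries(choice)) {
    if (!CATEGORIES.includes(cat)) throw new Error('unknown category: ' + cat);
    if (cat !== 'essential') categories[cat] = granted === true; // only an explicit true counts
  }
  return { decided: true, version: POLICY_VERSION, decidedAt: now.toISOString(), categories };
}

// Accepting and rejecting everything are both a single call (one click each).
const acceptAll = (c, now) =>
  recordChoice(c, { functional: true, analytical: true, marketing: true }, now);
const rejectAll = (c, now) =>
  recordChoice(c, { functional: false, analytical: false, marketing: false }, now);

// Gate: essential cookies are always allowed; any other cookie needs a recorded
// decision that granted its category. Cookies missing from the inventory are never set.
function mayStore(consent, cookieName, cookieMap) {
  const cat = cookieMap[cookieName];
  if (!cat) return false;
  if (cat === 'essential') return true;
  return consent.decided && consent.categories[cat] === true;
}

function allowedCookies(consent, wanted, cookieMap) {
  return wanted.filter((name) => mayStore(consent, name, cookieMap));
}

// Constructed inventory mapping cookie names to categories.
const COOKIE_MAP = { sid: 'essential', ui_theme: 'functional', _stats: 'analytical', ad_id: 'marketing' };
```

Withdrawing consent is another `recordChoice` call with the category set to `false`, so it costs the user no more effort than granting it.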

An important issue that cannot be ignored is the type of information collected.

Even if a site using Cookies does not acquire personal data, it still must obtain the user's consent to collect and process data.

The expression of a user's will must, first of all, be free (not resulting from any coercion, necessity, or inconvenience), specific (the description of the conditions should be exhaustive), and informed (the user should understand to whom and what they are giving their consent).

In summary, the consent of a user of a website regarding Cookies should be:

  • Clear
  • Readable
  • Understandable and Unambiguous
  • Voluntary
  • Informed
  • Specific
  • Constructive – the Cookie Consent Banner should allow a website user to give consent and withdraw it easily
  • Exhaustive – the information available on the Cookie Banner should specify all entities that will have access to the data, including third parties.

At the same time, this means that user consent cannot be:

  • Default – regarded as a probable and obvious value
  • Universal in terms of purposes – each purpose must be confirmed in a separate consent
  • Coerced by obstructing access to the information necessary to make a decision and express it
  • Unspecified – in terms of its duration and scope.

Owners of websites are not only obligated to obtain consent for processing personal data and information collected in Cookies but also to inform a user of the following issues:

  • Purposes that will be realized with the help of the data
  • Identity of all administrators and organizations processing the data.

The value resulting from proper Cookie management and CMT implementation includes:

  • Lower risk of complaints and fines imposed on the organization
  • Lower risk of an inspection
  • Increased business credibility (e.g., among investors and business partners)
  • Increased credibility for advertising systems and marketing partners.

A significant number of ready-to-implement Cookie Management Tool solutions have appeared on the market.


When choosing a specific solution, a particular system, it is worth checking whether it provides the ability to:

  • Keep an inventory of Cookies used on a website (First-Party Cookies and Third-Party Cookies)
  • Express consent regarding purposes
  • Express consent regarding a given category
  • Learn about the consent period
  • Easily withdraw consent
  • Easily understand the content and scope of the consent
  • Easily access information about Trusted Partners
  • Update the CMT while maintaining existing consent.

When choosing a CMT service provider, we also should pay attention to the following:

  • Ability to customize the tool
  • Good usability and user experience
  • Ease of implementation
  • Availability of technical and legal support
  • Expandability of standards (e.g., regulations from outside the EU).

No less important is the alignment of legal needs with business needs. We can distinguish three approaches to this issue. They vary depending on how consistently we want to implement the legal norms, on which Cookies are used, and for what purpose.

If a website uses technical Cookies and does not use any analytical or marketing tools, the Cookie Banner can take the form of a very basic message.

In all other situations, we should implement solutions using any of the following models.

The safe model gives a user the option to:

  • Accept cookies in a general sense
  • Reject cookies in a general sense
  • Accept/Reject marketing and analytic Cookies
  • Accept/Reject files of specific vendors
  • Learn information about all Cookies.

The balanced model – which is, however, carrying some legal risk – offers a user the ability to:

  • Accept Cookies in a general sense
  • Accept/Reject marketing and analytic Cookies
  • Accept/Reject files of specific vendors
  • Learn information about all Cookies.

The model that is highly risky in legal and business terms provides a user with the option to:

  • Accept/Reject Cookies in a general sense.

When designing a Cookie Consent Banner, also remember to prepare a Cookie Policy that can:

  • Take the form of a separate document that is part of a website or web application
  • Be a part of the Privacy Policy
  • Be a part of the Terms and Conditions.

A standard Cookie Policy should include the following:

  • Description of the used Cookies
  • Description of the purposes that will be achieved through Cookies
  • Complete list of Trusted Partners
  • An indication of the time of use
  • Description of how to manage the given consent
  • Legal basis
  • The rights of data subjects

  1. Designing the Cookie Consent Banner is simultaneously a legal, technological, and user experience problem.
  2. Cookies are usually defined as small pieces of text that a website sends to a browser and that a browser sends back on subsequent visits to a site.
  3. Cookies are usually used to maintain sessions and to remember any data that can be encoded as a sequence of characters.
  4. The majority of websites use Cookies.
  5. Cookies can be divided into essential and non-essential. It is the most basic division.
  6. Cookies can also be divided into Session Cookies and Persistent Cookies.
  7. According to another division, we can distinguish First-Party Cookies and Third-Party Cookies.
  8. Website owners often use Cookies to save queries and customize responses, suggestions, recommendations, and advice during subsequent user visits, customize ads displayed on a site to a user's preferences and build consumer profiles (individual and group).
  9. One of the legal frameworks that regulate Cookies is GDPR.
  10. Obtaining user consent for the use of Cookies is the core of the problem with them.
  11. Consent for the use of Cookies can be obtained from the browser and/or website or web application level.
  12. An extremely important issue is the so-called default consent.
  13. Consent for the storage and processing of Cookies cannot be set to default.
  14. Consent must result from the active action of a web user.
  15. Even if a website does not use Cookies to obtain personal data, the consent of a website user regarding Cookies must be clear, readable, understandable, unambiguous, voluntary, informed, specific, constructive, and exhaustive.
  16. When choosing a specific Cookie Management Tool, it is worth checking whether it provides the ability to keep an inventory of Cookies, to give consent in terms of purposes, to provide consent in terms of a category, to withdraw the consent easily, and includes information about how long the consent will be valid for.
  17. If a website uses technical Cookies and does not use any analytical or marketing tools, the Cookie Banner can take the form of a very basic message which can be created with a plug-in.
  18. In all other situations, the owner must implement solutions and provide the necessary information in any of the site configuration and privacy policy models – from safe to very risky in legal and business terms.
Author: Radek
UX Writer and researcher by education + experience. Collects The Story's knowledge and shares it on the Journal.
Reviewer: Dymitr Romanowski
