When it comes to what exactly needs to be in a cookie banner, website operators – maybe even you – are often at a loss. But good news: If it is possible to mount a car on a rocket and catapult it into the vastness of space (thanks Elon!), you will definitely succeed in creating an ePrivacy Directive- and GDPR-compliant Cookie Banner 🚀
In this article, we explain to you what types of cookie banners there are, what you need to pay attention to when creating a text in the cookie banner, show you great and not-so-great cookie consent text examples and tell you where you can quickly and easily obtain data protection-compliant templates for your cookie banner.
When you start looking for the ideal cookie consent banner for your needs, you will come across more and more plugins and cloud cookie banners that falsely claim to be legally compliant. Many are implemented according to outdated legal requirements, or the claim of a supposedly perfect cookie banner is simply marketing aimed at desperate cookie banner newbies.
That’s why we explain to you what types of cookie banners there are, so that you can distinguish them yourself. This is important so that you don’t mistakenly use a cookie notice banner that could get you into legal trouble.
It should be noted that some integrated WordPress plugins or services technically set several cookies or cookie-like information. For the sake of simplicity, we will refer to these as “cookies” in the following.
Cookie consent banners that ask your visitors for active and informed consent before cookies may be set are referred to as opt-in cookie banners.
This type of cookie banner ensures that when your visitors visit your website for the first time, they are presented with a dialogue or banner in which they can select which services may be loaded and cookies set. It is important that the user is free to choose which cookies they want to accept, and that each cookie can be rejected individually. The cookie banner must not pre-select cookies. This is explicitly forbidden by law.
The opt-in cookie banner ensures that cookies are only set after consent has been given. Conversely, this also means that services such as Google Analytics may only be integrated after the user has explicitly agreed to this.
The counterpart to the opt-in cookie banner is the opt-out cookie banner – who would have thought it 😉
With this type of cookie banner, cookies are initially set. However, the user of your website must be given the opportunity to object to this immediately after entering your website. Typically, these solutions display a “Do Not Sell My Personal Information” link at the bottom of the screen. If the user objects, all cookies must be deleted again and the use of the corresponding plug-ins and services must be prevented.
This type of cookie banner is required by the California Consumer Privacy Act (CCPA), but not by EU law. This law is intended to protect residents of California in the United States. Consequently, this type of cookie notification is only relevant for websites targeting the US market. At the same time, the more restrictive opt-in cookie banner process from the EU should meet the requirements of the CCPA in the same way.
There are numerous faulty – if not outright illegal – cookie banners. But what is the reason for this?
In short: the legal requirements. Who doesn’t love reading heaps of legal texts? We can definitely understand if reading laws written in legalese – let alone understanding them – is not your preferred reading 🤯 Especially for a small hobby blog, the effort seems far too great to many website operators. As a result, even the simplest requirements, such as the presence of a cookie banner, are often not met.
We can understand the legislator’s intention to ensure more data protection on the internet. This is to prevent large (personal) data collections. However, practice shows that implementing the legislator’s wishes is simply far too complex and can only be done with great effort, even by professionals.
Now we come to the much-awaited core of the article: What must be included in the cookie notice?
This is how a cookie banner on your website could be structured. In the following, we will explain to you what you should pay attention to when creating your cookie notice text. For this purpose, we will take a closer look at the English text examples of our cookie banner 🔎
💡Tip: The Real Cookie Banner Plugin for WordPress already includes all text templates in English and German.
Title of the dialogue
Transparency is the key. Therefore, you should explain to your user right at the beginning that privacy settings can be made in the following.
Information on data processing and legal notice
Therefore, we advise you to explain to your user:
- What exactly is used and processed incl. example.
- Why this data is used and processed.
- How consent can be revoked or changed at any time.
Data processing in the USA
Some services process personal data in the USA. By consenting to the use of these services, you also consent to the processing of your data in the USA in accordance with Art. 49 (1) lit. a GDPR. The USA is considered by the ECJ to be a country with an insufficient level of data protection according to EU standards. In particular, there is a risk that your data will be processed by US authorities for control and monitoring purposes, perhaps without the possibility of a legal recourse.
In this cookie banner sample text section, we inform our users that some services used on our website process data in the USA. It is therefore not enough to tell your users that data is processed in general. You should also inform them that this also happens in countries outside the EEA – in this case the USA.
Why? The Privacy Shield was declared invalid by the ECJ in July 2020. This agreement between the EU and the US was supposed to guarantee the same level of data protection as within the EU also in the US for EU citizens. The ECJ said that the agreement could not fulfil this mandate. How can services like Google Analytics from the USA still be used?
One idea is that you, as the website operator, inform the visitor to your website about the danger of data transfer to the USA and obtain their consent to it. The visitor to your website must agree to surrender parts of his or her fundamental rights. Whether this is really possible has not yet been confirmed by the highest courts. However, this is the sensible approach to continue using services from the USA (as of mid-2021).
Age warning for the protection of minors
You are under 16 years old? Then you cannot consent to optional services, or you can ask your parents or legal guardians to agree to these services with you.
According to Article 8 of the GDPR, consent to services that process personal data and/or set cookies can only be given from the age of 16 (different in some EU countries) or together with a parent or guardian. Therefore, as a website operator, you must take appropriate measures to ensure that persons under this age limit only consent together with their parent or guardian.
A legally suitable remedy here would again appear to be to instruct the children and young people. Because we all know, at this age, people are keen on reading these texts 😉
● Essential ● Functional ● Statistics ● Marketing
If you divide cookies and services into groups, show your website visitor which cookie groups exist on your website and how they are composed. Your visitor should always be able to reject individual groups and individual services in these groups. The exception is essential cookies, also called technically necessary cookies. Without such cookies, the basic functionality of your website would not be possible.
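The opt-in rule and the group model described above can be expressed as a small consent state that a site consults before loading any service. This is an added example, not code from Real Cookie Banner or any other plugin; the service ids and function names are constructed for illustration.

```javascript
// Constructed sample services; ids and group assignments are assumptions.
const SERVICES = [
  { id: "session-cookie", group: "essential" },
  { id: "video-embed", group: "functional" },
  { id: "google-analytics", group: "statistics" },
  { id: "ad-pixel", group: "marketing" },
];

// Opt-in default: nothing is pre-selected except essential services.
function createConsent(services) {
  const decisions = {};
  for (const s of services) decisions[s.id] = s.group === "essential";
  return { services, decisions, decided: false };
}

// Record one explicit choice; essential services cannot be switched off.
function setService(consent, id, allowed) {
  const svc = consent.services.find((s) => s.id === id);
  if (!svc) throw new Error(`unknown service: ${id}`);
  const value = svc.group === "essential" ? true : Boolean(allowed);
  return { ...consent, decisions: { ...consent.decisions, [id]: value }, decided: true };
}

// Apply one choice to every service in a group.
function setGroup(consent, group, allowed) {
  return consent.services
    .filter((s) => s.group === group)
    .reduce((c, s) => setService(c, s.id, allowed), consent);
}

// "Accept all" and "Continue without consent" are symmetric operations.
const acceptAll = (c) => c.services.reduce((a, s) => setService(a, s.id, true), c);
const rejectAll = (c) => c.services.reduce((a, s) => setService(a, s.id, false), c);

// Only these services may be loaded (script injected, cookie set) right now.
function loadable(consent) {
  return consent.services.filter((s) => consent.decisions[s.id]).map((s) => s.id);
}

// Services whose consent was withdrawn: their cookies must be deleted
// and their scripts must no longer be loaded.
function revoked(before, after) {
  return before.services
    .filter((s) => before.decisions[s.id] && !after.decisions[s.id])
    .map((s) => s.id);
}
```

A page would call `loadable()` before injecting any third-party script and call `revoked()` whenever the visitor changes their settings.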
Choices for the website visitor
Buttons in the cookie banner are important to make it as easy as possible for your user to consent and decline. The buttons should be equally visible and easy to understand in the cookie banner. It is important that you do not slip into the legal grey area of dark patterns.
Continue without consent
Your user must always have the option to reject cookies or not give consent. Just like the “Accept all” button, the button for rejecting cookies should be clearly visible on the first level of the cookie message. These two buttons should appear on the same level! You also need to label this button so that your user understands what it does easily and quickly. Depending on how your cookie banner is structured, “Continue without consent” or “Reject all” could be a suitable label.
Individual privacy preferences
By clicking on “Individual privacy settings”, we enable the user to individually configure their preferred settings. Often this function is also called “Configure cookies”. The website visitor should in any case be able to decide which services are allowed to read/set cookies and process personal data.
Is a cookie notice generator your saviour in need? We say no. Even if it may seem tempting to integrate a supposedly perfect cookie banner on your website in just a few steps and for free, we strongly advise you not to use a cookie generator. They promise to generate an “optimal” cookie notice with one or two clicks. Many cookie banner generators are simply not legally up-to-date and/or do not cover all the legal requirements. The same also applies to many cookie banner plugins.
You should rather carefully select a suitable cookie banner solution – as a plugin or for integration as a script – for your website. You should always check predefined texts again for each individual case. In case of doubt, you should always seek the advice of a lawyer.
The headaches are over: With our WordPress Cookie Banner plugin, you can quickly and easily create a cookie banner tailored to your needs. In Real Cookie Banner you will find relevant text examples that you can use in your cookie banner or modify as you wish.
Try Real Cookie Banner now and create your legally compliant cookie banner that even data protectionists will like! 🍪