Since the GDPR came into force in 2018, cookie banners have become an integral part of the digital user experience. Users now encounter these pop-ups almost everywhere, be it on websites, in apps or even on smart TVs. Accordingly, compliance with the GDPR on online platforms is being monitored more and more strictly. The fines imposed are also continuously increasing, as the regularly updated GDPR fine tracker shows.
In this article, we will discuss the legal basis of the GDPR and the key steps to create a GDPR compliant cookie banner. You will learn how to effectively implement a banner and what strategic benefits it offers for your marketing campaigns. Let’s get started!
Table of contents
- What is a cookie banner and why is it important?
- When is a GDPR-compliant cookie banner required?
- What does the GDPR say about a GDPR-compliant cookie banner?
- What does a GDPR-compliant cookie banner have to look like?
- How to create a GDPR compliant cookie banner?
- Additional rules for companies targeting customers outside the EU
- Standards & integration options for your GDPR-compliant cookie banner
- The role of cookie banners in your company
- Frequently Asked Questions (FAQs)
What is a cookie banner and why is it important?
A cookie banner, also known as a cookie notice, is a layer that appears on your website – usually the first thing users see when they enter your site. It informs users which cookies are set in their browser, whether for basic site functionality or for marketing and analytics purposes.
Cookie banners also improve users’ online experience. Imagine an e-commerce website that uses cookies to track what products a user has viewed and displays personalized recommendations based on that. Or booking platforms like Airbnb that remember language preferences to make the process easier for the user. All of this is made possible by cookies.
When is a GDPR-compliant cookie banner required?
If you use cookies to collect personal data from users residing in the EU, the GDPR applies and you need a cookie banner. The cookie banner ensures that the user is informed that their data is being processed and gives them the opportunity to give or refuse consent.
What does the GDPR say about a compliant cookie banner?
According to Article 6 of the GDPR, a cookie banner must clearly and transparently inform about why cookies are used. The user must have the option to accept or reject them.
Important: Consent must be voluntary, informed and revocable at any time.
Go through the checklist here and check whether your cookie banner meets the most important requirements.
✅ Checklist for a GDPR-compliant cookie banner
- Clear information: Explain what cookies are used, for what purpose and how long they are stored.
- Granular options: Offer users the opportunity to accept the use of different types of cookies (e.g. marketing, analytics).
- Active consent: Consent must not be preset, but must be actively given by the user.
- Clear choice between accepting/rejecting: Users must be able to easily choose between accepting or rejecting cookies.
- Option to set preferences: Provide options such as “Settings” or “Customize” so that users can individually set their preferences.
- Detailed descriptions: Provide clear descriptions of what each cookie is used for.
- List of cookies: Include a complete list of cookies, their duration and categories.
- Data examples: List the data processed (e.g. IP address, device data).
🔑 We have compiled all the details on the first and second level requirements of a GDPR compliant cookie banner in a PDF.
Download the checklist for free here: https://www.consentmanager.net/en/checklist-download/
What does a GDPR-compliant cookie banner have to look like?
A GDPR compliant cookie banner isn’t just about following the rules – it’s also about creating a frictionless user experience. If users are frustrated or feel like they can’t easily control their choices, it will leave a negative impression of your brand. To find the right balance, consider the following:
✅ Good design:
- Visual clarity: Make sure options like “Accept” and “Decline” are equally visible, without misleading design elements.
- Transparency: Provide clear explanations about the different types of cookies so that users can select or reject them individually.
- Usability: Make sure the banner adapts quickly to the language, device and system.
Bad design:
- Dark Patterns: Avoid misleading designs where, for example, the opt-in button stands out while the opt-out option is hidden.
- Hidden settings: Don’t make it difficult to access cookie settings by hiding them behind too many clicks.
Bad design leads to fines ❗ In April 2023, the Italian data protection authority (“Garante”) imposed a fine of EUR 300,000 on an online marketing company that had recorded several violations of the GDPR, including the use of misleading “dark patterns” to manipulate user consent.
How to create a GDPR compliant cookie banner?
Step 1: Register for free with consentmanager. Create a free account on our platform in just a few minutes.
Step 2: Customize your cookie banner: Use our intuitive editor to personalize text, design and features to your liking. Watch our recorded dashboard walkthrough.
Step 3: Enable GDPR compliance: Go to the Integrations section and enable GDPR compliance.
Step 4: Insert the cookie banner on your website: Simply insert the provided script code into your website and you’re ready!
Additional rules for companies targeting customers outside the EU
If you also target customers outside the EU, your cookie banner should offer the possibility to adapt to the data protection regulations of other regions. Below is an overview of some important regulations:
| Region | What privacy regulations require for cookie banners |
| --- | --- |
| EU (GDPR) | Requires explicit consent to data collection and clear information about the purpose of cookies. Users must be able to refuse cookies. |
| Switzerland (FADP) | Requires the user’s consent, especially when transferring data abroad. Requires keeping records of data processing activities in accordance with the FADP. |
| USA (CCPA/CPRA) | Users must be informed and have the opportunity to object to the sale of personal data (Do Not Sell). |
| Brazil (LGPD) | Requires clear consent to data collection and valid records of the consents you obtain. |
| Canada (PIPEDA) | Consent and transparent information about the collection and processing of personal data are required. |
Sources:
- European General Data Protection Regulation (GDPR): https://gdpr-info.eu/art-6-gdpr/
- Swiss Federal Act on Data Protection (FADP): https://www.fedlex.admin.ch/eli/cc/2022/491/en
- California Consumer Privacy Act (CCPA): https://oag.ca.gov/privacy/ccpa
- California Privacy Rights Act (CPRA): https://oag.ca.gov/privacy/ccpa
- Lei Geral de Proteção de Dados (LGPD): https://lgpd-brazil.info/
- Personal Information Protection and Electronic Documents Act (PIPEDA): https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda
🇺🇸❗Note: In addition to CCPA and CPRA, several US states (e.g. Colorado, Virginia, Utah) have their own data protection laws with specific requirements.
Standards & integration options for your GDPR-compliant cookie banner
A cookie banner isn’t just for your website – it needs to be seamlessly integrated with the services you use. For example, if you run advertising campaigns through Google, it’s crucial that your banner is integrated with Google Consent Mode. Google’s EU User Consent Policy for the EEA and Switzerland is also closely linked to GDPR requirements. GDPR-compliant use of third-party tracking services will ensure your campaigns run smoothly and you avoid delays or lost revenue.
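The following is an added example, not consentmanager’s own code or Google’s, showing how the checklist requirements above (nothing preset, per-category choices, easy withdrawal, a record of each decision) and the Consent Mode integration just described fit together in the site-side logic: optional tags stay blocked until an explicit choice exists, and the category-to-signal mapping used for Google Consent Mode v2 is this example’s assumption, not a published one.

```javascript
// Added example (not consentmanager's code): a small consent store that enforces the
// checklist. Storage and UI wiring are left out so the logic runs anywhere.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Constructed sample tags: each is labelled with the cookie category it belongs to.
const SAMPLE_TAGS = [
  { id: "session", category: "necessary" },
  { id: "ga4", category: "analytics" },
  { id: "ads-pixel", category: "marketing" },
];

// No consent is preset: before any choice, only strictly necessary cookies are allowed.
function initialConsent(now = Date.now()) {
  return { necessary: true, analytics: false, marketing: false, decided: false, at: now, log: [] };
}

// Record an explicit per-category choice. Every optional category must be given as a
// boolean, so a partial or silently "accepted" state cannot exist; "necessary" is locked.
function recordChoice(state, choices, now = Date.now()) {
  const next = { ...state, decided: true, at: now, log: [...state.log] };
  for (const cat of CATEGORIES.filter((c) => c !== "necessary")) {
    if (typeof choices[cat] !== "boolean") throw new Error(`explicit choice required for ${cat}`);
    next[cat] = choices[cat];
  }
  for (const k of Object.keys(choices)) {
    if (!CATEGORIES.includes(k) || k === "necessary") throw new Error(`unknown or locked category: ${k}`);
  }
  // Keep an audit record of each decision (what was chosen and when).
  next.log.push({ at: now, analytics: next.analytics, marketing: next.marketing });
  return next;
}

// Withdrawal must be as easy as giving consent: one call resets all optional categories.
function withdrawConsent(state, now = Date.now()) {
  return recordChoice(state, { analytics: false, marketing: false }, now);
}

// Gate tags by category: a tag may run only if its category is currently consented.
function allowedTags(state, tags) {
  return tags.filter((t) => CATEGORIES.includes(t.category) && state[t.category] === true);
}

// Map categories to Google Consent Mode v2 signals (this mapping is an assumption).
function toConsentMode(state) {
  const g = (v) => (v ? "granted" : "denied");
  return {
    analytics_storage: g(state.analytics),
    ad_storage: g(state.marketing),
    ad_user_data: g(state.marketing),
    ad_personalization: g(state.marketing),
  };
}
```

In a real deployment the object returned by toConsentMode would be passed to gtag('consent', 'default', …) before any choice and to gtag('consent', 'update', …) after one.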
With our partnership as a certified Google Gold CMP partner, consentmanager makes it easy – customers can activate the integration directly from their dashboard. ✅
Here are some integration options available to you:
- consentmanager with Google Consent Mode
- consentmanager with IAB TCF v2.2
- consentmanager for Connected TVs (CTV)
- consentmanager for mobile apps
- List of integration guides on our help page
The role of cookie banners in your company
- Protection from fines: As already mentioned, with a GDPR-compliant cookie banner you can avoid the ever-increasing GDPR fines.
- Privacy and transparency: Give your customers control over their data and show that you respect their privacy and value their trust.
- Better data for more effective campaigns: The data collected through user consent allows you to personalize your marketing campaigns. This leads to more relevant ads and ultimately better conversion rates.
- Optimization through A/B testing and machine learning: With consentmanager you can optimize your banners through A/B testing to find the best performing versions. These optimizations can increase your cookie acceptance rates by up to 15%.
An optimized, GDPR-compliant cookie banner creates the perfect balance between protecting user data and the success of your marketing processes.
Frequently Asked Questions (FAQs)
Is it illegal under the GDPR not to have a cookie banner?
Yes, if your website uses cookies that are not strictly necessary, such as for marketing or analytics purposes. You must obtain explicit consent from users.
Is a cookie banner alone sufficient?
This depends on the type of service you provide or the functionality of your website, as well as the data protection laws that apply to you. We recommend that you run a quick cookie scan to learn more.
What are “strictly necessary” cookies?
These are cookies that are essential to the basic functionality of the website and are important for accessing different features of the website, such as login information. No consent is required for these cookies.