How to Create Law-Compliant Cookie Consent Notice According to GDPR, CCPA and The Cookie Law?

The following article explains the details of the General Data Protection Regulation (GDPR), ePrivacy Regulation (The Cookie Law), and California Consumer Privacy Act (CCPA) means for your cookie usage, and obtaining cookie consent.

Many modern websites have dozens of active cookies and online tracking tools in use. But, what exactly does that mean for website users’ privacy?

If you have a website with visitors from the EU and California, you need a cookie warning popup notice to become cookie law compliant.

Otherwise, you may be restricted from paying penalties up to €20 million!

Whatever, don’t get confused, we have a long way to go together, so let’s begin!

Create Your Law-Compliant Cookie Consent Popup for Free!

What are Cookies?

5 chocolate chip cookies representing website cookies on the heading of what are cookies

A cookie is a web file that is stored on a user’s computer to collect information about the user data.

There are essentially three types of party cookies and three kinds of primary cookies which are explained and exemplified below;

1. First Party Cookies

First party cookies refer to cookies constituted by the domain that a user is visiting.

For example, when you click on from a browser, our web infrastructure collects your behavioral data from your browser to enable us providing a good user experience for you.

Most browsers treat first-party cookies as trustworthy by default since their primary goal is to allow customization and improve user experience.

They allow website owners to;

  • Gather analytical data,

  • Remember language settings,

  • Enable login without entering user information,

  • Show which items were added to the shopping cart before.

2. Third-Party Cookies

Third-party cookies refer to cookies created by domains other than the one a visitor is browsing on. These cookies are mainly used for tracking and digital advertising purposes.

For example, when you have had a chat via a live-chat popup, it identifies you and creates third party cookies; the next time you visit the same website and click the chatbox, it will remember your name and all the previous conversation.

Or you visit Amazon and view a product, and third-party trackers will collect information about your activities on Amazon. Then, when you visit eBay, you will be shown ads of a similar product that you have previously viewed.

Here are some other third-party services that leave cookies;

In brief, there is no real difference between first-party cookies and third-party because they both collect similar information and can perform the same functions.

3. Second Party Cookies

On the other hand, second-party cookies are the ones that are transferred from one company to another company via some data partnership.

For instance, an airline company could sell its first-party cookies’ data to a hotel chain to enable them to reach their target audience’s browsing behavior data and advertise accordingly.

However, obtaining or selling second party cookies’ data is not an ethical way to collect information about your prospects.

4. Session Cookies

Session cookies are temporary cookies that store information about your current session and disappear when your browser is closed.

They are the least likely to raise privacy concerns and fall into the “strictly necessary” category.

This is why when you log off from your bank’s website, they recommend you to close the current browser window to remove any session cookies.

5. Permanent Cookies

Permanent cookies are placed on the hard drive of your device and not deleted when you close the current browser. They are also called “persistent cookies,” as well as “stored cookies.”

They are the type of cookies that raise much of the privacy concern over cookies.

However, they are handy for providing customized user experience, analyzing return visitor behavior, and advertising to the correct prospects because permanent cookies store information for an indefinite time.

6. Browser Independent Cookies

Browser independent cookies act like permanent cookies, altering by that they are not stored on your browser.

Instead, they are stored in separate program files, which makes them trickier to delete unless a user installs a separate cookie remover.

If you are utilizing browser independent cookies on your website, you definitely must disclosure the use of cookies to new users and get the consent of them.

Why Are Cookies Regulated?

a man working from his laptop there are security reflection icons, a key, representing cookie regulations under the heading of why are cookies regulated

The use of cookies may raise several privacy concerns.

Tracking cookies on websites can collect data about users’ browsing habits, see what types of products they view and what they purchase.

Actually, cookies are extremely useful for users because, in this way, e-commerce websites and service providers reach them quickly and customize their advertising messages according to prospects’ browsing behaviors.

It is also great for internet users because they are provided an excellent user experience like seeing customized ads, facing what they are thinking to buy and finding service solutions for their problem.

However, some website owners violate the rights of web users for their own personal gain.

Therefore, the regulators have felt internet users needed the right to understand what and how cookies are being used by the websites they visit.

What are “Strictly Necessary” Cookies?

Not all cookies are evil. In fact, some are fundamental for both in terms of user experience and the proper functioning of your website.

Thankfully, the regulators understand this and omit cookies that are “strictly necessary” to fulfill the requests of website visitors.

The strictly necessary cookie usage is especially important for online retailers.

The exact scope of what strictly necessary cookies is not well defined. However, you may think as it is about customer expectations.

If a customer does not accept cookies but still wants to see the items on the shopping card from her previous website visit, this type of cookie can be used without user consent.

Another instance is to eliminate a perpetual login process every time a user browsing on the same website as Facebook. Would not a user want to remain logged in on every page she visits? Probably, not. So, it can be considered strictly as a necessary cookie.

a girl holding a phone and uploading something on her laptop screen, there appears a privacy policy cookie consent popup to secure her online privacy

Let’s have a look at the strict requirements of privacy regulators on what makes a cookie popup non-compliant or compliant.

Remember that; you only need to get cookie consent for the first time a user visits your site. Once the consent is received, cookies will be able to identify return visits and won’t ask for further permissions each time the user returns.

You can control if your cookie consent popup meets with requirements below. The popup must;

  • Consist of specific information about data types,

  • Present clear information about the purposes of cookies,

  • Explain tracking technologies in use on the website,

  • Request before the settings of cookies in users’ browsers,

  • Clearly state which action will signify consent,

  • Have a link to your Cookie Policy, which includes the details of cookie usage, purpose, and related third-party activities.

  • Give users the opportunity to opt-in or opt-out of various types of cookies,

  • Enable users to make subsequent changes anytime,

  • Let users withdraw their consent whenever they want,

  • Record and send the data to be stored as evidence securely.

Don’t forget to renew your visitors’ cookie consent every 12 months to comply with the regulations of the ePrivacy Directive.

Because cookie laws do not let you install cookies before obtaining user consent, I recommend you to employ a script blocking cookies prior to user consent.

As I have said before, you don’t need to handle all of these bullet points. Hence, Popupsmart has already designed entirely compliant cookie consent popup templates that are ready to use!

Create Your Law-Compliant Cookie Consent Popup for Free!

Posting a comprehensive cookie policy on your website will help you avoid legal hassles and exposing hefty fines because of cookie laws.

To make sure your cookie policy must meet the legal requirements set forth by legal authorities, include these articles below to your the policy;

  • Describe details about the cookie installation purpose.

  • Indicate and explain the type of cookies installed.

  • Be presented in all languages in which the website has.

  • Indicate all third-parties that can install cookies.

  • Include a link to third-party policies.

  • Have visible opt-out forms.

  • Provide information on how users can withdraw consent.

GDPR General Data Protection Regulation 12 stars within a circle

The General Data Protection Regulation, also known as GDPR, was enforced on 25th May of 2018.

GDPR is the most significant initiative regarding online data protection for more than 20 years. The latest law on the protection of personal data extends over 1995.

GDPR has strict regulations on how personal data of users must be handled, and it sets strict rules on how personal data must be handled and imposes a sanction with heavy fines (up to €20 M or 4% of global annual turnover) for those websites that fail to comply.

The primary purpose of GDPR is to keep the EU legislation up to date with the digital age while protecting personal privacy and enabling users to have control over their own personal data.

The GDPR sets out strict requirements on data handling procedures, transparency, documentation, and user consent.

All websites located in the European Union, and websites that have EU citizens as users are held responsible for complying.

If you use cookies, you must ask for user consent before setting any cookies other than the strictly necessary, whitelisted ones.

You have to revise your website’s cookie policy or also known as privacy policy, if necessary so that they meet the requirements of accuracy and transparency.

Due to the new enforcement of the GDPR, simple “accept cookies,” popups are no longer considered as compliant.

Let’s look at a cookie consent popup that is compliant with GDPR;

cookie consent popup of nike GDPR-compliant cookie notice example

And, have a look at a non-compliant cookie consent popup;

cookie banner of airbnb non GDPR-compliant simple cookie notice example

Here, the user has no real choice, and there is no direct information about what cookies are set on the browser, where they come from, and which purposes they serve.

Official GDPR Law

What is "Personal Data" in the GDPR?

Personal data in GDPR is considered as the data that is directly personal such as name, a photo, an email address, bank details, and IP address.

If you are using cookies that may track and identify personal data directly, you must either take them away or update your cookie consent under the new regulations of GDPR.

In other words, all cookies that process personal data are subject to the new regulations;

  • Cookies for analytics,

  • Cookies for advertising,

  • Cookies for functional services like survey and chat tools.

What Should Data Records Come From Cookies Contain?

You must adequately record the users’ data coming from your website cookies. Here are what must be included in the cookies’ data folder in accordance with cookie laws;

  • Name of your company,

  • Contact details of your business,

  • Description of each cookie data subjects,

  • Categories of organizations receiving data,

  • The time limit for removal of data,

  • Description of security measures used while data processing.

 Who Needs a Data Protection Officer According to GDPR?

Employing a data protection officer is not always obligatory. It depends on the type and amount of data collection.

You need a data protection officer if you;

  • Process personal data to advertising through search engines and to reach the target audience by considering web users’ behavior online.

  • Process personal health data for genetics or hospitals.

On the other hand, you don’t need a data protection officer, if you;

  • Send an advert to your customers once a year to promote your local business.

  • Are a general practitioner and collect your patients’ health records.

ePrivacy Regulation (ePR) and Cookies

ePrivacy Regulation ePR The EU Cookie Law 12 stars create a circle around the logo

ePrivacy Regulation or ePrivacy Directive was established to put guidelines and expectations for digital privacy, including cookie usage.

It carries much of the same scope as the GDPR and stipulates additional requirements to protect web users’ electronic communications. Also known as “The Cookie Law.”

The Cookie Law was implemented in 2002 and had become an actual regulation in 2019. This is why cookie consent popups started to be shown increasingly on lots of websites.

These two EU laws, The Cookie Law and GDPR, both have a significant impact on the use of cookie consent banners to warn users about marketing and tracking.

According to the Directive, all websites had to ask for a cookie disclaimer from their users about the fact that they set cookies on the visitors’ browser.

The law also states that users must be given the possibility to refuse or withdraw their consent.

In case a user opts-out her consent, you can keep his previous cookie data but cannot gather further data on his next visits.

Furthermore, according to The Cookie Law, you are not required to manage consent for third-party cookies directly; this responsibility must be held by third-parties.

However, you are required to facilitate the process by leaving links to the relevant policies of third-parties. You also must indicate their categories and purposes.

The law mandates that user consent must be freely given for considering it as valid. Using coercive methods render the permission and can be detected.

Some type of cookies are exempt from cookie requirements such as;

  • Technical cookies like preference cookies and session cookies.

  • Statistical cookies that are managed by the website itself.

  • Anonymized statistical third-party cookies like Google Analytics and Google Tag Manager.

The Cookie Law does not require records of user consent kept in files. However, it indicates that you should be able to prove that you get users’ consent prior to install cookies.

Official EU Cookie Law

what are cookie requirements on cookie usage a woman lists all the necessary requirements to comply with cookie laws

The cookie law requires informing users before storing cookies on their device or tracking them.

Consent to cookies must be based on an explicit affirmative action like browsing, clicking, and scrolling.

You must provide detailed information about how the cookie data will be utilized over time.

If visitors refuse the use of cookies on your site, you need to ensure that cookies will not be placed on their machine.

The law does not require records of consent to be kept but still indicates you have to prove that users’ permission is obtained.

You need to provide an option for obtaining informed consent and a means for withdrawal of consent.

You have to state third-party cookies’ category and purpose with a relevant link to their cookie policies but are not required to list them individually.

A cookie consent banner is a cookie warning that appears on a user’s first website visit and asks for consent to collect data about the user.

The banner declares the cookies and gives the user a choice of prior consent before gathering data.

The purpose of cookie consent banners, therefore, is to alert the users of the website about the cookies and try to get consent for setting cookies.

Cookie consent banners are shown up on websites to be compliant with the EU ePrivacy Directive of 2002.

Additionally, according to the EU Court of Justice, your website’s cookie banner cannot have marked checkboxes on any cookie category except strictly necessary ones.

CCPA and Cookies

California Consumer Privacy Act CCPA, a lock

California Consumer Privacy Act (CCPA) is a light version of GDPR. It enshrines protections for a subset of US citizens against their data being collected and sold without their knowledge.

The CCPA takes effect on January 1, 2020.

While the federal government does not play a vital role in online privacy laws, the states are taking a strict approach to the subject.

California state regulators have enacted new legislation which will be binding from the beginning of 2020, which gives rise to cookie requirements.

The Act requires companies to give notice to California residents about their cookie data collection practices.

CCPA gives customers the right to demand website owners not to sell their personal information to third parties. Then, the business is prohibited from selling the visitors’ personal information to comply with the law.

Companies that are non-compliant with the CCPA may be issued penalties from $2.500 to $7.500 per violation.

The law requires businesses over a specific user and revenue threshold to the disclosure;

  • What personal data they collect,

  • The purpose they intend to use this data for,

  • Third-parties that cookies will be shared with,

  • Third-party cookie disclosure reasons.

According to CCPA, all businesses providing service to Californians must provide a clear link on their website with the title of “Do not sell my personal information.” Moreover, the link must not require customers to create an account to opt-out.

If a customer chooses to opt-out from selling of her data to third parties, that business is not allowed to charge different prices for its services, deny giving customer support or provide a different level of quality services.

Customers have the right to access and obtain a copy of their personal information, which has been gathered by the business in the past 12 months.

Website users also have the right to request personal data deletion. In this case, the company which gathers data of a visitor claimed deletion must permanently clear all personal data except the strictly necessary ones.

Furthermore, businesses cannot sell the personal information of customers under the age of 16 unless parents first authorize them in the first place.

Official CCPA Law

Who is Responsible for CCPA Regulations?

who is responsible for ccpa regulations 6 people pointing out a man like blaming him the man is surprised for being pointed

In the CCPA, a business is defined as companies, partnerships, legal entities, and associations that are operated for the financial benefits of its stakeholders.

To be bounded by the CCPA, a company has to meet at least one of the attributes below;

  • Generate an annual gross revenue exceeding $25 million.

  • Obtain 50% or more of its revenue from selling customers’ personal information.

  • Purchase, receive, and sell the personal information of more than 50.000 Californians a year.

If you are not meet one of the requirements above, CCPA does not apply to your business. However, if you share common branding with a company meeting one of the above thresholds, your business is subject to CCPA compliance.

What is Personal Information in CCPA?

Personal information word phrase is defined in the CCPA as;

“Information that identifies, relates, describes, or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal information may include;

  • Biometric data like fingerprints, DNA, and voice recordings.

  • Data regarding personal characteristics, religion, and sexual preferences.

  • Geo-locational data, such as browsing history and location history via devices.

  • Identifier data like IP addresses account names, cookies, and pixel tags.

How to Create a CCPA Compliant Privacy Policy?

To become CCPA compliant, your privacy policy must be updated and include;

  • A description of customer rights and how to exercise these rights,

  • List of categories of personal information that your website collects sells and discloses.

The list of personal data categories must be updated every year.

What Is The Difference Between CCPA and GDPR?

You can think as GDPR is prevention, whereas the CCPA is transparency.

According to GDPR, personal data of a website visitor cannot be collected until the user gives her consent to do so, whereas CCPA does not require prior consent to handle personal information but grants the user the right to request disclosure and deletion.

In other words, the main difference between GDPR and CCPA is the opt-out opportunity and prior consent necessity.

GDPR’s obligations comprise a broader area. Even though GDPR seems to affect only websites in Europe, it has an extra-territorial scope since any website may offer services to European visitors. On the other hand, CCPA laws are only binding to sites that sell the personal data of Californians.

EU data protection authorities have investigatory powers non-compliant websites, yet CCPA violations are solely up to the Attorney General to start investigations.

GDPR is a broader privacy law that forms a data protection framework under the EU, in comparison to CCPA, which is a smaller and more sectoral law.

Website Privacy Audit

a checklist on a computer screen a cup of coffee a tablet, the photo represents online privacy audit

The General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and ePrivacy Regulation (ePR) affect how you must get and store cookie consents from your visitors.

To comply with these requirements, you must have a thorough and compliant setup for managing the consents for cookie usage on your website. You may start by identifying what cookies are in action on your website, then evaluate their compliance levels.

If you are in doubt whether or not the use is compliant, there are some free compliance test tools to check that your website’s use of cookies and online tracking processes are accurate.

How to Make Your Website Laws-Compliant Infographic

How to make your website cookie laws-compliant explained in an infographic

We like sharing our knowledge with our visitors! You are very welcome to use our infography on your own website for presenting a excellent infographic about how to your website cookie laws compliant!

You may think that if visitors are prominently exposed to the cookie policy, they may get confused, irritated, and unconcerned.

Believe me, paying heavy penalties is more sorrowful than losing some visitors who do not care about their own privacy policy.

In fact, lots of well-known companies continuously show up a cookie consent popup notification to their users. Let’s look at some companies which insistently ask for cookie consent;

1. Google

Google's cookie consent notice popup example

Google enables its users to get the most accurate information about cookie usage by making them read the cookie policy of Google.

2. Jet Brains

jet brains resharper cookie consent notice popup example

Jet Brains chose to show up a plain text-only prompt and included balanced options to opt-in or opt-out of cookie consent.

3. Nielsen

nielsen norman group's cookie consent notice popup example

Nielsen Norman Group has grouped all cookies. The popup says necessary cookies cannot be opted out while other groups of cookies can be disabled within a few taps.

4. MailChimp

MailChimp's cookie consent notice popup example

MailChimp has tabbed cookies as groups and enabled its visitors to opt-out from any group of cookies they want, except the strictly necessary ones.

5. Daily Mesh

Daily Mesh's cookie consent banner popup example

Daily Mesh provides an option to customize privacy settings to accept or reject some type of cookies. Also, there are “Accept All” and “Reject All” option to ease visitors’ cookie choice process.

6. Indie Web Camp

Indie Web Camp's cookie consent notice popup example

Indie Web Camp choose to display cookie settings in a dashboard and explains all the patterns of cookie usage, which increased the transparency of the data collection process.

7. Fandom

Fandom's cookie consent notice popup example

Fandom presents a cookie consent popup to its users when visitors first entered the website. The popup explains which type of cookies are in use and for what purpose they are used.

8. Jamie Oliver

Jamie oliver's cookie consent notice popup example

Jamie Oliver sets all options off by default to be safe from the regulator cookie laws until a visitor adjusts cookie usage settings as on.

9. Iamsterdam

Iamsterdam's cookie consent notice popup example

Iamsterdam allows its website visitors to alter cookie settings, and explains all types of cookies, what they are used for and how they proceed information.

10. Osano

Osano's cookie consent notice popup example

Osano has used a tab cookie popup to enable website users to adjust their level of cookie consent whenever they want.

11. Cookiebot

Cookiebot's cookie consent notice popup example

Cookiebot has a cookie banner enabling website users to reach very detailed information about all types of cookies without the necessity of going to the cookie policy page.

Frequently Asked Questions About Cookie Consent

What should I do to comply with the regulations governing cookies under GDPR, ePrivacy, and CCPA laws?
  • Ask for user consent before you use any cookies except strictly necessary ones such as accessing secure areas and login related cookies.
  • Provide accurate and detailed information about the data each cookie tracks.
  • Store and document consent received from users.
  • Allow users to access your website content even if they refuse the use of certain cookies.
  • Enable your users to withdraw their consent whenever they want.
  • Regularly audit your site for changes and update any relevant cookie information.

How do I implement a cookie consent message on my website? The most efficient way to become compliant by cookie regulations is to have popups on your website. Luckily, [Popupsmart]( offers law-compliant cookie consent popup templates that do not require any coding or designing knowledge to create one.

Don’t I need to have a Cookie Banner if I only use cookies that are exempt to cookie consent requirements? You still must inform the user about the use of cookies via your cookie policy. The banner is not necessarily required for this instance if the cookie policy is visible and accessible on every page of your website.

What should I do if a user opts-out of the cookies on my website? If a user decides to opt-out of the cookies on your site, you may handle the request with two different options that do not create compliance conflict; Ask the user to update their browser settings to remove his cookie consent. This option eases your job but not provide the best user experience. Set your website up to shut off cookie usage when the user withdraws his consent. In this case, it is better to allow the user to select what type of cookies should be removed.

How may somebody report me if my website is non-compliant with cookie laws? Your website visitors deserve privacy, and they are very aware of that. If you get a visitor and suspects that you are collecting cookie data without her consent, she has the right to report your website to regulate institutions. Moreover, if those institutions agree about the non-compliance, you may be penalized up to $20 M for violating the rights of your website users.

Do I need a cookie consent if I use Google Analytics, MailChimp, Salesforce, and social media buttons? All of the services and features mentioned above are examples of third-parties on your website. Those service providers instantly deposit cookies on browsers as a visitor comes to your website. Therefore, you are restricted to protect your website users’ privacy and give them clear information about how their data is being used, both by you and by third parties in use on your website.

What should I do if a user clicks on the exit icon instead of accept or reject cookie usage button? You should set the cookie settings by default if a user clicks on the exit icon instead of accept or reject cookie usage button. When you generate default settings, I recommend you to include strictly necessary cookies as selected to be safe from hefty fines. Other cookie settings should be changed by only website visitors.

Does the EU Cookie Law appeal to US websites? Or are US websites only responsible for CCPA regulations? This question does not have a bright answer. Certain privacy matters are coming from the ePrivacy Regulation but are lack of clarity in the CCPA GDPR employs long territorial arms that may reach you. Therefore, I recommend you contact Popupsmart for obtaining assistance with developing a defensible and customized policy for your online business.


It is easy to get lost, trying to keep track of the many privacy-related rules or get confused. In this case, please feel free to communicate with us via live chat, and our data protection officer will gladly help you.

I hope this guide on Cookie Laws and how to make your website cookie usage compliant with those policies would prevent you from fining massive fees.

If you do not have website visitors located in countries that are not a member of the European Union, it is safe to have a simple cookie consent popup on your website by using Popupsmart’s free tool.

Lastly, remember that Popupsmart has cookie popups and cookie banners that are ready-to-use, utterly compliant with Cookie Laws, and professionally designed. What’s more, you don’t need to have coding and designing expertise to build one of our popups.

Create Your Law-Compliant Cookie Consent Popup for Free!

Show Comments