
How to Create Legal Cookie Consent Notifications Compliant with GDPR, CCPA, and the Cookie Law

Tuğçe Gör
-Published on:
Jan 19, 2024
-Updated on:
Dec 1, 2025

In this article, I'll explain the key details of the General Data Protection Regulation (GDPR), the ePrivacy Directive (Cookie Law), and the California Consumer Privacy Act (CCPA), and what they mean for your website’s cookie usage and consent practices.

Today, many modern websites use dozens of active cookies and online tracking tools.
But what does this really imply for user privacy?

If your website receives visitors from the European Union or California and uses cookies beyond the strictly necessary ones, you are legally required to tell them. For EU visitors that means a cookie consent popup that obtains consent before the cookies are set; for California residents it means disclosure plus a way to opt out.

Doing so helps you avoid hefty fines, which can go as high as €20 million!

But don’t worry, we’ll walk you through everything step by step.
Let’s get started!

👉 Create Your Legal Cookie Consent Popup for Free!

What Are Cookies?

5 chocolate chip cookies represent the heading “What are cookies?”

A cookie is a small piece of data that a website asks the browser to store on the user's device and send back with later requests to that site. That is what lets a site recognize a returning visitor, keep a login session alive, or track behavior across pages.

What is Cookie Consent?

Before explaining cookie consent, it's important to understand the different types of cookies. Cookies are commonly described along two axes: who sets them (first-, second- and third-party) and how long and where they live (session, persistent and non-browser). All six are detailed and illustrated below:

1. First-Party Cookies

First-party cookies are created by the domain the user is actively visiting.

For example, when you visit popupsmart.com via your browser, our web infrastructure collects behavioral data to provide you with a better user experience.

Browsers allow first-party cookies by default because their primary purpose is personalization and keeping state for the site you chose to visit. They are not "safe" by definition, though: a first-party analytics cookie still tracks what you do on that site.

They help website owners with:

  • Collecting analytical data
  • Remembering language preferences
  • Logging in without entering credentials again
  • Displaying items previously added to the shopping cart

2. Third-Party Cookies

Third-party cookies are created by domains other than the website the visitor is currently browsing. They are typically used for tracking and digital advertising.

For instance, when you chat via a live support widget, it identifies you and generates third-party cookies. On your next visit, the chat window may remember your name and previous conversation.

Similarly, if you view a product on Amazon, third-party trackers collect information about your activity. Later, when you visit eBay, you may see ads related to similar products you previously viewed.

Some common third-party services that use cookies:

➡️ In short, the mechanism is identical: a first-party and a third-party cookie are the same kind of data and can store the same things. The difference is which domain sets and can read it. Because a third-party domain embedded on many sites receives its cookie from all of them, that one cookie can link a user's activity across sites, which is what makes third-party cookies the main tracking concern.

3. Second-Party Cookies

Second-party cookies refer to data originally collected as first-party cookies by one company and then shared with another through a data partnership.

For example, an airline may sell its first-party cookie data to a hotel chain, allowing the hotel to understand browsing behavior and serve targeted ads to the airline’s customers.

⚠️ However, buying or sharing second-party cookie data raises both ethical and legal problems: under GDPR the original collector needs a lawful basis for the sharing and must have told users about it. It is not a recommended approach to gathering insights about potential customers.

4. Session Cookies

Session cookies store information temporarily during the current browsing session and are deleted once the browser is closed.

Session cookies that hold a login or shopping session are the textbook example of "strictly necessary" cookies and raise the fewest privacy concerns. Lifetime alone does not decide the category, though: a session-scoped advertising cookie is still a tracking cookie and still needs consent.

This is why, for example, your bank may recommend closing your browser after logging out so that session cookies are cleared. Note that browsers set to restore the previous session on startup may keep session cookies, so logging out properly matters more than closing the window.

5. Persistent Cookies

Persistent cookies are stored on your device and survive closing the browser; they carry an Expires or Max-Age attribute that tells the browser how long to keep them. They are also known as "stored" cookies.

These cookies raise greater privacy concerns.

However, they are extremely useful for:

  • Delivering personalized user experiences
  • Analyzing returning visitor behavior
  • Serving ads to the right target audience

Persistent cookies remain until their expiry date passes or the user deletes them. Regulators expect that date to be proportionate to the purpose; the French CNIL, for instance, treats 13 months as the maximum lifetime for consented tracking cookies.

6. Non-Browser Cookies

Non-browser cookies behave similarly to persistent cookies but are not stored inside the browser.

Instead, they are saved in separate program files, which makes them harder to delete—unless the user installs a dedicated cookie cleaner.

➡️ If you use non-browser cookies on your website, you must clearly notify new users and obtain explicit consent.

Why Are Cookies Regulated?

A man working on his laptop has a key representing security symbols and cookie settings.

The use of cookies can raise certain privacy concerns.
Tracking cookies on websites can collect data about users’ browsing habits, showing what products they view and even what they purchase.

However, cookies are often extremely beneficial for users. They enable e-commerce sites and service providers to reach potential customers quickly and personalize advertising messages based on their browsing behavior.

From the internet user’s perspective, this results in a great experience, seeing relevant, personalized ads and quickly finding solutions to their needs.

That said, not all website owners act responsibly. Some misuse cookies to exploit users’ data for their own benefit and, in doing so, violate users' rights.

For this reason, regulatory bodies decided that internet users should have the right to understand what cookies are and how website owners use them.

What Are “Strictly Necessary” Cookies?

Not all cookies are bad. In fact, some are essential for both user experience and the proper functioning of a website.

Thankfully, regulators recognize this, which is why cookies that are classified as “strictly necessary” or “essential” are exempt from consent requirements.

These cookies are particularly important for online retailers.

Although the exact scope of strictly necessary cookies isn't exhaustively defined, the test regulators apply is whether the cookie is needed to deliver a service the user explicitly requested, not merely whether it is useful to the site.

For example:

  • A cookie that keeps the items in a user's shopping cart while they shop (and, within reason, when they come back to finish the purchase) is needed to provide the service they asked for, so it may be set without consent.
  • Another example is eliminating the need to repeatedly log in on platforms like Facebook. A user wants to stay logged in while browsing different pages of the site, so the authentication cookie falls under the "strictly necessary" category.

What Makes Cookie Consent Popups Compliant?

A girl is holding a phone and downloading something on her laptop, a cookie notification pop-up appears to ensure her online privacy.

Let’s take a closer look at the strict requirements set by privacy regulators that determine whether your cookie consent notifications are compliant or not.

👉 Remember: you do not have to re-ask on every visit. Once the visitor's choice is recorded (typically in a first-party cookie, which is itself strictly necessary), it can be honored on returning visits until it expires or your cookie policy changes.

You can check if your cookie consent popup meets the following requirements. A compliant popup must include:

✔️ Requirements for a Compliant Cookie Consent Popup

  • Clear information about the types of data collected
  • Transparent details on the purpose of cookies
  • Explanation of any tracking technologies used on the website
  • A prompt to ask users for consent before cookies are stored in their browser
  • A clear explanation of which action constitutes consent
  • A link to your Cookie Policy, detailing the purpose of cookies and third-party activities involved
  • Options for users to opt in or opt out of different cookie categories
  • The ability for users to modify their preferences at any time
  • The option for users to withdraw their consent whenever they wish
  • Secure storage of the consent data for audit or legal evidence

📌 Consent does not last forever. The ePrivacy Directive sets no fixed period, but data protection authorities expect consent to be refreshed periodically; 12 months is a common choice, and some authorities (such as the CNIL) recommend 6.

Cookie laws do not allow non-essential cookies to be placed before consent. Therefore the consent script must actually block those cookies and the third-party tags that set them until the visitor accepts; a banner that is displayed while the tags already run does not comply.
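As an added example of what "blocking prior to consent" looks like in code (this is not Popupsmart's script; it is written for this article), third-party tags are embedded inert as `<script type="text/plain" data-consent="analytics" src="...">` and are only switched on for the categories the visitor has granted. The decision logic is kept free of DOM calls so it can be tested on its own; the cookie name, the category names, the `data-consent` attribute and the version number are this example's own conventions. It also shows the two edge cases the article raises: an expired or dismissed consent falls back to strictly necessary only, and withdrawal expires the cookies your own domain set.

```javascript
// Added example, not Popupsmart's code: gate non-essential cookies and tags on consent.
// Tags are embedded inert, e.g.
//   <script type="text/plain" data-consent="analytics" src="https://analytics.example/tag.js"></script>
// Cookie name, categories, data-consent attribute and version are this example's conventions.

const CONSENT_COOKIE = 'cookie_consent';   // first-party; strictly necessary, so set without consent
const CONSENT_VERSION = 3;                 // bump whenever the cookie policy changes: forces a new prompt
const CONSENT_TTL_MS = 365 * 86400 * 1000; // re-ask after 12 months
const ALWAYS_ON = ['necessary'];

function makeConsentRecord(choices, now = Date.now()) {
  // Called only from an explicit Accept / Save / Reject action. Closing the banner,
  // scrolling or continuing to browse never reaches this function.
  const stored = {};
  for (const [category, value] of Object.entries(choices)) stored[category] = value === true;
  return { v: CONSENT_VERSION, ts: now, choices: stored };
}

function isRecordValid(record, now = Date.now()) {
  return Boolean(record)
    && record.v === CONSENT_VERSION
    && Number.isFinite(record.ts)
    && record.ts <= now
    && now - record.ts < CONSENT_TTL_MS;
}

function allowedCategories(record, now = Date.now()) {
  // Default for no record, an expired record, an older policy version or a dismissed
  // banner: strictly necessary only.
  const allowed = new Set(ALWAYS_ON);
  if (!isRecordValid(record, now)) return allowed;
  for (const [category, granted] of Object.entries(record.choices)) {
    if (granted) allowed.add(category);
  }
  return allowed;
}

function serializeConsentCookie(record) {
  const maxAge = Math.floor(CONSENT_TTL_MS / 1000);
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${maxAge}; SameSite=Lax; Secure`;
}

function parseConsentCookie(cookieHeader) {
  // Works on document.cookie in the browser or the Cookie request header on the server.
  for (const pair of String(cookieHeader || '').split(';')) {
    const i = pair.indexOf('=');
    if (i === -1 || pair.slice(0, i).trim() !== CONSENT_COOKIE) continue;
    try {
      return JSON.parse(decodeURIComponent(pair.slice(i + 1).trim()));
    } catch {
      return null; // tampered or truncated value counts as no consent
    }
  }
  return null;
}

function expireCookieHeader(name, domain) {
  // Used on withdrawal: expire a non-essential cookie set on your own domain.
  // Cookies on third-party domains cannot be removed by your site; stop loading the tag instead.
  return `${name}=; Path=/; Max-Age=0${domain ? `; Domain=${domain}` : ''}`;
}

function activateScripts(allowed, doc = globalThis.document) {
  // Browser only: replace inert scripts for granted categories with live ones.
  // Returns the number activated; 0 outside a browser.
  if (!doc || typeof doc.querySelectorAll !== 'function') return 0;
  let activated = 0;
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!allowed.has(inert.dataset.consent)) continue;
    const live = doc.createElement('script');
    for (const { name, value } of inert.attributes) {
      if (name !== 'type') live.setAttribute(name, value); // dropping type="text/plain" makes it executable
    }
    if (!inert.hasAttribute('src')) live.textContent = inert.textContent;
    inert.replaceWith(live); // a newly created script element executes on insertion
    activated += 1;
  }
  return activated;
}
```

On page load call `activateScripts(allowedCategories(parseConsentCookie(document.cookie)))`; when the visitor saves choices, write `serializeConsentCookie(makeConsentRecord(choices))` to `document.cookie` and call `activateScripts` again. The record carries the policy version and a timestamp, which is what you need to show when, and to which policy, the visitor agreed; mirror the same record server-side if you want evidence the visitor cannot edit.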

As mentioned earlier, you don’t have to handle all these rules manually.
Popupsmart offers multiple ready-to-use cookie consent popup templates that are already fully compliant!


How to Create a Cookie Policy

Publishing a comprehensive Cookie Policy on your website helps prevent legal issues and heavy fines due to non-compliance.

To ensure your cookie policy meets the requirements set by legal authorities, make sure it includes the following elements:

  • A detailed explanation of why cookies are used
  • A description of the types of cookies installed
  • Availability in all languages used by the website
  • A list of all third parties that may set cookies
  • A link to third-party cookie policies
  • Visible opt-out forms or mechanisms
  • Information on how users can withdraw their consent

GDPR and Cookie Usage Consent

GDPR General Data Protection Regulation logo inside the EU's circle of 12 stars

The General Data Protection Regulation (GDPR), officially enforced on May 25, 2018, represents the most significant initiative in online data protection in over 20 years. The previous major legislation on personal data protection dates back to 1995.

GDPR introduces strict regulations regarding how users’ personal data must be processed. Websites that fail to comply face severe penalties—up to €20 million or 4% of annual global revenue, whichever is higher.

The primary goal of GDPR is to modernize EU legislation for the digital age, protect personal privacy, and enable users to have full control over their own personal data.

GDPR imposes rigorous requirements concerning data processing procedures, transparency, documentation, and user consent.

All websites established in the European Union, and any website outside it that offers goods or services to, or monitors the behavior of, people in the EU, are legally required to comply. The trigger is the data subject's location, not citizenship.

If you use cookies on your website, you must obtain user consent for all non-essential cookies.

Additionally, review your cookie policy and the cookie section of your privacy policy (related, but not the same document) to ensure they meet the standards of accuracy and transparency.

➡️ Under the GDPR's definition of consent, which requires a specific, informed and unambiguous choice, a banner that only offers "Accept cookies" is no longer considered compliant: the visitor must be able to refuse as easily as to accept.

Let’s Take a Look at a GDPR-Compliant Cookie Consent Popup:

Nike's GDPR-compliant cookie notice example

And now, let’s take a look at a non-compliant cookie consent popup:

Airbnb's non-compliant, simple cookie notice example

In this example, the user is not presented with a real choice, nor are they given direct information about which cookies are being installed in the browser, where they come from, or what purposes they serve.

What Is “Personal Data” Under GDPR?

Under GDPR, personal data is any information relating to an identified or identifiable person, whether it identifies them directly (name, photo, email address, bank details) or indirectly (IP address, cookie identifier, device ID).

If you are using cookies that track or identify personal data, you must either remove those cookies or update your cookie consent mechanism to align with the new GDPR regulations.

In other words, all cookies that process personal data are subject to the revised rules, including:

  • Analytics cookies
  • Advertising cookies
  • Cookies used by functional services such as survey tools or live chat widgets

What Should Cookie Data Logs Include?

You must document the processing you perform on data collected through cookies; this is part of your record of processing activities under GDPR Article 30. Your cookie data record should include:

  • Your company name
  • Your business contact information
  • A description of each cookie data subject
  • Categories of organizations that receive the data
  • Data retention period
  • Details of security measures applied during data processing

Who Needs a Data Protection Officer (DPO) Under GDPR?

Appointing a Data Protection Officer is not always mandatory. It depends on the type and volume of data collected.

You are required to appoint a DPO if you:

  • Process personal data to run targeted advertising campaigns based on users’ online behavior (e.g., through search engines)
  • Process personal health or genetic data (e.g., within hospitals or medical facilities)

You are not required to appoint a DPO if you:

  • Send promotional messages once a year to promote your local business
  • Collect patients’ health records as a family doctor

ePrivacy Directive (Cookie Law) and Cookies

ePrivacy Directive, the EU Cookie Law: 12 stars form a circle around the logo

The ePrivacy Directive (2002/58/EC) sets rules for privacy in electronic communications, including the storage of, and access to, information on a user's device, which is what cookie consent is about. A replacement ePrivacy Regulation (ePR) was proposed in 2017 but was never adopted, so the Directive, as transposed into each member state's national law, remains the applicable text.

It complements the GDPR, which defines what valid consent is, with requirements specific to electronic communications. It is commonly referred to as the "Cookie Law."

The Directive dates from 2002; the consent requirement for cookies was added by the 2009 amendment (Directive 2009/136/EC), which is when cookie consent popups started to become common across websites. Since the GDPR took effect in 2018, the Directive's consent requirement has been read against the GDPR's stricter definition of consent.

Both of these EU laws—the Cookie Law and the GDPR—have a major influence on the use of cookie consent banners to notify users about tracking and marketing activities.

According to the Directive, any website that sets non-essential cookies must inform visitors that cookies are being placed in their browsers and obtain their consent first.

The law also requires that users be given the option to refuse or withdraw their consent.

👉 If a user withdraws consent, earlier processing does not retroactively become unlawful, but you must stop reading and setting the affected cookies immediately, expire those set on your own domain, and have a separate legal basis for any data you keep.

Moreover, embedding a third-party service does not shift responsibility: under the Cookie Law it is the website that embeds the tag that must make sure the third party's cookies are not set until the visitor has consented. The CJEU's Fashion ID judgment (C-40/17, 2019) treats the site and the plugin provider as joint controllers for that collection; the third party's own policy covers what it does with the data afterwards.

You must also make the process clear for users by linking to the relevant third-party policies and stating their categories and purposes.

📌 Consent must be given freely. Cookie walls, pre-ticked boxes, and designs that make refusing harder than accepting (for example, no "Reject" option on the first layer) invalidate the consent, and regulators actively check for these patterns.

Cookie Types Exempt from Consent Requirements

Some cookie types are exempt from the Cookie Law's consent requirement, including:

  • Technical cookies that are strictly necessary for a service the user requested, such as session, authentication and preference cookies
  • First-party statistical (audience-measurement) cookies, in member states whose authority allows this (France and Italy, for example) and only under strict conditions such as no cross-site tracking and short retention
  • Third-party analytics cookies only where the authority treats them as equivalently limited; Google Analytics or Google Tag Manager in their default configuration are generally not considered exempt, so check your own authority's guidance before relying on this

The Cookie Law itself does not prescribe how consent records must be stored, but you must be able to prove that consent was obtained before any non-essential cookie was set, and GDPR Article 7(1) makes the controller responsible for demonstrating it. In practice that means logging what was shown, what was chosen, and when.

What Are the Cookie Usage Requirements Under the Cookie Law?

What are the cookie requirements: a woman lists all the requirements needed to comply with the Cookie Law

The Cookie Law requires that users be informed before any cookies are stored or tracking activities take place.

Cookie consent must be a clear affirmative action, such as clicking "Accept" or switching a category on. Merely continuing to browse, scrolling, or closing the banner is not valid consent (EDPB Guidelines 05/2020 on consent).

You are required to provide the detailed information on how cookie data will be used up front, before consent is asked for, not over time.

If visitors refuse cookie usage on your website, you must ensure that no cookies are placed on their device.

Keep a record of when and how each consent was obtained: the law does not dictate the format, but you must be able to prove that consent was given before cookies were set.

You must obtain informed consent and provide users with the option to withdraw their consent at any time.

The categories and purposes of third-party cookies must be indicated by linking to their respective cookie policies—but you do not need to list each one individually.

What Is a Cookie Consent Banner?

A cookie consent banner is the notification displayed to users when they visit a website for the first time, asking for permission to collect their data through cookies.

This banner informs users about cookies and allows you to request consent before data collection or tracking begins.

The primary purpose of cookie consent banners is to inform website visitors about cookies and obtain permission to enable them.

To comply with the EU ePrivacy Directive (as amended in 2009), websites that use non-essential cookies must obtain consent, and a cookie consent banner is the usual way to do it.

Additionally, according to the European Court of Justice (Planet49, C-673/17, 2019), consent given through a pre-ticked checkbox is not valid, so no cookie categories other than strictly necessary ones may be pre-selected in your cookie banner.

CCPA and Cookies

California Consumer Privacy Act CCPA, a key

The California Consumer Privacy Act (CCPA) can be considered a more concise counterpart to the GDPR. It protects California residents by giving them the right to know what personal information is collected about them and to stop it from being sold or shared. Unlike the GDPR, it is largely an opt-out regime rather than a consent-first one.

CCPA came into force on January 1, 2020.

Although the federal government does not take a major role in online privacy laws, individual states adopt strict privacy approaches. California regulators implemented this new law from the beginning of 2020, which also introduced cookie-related requirements.

The law obligates companies to inform California residents about how cookie data is collected.

Under CCPA, customers have the right to request website owners not to sell their personal data to third parties. In such cases, the business must refrain from selling visitors’ personal information to comply with the law.

Companies that fail to comply with CCPA face civil penalties of up to $2,500 per violation, or $7,500 per intentional violation and per violation involving minors.

This law applies to businesses that exceed certain user or revenue thresholds and requires them to disclose:

  • What types of personal data they collect
  • The purpose for which they intend to use this data
  • The third parties with whom cookies or personal data will be shared
  • Why this data sharing takes place

According to CCPA (as amended by the CPRA), a covered business that sells or shares personal information must include on its website a clear link titled "Do Not Sell or Share My Personal Information," and must also honor opt-out preference signals sent by the browser, such as Global Privacy Control. Users must not be required to create an account to opt out.

If a user chooses to prevent their data from being shared with third parties, the business:

  • Cannot charge different prices
  • Cannot refuse customer support
  • Cannot reduce the quality of service

Users also have the right to access and request a copy of the personal data collected in the last 12 months.

Furthermore, website users have the right to request the deletion of their personal data. In this case, the business must permanently delete all personal data collected, except for data strictly necessary for legal or operational purposes.

Additionally, businesses cannot sell or share the personal information of consumers they know to be under 16 without affirmative (opt-in) authorization: from the consumer themselves if they are 13 to 15, and from a parent or guardian if they are under 13.
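For the opt-out side, here is an added example (again not Popupsmart's code, and not an official CCPA reference implementation) of the server-side check that decides whether a response may include tags that sell or share personal information. It honors three things the section above describes: a Global Privacy Control signal (the `Sec-GPC: 1` request header, mirrored in the browser as `navigator.globalPrivacyControl`), the opt-out recorded through the "Do Not Sell or Share My Personal Information" link, and the opt-in rule for consumers known to be under 16. The cookie name, the request shape and the route path are this example's own. Note the default at the end: with nothing on record, the answer is "allowed", which is the opposite of the EU opt-in gate.

```javascript
// Added example, not Popupsmart's code: CCPA/CPRA opt-out handling on the server.
// Cookie name, request shape ({ path, headers, knownAge, minorOptIn }) and route are assumptions.

const OPT_OUT_COOKIE = 'ccpa_opt_out';
const OPT_OUT_TTL_SEC = 365 * 86400;

function hasGpcSignal(headers) {
  // Node lower-cases incoming header names; the GPC spec defines the value as exactly "1".
  const raw = headers['sec-gpc'];
  return String(Array.isArray(raw) ? raw[0] : raw).trim() === '1';
}

function hasOptOutCookie(cookieHeader) {
  return String(cookieHeader || '').split(';').some((pair) => {
    const i = pair.indexOf('=');
    return i !== -1 && pair.slice(0, i).trim() === OPT_OUT_COOKIE && pair.slice(i + 1).trim() === '1';
  });
}

function maySellOrShare(request) {
  // request: { headers, knownAge?: number, minorOptIn?: 'consumer' | 'guardian' }
  const { headers = {}, knownAge = null, minorOptIn = null } = request;

  // An opt-out signal or recorded opt-out wins over everything else.
  if (hasGpcSignal(headers)) return { allowed: false, reason: 'Global Privacy Control signal' };
  if (hasOptOutCookie(headers.cookie)) return { allowed: false, reason: 'Do Not Sell or Share opt-out on record' };

  // Minors flip the default: selling/sharing needs affirmative authorization.
  if (knownAge !== null && knownAge < 13) {
    return { allowed: minorOptIn === 'guardian', reason: 'under 13: parent or guardian opt-in required' };
  }
  if (knownAge !== null && knownAge < 16) {
    return { allowed: minorOptIn === 'consumer' || minorOptIn === 'guardian', reason: '13 to 15: consumer opt-in required' };
  }

  // CCPA default for adults with no opt-out on record.
  return { allowed: true, reason: 'no opt-out on record (CCPA default)' };
}

function optOutSetCookie() {
  // Response header for the "Do Not Sell or Share" link. No account or login is required.
  return `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=${OPT_OUT_TTL_SEC}; SameSite=Lax; Secure`;
}

function handleRequest(req) {
  // Minimal router: the opt-out link records the choice; every other page is checked
  // before any ad-tech tag that sells or shares data is rendered into it.
  if (req.path === '/do-not-sell-or-share') {
    return { status: 200, headers: { 'Set-Cookie': optOutSetCookie() }, body: 'Your opt-out has been recorded.' };
  }
  const decision = maySellOrShare(req);
  return {
    status: 200,
    headers: {},
    body: decision.allowed ? 'page with ad-tech tags' : `page without ad-tech tags (${decision.reason})`,
    decision,
  };
}
```

The same decision has to be made wherever data leaves your system, not only at page render: an ad pixel fired from a backend job for a consumer who sent `Sec-GPC: 1` is still a sale.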

Official CCPA Law

Who Is Responsible Under CCPA?

Under CCPA, a "business" is a for-profit legal entity (corporation, partnership, association, and so on) that does business in California and decides the purposes and means of processing consumers' personal information.

To be subject to CCPA, a company must meet at least one of the following criteria:

  • Have more than $25 million in annual gross revenue (the CPRA adjusts this figure for inflation)
  • Derive 50% or more of annual revenue from selling or sharing consumers' personal information
  • Buy, sell, or share the personal information of 100,000 or more California consumers or households per year (the original 50,000 threshold was raised by the CPRA, effective 2023)

If your business does not meet any of these criteria, CCPA does not apply directly.
However, an entity that controls or is controlled by a covered business and shares common branding with it is also subject to CCPA.

What Is Personal Information Under CCPA?

CCPA defines personal information as:

“Any information that identifies, relates to, describes, or is reasonably capable of being associated with a particular consumer or household, directly or indirectly.”

This may include:

  • Biometric data such as fingerprints, DNA, and voice recordings
  • Personal characteristics, religious information, and sexual orientation
  • Internet activity such as browsing and search history, and geolocation data such as device-based location
  • Identifiers such as IP address, account names, cookies, and pixel tags

How to Create a CCPA-Compliant Privacy Policy

To comply with CCPA, your privacy policy must be updated and include:

  • A clear definition of customer rights and how to exercise them
  • A list of the categories of personal data your website collects, sells, or discloses

The list of personal data categories must be updated annually.

What Is the Difference Between CCPA and GDPR?

You can think of GDPR as a preventive framework, while CCPA focuses on transparency.

  • Under GDPR (read with the ePrivacy Directive), a website cannot set non-essential cookies or process the resulting personal data without prior consent.
  • Under CCPA, prior consent is not required for adults, but users must be informed and have the right to opt out of selling or sharing and to request data deletion.

In other words, the main difference between GDPR and CCPA is “opt-in” vs. “opt-out.”

GDPR obligations cover a broader scope. While GDPR appears to apply only to websites within Europe, its extraterritorial reach extends to any website that serves EU visitors.

Conversely, CCPA binds businesses that meet its thresholds and collect personal information from California residents, wherever the website is hosted.

EU data protection authorities have the power to investigate non-compliant websites.
CCPA is enforced by the California Attorney General and, since the CPRA, by the California Privacy Protection Agency; consumers have a private right of action only for certain data breaches.

In summary:

GDPR is a broader privacy framework under EU jurisdiction, while CCPA is a narrower, state-specific regulation.

Website Privacy Audit

A checklist, a cup of coffee, and a tablet on a computer screen represent an online privacy check.

GDPR, CCPA, and the ePrivacy Directive affect how you obtain and store cookie consent from your website visitors.

To comply with these requirements, you must implement a comprehensive and compliant cookie management setup on your website.

Start by identifying which cookies are active on your site, then assess their level of compliance.

If you’re unsure whether your current implementation meets the standards, you can use free compliance testing tools to check whether your cookie usage and online tracking processes are correctly configured.
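As an added example for the audit step (this is not Popupsmart's code or checker), the script below takes Set-Cookie headers captured while loading a page and classifies each cookie along the two axes from the cookie-types section earlier in this article: first- versus third-party by which host responded, and session versus persistent by Expires/Max-Age. It also flags missing Secure, HttpOnly and SameSite attributes and lifetimes over 13 months. The hostnames and headers are constructed sample data, and the "last two labels" notion of a site is a simplification; a real audit should use the Public Suffix List.

```javascript
// Added example: first-pass cookie inventory from captured Set-Cookie headers.
// Not Popupsmart's code. Hosts and headers below are constructed sample data.

function parseSetCookie(header) {
  const [nameValue, ...rest] = header.split(';').map((p) => p.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attrs };
}

function registrableDomain(host) {
  // Simplification: last two labels. Wrong for suffixes like co.uk; use the Public Suffix List in a real audit.
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

function classifyCookie(header, respondingHost, siteHost, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);

  // Party is decided by which site's server set the cookie, not by the Domain attribute.
  const party = registrableDomain(respondingHost) === registrableDomain(siteHost) ? 'first-party' : 'third-party';

  // Lifetime: Max-Age wins over Expires; neither means a session cookie.
  let lifetime = 'session';
  let expiresAt = null;
  const maxAge = attrs['max-age'] !== undefined ? Number.parseInt(attrs['max-age'], 10) : NaN;
  if (!Number.isNaN(maxAge)) {
    expiresAt = now + maxAge * 1000;
    lifetime = maxAge > 0 ? 'persistent' : 'deleted'; // Max-Age <= 0 removes the cookie
  } else if (attrs.expires !== undefined) {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) {
      expiresAt = t;
      lifetime = t > now ? 'persistent' : 'deleted';
    }
  }

  const findings = [];
  if (!attrs.secure) findings.push('missing Secure');
  if (!attrs.httponly) findings.push('missing HttpOnly');
  if (attrs.samesite === undefined) findings.push('missing SameSite');
  if (party === 'third-party' && String(attrs.samesite).toLowerCase() !== 'none') {
    findings.push('third-party cookie without SameSite=None; browsers will not send it cross-site');
  }
  if (lifetime === 'persistent' && expiresAt - now > 13 * 30 * 86400 * 1000) {
    findings.push('lifetime over 13 months');
  }
  return { name, party, lifetime, expiresAt, findings };
}

function auditCookies(responses, siteHost, now = Date.now()) {
  return responses.map((r) => classifyCookie(r.setCookie, r.host, siteHost, now));
}

// Constructed sample: responses seen while loading https://shop.example
const SAMPLE_RESPONSES = [
  { host: 'shop.example', setCookie: 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'shop.example', setCookie: 'lang=en; Path=/; Max-Age=31536000; SameSite=Lax' },
  { host: 'ads.tracker.example', setCookie: '_uid=9f8e7d; Domain=.tracker.example; Path=/; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Secure; SameSite=None' },
];
```

The header tells you who set the cookie and for how long, which is enough to spot third-party and long-lived cookies that need consent review; it does not tell you the purpose, so each persistent first-party cookie still needs a human to decide whether it is strictly necessary.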

Some commonly used tools include:

Legal Compliance Infographic: How to Make Your Website Cookie-Law Compliant

An infographic explaining the process of creating a website that complies with cookie laws

We love sharing our knowledge with our visitors! To help you explain cookie compliance visually, feel free to use the infographic below.

Good Examples of Cookie Consent Notifications

You might think that when visitors are clearly exposed to cookie policies, they may feel confused, annoyed, or even concerned.

But believe me, paying heavy fines is far more painful than losing a few visitors who may not care about their privacy.

In fact, many well-known companies display cookie consent notifications to their users persistently and transparently.

Let’s take a look at some brands that consistently request cookie consent:

1. Google

Google's cookie consent notification example

Google directs users to read its cookie policy, ensuring they receive accurate and transparent information regarding the use of cookies.

2. JetBrains

JetBrains Resharper Cookie Consent Notification Example

JetBrains takes a balanced approach by displaying a simple text-only warning and providing users with options to either accept or reject cookies.

3. Nielsen

Nielsen Norman Group's cookie consent notice example

Nielsen Norman Group groups all of its cookies in a single popup. This popup indicates that essential cookies cannot be disabled, while other cookie groups can be turned off with just a few taps.

4. MailChimp

MailChimp's cookie consent notification example

MailChimp organizes cookies into grouped tabs, allowing visitors to disable any cookie group except the essential ones.

5. Daily Mesh

Daily Mesh cookie consent banner notification example

Daily Mesh provides customization options to accept or reject certain types of cookies. It also offers “Accept All” and “Reject All” options to make the cookie selection process easier for visitors.

6. Indie Web Camp

Indie Web Camp's cookie consent notification example

Indie Web Camp displays cookie settings in a panel, opting to explain cookie usage patterns, which enhances the transparency of data collection processes.

7. Fandom

Fandom's cookie consent notice example

Fandom presents a cookie consent popup when visitors enter the website for the first time. This popup explains which types of cookies are used and the purposes for which they are used.

8. Jamie Oliver

Jamie Oliver's cookie consent notice example

Jamie Oliver keeps all options disabled by default to ensure visitor safety and allows visitors to adjust their cookie settings as they wish—even enabling cookies if they choose.

9. Iamsterdam

Example of Iamsterdam's cookie consent notice

Iamsterdam allows website visitors to modify their cookie settings and explains all cookie types, their purposes, and how the data is processed.

10. Osano

Osano's cookie consent notice example

Osano uses a tab-style cookie popup to allow website users to adjust their cookie consent levels as they wish.

11. Cookiebot

Cookiebot's cookie consent notification example

Cookiebot uses a cookie banner that allows website users to access detailed information about all cookie types without having to visit the cookie policy page.

FAQs about Cookie Consent Notification

1. What should I do to ensure cookies comply with GDPR, ePrivacy, and CCPA regulations?

  • Obtain user consent before using any cookies other than strictly necessary ones (e.g., those related to secure access and login).
  • Provide accurate and detailed information about the data each cookie tracks.
  • Store and document user consent records.
  • Allow users to access your website content, even if they reject non-essential cookies.
  • Ensure users can withdraw their consent at any time.
  • Regularly audit your website and update cookie-related information.

2. How do I implement a cookie consent message on my website?

The most effective way to comply with cookie regulations is to use popup messages. Popupsmart offers legally compliant cookie consent popup templates that require no coding or design skills to create.

3. Do I need a cookie banner for cookies that don’t require consent?

Not necessarily. Consent is not needed for strictly necessary cookies, but users must still be informed about them, usually in your Cookie Policy.
If your site sets only exempt cookies and the policy is visible and accessible on every page, a cookie banner is not mandatory.

4. What should I do if a user rejects cookies on my website?

  • Do not rely on the user changing their browser settings; the site itself is responsible for not setting non-essential cookies.
  • Disable non-essential cookies and the scripts that set them as soon as consent is refused or withdrawn, expire any such cookies already set on your own domain, and let users choose which cookie categories to deactivate.

5. If my website is not cookie-compliant, how can someone report it?

Visitors can complain to their data protection authority if they believe cookies are set without their consent. If non-compliance is confirmed, GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher.

6. Do I need cookie consent if I use Google Analytics, MailChimp, Salesforce, or social media buttons?

Yes. These third-party tools place cookies as soon as their script runs on your page, so their tags must be held back until the visitor consents, and you must clearly disclose how the data is used by both your business and the third parties.

7. What if a user clicks the exit (close) icon instead of Accept or Reject?

If no explicit action is taken, apply default cookie settings.

  • Enable only strictly necessary cookies by default.
  • Other cookie types must remain disabled until actively approved.

8. Does the EU Cookie Law apply to U.S.-based websites, or only to CCPA?

There is no single answer, because these laws apply based on whose data you process, not where your server is. The ePrivacy Directive and the GDPR apply to sites that offer services to, or monitor the behavior of, people in the EU (GDPR Article 3(2)), wherever the site is hosted; CCPA applies based on the thresholds above and on collecting California residents' data.
A U.S. site with EU visitors may therefore be subject to both.

👉 For a fully defendable and tailored privacy strategy, we recommend consulting Popupsmart.

Conclusion

It’s easy to feel overwhelmed while trying to comply with multiple privacy regulations.
If you need assistance, please don’t hesitate to contact us via live chat—our Data Protection Officer will be happy to help.

We hope this guide helps you understand Cookie Laws and how to ensure your website’s cookie usage is compliant so you can avoid costly penalties.

👉 If your website visitors are from outside the European Union, it’s still safe to use Popupsmart’s free tool to add a simple cookie consent popup.

Best of all, Popupsmart cookie popups and consent banners are:

🟢 Ready to use
🟢 Fully compliant with cookie regulations
🟢 Professionally designed
🟢 No coding or design expertise needed

🎉 Create Your Free, Legally Compliant Cookie Consent Popup!

When making an announcement or displaying cookie consent popups, don’t forget to keep user experience (UX) in mind. Here’s how: Target Black Friday Shoppers with UX-Friendly Gamified Popups.