Creating an Effective and GDPR-compliant Cookie Banner: Best Practices and Pitfalls to Avoid



What is a Cookie?

For almost any modern website to work properly, it needs to collect certain basic information about its users. To do this, a site creates small text files known as cookies on its users' computers. These cookies are designed to allow the website to recognise its users on subsequent visits, or to authorise other designated websites to recognise these users for a particular purpose.

Cookies do a lot of different jobs which make your experience of the internet much smoother and more interactive. For instance, they are used to remember your preferences on sites you visit often, to remember your user ID and the contents of your shopping baskets, and to help you navigate between pages more efficiently. They also help ensure that the advertisements that you see online are more relevant to you and your interests. Some data collected is designed to detect browsing patterns and approximate geographical locations to improve user experience. Marketers use cookies to monitor user behaviour across websites in order to more precisely target advertisements. Although this method is often used to create a more tailored user experience, some individuals perceive it as an invasion of privacy.

Lou Montulli of Netscape Communications invented the cookie in 1994 in an effort to improve the online commercial transaction experience. The name "cookie" was taken from an older programming term, "magic cookie," which referred to a packet of data that programs passed back and forth and returned unchanged.


Kinds of Cookies

1. Session-based cookie

Cookies used during a session are sometimes known as transitory cookies or per-session cookies. Session cookies retain information for the duration of a user's visit to a website. When the user terminates their session, these cookies are removed.

2. Persistent cookie

Persistent cookies are kept for a certain period of time. These cookies are stored on your device until they either expire or are erased. Persistent cookies are frequently referred to as tracking cookies since they are used to gather user information such as browsing preferences and browsing behaviour.

There are both first-party and third-party cookies.

First-party cookies are those that are placed by websites that users visit directly. These cookies often hold site-related or relevant information, such as the user's preferred settings or location.

Third-party cookies are cookies that accompany third-party content, such as embedded videos, advertisements, web banners, and scripts, on a user's visited website. Marketers often use third-party cookies to monitor user activity.

3. Supercookie

Supercookies are similar to session cookies in that they also monitor user activity and browser history. Yet they are also capable of recreating user profiles, even after standard cookies have been removed. Moreover, supercookies are stored in different locations from ordinary cookies, which makes it harder for the typical user to notice and remove them. Supercookies are sometimes referred to as "zombie cookies" or "evercookies."

4. Internet cookie

Flash cookies or "local shared objects" [LSOs] are data files kept on PCs by websites that use Adobe® Flash®. Flash cookies, like browser cookies, may save user data in Flash applications. Flash cookies are sometimes utilised as a "backup" after the browser cookie has been removed.


Laws related to Cookies

1. GDPR

The most notable change in privacy standards has been the management of cookies. The GDPR comprises approximately 50,000 words, yet "cookie" is not one of them. Notwithstanding this, the GDPR has important ramifications for the Cookies Policy of your website. Many websites remain non-compliant, not least because of the lack of clarity in the legislation.

Do You Need a Privacy, Cookies, or Both Policies?

A Privacy Statement is required by EU legislation if businesses handle the personal data of EU residents. This includes cookie use. Article 12 of the GDPR mandates that businesses give information about any personal data they handle "in a brief, transparent, comprehensible, and readily available manner, using clear and simple language."

Although this does require businesses to disclose information about cookies, a separate Cookies Policy is not necessarily required. One might just add the information regarding cookies in the primary Privacy Policy.

Several businesses choose to publish cookies-related information in a separate Cookies Policy, which is a sensible approach. You just have to be sure to add a link to this distinct policy wherever it is necessary, most notably in the primary Privacy Policy.

The Cookies Policy must adhere to both the GDPR and another EU regulation, the ePrivacy Directive. Together, these two regulations set extremely stringent requirements regarding cookies. Cookies Policy should reflect the nature of your website. Some websites just use the most fundamental session cookies to execute key services. Several websites employ sophisticated marketing cookies to target visitors with advertisements. Regardless of how you use cookies, you must inform your users precisely how you do so.

Steps to be followed

1. You should begin by explaining what cookies are and what they do.

2. It is hard to avoid technical jargon entirely; nonetheless, you should do your best to place everything in a context that is easy to understand.

3. Use of Cookies - Using straightforward language, describe the sorts of cookies the website uses and the purposes for which you employ them.

4. Third-Party Cookies - Article 13 of the GDPR mandates that "the receivers or categories of recipients of [your users'] personal data" be disclosed. This means that you must inform your users if their information will be shared with other parties. It is usual for websites to enable third parties to set information-collecting cookies on visitors' devices. If you use a programme such as Google AdSense, Google's terms of service require you to advise your users that Google displays targeted advertisements on your website.

5. If your website interacts with social networks, this may have consequences for your Cookies Policy, which you should disclose.

6. Analytics - Analytics enables you to monitor and analyse the ways in which people engage with your website. There are many different analytics providers, and many different ways in which you may use analytics. Each of these uses has significant repercussions for the privacy of your customers. It is recommended that you detail how you make use of analytics in either your Cookies Policy or your Privacy Policy.

7. Remarketing - Remarketing, often referred to as "retargeting," is an extremely effective kind of advertising. It gives you the ability to "follow" visitors who have left your website and show your advertisements on other websites that those users visit. If you make use of remarketing, your Cookies Policy must make particular note of this fact.

8. Other Tracking Technologies - Many websites make use of other tracking technologies, such as web beacons and pixel tags, in order to identify and keep tabs on their visitors. While they are not cookies, there may be privacy concerns associated with them, and they may interact with cookies. These technologies must likewise be covered in your policy about cookies.

9. Inform the users:

- that you make use of these technologies,

- what they are, in a nutshell,

- how you put them to use (for what purpose), and

- how users can restrict any of this.

10. Cookie List - It is considered standard practice to provide a comprehensive list of all of the various cookies used on a website, including first-party cookies, along with an explanation of what each one is responsible for doing.

11. How to Control Cookies - A lot of websites include something called a "privacy centre" or a control panel that users may use to enable, decline, or revoke their consent for different kinds of cookies.

12. How to Request Acceptance of Cookies under the GDPR - According to Recital 25 of the ePrivacy Directive, "users shall have the option to prevent cookies and similar devices from being kept on their terminal equipment." This implies that consent must be obtained before using the majority of cookies.

When the EU uses the term "consent," it means opt-in consent: the GDPR prohibits opt-out consent and fully adheres to the opt-in paradigm.

Article 7 of the GDPR stipulates that consent must be:

- freely given,

- provided via a clear, affirmative act, and

- simple to revoke at any moment.

The majority of websites seek cookie consent through a banner or landing page. It is crucial to implement features on the website that enable users to accept, decline, and revoke consent for the various kinds of cookies.

13. Consent by an Extremely Clear, Affirmative Act - Users must affirmatively agree to cookies with a clear action. The user should be able to click "I accept" or "OK" or something similar when asked to agree to cookies.

14. Easily Withdrawn - Article 7 of the GDPR states that "it shall be as easy to withdraw as to give consent." When it comes to this issue, following the "letter of the law" is quite challenging. One can do everything right with the cookie banner, but it is probably going to be a bit harder for users to withdraw their consent than it was for them to give it in the first place.
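The consent mechanics that steps 11 to 14 describe (opt-in by default, an affirmative grant, and withdrawal that is as easy as granting), as an added JavaScript example that is not code from the original article. The category names, cookie names and the 180-day lifetime of the consent record are assumptions; the cookie store is a Map so the logic runs outside a browser, where you would read and write document.cookie instead.

```javascript
// Added example (not from the article): a minimal opt-in consent manager.
// Non-essential cookies are written only after the user grants their category,
// and withdrawal is one call that also expires every cookie that category wrote.
// Category names, cookie names and CONSENT_TTL are assumptions for illustration.

const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const CONSENT_TTL = 180 * 24 * 3600; // lifetime of the consent record itself

function createConsentManager(store = new Map()) {
  // Default state is opt-in: only strictly necessary cookies are allowed.
  const consent = { necessary: true, analytics: false, marketing: false };
  const writtenBy = { analytics: new Set(), marketing: new Set() };

  // Serialise a cookie. Without maxAgeSeconds it is a session cookie;
  // with it the browser keeps it until Max-Age elapses (persistent cookie).
  function buildHeader(name, value, maxAgeSeconds) {
    let h = `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
    if (maxAgeSeconds !== undefined) h += `; Max-Age=${maxAgeSeconds}`;
    return h;
  }

  // Every write is gated on the user's current choice for that category.
  function setCookie(name, value, category, maxAgeSeconds) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    if (!consent[category]) return null; // not consented: nothing is set
    const header = buildHeader(name, value, maxAgeSeconds);
    store.set(name, header);
    if (category !== 'necessary') writtenBy[category].add(name);
    return header;
  }

  // Affirmative act ("I accept"): enable the chosen categories and record the
  // decision in a necessary cookie so it can be re-read and evidenced later.
  function grant(categories) {
    for (const c of categories) if (c in consent) consent[c] = true;
    return setCookie('cookie_consent', JSON.stringify(consent), 'necessary', CONSENT_TTL);
  }

  // Withdrawal is one call: disable the categories and expire (Max-Age=0)
  // every cookie they wrote. Returns the expiry headers to send.
  function withdraw(categories) {
    const expired = [];
    for (const c of categories) {
      if (c === 'necessary' || !(c in consent)) continue; // necessary cannot be withdrawn
      consent[c] = false;
      for (const name of writtenBy[c]) {
        expired.push(`${name}=; Path=/; Max-Age=0`);
        store.delete(name);
      }
      writtenBy[c].clear();
    }
    setCookie('cookie_consent', JSON.stringify(consent), 'necessary', CONSENT_TTL);
    return expired;
  }

  return { setCookie, grant, withdraw, state: () => ({ ...consent }), store };
}
```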