If you've worked in digital marketing at all in recent years, you know that the instructions for effective cookie use on company websites have been tweaked and tested more often than the secret recipe for Levain Bakery's award-winning chocolate chip cookie (my personal favorite type of cookie, I might note!).

Ever since the European Union passed the General Data Protection Regulation (GDPR) in 2016, governments worldwide have been regulating how businesses collect personal information about their users via cookies.

Those privacy laws are nuanced; therefore, although cookie compliance isn't necessarily hard, it can be complex. That is especially true in the US, where sectoral and state laws bear the responsibility for privacy legislation in lieu of federal laws.

But here's the scoop: Cookie compliance helps you build a strong privacy program that benefits your company and your customers.

Here's our secret recipe for achieving and maintaining cookie banner compliance.

6 Steps to Achieving and Maintaining Cookie Banner Compliance

Step 1: Determine applicable laws

Building a cookie consent management program that is agile and compliant with multiple regulations is much easier if you know all the rules before starting.

But here's the thing: Companies are often subject to more than one regulation, depending on...

  • The size of their organization
  • The number of data records they collect
  • Where their offices are located
  • Where their customers or employees live

The cookie banner requirements for GDPR are different from the obligations listed in other laws such as the California Consumer Privacy Act (CCPA), California Privacy Rights Act, the Colorado Privacy Act, or the Virginia Consumer Data Privacy Act (VCDPA).

Here's where working with privacy experts can be helpful: They'll be well-versed in who each regulation applies to—and how.

Step 2: Create a data inventory

A data inventory, sometimes called a data map, is a record of the totality of a company's data assets.

Data inventories reveal...

  • What types of data are collected and why
  • How the data is used
  • Whom the data is shared with
  • Where and how long the data is stored

A data inventory is a multitasking wonder. Here are a few examples of what it does for privacy programs:

  • Creates a comprehensive overview of your company's data practices
  • Evaluates and improves protocol for third-party vendor management
  • Assesses individual rights management practices
  • Creates a record of processing activity (ROPA), which is required per GDPR Article 30
  • Ensures that an organization's privacy policy and cookie notifications match daily data operations

Step 3: Set a notification launch sequence

Most data privacy laws and all data privacy best-practices require notifying website visitors—before the cookie does its job—what information the cookie is collecting and how that information will be used.

Depending on where you're located, cookies should:

  1. Be blocked until notifications have launched and consent has been received (GDPR), or
  2. Fire at notice or before time of collection (US)

Banner notifications should include detailed information about what data is being collected by the cookies, how it will be used, and whom it will be shared with—in jargon-free language so users can make an informed decision. Using cookie software—and working with a privacy professional to implement it—can help simplify implementation of that requirement.

Step 4: Establish opt-in or opt-out processes

The type of cookie consent you need to obtain varies by law.

Under most US consumer privacy laws, cookies can be set without direct consent from users. Although an assumption of consent is the baseline under the opt-out principle, laws still mandate that customers be given the ability to easily deny cookies as well as refuse the sale of their data to third parties.

GDPR is an opt-in system, in which consent must be "freely given, specific, informed, and unambiguous" through a "clear affirmative action." Since preselected boxes and continued site use do not constitute "clear affirmative action," users must actually click a button agreeing to the deployment of cookies.

Opt-in systems are not required by all laws, but they exceed the standards in opt-out laws and, as a result, they are considered the gold standard in data privacy management. Companies that implement opt-in consent from the start will likely be able to respond quickly and with more agility to the dramatic and rapid changes to consumer privacy laws and best-practices that are common in the current landscape.

Step 5: Link to privacy and cookie policies

It's no secret that cookie banners aren't a particularly popular part of any browsing experience, necessary as they may be. Putting entire privacy and cookie policies into a pop-up banner will turn a banner into a page, making people more likely to ignore it.

Instead, consider including a "Learn More" or "Privacy Policy" button on the cookie banner.

That button should link to not only the company's privacy policy but also a list of all cookies, as well as a more detailed description of the site's cookie settings.

Step 6: Ensure secure storage of consent records

Most experts recommend that companies maintain a record of consent for five years. Those records should be securely stored, but they also need to be easily accessible if a customer files a data subject access request (DSAR) or an individual rights request. They will also be critical to proving compliance in the event of an audit.
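As an added illustration (not code from the article or from Red Clover Advisors), the consent gate below ties Steps 3, 4 and 6 together the way a site's tag loader would: in a GDPR regime, non-essential tags stay queued until a clear affirmative action is recorded; in a US opt-out regime they fire by default but can be refused; and every decision produces a timestamped record carrying the five-year retention horizon. The regime names, cookie categories and action labels are assumptions made for the example.

```javascript
// Added example (not from the article or any vendor): a minimal consent gate
// covering Steps 3, 4 and 6. Regime names, categories and actions are invented.
const FIVE_YEARS_MS = 5 * 365 * 24 * 60 * 60 * 1000; // Step 6 retention, taken as 5 x 365 days
// Step 4: GDPR is opt-in (blocked until affirmative consent); most US state laws are opt-out.
const REGIMES = { gdpr: 'opt-in', us: 'opt-out' };
// Step 4: preselected boxes and continued browsing are NOT clear affirmative actions.
const AFFIRMATIVE_ACTIONS = new Set(['accept_all', 'save_preferences', 'reject_all']);

class ConsentGate {
  constructor(regime, now = () => Date.now()) {
    if (!(regime in REGIMES)) throw new Error(`unknown regime: ${regime}`);
    this.mode = REGIMES[regime];
    this.now = now;      // injectable clock so records are reproducible in tests
    this.record = null;  // Step 6: the consent record
    this.queued = [];    // Step 3: non-essential tags held back until a decision exists
  }
  // Step 3: may a cookie category fire right now?
  allowed(category) {
    if (category === 'essential') return true;           // strictly necessary cookies need no consent
    if (this.record) return this.record.categories.includes(category);
    return this.mode === 'opt-out';                      // no decision yet: opt-out fires, opt-in blocks
  }

  // Register a tag loader; it runs immediately if allowed, otherwise waits in the queue.
  register(category, loader) {
    if (this.allowed(category)) { loader(); return true; }
    this.queued.push({ category, loader });
    return false;
  }

  // Steps 4 and 6: store the user's choice and release any queued tags it now permits.
  recordChoice({ action, categories = [] }) {
    if (!AFFIRMATIVE_ACTIONS.has(action)) {
      throw new Error(`"${action}" is not a clear affirmative action`);
    }
    const ts = this.now();
    this.record = {
      action,
      categories: action === 'reject_all' ? [] : [...categories],
      timestamp: new Date(ts).toISOString(),
      retainUntil: new Date(ts + FIVE_YEARS_MS).toISOString(),
    };
    const stillBlocked = [];
    for (const tag of this.queued) {
      if (this.allowed(tag.category)) tag.loader(); else stillBlocked.push(tag);
    }
    this.queued = stillBlocked;
    return this.record;
  }
}
```

In production the record would be written to server-side storage rather than kept in memory, so that it can be produced for a DSAR or an audit.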

Building Your Privacy Cookbook

Dessert is not a meal, and a privacy program needs more than compliant cookie banners to be successful. But learning to bake cookies builds fundamental skills that can transfer to other dishes, and establishing cookie management policies in line with data privacy best-practices will make building out a fully functional privacy program a (ginger)snap.

More Resources on Cookies and Data Compliance

Adapting Marketing Measurement to a Post-Cookie World [Infographic]

Heads Up, B2B Marketers: Data Rights Aren't Just a Consumer Issue

What You Need to Know About GDPR and Data Privacy: Lisa Loftis of SAS Talks to Marketing Smarts [Podcast]

The Secret Six-Ingredient Recipe for Perfectly Compliant Cookie Banners

Jodi Daniels is a certified information privacy professional and the CEO of Red Clover Advisors, a data privacy consulting and compliance company. She has 20+ years of experience helping businesses in privacy, marketing, strategy, and finance roles.

LinkedIn: Jodi Hoffman Daniels