When you create a Cookiebot account, the default banner configuration will automatically be GDPR compliant. Below you can find all the possible settings for your banner and how to make sure these are according to the requirements made by GDPR, published May 2018.
You can choose between our standard Swift template or create your own custom banner:
We offer 2 different methods for user consent:
- Implied consent: This is the type of cookie banner that disappears if a user ignores the banner and continues to use the website. Specifically, if the user clicks on a link on your website and (optional) if the user continues to scroll or refreshes the page.
- Explicit consent: The cookie banner will keep showing on each page until the visitor has provided a consent choice.
In order for a consent to be sufficient and valid under GDPR, you must make sure that the cookie consent banner is visible and easily accessible to the user when they first enter your website. The "Overlay" position will make sure users have no way of ignoring the cookie consent banner, as it will pop up in the middle of your website and fade out all other website elements until a consent choice is provided.
All banner types are GDPR compliant, except for the type "accept only" (which means the user can only use the website by accepting all cookies) and "Do not sell" (which is used for CCPA compliance).
We recommend using the default type "multilevel", which provides the user the option to opt-in or out per cookie category.
Opting out of cookies should be just as easy as opting in, which means the "reject" button should be on the same level as the "accept" button. This can easily be achieved by using the "Reject all / Selection / Allow all" banner type.
The Article 29 Data Protection Working Party (WP29) has recently finalized and issued an updated Guidelines on consent under Regulation 2016/679 (wp259rev.01). In these guidelines they clearly state that the use of pre-ticked checkboxes is not valid under GDPR.
Applicable only when using the banner types "Multilevel" and "Inline Multilevel", as these open up new configuration options to check category boxes.
In order to be GDPR compliant, make sure that none of the checkboxes in your cookie consent banner are pre-ticked:
- Select "Multilevel" or "Inline multilevel" from the "Type" dropdown to menu ensure that all category checkboxes are unchecked. The “Necessary” category will always be pre-checked in the banner as they are required for the normal functioning of the website, or for the website to be able to provide the service it is intended to provide. Therefore, cookies in this category do not require consent.
- Save your settings (tick mark in the blue bar on the left-hand side)
Some data protection legislations, such as the Italian Data Protection Authority (See official guidelines here), require the consent banner to contain a "✕" close button. This is optional for a GDPR compliant setup.
See also: Adding a close icon to the banner
Adding a withdrawal option
Article 7(3) GDPR states that your website visitors should have the right to withdraw consent at any time and this withdrawal should be just as easy as it was to give consent in the first place. The Privacy Trigger allows you to offer this possibility with minimal effort, offering a plug 'n play solution that can be enabled easily by checking the "Activate Privacy Trigger" box on your Cookiebot CMP account.
If you prefer not to activate the Privacy Trigger on your website, the possibility to withdraw and/or change consent is still included in the Cookie Declaration. Alternatively, you can construct your own mechanism for allowing users to withdraw consent: How can the user change or withdraw a cookie consent?
The standard banner templates we offer are GDPR compliant. If you want to customize the banner text then please see How can I customize the content in the cookie consent banner?
Renew existing user consent
If you have previously used a cookie consent banner that may not be compliant under GDPR after 25 May 2018, you can change the banner type and then renew your user consents. Please see Renew existing user consents.
Please note that the above should not be seen as legal advice. If you are in doubt about your website's use of personal data or how to interpret the legal text, please reach out to a trusted legal source or to the Data Protection Authority in your own country.