Having a cookie consent banner on your business website is required, or strongly expected, by the privacy laws of many different countries, such as the GDPR and ePrivacy Directive in the EU, the UK GDPR and PECR in the UK, and the CCPA/CPRA in the United States.

This cookie consent banner informs your users that cookies are being used on your website, and allows them to accept or decline non-essential cookies. It should also provide a link to your Cookie Policy.

The details of what the cookie banner should display, and what kinds of buttons it should have, can be confusing. Some banners show "I Accept" and "I Decline" buttons, while others have things like "Reject All," "Settings," or "More information." But what is the correct design to use to ensure you're legally compliant? This article will help you figure that out.

If you are in the process of setting up your cookie banner, this article will go through what you need to do, and what the buttons should display.

This article will cover:

  • What cookies are
  • The differences between essential and non-essential cookies
  • What a cookie consent notice banner is
  • What the laws of different countries require for the buttons on your cookie consent banner

Let's get started.



What are Cookies?

Cookies are small pieces of text data that a website asks the browser to store and send back on later requests. They can hold a session or login identifier, language preferences, or other data tied to that user. Cookies are set on the user's device when they use your website, and third-party content embedded in your pages can set cookies that follow the user across multiple websites.

Some cookies are known as "essential cookies," while others are non-essential. While there are a few main categories of cookies, they are often grouped differently since there is no specific rule or law that requires a specific grouping.

Here are a few of the different and most commonly used types of cookies:

  • Necessary cookies (also called "Strictly necessary" or "Essential" cookies): Necessary cookies allow users on your website to remain logged in. They also do things like save interface settings, or maintain the contents of a shopping cart. Basically, they are needed for your website to work properly, and a session cookie that keeps a user logged in is the classic example. Strictly necessary cookies do not require consent from your users.
  • Analytics cookies: Analytics cookies are used to track how your users move through your website. They can also track user engagement with your content and calls to action. These do require consent, as they use personal data.
  • Advertising cookies: Advertising cookies track user preferences for ad personalisation. Some advertising cookies apply only to your website, while others track users across multiple websites (including yours). Like analytics cookies, these require consent.

Here's an example from EuroSea of how these different types of cookies are explained in its Cookie Policy:

EuroSea Cookie Policy: Types of cookies clause

You can see that EuroSea explains its cookie usage in four categories: necessary, advertisement, performance, and analytics. Performance cookies are not strictly necessary cookies, so they require consent, like advertising and analytics cookies.

Note how EuroSea has highlighted the different cookie types in bold, making it easier for the reader to see this information. This is a good practice for your own Cookie Policy.

Cookies can also be divided into two additional categories: first-party cookies and third-party cookies.

  • First-party cookies: These are set by your own website's domain. They can be either essential or non-essential cookies.
  • Third-party cookies: These are set by a domain other than the one the user is visiting, typically by a script or embedded content that you load from an ad network or analytics provider. Their purpose is usually to track how users behave across multiple websites, which allows advertisers to build a profile of that user.

When you are using non-essential cookies, such as those for analytics or advertising, most laws around the world require you to get consent from your users.

Now let's look briefly at why you need to get consent to use cookies.

You need to get consent to use cookies because non-essential cookies store or process legally-protected personal information, such as personal preferences, location, and identifiers used to build an advertising or analytics profile.

To get this consent, you should use a cookie consent notice or banner that appears when a user opens your website. The banner must be shown, and the user's choice recorded, before any non-essential cookie is set or any analytics or advertising script is loaded; a banner that appears after those scripts have already fired does not give you valid consent.

A cookie consent notice is a banner or a pop-up notice that alerts your users that you are using cookies on your website that they need to accept or decline.

It will usually give a brief summary of cookies being used, and will provide a link to more information, such as with a Cookie or Privacy Policy.

Here's an example from Fortnum & Mason of what a cookie consent notice looks like, including a "Reject All" button:

Fortnum and Mason cookie consent notice

Other cookie consent notices may look like this example from Marks & Spencer:

Marks and Spencer cookie consent notice

You can see on both of these banners that an "Accept All" button is included, as well as a "Reject All" button, and a "Preferences" or "Manage cookies" button.

But other banners, like this one from Lookfantastic, don't include a "Decline All" or "Decline" button at all, instead displaying a button such as "Set Preferences:"

Lookfantastic cookie consent notice

Seeing the wide variety of banners can make it hard to know which is the right way to do this. But there are laws, as well as guidelines from Data Protection Authorities that explain what is necessary for you to comply with the law.

As we'll see below, giving users the ability to decline non-essential cookies is required by laws in many different jurisdictions. This means that the "Decline" button in most cases is mandatory. In addition, it should be as obvious as, and equal to, the "Accept" button.

Let's take a look at those laws now.

Is the "I Decline" Button Mandatory?

In most jurisdictions, a requirement for an "I Decline" button is not specifically written in the legal text. However, interpreting laws such as the General Data Protection Regulation (GDPR) as well as guidelines from Data Protection Authorities throughout Europe and elsewhere, shows that this is indeed necessary.

EU

If your business is based in the EU, or deals with customers who are in the EU, you will have to comply with two main laws for cookie use: the ePrivacy Directive and the GDPR. The GDPR is a regulation and applies directly in every EU country; the ePrivacy Directive is transposed into each country's national law, which is why the details vary from country to country.

First, the ePrivacy Directive (the EU Cookie Law) provides a set of rules for notifying website users about cookies. This is what the law says about cookies and notifying users about them:

ePrivacy Directive Section 25: Cookie notice and consent section

You can see that you are required to provide users with "clear and precise information" about the purposes of cookies you are using. You also have to provide users with "the opportunity to refuse to have a cookie or similar device stored on their terminal equipment."

The way in which you give them this information or right to refuse must be "as user-friendly as possible." However, the ePrivacy Directive doesn't specifically state that you have to have a "Decline All" or "Refuse All" button.

However, your Cookie Policy and cookie notice must also comply with the GDPR. Article 7 of the GDPR explains the conditions for consent that you have to comply with. One key point of the section is highlighted below:

GDPR Article 7 Section 3: Withdraw consent

Because the GDPR requires that consent must be as easy to withdraw as to give, this is generally read to mean that a "Decline" or "Reject" button must be as easy to choose as the "Accept" button, and that a user who has accepted must be able to withdraw that consent later with no more effort than it took to give it.

Many EU countries have also provided specific guidance about what businesses should do in practice. Let's take a look at some of the individual guidelines from France, Germany, and Belgium. Then, we'll look briefly at the requirements in the UK and the United States.

France

In France, the rules of the GDPR and ePrivacy Directive are covered in the French Data Protection Act. In September 2020, the French data protection regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), adopted guidelines and a recommendation on cookie consent notices, which it began enforcing in 2021.

CNIL stated that cookie banners must make refusing cookies as easy as accepting them, which in practice means equally prominent buttons for each choice. Specifically, banners must "allow the user to refuse the deposit of cookies as easily as to accept it."

In addition, CNIL has released guidance on "I Accept" and "I Decline" buttons which you can read below from their Deliberation No. 2020-092 of September 17, 2020 (available in French). Here, CNIL states that the "same degree of simplicity" should be given to users to choose each option:

France CNIL Deliberation 2020-092 Section 30

In addition, the "I Refuse" button should be on the same screen and be of the same "ease" to choose as the "I Accept" button.

CNIL says that buttons such as "Configure" or "More information" being used instead of a "Refuse" or "Decline" button risk biasing the choice of the user (and would therefore not be valid consent):

France CNIL Deliberation 2020-092 Section 31

Below, you can see that CNIL recommends that the two buttons of accept and decline should be:

  • At the same "level" of the banner
  • In the same format
  • Using equivalent and sufficiently clear wording

France CNIL Deliberation 2020-092 Section 32

Finally, CNIL states very clearly that "misleading design practices" should not be used to highlight one choice over another:

France CNIL Deliberation 2020-092 Section 34

Now let's take a look at Germany.

Germany

In Germany, the guidance on this point comes from the December 2021 guidance for telemedia providers published by the Conference of the Independent Data Protection Supervisory Authorities of Germany (the DSK; available in German).

The guidance explicitly says that you must have equivalent buttons for "Accept" and "Reject." Let's take a look at sections 47 and 48 of the guidance:

German Data Protection Authority guidance Section 47

You can see that effective consent is not given if users are only given two options that do not allow them to use your website "equally quickly." This would apply if one button says "Accept All," and the other button says "Settings," "More information," or "Details."

Section 48 explains further:

German Data Protection Authority guidance Section 48

The communication effect of the buttons on the banner must be "equivalent." The German DPA notes that a deficit between the two buttons will encourage "users to make their decision not according to their clear will, but only according to which option clearly ends the consent query more quickly."

Without buttons that have the same effect (i.e. "Accept All" and "Decline All"), the requirements for effective consent will not be met.

This means that if you have website users in Germany, you should have clear buttons for both "Accept All" and "Decline All" on your cookie banner to comply with legal requirements.

Belgium

The Belgian DPA imposes stricter requirements than most other EU countries, although they may be closer to what the GDPR actually demands.

It states that consent is not effective if the only options are "Accept All" and "Reject All" buttons, even when the two buttons are equal. Instead, the user must be able to give or refuse consent separately for each purpose for which cookies are set, rather than making one blanket choice.

You can see in the Belgian DPA's guidance below that it recommends a more "detailed choice" than simply "all or nothing."

Belgian DPA Guidance: Detailed choice for consent section

Some banners use approaches such as this from Hooked Foods, which provides more detail in which cookies are being accepted or declined:

Hooked Foods cookie consent notice

An example like this might be more in line with a detailed compliance requirement such as that in Belgium. However, you can see that even in this example, the "Allow all" button is highlighted compared to the "Deny" button, which could mean that the two choices are not presented as equal (and therefore not compliant).
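The two implementation points made above, that no non-essential cookie or tracking script may run before the user has actually decided, and that the decision may need to be recorded per purpose rather than only as "all or nothing", are easy to get wrong in the script behind the banner. The following is an added example, not code from the original article or from any of the sites or regulators it mentions: a small, DOM-free consent store that a page's script loader would consult before setting a cookie or loading a tag. The category names, the function names, and the idea of storing the decision in a first-party cookie value are assumptions made for this illustration, not requirements taken from any regulator's guidance.

```javascript
// Added example (not from the original article). Category names are an
// assumption for the illustration; adjust them to your own Cookie Policy.
const CATEGORIES = ["necessary", "analytics", "advertising"];

// A fresh state for a visitor who has not decided yet: only "necessary" is
// allowed, every other category is denied by default.
function createConsent() {
  return {
    decided: false,
    allowed: { necessary: true, analytics: false, advertising: false },
  };
}

// Records an explicit per-category decision (the "detailed choice" variant).
// Categories missing from `choices` stay denied, so a partial object can
// never widen consent by accident.
function recordDecision(choices) {
  const next = createConsent();
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    next.allowed[cat] = choices[cat] === true;
  }
  next.decided = true;
  return next;
}

// "Accept all" and "Reject all" are one call each: the same number of steps
// for either choice, matching the equal-ease requirement in the text.
function acceptAll() {
  return recordDecision({ analytics: true, advertising: true });
}
function rejectAll() {
  return recordDecision({});
}

// Withdrawing consent is a single call as well, as easy as giving it.
function withdraw() {
  return rejectAll();
}

// The gate the script loader checks before setting a cookie or loading a
// tag. Unknown categories are denied, and nothing non-essential is allowed
// until the user has actually decided.
function isAllowed(state, category) {
  if (!CATEGORIES.includes(category)) return false;
  if (category === "necessary") return true;
  return state.decided === true && state.allowed[category] === true;
}

// Serialises the decision into a value for a first-party cookie (assumed name
// "cookie_consent") so later visits can restore it. That cookie only stores
// the user's choice, so it is itself strictly necessary.
function toCookieValue(state) {
  return encodeURIComponent(
    JSON.stringify({ decided: state.decided, allowed: state.allowed })
  );
}

// Restores a decision from the cookie value. A missing, malformed or
// tampered value falls back to "not decided", never to "accepted".
function fromCookieValue(value) {
  try {
    const parsed = JSON.parse(decodeURIComponent(value));
    if (!parsed || parsed.decided !== true) return createConsent();
    return recordDecision(parsed.allowed || {});
  } catch (e) {
    return createConsent();
  }
}

// Usage sketch: decide, persist, and later gate a tag on the restored state.
const restored = fromCookieValue(toCookieValue(recordDecision({ analytics: true })));
if (isAllowed(restored, "analytics")) {
  // load the analytics tag here; advertising stays blocked for this visitor
}
```

The design choice worth noting is that every failure path (no decision yet, unknown category, corrupt cookie) resolves to "denied". If the store instead defaulted to "allowed", a bug in the banner would silently turn into tracking without consent, which is exactly the outcome the regulators quoted above are targeting.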

UK

In the UK, the main laws about privacy and cookie banners are the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). In addition, the UK has the Privacy and Electronic Communications Regulations 2003 (PECR).

The UK GDPR carries the GDPR's rules over into UK law after Brexit, and PECR is the UK's implementation of the ePrivacy Directive. This means that the same or similar requirements as in the rest of the EU continue to apply, even though the UK is no longer a member.

The UK Information Commissioner's Office (ICO) has provided guidance on its website about cookies banners and the use of "Accept" and "Reject" buttons, in line with the UK GDPR, DPA, and PECR. The ICO says that consent mechanisms that emphasise "Allow" buttons over "Reject" or "Decline" buttons are non-compliant:

UK ICO: How do we comply with cookie rules guidance - Consent mechanism section

This is because users are influenced towards one option - the "Accept" option. The ICO further explains that any "nudge" behavior that encourages users to accept non-essential cookies would also not be compliant:

UK ICO: How do we comply with cookie rules guidance - Nudge behavior section

Finally, let's take a look at the United States.

U.S.

In the U.S., the California Consumer Privacy Act (CCPA/CPRA) requires you to inform your users about what personal information you are collecting about them and what this will be used for:

CCPA inform consumers section

You can see below that cookies are included in the CCPA's definition of a "unique personal identifier," which is considered to be "personal information:"

CCPA definition of unique identifier section

This means that your notice to users must cover the identifiers you collect through cookies, including those set by third parties on your site.

In addition, the CCPA/CPRA requires that you give users a way to opt out of the sale or sharing of their personal information (the "Do Not Sell or Share My Personal Information" right). You should include this opt-out in your notification about cookies, along with telling your users what categories of cookies you use.

A well-designed cookie consent notice banner is a good way to do this, as it allows you to comply with both the CCPA and GDPR. This allows your website to be used by people from around the world, while remaining compliant.

Summary

Major data protection laws in the EU, the UK, and the U.S. require you to notify your users that you are using non-essential cookies.

In the EU and UK, guidance from Data Protection Authorities has made it clear that a cookie banner needs both an "Accept" and a "Decline" button. "Accept All" and "Decline All" buttons are acceptable, but they must come as a pair: an "Accept All" button with no equally easy option to decline is not compliant.

In addition, you should not hide a "Decline" option beneath a second layer of "Settings," "Configure," or similar buttons.

The buttons that you use on your cookie banner should be of equal size, color, and style, so that you don't prioritize one option over another, or encourage your users to accept non-essential cookies.

If you follow these guidelines, your cookie banner will be in good shape to comply with data privacy and cookie and privacy laws around the world.
