Clear and misleading cookie banners
When people visit a website, they are often shown a cookie banner (also called cookie consent notice or cookie pop-up). A cookie banner is used by an organisation to explain to website visitors how cookies are used for collecting their personal data and why.
On this page
A cookie banner enables website visitors to choose which cookies they want to give consent for. It is important that they stay in control of their personal data. In practice, organisations often ask for consent in a misleading manner, such as by having pre-ticked choices. On this page, you will find some general rules, examples of clear cookie banners and examples of how not to do it.
Cookies and the GDPR
There are various types of cookies. Does your organisation use tracking cookies or similar technologies? Then you may assume that you process personal data. With some other types of cookies, you also process personal data. In this case, you must meet the requirements of the General Data Protection Regulation (GDPR).
Why is a clear cookie banner important?
What people do on the internet is highly personal. Tracking cookies enable organisations to watch the internet behaviour of visitors to their website. This is only allowed when website visitors explicitly agree to it. They must also have the option to refuse such cookies without negative consequences.
With comprehensible information about the use of such cookies, your website visitor can make a well-informed choice on whether or not to give consent. You should provide a clear cookie banner, ensuring that you meet the statutory requirements at the same time.
This also includes avoiding misleading ways (‘dark patterns’ or ‘deceptive patterns’) of obtaining consent for cookies, such as by making certain buttons less visible. In those cases, your website visitor will not be able to make a well-informed choice.
Supervision by the Dutch DPA on cookie banners
Organisations have to handle personal data in a proper manner. The Dutch Data Protection Authority (Dutch DPA) monitors and investigates this regularly. If an organisation fails to comply with the rules, the Dutch DPA can take action, even if an organisation processes personal data using cookies and does not ask consent for this in the correct manner, such as by misleading website visitors. From 2024, the Dutch DPA will investigate more often how organisations ask consent for cookies.
Legal bases
Consent
Generally, you process personal data via cookies on the legal basis of consent. In doing so, make sure that:
- You obtain consent before placing such cookies.
- Your website visitors actively give their consent by clicking on something. You can not assume that you have obtained consent just because someone visits your website.
- It has to be obvious for website visitors that you ask for their consent with your cookie banner.
- Your website visitors give their consent in a freely given, specific, informed and unambiguous manner. Unambiguous means that it is very clear that someone has given consent. Your website visitors should have a neutral choice and one option should not be given more emphasis than the other.
- Your website visitors should be able to withdraw their consent just as easily. See the information in the 'quick answers' at the bottom of this page.
- You inform your website visitors properly, including about how you use cookies and for what purposes. You need separate consent for each purpose.
Legitimate interest
When you process personal data using cookies, you have to carefully consider on which legal basis you rely. In the case of cookies, this is hardly ever the legal basis of legitimate interest. This legal basis might only be used in the case of functional and limited analytics cookies, such as if a cookie is necessary for the security of your website.
How do you make a clear cookie banner?
The Dutch DPA highlights nine important aspects of cookie banners. These nine general rules help you make a clear cookie banner. In addition, you must always check for yourself if you meet all requirements of the GDPR when you process personal data using cookies.
The general rules are:
- Provide information about the purpose
- Do not use pre-ticked choice options
- Use plain text
- Place the different choices on one layer
- Do not hide certain choices
- Do not let someone make additional clicks
- Do not use inconspicuous links in the text
- Be clear about the withdrawal of consent
- Do not confuse consent with legitimate interest
Below you will find an explanation and examples.
Note: The examples and texts in the images are fictitious and for illustrative purposes only. The examples always show a part of a clear cookie banner. What exactly should be in your banner depends on how you use cookies and process personal data.
Provide information about the purpose
Give your website visitor the information that is necessary for making a well-informed choice. This includes that you state for each purpose why you use cookies before someone makes a choice.
Do not be vague or incomplete when stating your purposes. In the example below, reference is made to ‘social media’, but it is not clear how and for what purpose or purposes personal data is processed.
Do not use pre-ticked choice options
Do you use checkboxes or sliders in your cookie banner? Make sure that it is your website visitor who clicks (or does not click) on specific options and therefore actively makes a choice.
Do not use choice options that have been checked by default. That does not count as consent.
Use plain text
It must be completely obvious for your website visitor which choice this person makes. Therefore use plain words in buttons, such as ‘accept’, ‘agree’ or ‘refuse’. In this way, it is obvious that someone gives consent.
Do not make it unnecessarily complicated for your website visitor by using vague or leading statements or by omitting text.
Place the different choices on one layer
Your website visitors must be able to refuse cookies as easily as accept them. Make sure, therefore, that you place the buttons for refusing and accepting on the same layer. This means that someone does not need to make additional clicks to refuse if that is not necessary for accepting (everything) either.
Do not offer only one of the options on the first layer.
Do not hide certain choices
Make sure that the button for refusing cookies is clearly visible.
Do not hide the button, for example by making your website visitor unnecessarily scroll in order to refuse cookies, if that is not necessary for accepting cookies either.
Do not let someone make additional clicks
Refusing cookies should not require more clicks than accepting them.
For example, do not make your website visitor additionally confirm that this person wants to refuse the cookies.
Do not use inconspicuous links in the text
The option to refuse cookies should be as clearly visible as the option to accept cookies.
Do not hide the option to refuse, for example, as a link in a piece of text, thus forcing your website visitor to search unnecessarily.
Be clear about the withdrawal of consent
Make it clear as to how your website visitor can withdraw any consent given before this person makes a choice.
Do not confuse consent with legitimate interest
As previously mentioned, legitimate interest as a legal basis for processing personal data is only possible for functional and limited analytical cookies. In those cases the legal basis of consent does not apply. For functional cookies and some analytical cookies, you do not need consent for placing and reading those cookies. Including a checkbox or slider for these cookies in your cookie banner could cause confusion.
Note: Even if you do not need consent, you are nevertheless obliged to give clear information about the way in which you process personal data.
In the example below, you see a slider together with the legal basis of legitimate interest. Since giving consent does not apply here, the effect of enabling or disabling the slider is unclear.
Moreover, legitimate interest is not a valid legal basis for showing personalised advertisements.
Quick answers
Do the general rules for cookie banners also apply to similar technologies?
Yes. The general rules for cookie banners are about cookies and all other technologies in which you store information or gain access to the user's device (such as a mobile phone or computer).
In addition to cookies, this also concerns:
- placing non-essential data on the user's device, such as via local storage;
- tracking pixels;
- web beacons;
- fingerprinting.
Which information should be on the first layer of my cookie banner?
Certain information should be immediately visible in your cookie banner. It must be clear as to who processes the personal data and for what purpose or purposes. This is the information that you put on the ‘first layer’ of your cookie banner. In this way, your website visitor knows what the consent is intended for.
Other information may be placed on a second (or lower) layer. Of course, this does not change the fact that you must offer all information in a distinct manner.
How does withdrawal of consent work with cookie banners?
Do you use a cookie banner for asking consent for processing the personal data of your website visitors? Do not forget that your website visitors must also be able to withdraw their consent.
Withdrawing consent must be possible at any time. It must be just as easy as giving consent. You are not allowed to require a user to pay money for this. In addition, the withdrawal of consent should not have any negative consequences for your website visitors.
You must give your website visitors information about how they can withdraw consent before they give it. This can be achieved by including a brief explanation in the cookie banner, with a button or a link. Make sure that there is always another way in which people can easily find the place where they can withdraw their consent.
Does it (also) concern consent for the processing of personal data by third parties? Then you also have to inform these third parties that someone has withdrawn the consent.
Also read the Dutch DPA's standard explanation about withdrawing consent with cookie banners (in Dutch).