Clear cookie banners

When people visit a website, they are often shown a cookie banner (also called cookie consent notice or cookie pop-up). A cookie banner is used by an organisation to explain to website visitors how cookies are used for collecting their personal data and why.

A cookie banner enables website visitors to choose which cookies they want to give consent for. It is important that they stay in control of their personal data. In practice, organisations often ask for consent in a misleading manner, such as by having pre-ticked choices. On this page, you will find some general rules, examples of clear cookie banners and examples of how not to do it.

Cookies and the GDPR

There are various types of cookies. Does your organisation use tracking cookies or similar technologies? Then you may assume that you process personal data. With some other types of cookies, you also process personal data. In this case, you must meet the requirements of the General Data Protection Regulation (GDPR). 

Why is a clear cookie banner important?

What people do on the internet is highly personal. Tracking cookies enable organisations to watch the internet behaviour of visitors to their website. This is only allowed when website visitors explicitly agree to it. They must also have the option to refuse such cookies without negative consequences.

With comprehensible information about the use of such cookies, your website visitor can make a well-informed choice on whether or not to give consent. You should provide a clear cookie banner, ensuring that you meet the statutory requirements at the same time.

This also includes avoiding misleading ways (‘dark patterns’ or ‘deceptive patterns’) of obtaining consent for cookies, such as by making certain buttons less visible. In those cases, your website visitor will not be able to make a well-informed choice.

Supervision by the AP on cookie banners

Organisations have to handle personal data in a proper manner. The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, monitors and investigates this regularly. If an organisation fails to comply with the rules, the AP can take action. This includes cases where an organisation processes personal data using cookies and does not ask for consent in the correct manner, for example by misleading website visitors.

The AP has been monitoring the use of cookies more strictly since 2024. We check if websites ask for consent for cookies and other tracking software in a correct manner, now more so than before. Continue reading: This is how the AP monitors the use of cookies.

Legal bases

Consent

Processing personal data by using tracking cookies requires the legal basis of consent. In doing so, make sure that:

  • You obtain consent before placing such cookies.
  • Your website visitors actively give their consent by clicking on something. You cannot assume that you have obtained consent just because someone visits your website.
  • It has to be obvious to website visitors that you ask for their consent with your cookie banner.
  • Your website visitors must be able to give their consent in a free, specific, well-informed and unambiguous manner. Unambiguous means that it is very clear that someone has given consent. This means that your website visitors must have a neutral choice, where one option does not carry more emphasis than the other.
  • Your website visitors should be able to withdraw their consent just as easily. See the information in the 'quick answers' at the bottom of this page.
  • You inform your website visitors properly, including about how you use cookies and for what purposes. You need separate consent for each purpose.

For more information about consent as a legal basis, see the EDPB guidelines on consent.
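The consent requirements listed above, sketched as consent-gating logic. This is an added example, not code from the AP; the purpose names, the loader objects and `createConsentManager` are hypothetical.

```javascript
'use strict';
// Hypothetical purposes; each has exactly one legal basis, never both.
const PURPOSES = {
  shopping_cart:       { basis: 'legitimate_interest' }, // functional cookie
  personalised_ads:    { basis: 'consent' },             // tracking cookie
  social_media_embeds: { basis: 'consent' },             // tracking cookie
};

function createConsentManager(purposes, loaders) {
  const granted = new Set(); // starts empty: no purpose is pre-ticked
  const active = new Set();  // purposes whose cookies are currently placed
  function sync() {
    for (const [name, { basis }] of Object.entries(purposes)) {
      const allowed = basis === 'legitimate_interest' || granted.has(name);
      if (allowed && !active.has(name)) { loaders[name].start(); active.add(name); }
      if (!allowed && active.has(name)) { loaders[name].stop(); active.delete(name); }
    }
  }
  function requireConsentPurpose(name) {
    if (!purposes[name] || purposes[name].basis !== 'consent') {
      throw new Error(`no consent toggle for purpose: ${name}`);
    }
  }
  return {
    // Only consent-based purposes get a choice in the banner.
    choices: () => Object.keys(purposes).filter(n => purposes[n].basis === 'consent'),
    // Call only from a click handler: an active choice, one purpose at a time.
    grant(name) { requireConsentPurpose(name); granted.add(name); sync(); },
    // Withdrawing takes one call, exactly like granting.
    withdraw(name) { requireConsentPurpose(name); granted.delete(name); sync(); },
    refuseAll() { granted.clear(); sync(); },
    isActive: name => active.has(name),
    init: sync, // on page load only legitimate-interest purposes start
  };
}

// Constructed demo: the loaders only record what would have been placed.
function demo() {
  const log = [];
  const loaders = {};
  for (const n of Object.keys(PURPOSES)) {
    loaders[n] = { start: () => log.push(`start:${n}`), stop: () => log.push(`stop:${n}`) };
  }
  const cm = createConsentManager(PURPOSES, loaders);
  cm.init();                       // before any click: no tracking cookie placed
  cm.grant('personalised_ads');    // visitor clicks 'accept' for this purpose
  cm.withdraw('personalised_ads'); // visitor withdraws just as easily
  return { log, choices: cm.choices(), adsActive: cm.isActive('personalised_ads') };
}
```

In a real page the `start` and `stop` functions would inject or remove the scripts that set the cookies, and `grant` would be wired to the banner's accept button for that purpose.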

Legitimate interest

The processing of personal data through functional and limited analytics cookies can be based on a legitimate interest. Examples include cookies that are necessary for the security of your website, or to allow the website to remember which products have been placed in the shopping cart. For more invasive cookies, such as tracking cookies, legitimate interest is not possible as a legal basis. The user must give consent.

How do you make a clear cookie banner? 

The AP highlights 9 important aspects of cookie banners. These 9 general rules help you make a clear cookie banner. In addition, you must always check for yourself if you meet all requirements of the GDPR when you process personal data using cookies.

The general rules are:

  • Provide information about the processing of personal data and the purpose thereof
  • Do not use pre-ticked choice options
  • Use plain text
  • Place the different choices on one layer
  • Do not hide certain choices
  • Do not let someone make additional clicks
  • Do not use inconspicuous links in the text
  • Be clear about the withdrawal of consent
  • Do not confuse consent with legitimate interest

Below you will find an explanation and examples.

Note: The examples and texts in the images are fictitious and for illustrative purposes only. The examples always show a part of a clear cookie banner. What exactly should be in your banner depends on how you use cookies and process personal data.

Provide information about the (type of) personal data and for what purposes they are processed

Give your website visitors the information that is necessary to make a well-informed choice. This includes explaining for what purposes you use cookies and what (type of) personal data you process, before a visitor makes a choice.

Cookie banner example

Does your website process a lot of personal data for many different purposes? In that case, working with a 2-layer cookie banner may be more suitable. In the first layer you clearly state that you process personal data and for what purposes you do this. The second layer provides further explanation about the personal data and purposes.

Ensure that it is clear what (type of) personal data are used for each purpose, thus enabling the website visitor to make an informed choice for each purpose.

In doing so, be sure that the website visitor already has a general idea of what the cookies mean for his or her personal data before giving consent. Any second layer is only intended to provide more detailed information: about what personal data are processed and for what purposes.

Do you share data with third parties for a specific purpose? If so, you must clearly state this in the first layer:

  • The fact that you share data with third parties;
  • for what purpose(s);
  • and, per purpose, with how many third parties.

This way you help the website visitor to make an immediate initial assessment of the impact of the processing operation.

In order to fully inform website visitors, you must provide additional information about what data are shared for which processing purposes, and with which recipients. If there is a lot of additional information to be provided, you can include this additional information in a second layer, if you so wish.

Cookie banner example

You may not be vague or incomplete when stating your purposes for processing. In the example below, reference is made to 'social media', but how and for what purpose(s) personal data are processed is not clear.

Cookie banner example

Do not use pre-ticked choice options

Do you use ticks or slides in your cookie banner? Make sure that it is your website visitor who clicks on specific options and therefore actively makes a choice.

Cookie banner example

Do not tick the boxes automatically. That is not valid consent. If you use multiple layers, do not automatically tick boxes at the other layers either.

Cookie banner example

Use plain text

It must be completely obvious to your website visitor which choice this person makes. Therefore use plain words in buttons, such as 'accept', 'agree' or 'refuse'. In this way, it is obvious that someone gives consent.

Cookie banner example

In other words, do not make it unnecessarily complicated for your website visitor by using vague or misleading wordings or by leaving out text. The website visitor must clearly understand that he or she is giving consent for tracking cookies, and not just confirming that he or she has read the text.

Cookie banner example
Cookie banner example
Cookie banner example

Place different choices on a single layer

Your website visitors should have the freedom to accept or refuse cookies. You may not limit this freedom by making it more difficult to refuse cookies. Make sure, therefore, that you place the buttons for refusing and accepting on the same layer. This means that someone should not have to go through additional clicks to refuse, if that is not necessary for accepting (all) either.

Cookie banner example

Do not offer only one of the options on the first layer.

Cookie banner example

Do not hide certain choices

Make sure that the button for refusing cookies is clearly visible and readable.

Do not hide the button, for example by making your website visitor scroll unnecessarily in order to refuse cookies, if that is not necessary for accepting cookies either. Also avoid designing the decline button in a way that barely differs from the background of the cookie banner, making it unreadable for almost every user.

Cookie banner example

Do not let someone make additional clicks

Refusing cookies should not require more clicks than accepting them. For example, do not make your website visitor additionally confirm that this person wants to refuse the cookies.

Cookie banner example

Do not use inconspicuous links in the text

The option to refuse cookies should be as clearly visible as the option to accept cookies. 

Do not hide the option to refuse, for example, as a link in a piece of text, thus forcing your website visitor to search unnecessarily. 

Cookie banner example

Be clear about the withdrawal of consent

Before your website visitor makes a choice, make it clear how this person can withdraw any consent given.

Cookie banner example

You may prefer not to use the wording 'withdraw consent'. You may use other words, provided that it is clear to the website visitor that he or she can withdraw consent.

Cookie banner example

In addition, be clear about how consent can be withdrawn before the visitor makes a choice. Instead of providing an explanation of how to withdraw consent, you can also provide a link that allows the website visitor to withdraw consent directly. See the example above.

The ability to withdraw consent must always be easy and accessible, even outside the cookie banner. For example, via a floating button that is visible at all times.

Make sure that the website visitor does not have to actively search for information about withdrawing consent, or the possibility to do so.

Cookie banner example

For more information on how to inform website visitors about the right to withdraw consent, please see our explanation of the standard on withdrawing consent when using cookie banners (in Dutch).

Do not confuse consent with legitimate interest

Make a clear choice for each processing purpose: do you use consent or legitimate interest as a legal basis? This way, website visitors know what to expect. Never use both bases at the same time for a single processing purpose.

As stated under Legal Bases, you can only use legitimate interest as a legal basis for processing personal data for functional and limited analytical cookies.

The legal basis of consent does not apply in that case. In the case of functional cookies and limited analytics cookies, you do not need consent for placing and reading those cookies. A tick or slide in your cookie banner could create confusion in that case.

Note: Even if you do not need consent for placing cookies, you are nevertheless obliged to give clear information about the way in which you process personal data.

The example below shows a slide in combination with the legal basis of legitimate interest. Since giving consent does not apply here, the effect of enabling or disabling the slide is unclear. Moreover, legitimate interest is not a valid legal basis for showing personalised ads.

Cookie banner example

Quick answers
