Clear cookie banners
When people visit a website, they are often shown a cookie banner (also called cookie consent notice or cookie pop-up). A cookie banner is used by an organisation to explain to website visitors how cookies are used for collecting their personal data and why.
On this page
A cookie banner enables website visitors to choose which cookies they want to give consent for. It is important that they stay in control of their personal data. In practice, organisations often ask for consent in a misleading manner, such as by having pre-ticked choices. On this page, you will find some general rules, examples of clear cookie banners and examples of how not to do it.
Cookies and the GDPR
There are various types of cookies. Does your organisation use tracking cookies or similar technologies? Then you may assume that you process personal data. With some other types of cookies, you also process personal data. In this case, you must meet the requirements of the General Data Protection Regulation (GDPR).
Why is a clear cookie banner important?
What people do on the internet is highly personal. Tracking cookies enable organisations to watch the internet behaviour of visitors to their website. This is only allowed when website visitors explicitly agree to it. They must also have the option to refuse such cookies without negative consequences.
With comprehensible information about the use of such cookies, your website visitor can make a well-informed choice on whether or not to give consent. You should provide a clear cookie banner, ensuring that you meet the statutory requirements at the same time.
This also includes avoiding misleading ways (‘dark patterns’ or ‘deceptive patterns’) of obtaining consent for cookies, such as by making certain buttons less visible. In those cases, your website visitor will not be able to make a well-informed choice.
Supervision by the AP on cookie banners
Organisations have to handle personal data in a proper manner. The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, monitors and investigates this regularly. If an organisation fails to comply with the rules, the AP can take action, even if an organisation processes personal data using cookies and does not ask consent for this in the correct manner, such as by misleading website visitors.
The AP has been monitoring the use of cookies more strictly since 2024. We check if websites ask for consent for cookies and other tracking software in a correct manner, now more so than before. Continue reading: This is how the AP monitors the use of cookies.
Legal bases
Consent
Processing personal data by using tracking cookies requires the legal basis of consent. In doing so, make sure that:
- You obtain consent before placing such cookies.
- Your website visitors actively give their consent by clicking on something. You can not assume that you have obtained consent just because someone visits your website.
- It has to be obvious for website visitors that you ask for their consent with your cookie banner.
- Your website visitors must be able to give their consent in a free, specific, well-informed and unambiguous manner. Unambiguous means that it is very clear that someone has given consent. In doing so, it is obvious that your website visitors must have a neutral choice where one option does not carry more emphasis than the other.
- Your website visitors should be able to withdraw their consent just as easily. See the information in the 'quick answers' at the bottom of this page.
- You inform your website visitors properly, including about how you use cookies and for what purposes. You need separate consent for each purpose.
For more information about consent as a legal basis, see the EDPB guidelines on consent.
Legitimate interest
The processing of personal data through functional and limited analytics cookies can be based on a legitimate interest. Examples include cookies that are necessary for the security of your website, or to allow the website to remember which products have been placed in the shopping cart. For using more invasive cookies, such as tracking cookies, a legitimate interest as a basis is therefore not possible. The user must give consent.
How do you make a clear cookie banner?
The AP highlights 9 important aspects of cookie banners. These 9 general rules help you make a clear cookie banner. In addition, you must always check for yourself if you meet all requirements of the GDPR when you process personal data using cookies.
The general rules are:
- Provide information about the processing of personal data and the purpose thereof
- Do not use pre-ticked choice options
- Use plain text
- Place the different choices on one layer
- Do not hide certain choices
- Do not let someone make additional clicks
- Do not use inconspicuous links in the text
- Be clear about the withdrawal of consent
- Do not confuse consent with legitimate interest
Below you will find an explanation and examples.
Note: The examples and texts in the images are fictitious and for illustrative purposes only. The examples always show a part of a clear cookie banner. What exactly should be in your banner depends on how you use cookies and process personal data.
Provide information about the (type of) personal data and for what purposes they are processed
Give your website visitors the information that is necessary to make a well-informed choice. This includes explaining for what purposes you use cookies and what (type of) personal data you process, before a visitor makes a choice.
Does your website process a lot of personal data for many different purposes? In that case, working with a 2-layer cookie banner may be more suitable. In the first layer you clearly state that you process personal data and for what purposes you do this. The second layer provides further explanation about the personal data and purposes.
Ensure that it is clear what (type of) personal data are used for each purpose, thus enabling the website visitor to make an informed choice for each purpose.
In doing so, be sure that the website visitor already has a general idea of what the cookies mean for his or her personal data before giving consent. Any second layer is only intended to provide more detailed information: about what personal data are processed and for what purposes.
Do you share data with third parties for a specific purpose? If so, you must clearly state this in the first layer:
- The fact that you share data with third parties;
- for what purpose(s);
- and, per purpose, with how many third parties.
This way you help the website visitor to make an immediate initial assessment of the impact of the processing operation.
In order to fully inform website visitors, you must provide additional information about what data are shared for which processing purposes, and with which recipients. If there is a lot of additional information to be provided, you can include this additional information in a second layer, if you so wish.
You may not be vague or incomplete when stating your purposes for processing. In the example below, reference is made to 'social media', but how and for what purpose(s) personal data are processed is not clear.
Do not use pre-ticked choice options
Do you use ticks or slides in your cookie banner? Make sure that it is your website visitor who clicks on specific options and therefore actively makes a choice.
Do not tick the boxes automatically. That is not valid consent. If you use multiple layers, do not automatically tick boxes at the other layers either.
Use plain text
It must be completely obvious to your website visitor which choice this person makes. Therefore use plain words in buttons, such as 'accept', 'agree' or 'refuse'. In this way, it is obvious that someone gives consent.
In other words, do not make it unnecessarily complicated for your website visitor by using vague or misleading wordings or by leaving out text. The website visitor must clearly understand that he or she is giving consent for tracking cookies, and not just confirming that he or she has read the text.
Place different choices on a single layer
Your website visitors should have the freedom to accept or refuse cookies. You may not limit this freedom by making it more difficult to refuse cookies. Make sure, therefore, that you place the buttons for refusing and accepting on the same layer. This means that someone should not have to go through additional clicks to refuse, if that is not necessary for accepting (all) either.
Do not offer only one of the options on the first layer.
Do not hide certain choices
Make sure that the button for refusing cookies is clearly visible and readable.
Do not hide the button, for example by making your website visitor scroll unnecessarily in order to refuse cookies, if that is not necessary for accepting cookies either. Also avoid designing the decline button in a way that barely differs from the background of the cookie banner, making it unreadable for almost every user.
Do not let someone make additional clicks
Refusing cookies should not require more clicks than accepting them. For example, do not make your website visitor additionally confirm that this person wants to refuse the cookies.
Do not use inconspicuous links in the text
The option to refuse cookies should be as clearly visible as the option to accept cookies.
Do not hide the option to refuse, for example, as a link in a piece of text, thus forcing your website visitor to search unnecessarily.
Be clear about the withdrawal of consent
Make it clear as to how your website visitor can withdraw any consent given before this person makes a choice.
Not to use the wording 'withdraw consent' may be preferred. You may use other words, provided that it is clear to the website visitor that he or she can withdraw consent.
In addition, be clear about how consent can be withdrawn before the visitor makes a choice. Instead of providing an explanation of how to withdraw consent, you can also provide a link that allows the website visitor to withdraw consent directly. See the example above.
The ability to withdraw consent must always be easy and accessible, even outside the cookie banner. For example, via a floating button that is visible at all times.
Make sure that the website visitor does not have to actively search for information about withdrawing consent, or the possibility to do so.
For more information on how to inform website visitors about the right to withdraw consent, please see our explanation of the standard on withdrawing consent when using cookie banners (in Dutch).
Do not confuse consent with legitimate interest
Make a clear choice for each processing purpose: do you use consent or legitimate interest as a legal basis? This way, website visitors know what to expect. Never use both bases at the same time for a single processing purpose.
As stated under Legal Bases, you can only use legitimate interest as a legal basis for processing personal data for functional and limited analytical cookies.
The legal basis of consent does not apply in that case. In the case of functional cookies and limited analytics cookies, you do not need consent for placing and reading those cookies. A tick or slide in your cookie banner could create confusion in that case.
Note: Even if you do not need consent for placing cookies, you are nevertheless obliged to give clear information about the way in which you process perskonal data.
The example below shows a slide in combination with the legal basis of legitimate interest. Since giving consent does not apply here, the effect of enabling or disabling the slide is unclear. Moreover, legitimate interest is not a valid legal basis for showing personalised ads.
Quick answers
Do the general rules for cookie banners also apply to similar technologies?
Yes. The general rules for cookie banners are about cookies and all other technologies in which you store information or gain access to the user's device (such as a mobile phone or computer).
In addition to cookies, this also concerns:
- placing non-essential data on the user's device, such as via local storage;
- tracking pixels;
- web beacons;
- fingerprinting.
Which information should be on the first layer of my cookie banner?
Certain information has to be immediately visible in your cookie banner. In any case, it must be clear that personal data are being processed, who processes the personal data and for what purpose(s).
In addition, if applicable, you must state whether you share data with third parties for a purpose and how many third parties this involves.
You must also state that the website visitor has the right to withdraw consent and how to do this.
This is the information that you must show at the 'first layer'. This way, your website visitor knows what the consent is intended for. Other information may be placed at a second layer, if appropriate given the brevity. Of course, this does not change the fact that you must offer all information in a clear manner.
How does withdrawal of consent work with cookie banners?
Do you use a cookie banner for asking consent for processing the personal data of your website visitors? Do not forget that your website visitors must also be able to withdraw their consent.
Withdrawing consent must be possible at any time. It must be just as easy as giving consent. You are not allowed to require a user to pay money for this. In addition, the withdrawal of consent should not have any negative consequences for your website visitors.
You must give your website visitors information about how they can withdraw consent before they give it. This can be achieved by including a brief explanation in the cookie banner, with a button or a link. Make sure that there is always another way in which people can easily find the place where they can withdraw their consent.
Does it (also) concern consent for the processing of personal data by third parties? Then you also have to inform these third parties that someone has withdrawn the consent.
Also read the Dutch DPA's standard explanation about withdrawing consent with cookie banners (in Dutch).
Also view
More information
Where in the law?
- Article 4, paragraph 11 of the GDPR
- Article 7 of the GDPR
- Article 11.7a of the Telecommunications Act