PrivacyOps Certification

Course content

Create Account

Log in / Create account to save progress and earn badges

PrivacyOps Certification
View course details →

What is Cookie Consent Management?

Mark Complete Enroll now to save progress and earn badges. Click to continue.

Cookie Consent Management enables organizations to effectively capture consent before storing cookies and other similar tracking technologies such as beacons, pixels, local storage, and more on data subject’s devices.


Why is consent needed for the use of cookies?
Website publishers use cookies and similar tracking technologies for cross-site tracking, cross-context behavioral advertising, contextual advertising, and other types of advertising.
Cookies collect data to identify website users and build their profiles.
This data is then sold on to several third parties, including ad networks, social media companies, and analytics providers.
Most global privacy laws now require the data subject’s consent before installing cookies and similar tracking technologies on their devices.

Cookie Consent under GDPR and e-Privacy Directive

The GDPR and e-Privacy Directive require organizations not to load any non-essential cookies on web pages unless they have a cookie consent banner on their website and data subjects have consented to the use of those cookies.

A GDPR and e-Privacy Directive compliant cookie consent banner must:

Have clear and comprehensive information about cookies:

The cookie consent banner must contain plain and understandable information about the cookies that an organization intends to use. The information must include at the least
  • The information on general purposes of cookies,
  • The data subject’s ability to withdraw and change consent along with the method of doing so,
  • The data controller’s name and identity,
  • The data processors’ name and identities,
  • A complete list of recipients or categories of recipients who will obtain personal data through the processing of cookies, and
  • All relevant Information on individual cookie properties

Data subject’s ability to withdraw and change the consent:

The cookie consent banner must give equal prominences to accept and reject options. The data subject must be allowed to withdraw consent or change consent at any time, without any detriment in a user-friendly and easy mechanism.

Selection and deselection of individual cookies categories:

The cookie consent banner must allow the selection and deselection of respective cookie categories based on their purposes. This requires organizations to have separate opt-in and opt-outs for different categories of cookies based on their purposes.

No pre-selected checkboxes or cookie walls:

The cookie consent banner must not have pre-selected preferences by default for non-essential cookies. Similarly, an organization must not access a service or functionality of a website conditional on the data subject’s consent to the collection and processing of non-essential cookies.

Cookie Consent under CCPA

The CCPA requires organizations to not load any non-essential cookies before displaying relevant information to users about cookies.

A CCPA compliant cookie consent banner must include the following:

Information about the use of cookies and their purposes

Under the CCPA, organizations must inform data subjects at or before collecting the categories of cookies collected and the purposes for which the organization will use cookies.

Notice of the right to opt-out of the sale of personal data

Under the CCPA, organizations must allow data subjects to opt-out of the sale of their personal data via cookies by displaying a clear message and prominent link titled “Do Not Sell My Personal Information,” enabling data subjects to opt-out of the sale of their personal data.

A link to the organization’s privacy policy

Under the CCPA, organizations must display a link to the organization’s privacy policy that should be posted online through a prominent and conspicuous link using the word “privacy” on the organization’s website homepage or the download or landing page of a mobile application.

Besides, organizations must allow consumers to opt-out of the sale or sharing of personal information and limit the use of their sensitive personal information (under the new law, California Privacy Rights Act). Therefore, organizations must not load any non-essential cookies before notifying data subjects adequately, providing them an opt-out option, and letting them acknowledge the notification.

Moreover, the CCPA requires organizations to obtain the data subject’s consent to sell personal data belonging to minors. Where an organization has actual knowledge that the data subject is less than 16 years of age, it must rely on the explicit opt-in consent for the sale of their personal data and obtain consent from data subjects if they are at least 13 years of age and less than 16 years of age and from parents or guardians of data subjects where they are less than 13 years of age.

GDPR (opt-in consent regime) and CCPA (opt-out consent regime) are not the only examples of data protection laws that require cookie consent notices. Many countries have drafted their laws based on the framework set up by GDPR and CCPA, and therefore, cookie consent notices are required by most global privacy regulations.

A summary of cookie consent banner requirements under opt-in and opt-out consent regimes.

XML Sitemap

Gartner Customers Choice Gartner Cool Vendor Award Forrester Badge IDC Worldwide Leader Gigaom Badge RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend IAPP Innovation award 2020