Clear and misleading cookie banners

When people visit a website, they are often shown a cookie banner (also called a cookie consent notice or cookie pop-up). An organisation uses a cookie banner to explain to website visitors how cookies are used to collect their personal data and why.

A cookie banner enables website visitors to choose which cookies they want to give consent for. It is important that they stay in control of their personal data. In practice, organisations often ask for consent in a misleading manner, such as by having pre-ticked choices. On this page, you will find some general rules, examples of clear cookie banners and examples of how not to do it. 

Cookies and the GDPR

There are various types of cookies. Does your organisation use tracking cookies or similar technologies? Then you may assume that you process personal data. With some other types of cookies, you also process personal data. In this case, you must meet the requirements of the General Data Protection Regulation (GDPR). 

Why is a clear cookie banner important?

What people do on the internet is highly personal. Tracking cookies enable organisations to watch the internet behaviour of visitors to their website. This is only allowed when website visitors explicitly agree to it. They must also have the option to refuse such cookies without negative consequences.

With comprehensible information about the use of such cookies, your website visitor can make a well-informed choice on whether or not to give consent. You should provide a clear cookie banner, ensuring that you meet the statutory requirements at the same time.

This also includes avoiding misleading ways (‘dark patterns’ or ‘deceptive patterns’) of obtaining consent for cookies, such as by making certain buttons less visible. In those cases, your website visitor will not be able to make a well-informed choice.

Supervision by the Dutch DPA on cookie banners

Organisations have to handle personal data in a proper manner. The Dutch Data Protection Authority (Dutch DPA) monitors and investigates this regularly. If an organisation fails to comply with the rules, the Dutch DPA can take action. This also applies if an organisation processes personal data using cookies and does not ask for consent in the correct manner, such as by misleading website visitors. From 2024, the Dutch DPA will investigate more often how organisations ask for consent for cookies.

Legal bases

Consent

Generally, you process personal data via cookies on the legal basis of consent. In doing so, make sure that:

  • You obtain consent before placing such cookies. 
  • Your website visitors actively give their consent by clicking on something. You cannot assume that you have obtained consent just because someone visits your website.
  • It has to be obvious to website visitors that you ask for their consent with your cookie banner.
  • Your website visitors give their consent in a freely given, specific, informed and unambiguous manner. Unambiguous means that it is very clear that someone has given consent. Your website visitors should have a neutral choice and one option should not be given more emphasis than the other. 
  • Your website visitors should be able to withdraw their consent just as easily. See the information in the 'quick answers' at the bottom of this page. 
  • You inform your website visitors properly, including about how you use cookies and for what purposes. You need separate consent for each purpose.

Legitimate interest

When you process personal data using cookies, you have to carefully consider which legal basis you rely on. In the case of cookies, this is hardly ever the legal basis of legitimate interest. This legal basis might only be used in the case of functional and limited analytics cookies, for example if a cookie is necessary for the security of your website.

How do you make a clear cookie banner? 

The Dutch DPA highlights 9 important aspects of cookie banners. These 9 general rules help you make a clear cookie banner. In addition, you must always check for yourself if you meet all requirements of the GDPR when you process personal data using cookies. 

The general rules are:

  • Provide information about the purpose
  • Do not use pre-ticked choice options
  • Use plain text
  • Place the different choices on one layer
  • Do not hide certain choices
  • Do not let someone make additional clicks
  • Do not use inconspicuous links in the text
  • Be clear about the withdrawal of consent
  • Do not confuse consent with legitimate interest

Below you will find an explanation and examples. 

Provide information about the purpose

Give your website visitor the information that is necessary for making a well-informed choice. This includes stating, for each purpose, why you use cookies, before someone makes a choice.

Cookie banner example

Do not be vague or incomplete when stating your purposes. In the example below, reference is made to ‘social media’, but it is not clear how and for what purpose or purposes personal data is processed. 

Cookie banner example

Do not use pre-ticked choice options

Do you use checkboxes or sliders in your cookie banner? Make sure that it is your website visitor who clicks (or does not click) on specific options and therefore actively makes a choice.

Cookie banner example

Do not use choice options that have been checked by default. That does not count as consent. 

Cookie banner example

Use plain text

It must be completely obvious to your website visitor which choice this person makes. Therefore use plain words in buttons, such as ‘accept’, ‘agree’ or ‘refuse’. In this way, it is obvious that someone gives consent.

Cookie banner example

Do not make it unnecessarily complicated for your website visitor by using vague or leading statements or by omitting text. 

Cookie banner example

Place the different choices on one layer

Your website visitors must be able to refuse cookies as easily as accept them. Make sure, therefore, that you place the buttons for refusing and accepting on the same layer. This means that someone does not need to make additional clicks to refuse if that is not necessary for accepting (everything) either. 

Cookie banner example

Do not offer only one of the options on the first layer.

Cookie banner example

Do not hide certain choices

Make sure that the button for refusing cookies is clearly visible.

Do not hide the button, for example by making your website visitor unnecessarily scroll in order to refuse cookies, if that is not necessary for accepting cookies either. 

Cookie banner example

Do not let someone make additional clicks

Refusing cookies should not require more clicks than accepting them. 

For example, do not make your website visitor additionally confirm that this person wants to refuse the cookies.

Cookie banner example

Do not use inconspicuous links in the text

The option to refuse cookies should be as clearly visible as the option to accept cookies. 

Do not hide the option to refuse, for example, as a link in a piece of text, thus forcing your website visitor to search unnecessarily. 

Cookie banner example

Be clear about the withdrawal of consent

Before your website visitor makes a choice, make it clear how this person can withdraw any consent given.

Cookie banner example

Do not confuse consent with legitimate interest

As previously mentioned, legitimate interest as a legal basis for processing personal data is only possible for functional and limited analytical cookies. In those cases the legal basis of consent does not apply. For functional cookies and some analytical cookies, you do not need consent for placing and reading those cookies. Including a checkbox or slider for these cookies in your cookie banner could cause confusion.

In the example below, you see a slider together with the legal basis of legitimate interest. Since giving consent does not apply here, the effect of enabling or disabling the slider is unclear. 

Cookie banner example

Quick answers