
What should a cookie notice on a company website look like? 1/5/24

No website can function without cookies because they not only make your website functional but also help your company analyse what the visitors to the website are interested in. The National Data Office put together guidelines on cookies in 2022, but creating adequate cookie notices is still a big problem. This article will walk you through the steps of creating a pop-up cookie notice on your website that complies with the General Data Protection Regulation.

Step 1: You should always offer a choice

People using your website should be given a choice between allowing or blocking cookies, and users should be able to choose what cookies they want to allow. Of course, there are cookies without which your website cannot really function, so it’s not necessary to give the user discretion about using those. We recommend your pop-up notice should give the user three options: “Accept”, “Reject” and “More information”.

Step 2: Consent

Your pop-up notice should inform the user of your intended personal data processing through cookies, but you may wonder when the user’s consent is required and when it’s not necessary.

It’s not mandatory to ask the user’s consent for technical or essential cookies, but that does not mean you do not need to have a pop-up cookie notice that gives relevant information.

Consent should be sought if your website uses analytical cookies and marketing cookies, split into first-party cookies and third-party cookies.

Step 3: Splitting the information into layers

The first-layer information should include the controller’s identity, the intended uses of cookies, which party’s cookies are used, types of data collected in the case of profiling, how the user can make a decision about cookies, and a clear reference to the second-layer information.

The second-layer information contains information that helps the user understand the intended uses of cookies and why such uses are necessary. This means the user should have easy access to your privacy policy and/or cookie policy.

Step 4: Highlighting certain fields

It’s common for companies to highlight one of the selection tools, thereby prompting the user to choose the highlighted field. The National Data Office’s guidelines state that the user should be given discretion, without prompting them to make a certain choice (e.g. if the consent button is green but the rest are grey).

Step 5: Marking your choice

If the user wants to learn more about cookies in the pop-up notice, what they often see is that a choice is made for them. For example, it’s automatically stated that the user agrees to marketing cookies and statistical cookies. This practice should be abandoned, and the user should be allowed to mark any cookies they like.

Step 6: Revoking consent

The user should always find that revoking consent is as easy as giving consent. If the user needs to carry out any additional activities, such as phoning the company to request revocation of consent that was given electronically with a single click, this will be a breach of the General Data Protection Regulation.

Best practice: Once the user has allowed or blocked your cookies, your home page always displays a cookie the user can click to change their selection.

Best practice: Closing your pop-up notice cannot be treated as the user’s consent, so your website cannot use cookies if the user simply closes the notice.


If you have any comments on this article please email them to lv_mindlink@pwc.com
