TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. Cookies Notice: What It Is, Why You Need One, and How to Comply
Privacy Policy

Cookies Notice: What It Is, Why You Need One, and How to Comply

Learn what a cookies notice is, which laws require one, and how to create a compliant notice for your website. Covers GDPR, ePrivacy, and CCPA.

TermsBox Team|April 4, 202613 min read

A cookies notice is the first thing visitors see when a website uses cookies that require consent. It is the mechanism that bridges the gap between legal requirements and actual user interaction, giving visitors meaningful control over which cookies are placed on their devices. Getting the cookies notice wrong is one of the most common compliance failures regulators target, and one of the easiest to avoid.

This guide explains what a cookies notice must include, which laws require one, how to build a notice that actually satisfies regulators, and the mistakes that lead to enforcement actions. This is educational content and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.

What Is a Cookies Notice?

A cookies notice is a visible interface element, typically a banner or modal, that appears when a visitor first arrives on a website. Its purpose is to inform the visitor that the site uses cookies and to collect their consent before any non-essential cookies are placed on their device.

The term is sometimes used interchangeably with "cookie banner" or "cookie consent pop-up," but the function is the same: disclosure plus consent collection. A cookies notice is distinct from a cookie policy, which is the full legal document listing every cookie, its purpose, duration, and the parties involved. The notice is the front door. The policy is the detailed reference document behind it.

Under EU law, the requirement for a cookies notice comes from Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC), which mandates prior informed consent before storing or accessing information on a user's device. The GDPR (Regulation 2016/679) defines what "valid consent" means in Articles 4(11), 6, and 7: it must be freely given, specific, informed, and unambiguous.

Why Your Website Needs a Cookies Notice

The legal obligation to display a cookies notice depends on two factors: what cookies your website uses and where your visitors are located.

Regulatory requirements by jurisdiction

  • EU and EEA: Article 5(3) of the ePrivacy Directive requires opt-in consent for all non-essential cookies. The GDPR reinforces this with strict consent standards. Every website accessible to EU visitors that uses analytics, marketing, or functional cookies must display a cookies notice that blocks those scripts until consent is given.
  • United Kingdom: The UK GDPR and Privacy and Electronic Communications Regulations (PECR) impose equivalent requirements. The ICO has confirmed that implied consent through continued browsing is not valid.
  • California (CCPA/CPRA): California uses an opt-out model. A cookies notice is not strictly required for consent, but websites must disclose data collection practices and provide a "Do Not Sell or Share My Personal Information" link. Honoring the Global Privacy Control (GPC) browser signal is mandatory.
  • Brazil (LGPD): Brazil's data protection law includes consent provisions that apply to cookies containing personal data. A cookies notice supporting opt-in consent is the safest approach.
  • Canada (PIPEDA): Canada requires meaningful consent for the collection of personal information, which can include cookie data. The Office of the Privacy Commissioner has indicated that implied consent may suffice for less sensitive data, but explicit consent is recommended.

Business reasons beyond compliance

Beyond legal obligations, a cookies notice builds trust with visitors. Websites that are transparent about data collection practices see higher engagement from privacy-conscious users. A well-designed notice also protects against complaints to data protection authorities, which can trigger audits even when fines are not imposed.

What a Compliant Cookies Notice Must Include

Regulators have been specific about what a cookies notice must contain and how it must function. The European Data Protection Board (EDPB) Guidelines 05/2020 on consent provide the most detailed requirements.

Required elements

  1. Clear identification of cookies: State that the website uses cookies and briefly describe the categories (necessary, analytics, marketing, functional).
  2. Purpose explanation: Explain what each category of cookie does in plain language, not legal jargon.
  3. Identity of data controllers: Identify who is responsible for the data collection, especially when third-party cookies are involved.
  4. Link to full cookie policy: Provide a direct link to the complete cookie policy where visitors can read detailed information about every cookie.
  5. Granular consent controls: Allow visitors to accept or reject cookies by category rather than forcing an all-or-nothing choice.
  6. Equal accept and reject options: Both the accept and reject buttons must have equal visual prominence. Hiding the reject option behind a secondary menu or using a muted color is a dark pattern that regulators have penalized.
  7. Withdrawal mechanism: A persistent link on every page (often a small icon or "Cookie Settings" link in the footer) that lets visitors change their preferences at any time.

What the notice must do technically

A cookies notice is not just a visual element. It must function as a gatekeeper that prevents non-essential scripts from executing until consent is recorded.

  • Non-essential scripts must be blocked on initial page load
  • Scripts should only fire after the visitor makes an active choice
  • The visitor's consent state must be stored (typically in a first-party cookie) and respected on subsequent visits
  • If the visitor rejects cookies, no non-essential cookies should be set at any point during the session

Cookies Notice vs. Cookie Policy: Understanding the Difference

These two documents serve different purposes and both are required for full compliance.

Aspect Cookies Notice Cookie Policy
Format Banner, modal, or pop-up Full-page legal document
Purpose Inform and collect consent Detailed disclosure of all cookies
Visibility Appears on first visit Linked from notice and site footer
Content depth Summary of categories and purposes Complete list with names, durations, providers
Legal basis ePrivacy Directive Article 5(3) GDPR Articles 13 and 14 (transparency)
User interaction Accept, reject, customize Read-only reference

Your privacy policy should also reference your cookie practices and link to the full cookie policy. Together, the cookies notice, cookie policy, and privacy policy form the core of your website's data transparency framework.

How to Create a Cookies Notice That Passes Regulatory Scrutiny

Building a compliant cookies notice involves both design decisions and technical implementation. Here is what regulators expect.

Design principles

  • First layer clarity: The initial banner should be concise. State that the site uses cookies, summarize the categories, and present accept, reject, and customize buttons. Do not overwhelm visitors with a wall of text.
  • No dark patterns: The EDPB and CNIL have specifically targeted designs where "Accept All" is a bright, prominent button and "Reject All" is a small text link. Both options must be presented with equal visual weight on the first layer.
  • No pre-selected categories: Consent must be opt-in. Displaying the cookie settings modal with analytics and marketing pre-checked violates the CJEU's Planet49 ruling (Case C-673/17, 2019).
  • Mobile responsive: The notice must be fully functional on mobile devices. A banner that covers the entire screen on mobile without a visible reject option has been flagged as a dark pattern by the CNIL.

Technical implementation

  1. Script modification: Change non-essential script tags from type="text/javascript" to type="text/plain" and add a data attribute identifying the cookie category. Your consent management system reads these attributes and re-enables scripts only after consent.
  2. Consent storage: Store the visitor's choice in a first-party cookie. Include a timestamp, the categories consented to, and a version identifier so you can re-prompt if your cookie usage changes.
  3. Server-side respect: If your server sets cookies (not just client-side scripts), the consent state must be checked server-side before setting those cookies in the HTTP response.
  4. Consent logging: Maintain a server-side log of consent events. Under GDPR Article 7(1), you must be able to demonstrate that consent was given. Client-side storage alone is insufficient for this purpose.

Common Cookies Notice Mistakes That Lead to Fines

Data protection authorities across Europe have published detailed enforcement decisions that reveal recurring patterns of non-compliance.

Mistake 1: Notice without script blocking

Displaying a cookies notice while simultaneously loading Google Analytics, Facebook Pixel, and advertising scripts defeats the entire purpose. CNIL's 2022 enforcement actions against Google (150 million EUR) and Facebook (60 million EUR) specifically cited the placement of cookies before users could make a choice.

Mistake 2: Hiding the reject option

Placing "Accept All" on the first layer of the banner while requiring visitors to open a settings panel to find the reject option violates the equal prominence requirement. The Italian Garante, French CNIL, and Spanish AEPD have all issued fines for this pattern.

Mistake 3: Treating continued browsing as consent

Before the GDPR, some jurisdictions accepted implied consent through continued use of the site. That standard is dead in the EU. The CJEU's Planet49 decision and subsequent EDPB guidance make clear that consent requires an affirmative act. A banner that says "By continuing to browse, you accept cookies" is not compliant.

Mistake 4: No option to withdraw consent

GDPR Article 7(3) states that withdrawing consent must be as easy as giving it. If your cookies notice appears once and there is no persistent way for visitors to revisit their choices, you are non-compliant. A footer link or floating icon that re-opens the consent interface satisfies this requirement.

Mistake 5: Not re-prompting after changes

If you add new cookie categories or third-party services, existing consent no longer covers the new usage. Your cookies notice must detect when consent was given for a previous version of your cookie configuration and re-prompt the visitor.

Managing Your Cookies Notice at Scale

For websites with significant traffic or multiple properties, manual management of a cookies notice becomes impractical. Key considerations include:

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now
  • Automatic cookie scanning: Your cookie inventory changes as you add analytics tools, marketing pixels, or third-party integrations. Automated scanning detects new cookies and flags ones not covered by your current notice. TermsBox's compliance scanner identifies cookies on your site and maps them to your consent categories, reducing the risk of undisclosed tracking.
  • Consent rate monitoring: Track what percentage of visitors accept, reject, or ignore your cookies notice. Low acceptance rates may indicate a design problem or may simply reflect your audience's preferences. Either way, the data informs decisions.
  • Multi-language support: If your website serves visitors in multiple countries, the cookies notice must appear in the visitor's language. The GDPR's transparency requirements in Articles 12 through 14 mandate that information be provided in clear, plain language.
  • Consent records for audits: When a data protection authority requests proof that your consent mechanism works, you need server-side consent logs with timestamps, not just a screenshot of your banner.

Cookies Notice Requirements by Website Type

Different types of websites have different cookie profiles, which affects what the cookies notice must address.

E-commerce websites

Online stores typically use session cookies (strictly necessary for cart functionality), analytics cookies (Google Analytics, Hotjar), and marketing cookies (retargeting pixels, affiliate tracking). The cookies notice must separate these clearly. Cart and checkout cookies are exempt from consent, but everything else requires opt-in for EU visitors.

SaaS and web applications

Applications that require login often use authentication tokens and session cookies that qualify as strictly necessary. However, product analytics tools (Mixpanel, Amplitude, Heap), error tracking (Sentry), and in-app messaging (Intercom) typically set cookies that require consent.

Content and media websites

Blogs, news sites, and content platforms tend to rely heavily on advertising cookies for revenue. These sites face a tension between consent requirements and ad revenue. The cookies notice must still offer genuine choice. Using a cookie wall that blocks content unless cookies are accepted has been ruled non-compliant by the EDPB, with narrow exceptions.

Small business websites

Even a simple brochure website can trigger consent requirements if it uses Google Analytics, an embedded YouTube video, or social media sharing buttons. All of these set cookies. A lightweight cookies notice that covers these common integrations is sufficient for most small business sites.

Keeping Your Cookies Notice Up to Date

A cookies notice is not a one-time implementation. Your website changes over time, and your notice must keep pace.

Review your cookie inventory whenever you add or remove third-party services. Update the cookie categories and descriptions in your notice to reflect current usage. Re-prompt visitors whose consent was recorded under a previous version of your cookie configuration.

Periodic compliance audits help catch discrepancies between your cookies notice and the actual cookies your site places. Tools that scan your website and compare the results against your declared cookie inventory automate this process. TermsBox provides automated scanning that flags undisclosed cookies and generates updated cookie policies to match your current site configuration.

For a comprehensive privacy policy that covers your cookie practices alongside broader data handling, use our privacy policy generator as a starting point. Pair it with a dedicated cookie policy that your cookies notice links to.

Frequently Asked Questions

Is a cookies notice the same as a cookie policy?

No. A cookies notice is the visible banner or pop-up that informs visitors about cookie usage and collects their consent. A cookie policy is the full legal document that details every cookie your site uses, its purpose, duration, and the third parties involved. Most compliance frameworks require both: the notice as the front-end interaction and the policy as the comprehensive disclosure.

Does every website need a cookies notice?

If your website uses any non-essential cookies and is accessible to visitors in the EU, UK, or other jurisdictions that adopted the ePrivacy Directive, yes. Article 5(3) of the ePrivacy Directive requires prior informed consent before placing non-essential cookies. Websites that use only strictly necessary cookies (such as session cookies for login) are exempt from the consent requirement but still need a cookie policy explaining their use.

What are the penalties for not displaying a cookies notice?

Under the GDPR, data protection authorities can impose fines of up to 20 million EUR or 4% of global annual turnover, whichever is higher. CNIL fined Google 150 million EUR and Facebook 60 million EUR in 2022 specifically for cookie consent violations. Under the CCPA, each intentional violation carries a fine of up to $7,500, with $2,500 for unintentional violations.

Can I use a cookies notice that only informs visitors without blocking scripts?

Not if your visitors are in the EU or UK. A notice-only approach that does not block non-essential scripts before consent violates Article 5(3) of the ePrivacy Directive. The CJEU's Planet49 ruling (Case C-673/17) confirmed that valid consent must be an active, affirmative action. Loading tracking scripts before consent, regardless of what the banner says, is a compliance failure.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Cookie Policy Generator

Create a cookie policy for GDPR compliance

Related Articles

Privacy Policy

Android Privacy Policy: What to Include and How to Add One

Learn how to create an Android privacy policy that meets Google Play requirements and privacy laws. Step-by-step guide for app developers.

April 4, 202611 min read
Privacy Policy

Data Protection Policy Template: Free Guide for 2026

Get a data protection policy template with GDPR-compliant sections, practical guidance, and step-by-step instructions to build your own policy.

April 4, 202612 min read
Privacy Policy

GDPR Compliance Statement Example for Your Website

See a GDPR compliance statement example with required clauses, legal bases, and step-by-step instructions for building your own.

April 4, 202610 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is a Cookies Notice?
  • Why Your Website Needs a Cookies Notice
  • Regulatory requirements by jurisdiction
  • Business reasons beyond compliance
  • What a Compliant Cookies Notice Must Include
  • Required elements
  • What the notice must do technically
  • Cookies Notice vs. Cookie Policy: Understanding the Difference
  • How to Create a Cookies Notice That Passes Regulatory Scrutiny
  • Design principles
  • Technical implementation
  • Common Cookies Notice Mistakes That Lead to Fines
  • Mistake 1: Notice without script blocking
  • Mistake 2: Hiding the reject option
  • Mistake 3: Treating continued browsing as consent
  • Mistake 4: No option to withdraw consent
  • Mistake 5: Not re-prompting after changes
  • Managing Your Cookies Notice at Scale
  • Cookies Notice Requirements by Website Type
  • E-commerce websites
  • SaaS and web applications
  • Content and media websites
  • Small business websites
  • Keeping Your Cookies Notice Up to Date
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.