The term “cookie notice” or “cookie banner” refers to a banner, splash page, or other notice that deploys on a website to inform visitors that the site uses cookies. While cookie banners are fairly ubiquitous in the European Union, owing to both the General Data Protection Regulation and the ePrivacy Directive, historically they have been less common in the United States. As companies consider strategies for complying with the CCPA’s notice, sharing, service provider, and sale provisions, attention is focused on whether businesses in the United States will begin to use cookie notices as a compliance or risk mitigation tool.

There are multiple ways in which cookie notices can be configured. Typically, a cookie notice will fall into one of three formats:

  1. Notice Only. A “notice only” disclosure informs visitors that the website deploys cookies, but does not give the website visitor any direct control concerning the use of cookies. In other words, the website visitor is not asked to permit / accept cookies, nor are they given a tool or mechanism for disabling cookies. Some notice-only cookie banners may, however, provide information to the visitor on how cookies can be disabled within the visitor’s website browser.
  2. Notice + Opt Out. A “notice + opt out” disclosure informs visitors that the website deploys cookies and provides the visitor with a mechanism for disabling the website’s future deployment of cookies. This may include a single option to “opt-out” of all cookies, or might provide more granular options to opt-out of some types of cookies (e.g., behavioral advertising cookies or analytic cookies).
  3. Notice + Opt In Consent. A “notice + opt in consent” disclosure informs visitors that the website would like to deploy cookies and asks the visitor to opt-in, or accept, cookies before they are deployed. This may include a single option to “opt in” to all cookies, or it might provide a more granular option to opt-in to some types of cookies (e.g., behavioral advertising cookies). It is worth noting that some companies have been criticized for providing “notice + opt-in” disclosures, but then ignoring whether the website visitor provides opt-in consent. In other words, deploying cookies regardless of whether consent is obtained.

In order to help companies understand and benchmark industry practice, BCLP analyzed a random sample of the homepages of the Fortune 500 to better understand their use of cookie notices and cookie banners.1 As of December 14, 2019, only 28% of companies were deploying some form of cookie notice.2 As the following chart illustrates, among the companies that were deploying notices there was little standardization in terms of whether notice, opt-out, or opt-in disclosures were utilized: