In recent years, several privacy regulations have been enacted, including GDPR, CPRA, and LGPD, all of which aim to protect users' data. A key requirement across these laws is the implementation of cookie banners, which have become essential for complying with data privacy regulations.
To maintain your website’s SEO rankings and avoid potential fines, it is crucial to include a consent banner and ensure it meets all the requirements. In this article, we will cover what a cookie banner is, who needs to implement one, how to create a GDPR-compliant cookie banner, and more.
Cookie banners became prominent after the 2002 ePrivacy Directive, also known as the European Cookie Law, addressed concerns about online data privacy and tracking. However, many associate their rise with the 2018 GDPR, which required businesses to get explicit user consent before using cookies to collect personal data. Besides GDPR, there are numerous regulations that apply to different areas around the globe (e.g., LGPD in Brazil, POPIA in South Africa, and PDPA in Singapore).
A cookie banner is a pop-up that appears when a person visits your website and informs them that cookies will be stored on their device. The banner serves two main purposes:
After the General Data Protection Regulation (GDPR) came into force, cookie banners became required for websites. Although GDPR is applied to the EU zone only, there are a lot of other regulations across the globe that are aimed at data protection (e.g., LGPD in Brazil, POPIA in South Africa, and PDPA in Singapore) and also require consent for using user data.
Yes, Google Consent Mode is required for server-side tracking. When you integrate Consent Mode, you should ensure that user consent is obtained both on the client-side tagging and the server-side. For more details, follow the section on how to add Consent Mode in the server Google Tag Manager.
Website owners must implement a cookie banner to comply with data privacy laws and protect SEO rankings. Failing to do so, or using a banner format that doesn't meet requirements, could result in the following consequences:
A cookie banner pops up when a user visits a website for the first time. It provides users with details about the cookies used on your site and interacts with the user's browser to manage consent preferences. At this point, a user can accept, decline, or customize the cookies that can be gathered.
Once the website has obtained the visitor's consent, the consent banner gathers the user's preferences. If you use server-side tracking, it passes them to the tag you have chosen to transmit the consent status from the web container to the server Google Tag Manager (e.g., the Google Tag).
This tag includes a parameter that conveys the consent status to server GTM.
Within the server, the tag's behavior is adjusted based on the parameter's value that reflects the user's consent status.
When you use third-party web tracking scripts (e.g., the Google Analytics and Google Tag Manager snippets), you can't fully control the data they collect. These scripts may gather sensitive personal data without notifying you.
With server-side tracking, you can avoid this problem. Unlike with client-side tracking, you have more control over the data and can define exactly what you want to collect.
Certain industries (e.g., healthcare) impose additional regulations that restrict the transmission of specific Personally Identifiable Information (PII) to third-party platforms.
These requirements are often difficult to meet with web tracking alone. However, with server-side tracking, you have full control over the transmitted data. Using server-side Google Tag Manager, you can either remove sensitive data or hash it before sending it to external platforms.
If you work in the health industry, you should comply with the Health Insurance Portability and Accountability Act (HIPAA); read our blog post on how to set up HIPAA-compliant data tracking with Stape.
Personally Identifiable Information can include a wide range of data, not only email addresses or phone numbers. In the healthcare industry, for example, disease or equipment names can appear in URLs. Sending such data violates the policies of platforms such as Facebook.
With Server GTM, you can modify website URLs before sending them to third-party platforms. This allows you to remove parameters or replace specific keywords in the URL.
Use the Anonymizer power-up by Stape to remove or anonymize data from Google Analytics 4.
Setting up server-side tracking helps you comply with privacy regulations. However, it doesn't mean you can skip asking for the user's consent to process personal data. The ePrivacy Directive, as incorporated into national privacy laws, states that any kind of data collection and storage requires consent.
So, if you are using server-side tracking, to comply with data privacy regulations, you should configure consent mode in server GTM, add a compliant cookie banner to your website, and consult with your legal department.
Opt-in consent asks users to actively grant permission for a website to use cookies. Before data is collected, the website user has to choose "Allow," "Allow selection," or "Deny".
That's the most popular type of cookie banner. Unlike an opt-out banner, this one is a GDPR-compliant cookie banner. Moreover, it will comply with other regulations around the globe, such as Brazil's LGPD, South Africa's POPIA, and Thailand's PDPA.
The opt-out cookie banner just discloses the use of cookies. By continuing to view the website, the visitor allows the use of cookies unless they choose to withdraw the permission manually. So, no active action is required to start collecting data.
Opt-out cookie banners will comply with CPRA regulations in the USA. Lately, however, the regulations have become stricter in the US. For example, in California and Virginia, active visitor consent is now required.
To make sure that you comply with consent regulations, follow these requirements:
You should also understand the Consent Mode parameters, since the setup itself depends on them. Although Google has not released official documentation, we have another article on Consent Mode parameters that we wrote based on our own experience.
Google Tag Manager for the web includes a built-in Consent Mode, which you can find in the web container settings. This feature enables tags to adjust their behavior according to the user's consent status.
Native Google tags do not require additional consent checks; however, you will need to manually specify when other tags, such as Google Analytics, Facebook, and TikTok, are permitted to fire.
You'll also need a Consent Management Platform (CMP) to configure Consent Mode. The main role of the Consent Management Platform is to display a cookie banner on your site. Many CMPs are compatible with Consent Mode in Google Tag Manager, and Google provides a list of CMPs that can integrate with this feature.
To integrate Consent Mode with server-side tracking, you need to ensure that user consent is respected on both the client-side and server-side. This involves the following steps:
See our step-by-step guide on how to set up Consent Mode in server GTM.
We have useful articles related to Consent Mode and the GDPR cookie banner:
Cookie banners let users know that you are using cookies and help obtain their consent for data collection. Just adding the cookie banner isn't enough; you need to ensure that it complies with all privacy regulations. Otherwise, you may lose your SEO ranking and, in some cases, receive fines.
An opt-in cookie banner is more versatile than an opt-out banner and will comply with most current laws and regulations. Also, consider switching to server-side tracking (if you haven't done so yet), as it gives you more control over data collection and helps you comply with privacy laws.
Stape has lots of tags for server GTM! Click on Try for free to register and check them all.