Set up a cookie notification banner

With the Editor's cookie notification feature, you can set up a fully compliant cookie message and collect the type of consent required by your local or regional privacy framework - and you can enable the visitor to withdraw that consent again at any time.

Cookies are small files that a website sends to your browser when you visit a website. Your browser stores the cookies on your computer/device. Some cookies are essential for the website to function properly and are often referred to as strictly necessary cookies. Others, such as marketing cookies, track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad.

Many privacy laws around the world stipulate that website visitors must be notified about a website's use of cookies and must be able to provide consent before those cookies load.

Which cookies load on my website?

A website built in the Editor load a number of cookies by default in order to make the website function smoothly and to be able to generate visitor statistics on your Editor dashboard.

When you add content on your website, for example Social media modules or content embedded through HTML, be aware that you may also be loading third-party cookies and will need to describe these in your cookie/privacy policy.

The following cookies load by default:

Strictly necessary cookies

These cookies are essential for visitors to be able to browse the website and use its features. None of this information can be used to identify visitors as all data is anonymized.

• Site session
  Purpose: To remember different visitor preferences on the website.
  Duration: For duration of browser session.
• Preferred language
  Purpose: To be able to provide the website in the visitor's preferred language (if the website contains multiple languages).
  Duration: 1 year.
• Currency
  Purpose: To be able to show prices in the currency matching the visitor's preferences.
  Duration: 30 days.
• Google Recaptcha
  Purpose: To be able to validate whether the visitor is human and to limit the amount of spam from contact forms.
  Duration: 1 year.
  Provider: Google.

Third-party cookies

These cookies collect information about how visitors use the website, like which pages they've visited and which links they've clicked on. None of this information can be used to identify visitors as all data is anonymized.

• ga 
  Purpose: Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
  Duration: 1 year.
  Provider: Google.
• git
  Purpose: Used to throttle request rate.
  Duration: 1 year.
  Provider: Google.
• gat
  Purpose: Used by Google Analytics to throttle request rate.
  Duration: 1 year.
  Provider: Google.

Enable cookie banner and select a consent type

To activate a cookie notification banner in the Editor, navigate to Settings > Cookie notification.

Tick the box Enable info-bar on your site in order to display the banner on your website.

Consent type

Your cookie notification banner can have three different behaviors, each determining when cookies are loaded and which actions the visitor is able to take.

1. Users will be informed that the website uses cookies: both strictly necessary and third-party cookies/scripts load immediately when the website opens. The visitor sees your cookie notification message and can click an "OK" button but doesn't get any option to provide consent prior to loading cookies. 
   
   
2. Users should opt-out if they do not wish to have cookies enabled: both strictly necessary and third-party cookies load immediately when the website opens. The visitor sees your cookie notification message and can click either an "Accept all" button to continue loading all cookies, or untick the Third-party cookies category and click an "Accept selected" button to stop loading third-party cookies/scripts. Strictly necessary cookies will still remain even if the visitor unticks Third-party cookies and clicks the "Accept selected" option.
   
   
3. Users should opt-in for cookies to be allowed: only strictly necessary cookies load immediately when the website opens. Third-party cookies/scripts do not load. The visitor sees your cookie notification message and can click an "Accept all" button to also load third-party cookies/scripts, or click an "Accept selected" button to continue loading only strictly necessary cookies.
   

Placement

In the section Info-bar position, decide if you want the banner to show and the top or bottom of your website.

How are third-party cookies blocked?

The only reliable way to effectively ensure that third-party content isn't setting cookies is to block the loading of external script on the website. Technically, this means that we scan your website for any scripts with an "src" attribute pointing to an external domain and block those scripts from loading until the visitor has consented to loading third-party cookies (only applies if you are using Consent type 3). That way, visitors can be absolutely sure that no third-party content loads - and potentially sets cookies - prior to their consent.

Whitelisting scripts and domains

As mentioned above, all third-party scripts on the website are blocked from loading until the visitor consents to loading them (only applies if you are using Consent type 3).

If you would like to load certain scripts without first receiving consent from visitors, you can do so by whitelisting either individual scripts or domains. Be aware that, once whitelisted, these domain/scripts load immediately when then website opens. In other words, they load in the same manner as your website's necessary cookies. 

If you decide to whitelist scripts/domains, you are liable for any legal consequences it may entail. Note that the scripts/domains you whitelist may be setting cookies on your website.

How to whitelist individual scripts

You can whitelist a script by adding a data attribute to the script tag (in the HTML module, Global HTML, or wherever you have pasted the script in question).

A script tag usually looks like something like this:

<script src="//example.com/script.js">

That script gets blocked because it references an external domain.

However, if you add a data-noblock attribute to the script, we won't block it and it will load when the website opens.

<script data-noblock src="//example.com/script.js">

How to whitelist domains

Instead of whitelisting individual scripts, you can also whitelist domains. A whitelisted domain will allow all scripts referencing that domain to load on the website.

To whitelist a domain, type in the domain name in the section Whitelisted domains without "https://www." in front. Make sure to add only one domain per line.

Cookie notification content

We have already written all the texts on the cookie notification banner for you and translated them into all supported languages.

The cookie notification banner contains a "More details" link which you can decide where to point to, for example your website's privacy policy page. In the Editor, choose the link destination from either an internal page, an external page, or an overlay.

If you select Overlay, you will see two additional input boxes where you can add a headline and body text that appears in an overlay when visitors click the "More details" link.

Example of cookie policy placed in an overlay:

Multiple languages

If you offer your website in multiple languages, you can add a text on the overlay in each of your languages. Switch through your languages by clicking on the language selector in the interface.

Enable visitors to withdraw consent

Many privacy laws stipulate that the visitor must have the option to take back (withdraw) a previously given consent to cookie. This can easily be set up in the Editor.

Scroll down and tick the box Enable cookie opt-out option.

After publishing your website, visitors will now see a small tab in the bottom-left corner of the website that appears when they are scrolling down any page and are approaching the bottom of the page. Upon clicking the tab, they are presented with a banner where they can click a Withdraw cookie consent button.

When a visitor clicks the button, the consent to loading third-party cookies is taken back and those cookies will no longer load. Strictly necessary cookies still remain. 

The next time the visitor visits your website, the cookie notification banner will show and they can re-select their cookie preferences.

Retrieving documentation of visitor consent

Some privacy laws require digital service providers to keep a record of any type of data that was submitted on a website and when it was submitted. This also includes consent to cookies. 

In other words, every time someone accepts cookies on your website, proof of that consent must be stored so that it can be retrieved in the unlikely event that the visitor requests documentation that he or she did in fact consent. The visitor has the right to request this according to certain legal frameworks such as the GDPR's right to transparency. 

Consent information is stored on our servers and we'll be able to retrieve it on request. In order to match a consent with a specific visitor, we add a 32-digit universally unique identifier (UUID) to each consent provided.

If a visitor requests proof that they consented or withdrew a consent to cookies, you can ask them to locate this UUID and send it to you. You can then pass it on to us so we can look it up in the consent database and provide proof of consent.

Where do visitors find the UUID?

After having accepted or acknowledged cookies, visitors will see a small tab in the bottom-left corner of the website that appears when they are scrolling down any page and are approaching the bottom of the page. Upon clicking the tab, they are presented with a banner where they can see their unique UUID.

Customizing the cookie notification elements

Both the cookie notification banner and the consent withdrawal tab are pre-designed and cannot be styled differently. The texts on the cookie notification banner and consent withdrawal tab are also pre-defined and cannot be changed. They have been translated into all supported languages.