Cookie Consent Guide for Sites and Apps

If you operate a website or app, you probably use cookies or other storage technologies to offer people a better user experience, understand what kinds of visitors use your service and show them more relevant ads. In many instances, you are required to obtain consent from people before using these technologies.

We created this page to help digital publishers like you find resources and tools that may help you meet consent requirements.

For information about how Facebook uses cookies and other storage technologies, click here.

Note: We recommend that you conduct your own research about consent requirements and talk to a lawyer about what's best for your organization. Keep in mind that laws and guidance relating to the use of cookies and online collection of information vary by region and continue to evolve.

What this guide covers

European data protection regulators have published guidance for online publishers about obtaining consent before using cookies or other storage technologies to collect information about the people who visit their sites or use their apps. Outside of the EU, other laws and rules may require you to provide notice and obtain consent to collect and use data from your site or app.

The EU guidance outlines four main requirements for consent:

  1. Specific and based on appropriate information
  2. Given before using cookies or other storage technology to collect information
  3. Unambiguous
  4. Freely given

Examples of publishers who might need consent:

  • A retail website that uses cookies to collect information about the products people view on the site in order to target ads to people based on their activity on the site
  • A blog that uses an analytics provider who uses cookies to capture aggregate demographic info about its readers
  • A news media website that uses a third-party ad server to display ads, when the third party uses cookies to collect information about who views those ads
  • A Facebook advertiser who installs the Facebook or Atlas pixel on its website in order to measure ad conversions or retarget advertisements on Facebook

Note: Some uses of cookies are exempt from consent requirements. Read the European regulator’s guidance on exemptions here.

There are many different ways for publishers to obtain consent. Common approaches:

  • Displaying a prominent message when a page loads for the first time (this is usually called a “cookie banner”) and informing users what action to take to consent
  • Obtaining consent from users during a registration flow (where users have to create an account and accept terms before using the website or app)

There are many vendors and industry tools that can help you build cookie functionality. You can find some of these through an internet search for cookie consent tools (and similar topics). Also check out the European Commission’s Cookie Consent Kit.

These types of tools all work in different ways. The best choice for your website or app depends on many things, including the particulars of your offering, the reason you’re using cookies or similar storage technologies, and the laws that apply to you.

Once you select a solution that's right for you, we recommend seeking help from an experienced developer and legal counsel. It's important to make sure the controls you provide work correctly.

What Information To Provide

Websites and apps should display a clear and concise statement up-front, with a link to their privacy or cookie notices for more detail. IAB Europe, a trade organization for digital business and advertising, provides this sample text that might be appropriate for you, depending on your practices:

“We use technologies, such as cookies, to customise content and advertising, to provide social media features and to analyse traffic to the site. We also share information about your use of our site with our trusted social media, advertising and analytics partners. [See details – link to your privacy policy.]”

In your notice, you’ll need to figure out whether to include more information such as:

  • Additional information about the specific third-party technologies you use (if any), including Facebook
  • The purposes for which you and/or third parties collect information (for example, advertising purposes)
  • Any opt-out controls you or those third parties provide

Decide what action a user must take to consent. These are a few popular ways that websites and apps do this:

  • Navigating beyond a banner or notice
  • Dismissing a banner or notice
  • Clicking on an “I agree” button

You’ll need to communicate to users that by taking this sort of action, they are consenting. The EU regulator’s cookie guidance contains useful advice on how to do this.

Offering Choice

There are many ways to provide choice to users. Here are some options:

  • Provide your own opt-out that disables advertising-related uses of data collected from cookies
  • If you use third-party plugins or pixels, link to the third parties' privacy policies or consent mechanisms
  • Point users to browser or device controls that may block cookies or limit ad tracking
  • Use an industry resource that provides cookie choices, like the tools provided by the DAA, DAAC & EDAA

Not all of these or other options will suit your needs. Again, what works for you depends on the specifics of your website/app, what countries it is accessible from, and how you use cookies or other storage technology.

Other Resources

IAB Europe Guidance:

EU Regulatory Resources:

Country-Specific Regulatory Guidance:

Facebook Privacy Links:

Note: Facebook can’t guarantee that these resources are up-to-date or completely accurate.