Cookie Consent Resource

The purpose of this guide is to share general context and resources to help our partners meet cookie consent requirements. Laws and guidance relating to the use of cookies and online collection of information vary by region and continue to evolve.

Facebook cannot provide legal guidance on compliance with regulations and policies. We recommend that you conduct your own assessment about consent requirements and talk to your Legal representative about what's best for your organization.

About Cookies

Cookies are a form of technology usually consisting of small pieces of text that can be used to store on or access a user’s computer, mobile device, or other electronic devices. Cookies may be used for a number of purposes, such as remembering the choices or preferences of a user on a website, supporting user login, or analyzing traffic to a website. Other technologies, including data stored on web browsers or devices, identifiers associated with a device, and other software, may also be used for similar purposes. We refer to all of these technologies as cookies. To learn more about how and where we use cookies across our Facebook products, read our Cookie Policy.

Evolving Regulation

Regulatory expectations on requirements for collecting and sharing personal data have continued to evolve and guidance from Data Protection Authorities have further clarified expectations around how cookies and online collection of personal data is obtained. This can be seen through European laws, such as General Data Protection Regulation (GDPR) and Europe’s ePrivacy Directive.

The ePrivacy Directive contains specific requirements governing the use of cookies and similar technologies (briefly summarized below). We strongly recommend that you familiarize yourself with these requirements and seek any specific legal guidance where necessary.

Requirements

You must obtain user consent before setting/reading cookies or other trackers for any purposes that are not strictly-necessary or otherwise exempt;
You must provide the user with clear and comprehensive information about the use of cookies.

The EU legislation is often supported by national regulatory guidance issued by Data Protection Authorities. These guidelines provide useful information as to how you can ensure you comply with the law. Some of the common expectations are highlighted in the next sections to follow, with a few examples of recent guidance that have been published at a national level.

This list is not exhaustive. We recommend that you contact your local Data Protection Authority and/or Legal adviser for further details of any specific guidelines that may apply to you.

The standard for securing valid consent under the EU legislation is high.

For consent to be valid, it must be:

Freely given — The user has a genuine choice.
Specific and informed — You must explain who is using the cookies, the purposes for which cookies are being used, and that the individual has the right to easily withdraw consent at any time.
Unambiguous and affirmative — The consent moment involves a clear and positive action, such as physically clicking on an opt-in box to indicate consent.

You should consider carefully how you secure consent from a user to ensure that you meet the necessary requirements under EU law and to avoid the risk of consent being deemed invalid.

Cookie Banner with an “I agree” Button

You need to decide what affirmative action a user must take to consent, such as clicking I agree in a banner or splash screen that includes specific information as described below.

Consent should be requested prior to setting/using cookies that are not strictly necessary.

You must communicate to users that by taking the relevant action, they are consenting. EU regulators’ cookie guidance contains useful advice on how to do this.

Information to Include

Websites and apps should display a clear, concise, and comprehensive statement upfront, with a link to their privacy or cookie notices for more detail. The link should be easily readable text and undisrupted by other features on the page.

In your notice, you’ll need to decide how to include more information, such as:

Accurate and specific information about the purposes for which you use cookies and similar technology, and their duration, in plain user-friendly language
Any additional information about the specific third-party technologies you use (if any), including Facebook, and the purpose of these technologies
Information that explains how the user may reject non-necessary cookies, or to understand more information about the use of cookies
Any granular controls for non-essential cookies you or third-parties provide.

There may be tradeoffs between being concise and specific: you may consider two layers of information. Consider an explanation within the cookie consent banner itself, linking to a fulsome explanation in a Learn More section or cookie policy. This is a commonly used practice to provide sufficiently clear information to users.

Offering Options to Disable Cookies

It is generally expected that it must be as easy to withdraw consent as to give in the first place.

Provide your own control that disables the setting or reading of cookies that are not strictly necessary, including advertising-related cookies.
For third-party plugins or pixels, provide access to the third parties' choice mechanisms, where available.
Use an industry resource in your region that provides cookie choices, such as the tools provided by the Digital Advertising Alliance (DAA), The Digital Advertising Alliance of Canada (DAAC), and European Interactive Digital Advertising Alliance (EDAA).
Consider the requirement that consent is demonstrable and review how you document and store consent received from users.

The controls described above are not always considered sufficient by regulators; therefore, we recommend that you consult with your Legal team. Further, not all of these or other options will suit your needs. Your solution depends on the specifics of your website/app and how you use cookies or other storage technology.

Help with Consent Functionality

There are a number of vendors and industry tools that can help with consent functionality. For example, consider working with a Consent Management Platform (CMP) provider, such as OneTrust or TrustArc.

This list of CMPs have registered with the IAB Transparency and Consent Framework.

This list is not exhaustive of all CMPs available, nor does adopting any of these CMP’s guarantee compliance.

Once you select a solution that's right for you, we recommend seeking help from an experienced developer and Legal counsel. It's important to make sure the controls you provide work correctly.

Learn More — Other Resources

Examples of guidance on cookies and similar technology:

We have also published resources to help businesses educate people about the data they collect: