Depending on where you're located, cookies should:

1. Be blocked until notifications have launched and consent has been received (GDPR), or
2. Fire at notice or before time of collection (US)

Banner notifications should include detailed information about what data is being collected by the cookies, how it will be used, and whom it will be shared with—in jargon-free language so users can make an informed decision. Using cookie software—and working with a privacy professional to implement it—can help simplify implementation of that requirement.

Step 4: Establish opt-in or opt-out processes

The type of cookie consent you need to obtain varies by law.

Under most US consumer privacy laws, cookies can be set without direct consent from users. Although an assumption of consent is the baseline under the opt-out principle, laws still mandate that customers be given the ability to easily deny cookies as well as refuse the sale of their data to third parties.

GDPR is an opt-in system, in which consent must be "freely given, specific, informed, and unambiguous" through a "clear affirmative action." Since preselected boxes and continued site use do not constitute "clear affirmative action," users must actually click a button agreeing to the deployment of cookies.

Opt-in systems are not required by all laws, but they exceed the standards in opt-out laws and, as a result, they are considered the gold standard in data privacy management. Companies that implement opt-in consent from the start will likely be able to respond quickly and with more agility to the dramatic and rapid changes to consumer privacy laws and best-practices that are common in the current landscape.

Step 5: Link to privacy and cookie policies

It's no secret that cookie banners aren't a particularly popular part of any browsing experience, necessary as they may be. Putting entire privacy and cookie policies into a pop-up banner will turn a banner into a page, making people more likely to ignore it.

Instead, consider including a "Learn More" or "Privacy Policy" button on the cookie banner.

That button should link to not only the company's privacy policy but also a list of all cookies, as well as a more detailed description of the site's cookie settings.

Step 6: Ensure secure storage of consent records

Most experts recommend that companies maintain a record of consent for five years. Those records should be securely stored, but they also need to be easily accessible if a customer files a data subject access request (DSAR) or an individual rights request. They will also be critical to proving compliance in the event of an audit.

Building Your Privacy Cookbook

Dessert is not a meal, and a privacy program needs more than compliant cookie banners to be successful. But learning to bake cookies builds fundamental skills that can transfer to other dishes, and establishing cookie management policies in line with data privacy best-practices will make building out a fully functional privacy program a (ginger)snap.

More Resources on Cookies and Data Compliance

Adapting Marketing Measurement to a Post-Cookie World [Infographic]

Heads Up, B2B Marketers: Data Rights Aren't Just a Consumer Issue

What You Need to Know About GDPR and Data Privacy: Lisa Loftis of SAS Talks to Marketing Smarts [Podcast]