It’s Time to Talk About Cookie Banners

Cookie consent banners are ubiquitous but many sites are going about them all wrong.

Before the GDPR burst onto the scene in 2018 and sent the website world reeling, cookie consent banners weren’t all that common. In this post-GDPR world, almost every website has a banner that appears at the bottom of a user’s screen. Yet even though most businesses now know about them, it’s astounding how frequently these cookie banners are incorrectly configured. This article will clear up some misconceptions about cookie consent banners. We’ll tell you what’s required and what’s not, and what good and bad examples of cookie banners are.

What is a cookie banner?

For the uninitiated, a cookie banner or “cookie consent banner” is a notification on a website that tells users that the website uses cookies. Cookies can be used for a variety of reasons. Some serve a functional purpose on a website and are required for a website to function correctly. Cookies are also used for analytical purposes so websites can effectively see traffic activity on their website. And some cookies serve marketing purposes, which can be used in many different ways.

So, the cookie banner will typically pop up on the bottom of a user’s screen when they load a website. And this banner tells the user that this site uses cookies. However, the full purpose of the cookie banner goes beyond just a simple notification, and that’s what many websites are getting wrong. And perhaps this stems from a misunderstanding over why these banners exist at all.

A cookie banner from a guitar maker's website
An example of a cookie banner that notifies visitors that this website uses cookies.

Cookie banners’ origins and purpose

Cookie banners existed long before the GDPR. Europe introduced an “ePrivacy Directive” in 2002 which stated that websites needed to inform users that their website used cookies and to obtain their consent to pass them to users’ browsers. And so the banners began to appear. And we have been seeing some version of these banners ever since.

However, when the GDPR came into effect, the cookie consent banner fully entered the public consciousness. Businesses and website owners scrambled to add the banners to their sites. But many of them interpreted the notion of “consent” very liberally. And as such, you would frequently see banners like the one in the screenshot above. But the GDPR very clearly defines what constitutes consent. A banner that tells users that by using the website, they consent to the use of cookies does not fly under the terms of the GDPR. Instead, users must have the ability to reject any non-essential cookies, and consent must be explicit and opt-in. This might not seem like that big of a deal on the surface, but the repercussions of this requirement are massive.

The impact of cookie consent requirements on websites

When you break down the above requirements spelled out in the GDPR, it becomes clear just how impactful this is from the perspective of a website owner. Previously, unless you modified your browser settings to reject cookies, you would receive whatever cookies a website decided to pass through to your browser. Some websites would pass a dozen or more cookies to a user’s browser.

Some might be functional cookies that remember the pages a visitor has seen within the website so they can easily pick up where they left off when they come back. Or if there’s a login component on the website, cookies would be used for that. Then there’s the analytics side of things: cookies are used to track user activity, even largely anonymized activity. And then there’s the marketing side. When you check out a product on a website, and then see a banner ad for that product somewhere else on the web…cookies.

Login cookies and certain functional cookies are necessary for people to effectively use a website. So a user must automatically accept those cookies. But according to the GDPR, those analytics and marketing cookies are not only optional but they are opt-in. That means that no users will receive those cookies unless they specifically check a box, toggle a switch, etc., that says they want those cookies. And who is going to say, yes, please track me and my browsing behavior? Not many people. And thus began the creative banner designs.

Creative Compliance

Since the GDPR requires that website visitors actively opt in to receive cookies from a website, websites are finding creative ways to accomplish this. Essentially, websites are setting up cookie consent banners in ways that compel users to accept cookies. But let’s start with a couple of examples below that don’t do that:

Cookie consent banner from Microsoft that displays to European web users

This example from Microsoft is very straightforward. It clearly explains that they use cookies and for what purpose. And they then provide an ‘Accept’ button, a ‘Reject’ button, and More options. Nobody is really trying to sway you one way or another here. But odds are, most users will probably hit the Reject button.

Cookie consent banner from the Guardian

The Guardian pleads the case for accepting cookies a bit more than Microsoft does. But they still make it very easy to reject cookies outright. The yes and no buttons are given equal visual weight. And the no button is even polite about it. So users won’t feel bad about rejecting cookies.

Now for an example that more actively encourages the user to accept cookies. The banner below from TeamTalk presents two options – “Agree and proceed” or “Manage Options.” The Agree button is green with an outline around it. Everything is encouraging you to press that button. In a case such as this, a visitor will be far more inclined to click the Agree button than in the previous examples. Users just want to get to the content. They don’t want to configure options. That’s why this is the sort of thing that you’re seeing more and more of these days, particularly for websites that must be GDPR compliant.

Cookie consent banner from the TeamTalk website

There are a number of other examples of websites that have taken some creative liberties with cookie consent banners. This is all so website visitors will consent to accepting cookies. But let’s not lose sight of the fact that the reason the GDPR exists is to protect consumers’ privacy. So, rather than finding creative ways to skirt the law, perhaps there are ways to accomplish business goals without weakening consumer protections.

It’s more than just a banner

Many businesses don’t have a clear idea of how cookies are transmitted, and some banner providers have taken advantage of this. Some services tout banners that you can easily add to your website. And that is true. Adding the banner is generally a very simple process. But the banner by itself does nothing. And they don’t always tell you that. The most difficult part of the cookie consent process (from the perspective of a website manager) is controlling the cookie behavior. By default, if someone goes to your site, the website loads and all of the cookies are passed to the user’s browser. But with the options indicated by the cookie banner, the website must be able to block certain cookies for certain users based on their choices.

Block until accepted

As noted above, the GDPR states that cookies must be opt-in. This means that when a user comes to the website, no cookies (except for essential cookies) will pass to their browser until the user accepts them. This is easier said than done. This is why some sites opt to prevent any usage of the website until a user interacts with the banner. The user doesn’t necessarily have to accept cookies, but they do need to state their preferences before they continue to use the website.

Cookie Categorization

Categorizing cookies is the other big piece that many people don’t consider. We’re used to seeing these banners that offer the ability to accept some types of cookies and reject others. Well, in order to do this, the cookies must be categorized in a way that a website can group them and accept or block them based on a user’s selections. There are services that can automatically categorize cookies. But that works only for known cookies. If the cookie is unknown, then someone must manually assign it to a category.

Storing preferences

Almost all data privacy laws state that users can request the information that a website gathers about them. Whether a user says that a website is allowed to deposit cookies or that it is not, the website must have a record of that selection. Additionally, if the user wants to change their preferences, the website needs to be able to find that data so they can change it.

For all of these reasons, we’d recommend working with a data privacy organization that can effectively set up and manage all of this. Though there are a number of services that provide these cookie consent and data privacy services, two that we’d recommend are OneTrust and TrustArc. Both offer many services, so be sure you’re selecting the one that best suits your needs.
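The three pieces described above (blocking until accepted, cookie categorization, and stored preferences) fit together as in the following added example, which is not from the original article or from any consent vendor. The cookie names, the `CATEGORY_MAP` inventory and the `ConsentGate` class are hypothetical, and the inventory is constructed sample data.

```javascript
// Added example; every name below is hypothetical, not a vendor API.
const ESSENTIAL = "essential";

// Constructed cookie inventory: cookie name -> category.
const CATEGORY_MAP = new Map([
  ["session_id", ESSENTIAL],
  ["page_views", "analytics"],
  ["ad_retarget", "marketing"],
]);

class ConsentGate {
  constructor(categoryMap) {
    this.categoryMap = categoryMap;
    this.current = new Map();        // visitorId -> Set of granted categories
    this.history = [];               // append-only record of every selection
    this.uncategorized = new Set();  // cookies awaiting manual categorization
  }

  // Store the visitor's banner selection; essential cookies are always included.
  recordChoice(visitorId, grantedCategories, when = new Date()) {
    const granted = new Set([ESSENTIAL, ...grantedCategories]);
    this.current.set(visitorId, granted);
    const record = { visitorId, granted: [...granted].sort(), at: when.toISOString() };
    this.history.push(record);
    return record;
  }

  // Opt-in rule: a non-essential cookie is blocked until its category is granted.
  maySet(visitorId, cookieName) {
    const category = this.categoryMap.get(cookieName);
    if (category === undefined) {
      this.uncategorized.add(cookieName); // unknown cookie: block and flag it
      return false;
    }
    if (category === ESSENTIAL) return true;
    const granted = this.current.get(visitorId);
    return granted !== undefined && granted.has(category);
  }

  // Filter the cookies a page wants to set down to those this visitor allows.
  allowedCookies(visitorId, cookieNames) {
    return cookieNames.filter((name) => this.maySet(visitorId, name));
  }

  // Look up what a visitor selected, e.g. for a data request or a change.
  recordsFor(visitorId) {
    return this.history.filter((r) => r.visitorId === visitorId);
  }
}
```

On a real site the same decision has to be applied before analytics or marketing scripts are loaded, since those scripts set their own cookies.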

Cookie consent laws in the US

Thus far, we’ve largely been discussing the data privacy and cookie consent laws in Europe. This is because the GDPR has the strictest and most explicit rules about cookies. So what about US data privacy laws? What do they say about cookies and cookie banners? First, there is no federal data privacy law in the United States. In the absence of a federal law, 20 US states have passed their own data privacy laws. None of the state data privacy laws explicitly tackle cookies.

Instead, the US data privacy laws require businesses to disclose what data they collect from users. They also state that users/customers have the right to request the information that a business may gather about them, as well as the right to request that the business delete that information. But there is no provision about the usage of cookies and whether users can refuse them. This is good news for US businesses because they can avoid what has become a fairly burdensome process for European businesses.

Many businesses are opting to employ cookie consent banners anyway, though. Why? Well, for one, giving your users the option to opt out of accepting cookies instills a certain level of trust in a business. Customers may feel that this business cares about doing the right thing and protecting their customers’ privacy. The other benefit to businesses that utilize cookie consent banners is that many of these banners come with the back-end support of companies who manage the data collection process. What I mean by that is that when a user visits the website and interacts with the cookie banner, their selection is logged into a database. So, should a user come back and ask for the data that the business has collected on them, they have a straightforward means to obtain that data.

Cookie banner or no cookie banner?

For the reasons stated above, we’d recommend that companies who are not exempt from data privacy laws employ a cookie consent banner on their website. Even companies who are exempt should consider adding a cookie consent banner to their website. And if you’re not subject to the GDPR, your banner can be an opt-out, meaning that users will receive cookies unless they specifically request to opt out.

But let’s go back to the first banner example in this article. Banners that are simply notifications that the website uses cookies are not useful. They don’t comply with any specific laws and they don’t offer any level of control to a user. At best, they are moderately informative. At worst, they are an annoyance that disrupts the user experience. So, either go with no banner or go with a banner that actually does something useful.
