Here’s what you need to know about cookie consent — without having to read the GDPR
Navigating the world of cookie consent is super hard. We’ve come across common misconceptions in regards to cookie consent — here are the top 5.
By having a cookie banner, you are GDPR compliant
We hear this a lot. However, cookie banners do not guarantee compliance — no one solution does. A banner must block non-essential cookies until users give active and informed consent.
✅ You need active consent from your users regarding any cookies that are not essential for your site to run. The EU Court of Justice recently ruled that a pre-checked box does not count as active consent. You must provide a way for the user to actively opt-in — instead of leaving them to dig around to find a way of opting out.
This banner has a lot of pre-checked providers here, and it took a while to even find this list to uncheck them.
✅ You need informed consent. You must allow users to understand what they are consenting to before they hit the accept/decline button. It’s important to strike a balance; simply saying ‘we want to set this cookie for user insights’ is not informative enough. However, stuffing your banner full of all possible cookie information does not help inform your users — this is just an overload of text and information that is irrelevant, and not clear:
Preview of some of the cookies Forbes drops — ah yes, AAX Media… so helpful.
This is why at Company, we’ve grouped cookies by type and third-party — a user can then read specific privacy policies for each cookie type, and opt in and out as they wish. This creates a clear, but explicit, user journey.
The Company cookie widget on Farmdrop — they have a bunch of segmented site features that require consent, as well as ‘essential’ which is there for transparency.
My small business only uses essential cookies so I don’t need a banner
You don’t need active consent for essential cookies. But whether it’s a banner or widget, you need to inform your users that these cookies are getting set. Transparency is key.
For example, you may set cookies to keep your users logged in. You don’t need consent for these because they are essential for your site — having to log in every time you visit a new page makes the site seem broken.
☝️ Key question: do you only drop essential cookies? Very few sites only have essential cookies. For example this site uses a few third-parties to provide content such as live chat and a gif (provided by Giphy). Giphy alone drops 12 tracking cookies — these are non-essential, as they’re for advertising.
TrackerTracker results from our example website which uses only seven third-party providers to help the site function, yet drops over 30 non-essential cookies.
We’ve built a public tool, TrackerTracker, which reveals what cookies are dropped as a site loads. If you’re unsure of what your site might be dropping, run it through TrackerTracker — you may be surprised by what you find. As we’ve learned, social sharing buttons, maps, and embedded videos all drop cookies that require consent.
Getting consent for dropping cookies is a one-off thing
Your users are humans and will change their minds. There must be a clear and easy way for them to manage their cookie consent whenever they want, not just upon their first visit to your site.
Make sure to track and store user preferences securely. One day someone might be okay with the cookies dropped by Google Analytics, the next day they might not.
Make it easy for users to change their minds with whatever cookie solution your using, and make it clear in a cookie policy or other easily accessible text, on how to clear cookies from their browser — you can’t delete cookies for them.
User data is only accessed by my business and my third-parties.
You cannot assume that only you and your providers have access to your user’s data. Third-parties can have their own third-party providers — and you can’t control this since you don’t dictate what third-parties your providers use.
This is our cookie widget on the Company homepage — we use Intercom, but they too may have their own third-parties.
For example, at Company we use Intercom to power our live chat. Intercom drops its own third-party cookie (e.g. Google Analytics). That’s why our cookie widget provides a link straight to Intercom’s privacy policy. With this method users are informed of what your third-parties do with user data.
Cookie banners are ugly
This is a fair assumption to make, because a lot of the time cookie banners don’t fit with the look and feel of a website, and they are completely intrusive. But it doesn’t have to be this way.
There are cookie solutions that put design first. Company’s cookie widget does not block content, and is loud enough to warrant attention from the user without being intrusive. It also matches the colour palette of your site, looking and acting native to the site.
Here’s our cookie widget on Pexxi
Georgia Iacovou
Content Writer