The great Cookie Pop-up debate rumbles on. And on into 2024. A bit like Brexit, no one is talking about it, and people are surprised by bad decisions coming down the track. GDPR and privacy for consumers is a good thing. But cookie policies and, most of all, annoying pop-up rules are poorly defined and lead to confusion among companies and consumers. This article hopes to explain what we think you should do about it. Feel free to jump directly to our cookie pop-up manifesto.
This article has been continually updated since 2020. Last update September ’24.
A problem with GDPR Definitions
In this rather good article: We need to fix GDPR’s biggest failure: broken cookie notices in Wired online, there is a call to arms to the regulators to fix this problem.
And we could not have put this better ourselves either:
The real problem is that the otherwise good EU GDPR rules are weak for cookie consent, and they are [still] not fit for purpose. The popups that crowd your browser on each site, often on every visit, are supposed to offer you the sense of control. But actually most consent popups on most websites offer zero control. Instead they just crowd your browser and annoy your customers. This is getting better in that sites are getting ever bigger popups which do give control.
Most sites have Google Analytics and/or other tracking, which most of the time is anonymous [1], with your last visit time, and other data stored on your computer as a cookie. To most people this data really should not cause any harm. Most sites do not use much beyond this anonymous tracking. If you are on a harmless site, like this one, you should have enough trust signals to know that your data is being taken seriously. If you are on a dodgy one then you are unlikely to get cookie consent popups and you would assume data is being used nefariously [3].
Therefore the spread of the humble cookie consent pop-up we think relies on a lack of understanding from the public, from clients and especially their legal departments.
Cookies are not bad. They are part of how the web works and have been around for decades. Storing information about your visit, or your interactions is not an unreasonable assumption for most websites.
Active vs reporting cookie consent banners
There are two types of Cookie Consent. The first does not allow any sort of storage of any kind unless that consent button is clicked. These are good, if they work properly (ie they really don’t track anything until you consent).
The second is the more pervasive, whereby the cookie consent button is merely an acknowledgement. In other words your browser is recording anyway and the “OK” button is merely a notification. The latter is preferable to marketers, as they want as much data as possible. The former, zero-storage solution is equally good, although every site will have at least some cookies that need to be set no matter what. The https://www.gov.uk/coronavirus site, for example, stores a cookie for the obtrusive cookie banner. Most WordPress sites store session data from the off, to make pages run faster.
We hate Cookie Consent popups largely because they are non-standard, and this is especially so when it comes to the reporting (this is merely a notification of our cookie use) variety. There are a number of reasons for this mild ire:
- Firstly, that consent button actually requires its own cookie to be stored on your machine – which seems to us a bit silly.
- Secondly, even without cookies the site, the server and other third party aspects (for example that nice TrustPilot widget) are undoubtedly tracking your movements, as are your browser plugins. Every time something is served to a user it must be served from somewhere, and that server likes stats. In other words data is here to stay.
- Thirdly, when previously using Hotjar we have seen anonymised recordings from some of our site visits. And it is clear from these, and watching other people like our own families browse the net, that most users ignore the pop-up consent bars completely. From a designer’s perspective this negates the user experience we have built up and gets in the way of user journeys. From Google’s perspective it destroys your CLS site speed indicators too [4]. Marketeers will automatically switch off those consent banners. Your customers do not. This is especially concerning on mobiles. Hence the rise of very large blocking popups that you have to interact with.
- Fourthly, and this is a minor one, when something changes (like new hosting or in some cases a new publish) those cookie consent cookies will be reset. The same goes if a customer jumps to a different device like their phone. Meaning they get annoyed that they have to click that pop-up again.
What changed in 2023?
In many ways nothing at all – we are still having this debate. But in other ways a lot. The big change was the move away from Universal Analytics to GA4 and away from 3rd party cookies in general. One of the big ideas behind GA4 is to make it more GDPR compliant and to move to first-party cookies rather than third-party. And this, in turn, means we should or could be serving standard GA4 under the legitimate interests category. And updating our policies, and cookie popups, to match.
Google clearly think that moving to first-party cookies is fine and does not require extra consent. BUT according to the ICO documentation anonymous cookies also need to be notified.
What next for 2024?
The industry is looking to the ICO to see what is next. Watch this space!
As of September 2024 there has been pretty much radio silence, but there is a new EU directive imminent.
But while we all wait, the browser technology itself has been changing to remove many 3rd party cookies entirely. See for example, from January: https://gizmodo.com/google-just-disabled-cookies-for-30-million-chrome-user-1851137998. This maps to what should be one half of the solution, which means we do not need cookie popups…
So what is the solution?
As we say, we have no problem at all with the zero-storage-until-clicked method – it is the right thing for certain categories of business. One solution is by law to make this method mandatory – one method for all and standard popups everywhere. But this solution says that a major bank is equivalent to a one-man band, one-page plumber site. This is also most legal departments’ view of things for bigger companies.
Or even to have one cookie that accepts all Google Analytics per browser, not per site. The same goes for Hotjar or any other provider. This essentially is what your browser security preferences do anyway. Remember it is legally the site that is recording the data, but in actual fact the data is being saved by Google etc.
But the vast majority of sites out there are the notification only. And we are guilty of this too for many of our sites.
Or, to not use a cookie consent pop-up at all.
And this, rightly or wrongly is what we have done here. Check the footer of this page to see our cookie notice. If those cookie consent popups give no aspect of control, just get in the way, use more cookies and most of all don’t help anyone, then let us instead just place a nice notice at the bottom of every page with clear links to privacy policy documents and terms of use. The privacy of a user should remain at the browser level as it has been for many years. The user sets the permissions they are comfortable with at a macro level. Then for specific sites they still have control in the settings of their browser.
In other words if popups just give no control, nor sense of control, then do something different.
The myth of privacy
We had a long-time client who were surprised that their recently turned-on, paid LinkedIn campaign was not tracking, when their own compliance department insisted on no tracking until an accept-cookies button was clicked. These leads and the campaign therefore were missing attributions, and the campaign failed. We are, I am sure, not alone. They were of course warned this was going to happen. Stats have gone through the floor as well as page speed (as the popup changes half the pixels on the page, the CLS metric suffers).
The irony remains that the great British public leave their digital footprint all over the place but some companies are not willing to have even basic traffic attribution.
WordPress as part of the problem?
We create and manage a lot of WordPress sites, big and small. As you might imagine there are many different solutions in terms of plugins, themes and extensions. Clearly every WordPress site looks and feels very different. But we think WordPress is in an ideal position to standardise the way that cookies should work. Bringing a solution into the core might be a good first step, just as they did with a default privacy statement.
There are other big players looking to solutions in an ad-hoc way. Cloudflare have also been looking into this problem and have Zaraz for loading in tracking codes. So far it’s not as fully featured as Google Tag Manager for serving scripts but it does have a consent module which does seem to work. Tag Manager itself does have consent modules but doesn’t have a unified cookie popup solution. Perhaps they should.
Image copyright from the most wonderful Slava Shestopalov
What does GDPR Law say about cookie Consent?
Let us dive into the specific wording of the regulations.
The rules on cookies are in regulation 6.
The basic rule is that you must:
- tell people the cookies are there;
- explain what the cookies are doing and why; and
- get the person’s consent to store a cookie on their device.
Regulation 6
(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment—
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
[(b) has given his or her consent.]
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
[(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.]
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information—
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Note: the square-bracketed text marks amendments to the original.
It’s all about definitions. Nowhere in Regulation 6 does it say you need a popup window. Nowhere does it say HOW the user has given his or her consent. A browser-based solution is just as valid as a popup.
While we are in messy legal jargon, according to GDPR laws the company defines what is strictly necessary. So one might decide that Google Analytics is 100% necessary to their operation; others will not.
It does not mention anything about first or third party cookies either – this lives in a discussion on the ICO website.
Our recommendation
or perhaps a
Cookie consent pop-up manifesto
- Keep It Simple Stupid (KISS) - If your user does not want to be tracked they can use their browser to disable cookies and tracking (per site or for all).
- Turn on (track) all site-specific cookies – otherwise known as functional or strictly necessary – by default, as soon as the user hits the page.
- Keep all first-party cookies, including GA4, in this functional group.
- Choose whether to load 3rd party cookies later on or from the start, i.e. the user choice as defined by you as the site owner. These are harmless, so we advise leaving them all on.
- Keep an always-available preference centre so that users can choose what to track, or direct users to their browser settings.
- Let users know the score: have as small a cookie banner as possible with links to your policies, or, better still, a note in the footer.
This last point is very important. GDPR is all about privacy but leaves, for now, the tracking decisions up to the business. What is frowned on is not letting users know your intentions and policies.
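To make the manifesto concrete, and to show the difference between the “active” and “reporting” banner types described earlier, here is an added example of a consent-gated tag loader. It is not the article’s code or any plugin’s; the category names, tag ids, cookie name and the script URLs are assumptions (the GA4 measurement id and the third-party URL are placeholders). Functional and first-party tags load immediately, user-controlled third-party tags load only when the stored preference (or the site default) allows it, and a browser-level opt-out signal (Global Privacy Control or Do Not Track, read from `navigator`) is honoured in the spirit of Regulation 6(3A). The preference itself is stored in one cookie, which is the article’s first objection made visible.

```javascript
// Added example (not the article's code): a minimal consent-gated tag loader
// built on the manifesto's categories. Names and URLs are assumptions.

// Category policy. "functional" covers strictly-necessary and first-party
// cookies (the article puts GA4 here) and is always on; "thirdParty" is the
// one the user can turn off, with the site owner choosing its default.
const CATEGORIES = {
  functional: { defaultOn: true, userControlled: false },
  thirdParty: { defaultOn: true, userControlled: true },
};

// The stored preference itself needs a cookie (the article's first objection).
const CONSENT_COOKIE = 'site_consent';

// Constructed tag registry. Each tag declares the category that gates it.
const TAGS = [
  { id: 'ga4', category: 'functional',
    src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER' }, // placeholder measurement id
  { id: 'linkedin-insight', category: 'thirdParty',
    src: 'https://third-party.example/insight.js' },                   // placeholder URL
];

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read stored preferences; a missing or malformed cookie falls back to the
// site defaults, so a first visit behaves exactly as the manifesto says.
// Only user-controlled categories can be overridden from the cookie.
function readConsent(cookieString) {
  const consent = {};
  for (const [name, rule] of Object.entries(CATEGORIES)) consent[name] = rule.defaultOn;
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return consent;
  try {
    const stored = JSON.parse(raw);
    for (const [name, rule] of Object.entries(CATEGORIES)) {
      if (rule.userControlled && typeof stored[name] === 'boolean') consent[name] = stored[name];
    }
  } catch (_) { /* malformed cookie: keep defaults */ }
  return consent;
}

// Apply browser-level signals. Regulation 6(3A) says consent may be signified
// through browser controls, so a Global Privacy Control or Do Not Track
// signal is treated as "no" for every user-controlled category. Functional
// cookies stay on regardless (strictly necessary, Regulation 6(4)(b)).
function resolveConsent(stored, signals) {
  const optOut = signals.globalPrivacyControl === true || signals.doNotTrack === '1';
  const result = { ...stored };
  if (optOut) {
    for (const [name, rule] of Object.entries(CATEGORIES)) if (rule.userControlled) result[name] = false;
  }
  return result;
}

// Serialize the user-controlled choices for Set-Cookie / document.cookie.
function serializeConsent(consent, maxAgeDays = 365) {
  const stored = {};
  for (const [name, rule] of Object.entries(CATEGORIES)) if (rule.userControlled) stored[name] = consent[name];
  const value = encodeURIComponent(JSON.stringify(stored));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Which tag ids may load under the resolved consent.
function plannedLoads(consent) {
  return TAGS.filter((tag) => consent[tag.category] === true).map((tag) => tag.id);
}

// Browser entry point: inject only the scripts the decision above permits.
function loadTags(consent) {
  if (typeof document === 'undefined') return;
  for (const tag of TAGS) {
    if (!consent[tag.category]) continue;
    const script = document.createElement('script');
    script.src = tag.src;
    script.async = true;
    document.head.appendChild(script);
  }
}

// Read the browser's privacy signals (both properties are absent in Node).
function browserSignals() {
  if (typeof navigator === 'undefined') return {};
  return { globalPrivacyControl: navigator.globalPrivacyControl, doNotTrack: navigator.doNotTrack };
}

if (typeof document !== 'undefined') {
  loadTags(resolveConsent(readConsent(document.cookie), browserSignals()));
}
```

A preference centre would call `serializeConsent` with the user’s new choices and write the result to `document.cookie`; the next page load then reads it back through `readConsent`. Making the third-party default `false` in `CATEGORIES` turns this into the “active” banner type, where nothing user-controlled loads until a choice is stored.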
2024 Google Update
According to the rather excellent Search Engine Journal, “Google has announced it will no longer phase out third-party cookies in Chrome.”
Similar to what they said in 2022: instead, the browser and the user are in control. "Instead of deprecating these cookies, Google will introduce a new experience in Chrome that allows users to make informed choices about their privacy settings."
This, we say, is a good thing. See our manifesto above – point 1 Keep It Simple Stupid.
2022 Update
And now, as of Jan 2020, we hear that Google have dropped their plans within Chrome – but don’t panic, they have a possibly more insidious one. Once again Wired has an update. And once again the answer is to have privacy set at browser level, and to use Brave, Safari or Firefox if you are worried about privacy. Even if you use Chrome, then just check your privacy settings.
2021 August Update
Sounds like the industry is aligning with a light touch of action, according to The UK’s new Information Commissioner, who is charged with a post-Brexit “shake up” of data rules, including getting rid of cookie pop-ups.
Read on…
https://www.bbc.co.uk/news/technology-58340333
2021 Update on the Google View: FLOC
It should come as little surprise that nothing regulatory has changed, so we stand by the above article.
What has changed is big tech’s answer to the same problem, with Google and its browser Chrome’s answer to the 3rd party cookie problem. This is better outlined in this Wired article, but we shall paraphrase…
You know how if you are looking for trainers, then you continue to get adverts for trainers on every site? That’s Google’s AdWords algorithms doing their thing, and it is in your power to turn off those behavioural cookies by setting your preferences, site by site or en bloc. Google wants to upturn the ad industry by measuring data at the browser level, not by storing cookies, thus adding you into a grouping of others who browse the same things as you.
It should be said Google is not brave enough to try their trial in the EU where GDPR rules are more strict (Until it comes to popups). And there are some merits to this way of thinking. For one, no more popups as you set your privacy preferences at the browser level. But it should be noted that trials haven’t gone well, with notable media channels boycotting the trial. Also, like the cookie pop-up problem above, most of the criticism remains that settings start by recording behaviour and you have to specifically opt out. To our minds this is the same argument in a different medium.
Rightly or wrongly, the power goes back to the browser providers, and we should all jump ship to Firefox or Brave.
An aside: What does privacy actually mean?
This leads to discussions on privacy and what it means to you. This is a fair summing up of the state of play of personal privacy.
But I would like to quote in full the last paragraph of the wonderful book “User Friendly” by Cliff Kuang & Robert Fabricant, from 2019. For me this says the GDPR rules are good but there remains significant design problems:
2016: GENERAL DATA PROTECTION REGULATION, European Union
EU Decision makers opened up a new frontier in user-friendly design by enacting a set of laws intended to give users control over their personal data. Left unsaid was a larger design problem that seems poised to grow in importance: allowing users to understand where all their data has gone, and what benefits they’re actually getting in exchange.
Footnotes
[1] Google Analytics is anonymous, which is what Google itself says. This is true on some level in that names, email addresses and phone numbers are not stored. But don’t think for one second that your browser doesn’t give uniquely identifying data away anyway. See the amiunique.org project if you haven’t already.
[2] Google is not Facebook and LinkedIn tracking which are still third party, but usually as long as you have at least analytics for tracking then you can attribute leads and judge campaigns.
[3] In other words, when you most need protection a cookie pop-up won’t help you.
[4] CLS – Google Site Speed indicators punish jumping around of elements when the page loads, which us web developers do our best to negate. But then a huge pop-up changes lots of pixels…
ICO Page on Cookies: https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/#anonymousdata
UK Law Section 6: https://www.legislation.gov.uk/uksi/2003/2426/regulation/6?timeline=false