In this rather good article: We need to fix GDPR’s biggest failure: broken cookie notices in Wired online, there is a call to arms to the regulators to fix this problem.
The spread of these cookie notices is down to European legislation. A combination of GDPR and how it altered the ePrivacy Directive forced pretty much every site on the web to ensure people in Europe clicked ‘allow’.
And we could not have put this better ourselves either:
The legal changes were meant to make understanding web tracking easier for everyone. But two years after the arrival of GDPR, cookie consent notices are a blight on the web.
The real problem is that the otherwise good EU GDPR rules are weak for cookie consent, and they are not fit for purpose. The popups that crowd your browser on each site, often on every visit, are supposed to offer you the sense of control. But actually most consent popups on most websites offer zero control. Instead they just crowd your browser.
Let me explain. Most sites have Google Analytics and/or other tracking, which most of the time is anonymous*, with your last visit time, and other data stored on your computer as a cookie. To most people this data really should not cause any harm.
There are two types of Cookie Consent. The first does not allow any sort of storage of any kind unless that consent button is clicked. The second is the more pervasive, whereby the Cookie consent button is merely an acknowledgement. In other words your browser is recording anyway but the “OK” button is merely a notification. The second way is what marketers like, as they want as much data as possible. And we have no problem with the former, zero storage solution. But this pervasive way is what riles us here at Practically towers.
There are a number of reasons for this mild ire:
- Firstly, that consent button actually requires its own cookie to be stored on your machine – which seems to us a bit silly.
- Secondly, even without cookies the site, the server and other third party aspects (for example that nice TrustPilot widget) are undoubtedly tracking your movements anyway. Every time something is served to a user it must be served from somewhere, and that server likes stats. In other words data is here to stay.
- Thirdly, from Hotjar we can see anonymised recordings from some of our site visits. And it is clear from these, and watching other people like our own families browse the net, that most users ignore the popup consent bars completely. From a designer’s perspective this negates the user experience we have built up and gets in the way of user journeys. The thing is that marketers will automatically switch off those consent banners. Your customers do not. This is especially concerning on mobiles.
- Fourthly, and this is a minor one, when something changes (like new hosting or in some cases a new publish) those cookie consent cookies will be reset. The same goes if a customer jumps to a different device like their phone.
* So we said that Google Analytics is anonymous, which is what Google itself says. This is true on some level in that names, email addresses and phone numbers are not stored. But don’t think for one second that your browser doesn’t give uniquely identifying data away anyway. See the amiunique.org project if you haven’t already.
So what is the solution?
As we say we have no problem at all with the zero storage until clicked method. So one solution is by law to make this method mandatory. That this is not so, shows the weakness.
But the vast majority of sites out there are the notification only. And we are guilty of this too for many of our sites.
Another solution is to make those damn popups standard.
Cookie consent notices can show a bewildering array of options. On some websites the accept all cookies option is highlighted in a larger font or more eye-catching colour. They’re often configured to get people to accept everything without pausing to consider their choices.
Or even to have one Cookie that accepts all Google Analytics per browser, not per site. The same goes for Hotjar or any other provider. This essentially is what your browser security preferences do anyway. Remember it is legally the site that is recording the data but in actual fact the data is being saved by Google.
Or, to not use a cookie consent popup at all.
In other words if popups just give no control, nor sense of control, then do something different.
This post is a version of a recent lecture. The question is “What skills and knowledge might future designers be expected to know”.
For the creative industries the proximity of other creative industries has meant that London is absolutely the place to be for any agency or artist…
Covid lockdown has given us a unique and unexpected experiment; what happens when online ad spend stops across the board in a sector?