In this rather good article: We need to fix GDPR’s biggest failure: broken cookie notices in Wired online, there is a call to arms to the regulators to fix this problem.
The spread of these cookie notices is down to European legislation. A combination of GDPR and how it altered the ePrivacy Directive forced pretty much every site on the web to ensure people in Europe clicked ‘allow’.
And we could not have put this better ourselves either:
The legal changes were meant to make understanding web tracking easier for everyone. But two years after the arrival of GDPR, cookie consent notices are a blight on the web.
The real problem is that the otherwise good EU GDPR rules are weak for cookie consent, and they are not fit for purpose. The popups that crowd your browser on each site, often on every visit, are supposed to offer you the sense of control. But actually most consent popups on most websites offer zero control. Instead they just crowd your browser.
Let me explain. Most sites have Google Analytics and/or other tracking, which most of the time is anonymous*, with your last visit time, and other data stored on your computer as a cookie. To most people this data really should not cause any harm.
There are two types of Cookie Consent. The first does not allow any sort of storage of any kind unless that consent button is clicked. The second is the more pervasive, whereby the Cookie consent button is merely an acknowledgement. In other words your browser is recording anyway but the “OK” button is merely a notification. The second way is what marketers like, as they want as much data as possible. And we have no problem with the former, zero storage solution. But this pervasive way is what riles us here at Practically towers.
There are a number of reasons for this mild ire:
- Firstly, that consent button actually requires its own cookie to be stored on your machine – which seems to us a bit silly.
- Secondly, even without cookies the site, the server and other third party aspects (for example that nice TrustPilot widget) are undoubtedly tracking your movements anyway. Every time something is served to a user it must be served from somewhere, and that server likes stats. In other words data is here to stay.
- Thirdly, from Hotjar we can see anonymised recordings from some of our site visits. And it is clear from these, and watching other people like our own families browse the net, that most users ignore the popup consent bars completely. From a designer’s perspective this negates the user experience we have built up and gets in the way of user journeys. The thing is that marketers will automatically switch off those consent banners. Your customers do not. This is especially concerning on mobiles.
- Fourthly, and this is a minor one, when something changes (like new hosting or in some cases a new publish) those cookie consent cookies will be reset. The same goes if a customer jumps to a different device like their phone.
* So we said that Google Analytics is anonymous, which is what Google itself says. This is true on some level in that names, email addresses and phone numbers are not stored. But don’t think for one second that your browser doesn’t give uniquely identifying data away anyway. See the amiunique.org project if you haven’t already.
So what is the solution?
As we say we have no problem at all with the zero storage until clicked method. So one solution is by law to make this method mandatory. That this is not so, shows the weakness.
But the vast majority of sites out there are the notification only. And we are guilty of this too for many of our sites.
Another solution is to make those damn popups standard.
Cookie consent notices can show a bewildering array of options. On some websites the accept all cookies option is highlighted in a larger font or more eye-catching colour. They’re often configured to get people to accept everything without pausing to consider their choices.
Or even to have one Cookie that accepts all Google Analytics per browser, not per site. The same goes for Hotjar or any other provider. This essentially is what your browser security preferences do anyway. Remember it is legally the site that is recording the data but in actual fact the data is being saved by Google.
Or, to not use a cookie consent popup at all.
In other words if popups just give no control, nor sense of control, then do something different.
2021 August Update
Sounds like the industry is alinging with a light touch of action, according to The UK’s new Information Commissioner, who is charged with a post-Brexit “shake up” of data rules, including getting rid of cookie pop-ups.
It should come as little suprise that nothing regulatory has changed, so we stand by the above article.
What has changed is big tech’s answer to the same problem, with Google and its browser Chome’s answer to the 3rd party cookie problem. This is better outlined in this Wired article, but we shall paraphrase…
You know how if you are looking for trainers, then you continue to get adverts for trainers on every site? That’s Google’s Adword algorithms doing their thing, and it is in your power to turn off those behavioural cookies by setting your preferences, site by site or on block. Google wants to upturn the ad industry by measuring data at the browser level, not by storing cookies, thus adding you into grouping of others who browse the same things as you.
It should be said Google is not brave enough to try their trial in the EU where GDPR rules are more strict (Until it comes to popups). And there are some merits to this way of thinking. For one, no more popups as you set your privacy preferences at the browser level. But it should be noted that trials haven’t gone well, with notable media channels boycotting the trial. Also, like the cookie popup problem above, most of the criticism remains that settings start by recording behaviour and you have to specifically opt out. To our minds this is the same argument in a different medium.
Rightly or wrongly, the power goes back to the browser providers, and we should all jump ship to Firefox or Brave.
What does privacy actually mean?
This leads to discussions on privacy and what it means to you. This is a fair summing up of the state of play of personal privacy.
But I would like to quote in full the last paragraph of the wonderful book “User Friendly” by Cliff Kuang & Robert Fabricant, from 2019. For me this says the GDPR rules are good but there remains significant design problems:
2016: GENERAL DATA PROTECTION REGULATION, Eurpoean Union
EU Decision makers opened up a new frontier in user-friendly design by enacting a set of laws intended to give users control over their personal data. Left unsaid was a larger design problem that seems poised to grow in importance: allowing usrs to understand where all their data has gone, and what benefits they’re actually getting in exchange.
For the creative industries the proximity of other creative industries has meant that London is absolutely the place to be for any agency or artist…
Here is a non exhaustive list of what the team have been up to since the end of last summer. And my oh my we have been busy.
It doesn’t happen often that some of our work appears on mass media, so please excuse our blatant plugging.