Our favourite topic, the Cookie Popup, rumbles on. And on into 2023. A bit like Brexit, no one is talking about it, and people are surprised by bad decisions coming down the track.
GDPR and privacy for consumers is a good thing. But cookie policies, and most of all the annoying popup rules, are poorly defined and lead to confusion among companies and consumers. This article hopes to explain what we think you should do about it. Feel free to jump directly to our cookie popup manifesto.
This article has been continually updated since 2020.
A problem with GDPR Definitions
In the rather good Wired article “We need to fix GDPR’s biggest failure: broken cookie notices”, there is a call to arms to the regulators to fix this problem.
The spread of these cookie notices is down to European legislation. A combination of GDPR and how it altered the ePrivacy Directive forced pretty much every site on the web to ensure people in Europe clicked ‘allow’.
And we could not have put this better ourselves either:
The legal changes were meant to make understanding web tracking easier for everyone. But [four] years after the arrival of GDPR, cookie consent notices are a blight on the web.
The real problem is that the otherwise good EU GDPR rules are weak for cookie consent, and they are [still] not fit for purpose. The popups that crowd your browser on each site, often on every visit, are supposed to offer you the sense of control. But actually most consent popups on most websites offer zero control. Instead they just crowd your browser and annoy your customers.
Most sites have Google Analytics and/or other tracking, which most of the time is anonymous*, with your last visit time, and other data stored on your computer as a cookie. To most people this data really should not cause any harm. Most sites do not use much beyond this anonymous tracking. If you are on a harmless site, like this one, you should have enough trust signals to know that your data is being taken seriously. If you are on a dodgy one then you are unlikely to get cookie consent popups.
And the spread of the humble cookie consent popup we think relies on a lack of understanding from the public, from clients and especially their legal departments.
Cookies are not bad. They are part of how the web works and have been around for decades. Storing information about your visit or your interactions is not an unreasonable assumption for most websites.
Active vs reporting cookie consent banners
There are two types of Cookie Consent. The first does not allow any sort of storage of any kind unless that consent button is clicked. The second is the more pervasive, whereby the Cookie consent button is merely an acknowledgement. In other words your browser is recording anyway and the “OK” button is merely a notification. The latter is preferable to marketers, as they want as much data as possible. The former, zero storage solution is equally good, although every site will have at least some cookies that need to be set no matter what. The https://www.gov.uk/coronavirus site, for example, stores a cookie for the obtrusive cookie banner. Most WordPress sites store session data from the off, to make pages run faster.
We hate Cookie Consent popups largely because they are non-standard, and this is especially so when it comes to the reporting variety. There are a number of reasons for this mild ire:
Firstly, that consent button actually requires its own cookie to be stored on your machine – which seems to us a bit silly.
Secondly, even without cookies the site, the server and other third-party aspects (for example that nice TrustPilot widget) are undoubtedly tracking your movements, as are your browser plugins. Every time something is served to a user it must be served from somewhere, and that server likes stats. In other words data is here to stay.
Thirdly, from Hotjar we have seen anonymised recordings from some of our site visits. And it is clear from these, and watching other people like our own families browse the net, that most users ignore the popup consent bars completely. From a designer’s perspective this negates the user experience we have built up and gets in the way of user journeys. From Google’s perspective it destroys your CLS site speed indicators.
Marketeers will automatically switch off those consent banners. Your customers do not. This is especially concerning on mobiles.
Fourthly, and this is a minor one, when something changes (like new hosting or in some cases a new publish) those cookie consent cookies will be reset. The same goes if a customer jumps to a different device like their phone, which means they get annoyed that they have to click that popup again.
What has changed in 2023?
In many ways nothing at all – we are still having this debate. But in other ways a lot. The big change is the move away from Universal Analytics to GA4. See our article on our migration and what GA4 means for agencies. One of the big ideas behind GA4 is to make it more GDPR compliant and to move to first-party cookies rather than third-party. And this, in turn, means we should or could be serving standard GA4 under the legitimate interests category, and updating our policies to match.
So what is the solution?
As we say, we have no problem at all with the zero storage until clicked method. So one solution is to make this method mandatory by law – one method for all and standard popups everywhere.
Cookie consent notices can show a bewildering array of options. On some websites the accept all cookies option is highlighted in a larger font or more eye-catching colour. They’re often configured to get people to accept everything without pausing to consider their choices.
Or even to have one Cookie that accepts all Google Analytics per browser, not per site. The same goes for Hotjar or any other provider. This essentially is what your browser security preferences do anyway. Remember it is legally the site that is recording the data, but in actual fact the data is being saved by Google etc.
But the vast majority of sites out there are the notification only. And we are guilty of this too for many of our sites.
Or, to not use a cookie consent popup at all.
In other words if popups just give no control, nor sense of control, then do something different.
The myth of privacy
We had a long-time client who was surprised that their recently turned-on paid LinkedIn campaign was not tracking, when their own compliance department insisted on no tracking until an accept cookies button was clicked. The leads and the campaign were therefore missing attribution, and the campaign failed. We are, I am sure, not alone.
The irony remains that the great British public leave their digital footprint all over the place but some companies are not willing to have even basic traffic attribution.
Our recommendation, or perhaps cookie popup manifesto:
- Keep It Simple Stupid (KISS) – if your user does not want to be tracked they can use their browser to disable cookies and tracking (per site or for all).
- Turn on (track) all site-specific cookies – otherwise known as functional or strictly necessary – by default, as soon as the user hits the page.
- Keep all first-party cookies, including GA4, in this functional group.
- Choose whether to load third-party cookies later on or from the start, i.e. this is the user choice as defined by you as the site owner. These are harmless so we advise leaving them all on.
- Keep an always available preference centre so that users can choose what to track, or direct users to their browser settings.
- Let users know the score: have as small a cookie banner as possible with links to your policies, or better still a note in the footer.
This last point is very important. GDPR is all about privacy but leaves, for now, the tracking decisions up to the business. What is frowned on is not letting users know your intentions and policies.
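The two consent models described earlier (block everything until clicked, versus notify only) and the manifesto above come down to a small piece of page logic: which script groups load before any decision, which wait, and how the decision is remembered. The following is an added example in plain browser JavaScript, not code from this article or from any consent vendor. The cookie name, the script catalogue and its URLs are constructed for the example; the browser-level signals it reads (navigator.globalPrivacyControl and navigator.doNotTrack) are only honoured where the browser exposes them.

```javascript
// Added example (not code from the article or any consent vendor): a minimal consent gate
// in plain browser JavaScript. Functional/first-party scripts load straight away; third-party
// scripts stay unloaded until an explicit decision is stored ("zero storage until clicked").
// The cookie name, catalogue entries and URLs are constructed for this example.

const CONSENT_COOKIE = 'cookie_prefs';        // hypothetical preference cookie name
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;   // 180 days, in seconds

// Constructed script catalogue. Per the manifesto above, GA4 sits in the functional group.
const SCRIPT_CATALOG = [
  { src: '/js/site.js',                       group: 'functional' },
  { src: 'https://analytics.example/ga4.js',  group: 'functional' },
  { src: 'https://reviews.example/widget.js', group: 'thirdParty' },
  { src: 'https://ads.example/insight.js',    group: 'thirdParty' },
];

// Read the recorded decision out of a document.cookie string.
// Returns null when no valid decision exists: that is the state in which
// third-party scripts must stay unloaded and the small banner is shown.
function parseConsent(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const prefs = JSON.parse(decodeURIComponent(rest.join('=')));
      if (prefs && typeof prefs.thirdParty === 'boolean') {
        return { functional: true, thirdParty: prefs.thirdParty };
      }
    } catch (e) {
      // malformed or tampered cookie: treat as "no decision yet"
    }
    return null;
  }
  return null;
}

// Build the string assigned to document.cookie. Secure and SameSite=Lax keep the
// preference cookie first-party only; Max-Age makes it survive a browser restart.
function serializeConsent(prefs) {
  const value = encodeURIComponent(JSON.stringify({ thirdParty: Boolean(prefs.thirdParty) }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Browser-level opt-out signals (the "set it once in the browser" idea in the article):
// Global Privacy Control and the older Do Not Track flag, where the browser exposes them.
function browserOptsOut(nav) {
  if (!nav) return false;
  return nav.globalPrivacyControl === true || nav.doNotTrack === '1';
}

// Decide which scripts may load.
//   mode 'block'  : the article's first model; thirdParty loads only on an explicit "yes".
//   mode 'notify' : the article's second (reporting) model; everything loads, the banner only informs.
function scriptsToLoad(prefs, catalog, mode = 'block') {
  if (mode === 'notify') return catalog.map(s => s.src);
  const thirdPartyAllowed = prefs !== null && prefs.thirdParty === true;
  return catalog
    .filter(s => s.group === 'functional' || thirdPartyAllowed)
    .map(s => s.src);
}

// Inject script tags once each (a later "accept" must not load functional scripts twice).
const loaded = new Set();
function loadScripts(doc, srcs) {
  for (const src of srcs) {
    if (loaded.has(src)) continue;
    const el = doc.createElement('script');
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
    loaded.add(src);
  }
}

// Page entry point: returns the decision (null means "show the banner").
function applyConsent(doc, nav) {
  let prefs = parseConsent(doc.cookie);
  if (prefs === null && browserOptsOut(nav)) {
    prefs = { functional: true, thirdParty: false }; // honour the browser, skip the banner
  }
  loadScripts(doc, scriptsToLoad(prefs, SCRIPT_CATALOG, 'block'));
  return prefs;
}

// Called from the banner or the always-available preference centre.
function recordDecision(doc, nav, thirdParty) {
  doc.cookie = serializeConsent({ thirdParty });
  return applyConsent(doc, nav);
}

if (typeof document !== 'undefined' && typeof navigator !== 'undefined') {
  const decision = applyConsent(document, navigator);
  if (decision === null) {
    // show the minimal banner here; its buttons call recordDecision(document, navigator, true/false)
  }
}
```

Two things the code makes visible that the prose only hints at: the preference itself is a first-party cookie scoped to one browser on one device, so a new phone or a wiped profile genuinely starts from "no decision" again, exactly the reset complained about above; and honouring a browser-level signal such as Global Privacy Control lets a site skip the banner entirely for users who have already said no once, which is the per-browser rather than per-site choice the article argues for.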
* Google Analytics is anonymous, which is what Google itself says. This is true on some level in that names, email addresses and phone numbers are not stored. But don’t think for one second that your browser doesn’t give uniquely identifying data away anyway. See the amiunique.org project if you haven’t already.
** Google Analytics is not the same as Facebook and LinkedIn tracking, which are still third-party, but usually, as long as you have at least analytics for tracking, you can attribute leads and judge campaigns.
2021 August Update
Sounds like the industry is aligning with a light touch of action, according to the UK’s new Information Commissioner, who is charged with a post-Brexit “shake up” of data rules, including getting rid of cookie pop-ups.
2021 Update on the Google View: FLOC
It should come as little surprise that nothing regulatory has changed, so we stand by the above article.
What has changed is big tech’s answer to the same problem, with Google and its Chrome browser’s answer to the third-party cookie problem. This is better outlined in this Wired article, but we shall paraphrase…
You know how if you are looking for trainers, then you continue to get adverts for trainers on every site? That’s Google’s AdWords algorithms doing their thing, and it is in your power to turn off those behavioural cookies by setting your preferences, site by site or en bloc. Google wants to upturn the ad industry by measuring data at the browser level, not by storing cookies, thus adding you into a grouping of others who browse the same things as you.
It should be said Google is not brave enough to try their trial in the EU where GDPR rules are more strict (Until it comes to popups). And there are some merits to this way of thinking. For one, no more popups as you set your privacy preferences at the browser level. But it should be noted that trials haven’t gone well, with notable media channels boycotting the trial. Also, like the cookie popup problem above, most of the criticism remains that settings start by recording behaviour and you have to specifically opt out. To our minds this is the same argument in a different medium.
Rightly or wrongly, the power goes back to the browser providers, and we should all jump ship to Firefox or Brave.
And now, as of Jan 2020 we hear that Google have dropped their plans within Chrome – but don’t panic they have a possibly more insidious one. Once again Wired has an update. And once again the answer is to have privacy set at Browser level, and to use Brave, Safari or Firefox if you are worried about privacy. Even if you use Chrome then just check your privacy settings.
An aside: What does privacy actually mean?
This leads to discussions on privacy and what it means to you. This is a fair summing up of the state of play of personal privacy.
But I would like to quote in full the last paragraph of the wonderful book “User Friendly” by Cliff Kuang & Robert Fabricant, from 2019. For me this says the GDPR rules are good but there remain significant design problems:
2016: GENERAL DATA PROTECTION REGULATION, European Union
EU Decision makers opened up a new frontier in user-friendly design by enacting a set of laws intended to give users control over their personal data. Left unsaid was a larger design problem that seems poised to grow in importance: allowing users to understand where all their data has gone, and what benefits they’re actually getting in exchange.