How to Get Cookie Consent Right
Getting a website’s privacy and consent process done right is difficult. In fact, my research shows 98% of websites get consent wrong*. Apart from the myriad of privacy decisions required to be compliant for laws such as GDPR, there are still plenty of grey areas as to what the fundamentals mean. That’s how lawyers make their money of course – though the result is that organisations find it difficult to make decisions as to what to actually implement on their website.
For example, if no cookies are set, can a website send any data hit without a visitor’s consent?
Strictly speaking, my default answer to that is “no”. That is, to be an ethical marketer: no consent = no tracking. In fact, which cookies (or any other technology) are used for the tracking is irrelevant. However, there can be exceptions where such data hits are deemed necessary to make the website usable, e.g. by enabling basic functions such as blocking robots and page scrapers.
*From my slides presented at Superweek-20 (view the deck), 97.6% of websites get consent wrong! As that is a shockingly large number, I needed to verify it. Comparing against other academic studies, there is good agreement:
- 88% of UK websites are not compliant.
- 93% are not blocking the visitor’s interaction with the website.
- 86% offer no options other than a confirmation button that does nothing!
TechCrunch has summarised the details of the academic papers these numbers come from: (Un)informed Consent: Studying GDPR Consent Notices in the Field (Ruhr-University Bochum and the University of Michigan), and Dark Patterns after the GDPR (MIT, UCL and Aarhus University).
1. Getting The Approach Right
As mentioned, if you want to build and maintain trust with your customers (who would want to buy from a non-trustworthy brand?), then no tracking should take place without your visitor’s explicit consent.
A common mistake by website owners is to think of web privacy only in terms of Google Analytics. It’s the obvious visitor tracker of course, but privacy law is tool-agnostic. Hence, when checking for compliance, you need to look for any data hit from any tracker.
The table below shows how this has gone wrong for a well-known e-commerce site that shall remain anonymous. Despite using a cookie consent banner, if the visitor ignores it, i.e. does not explicitly consent, the site nonetheless proceeds to send a lot of data to a lot of places:
Usually, sending data regardless of consent is a deliberate decision made by the site owner, i.e. they want the data regardless and are willing to take the risk of being caught (the “everyone else is doing it, so why not us?” approach). I strongly advise against that – once you lose the trust of your customers, it is impossible to win it back! However, it can also be a head-in-the-sand approach – though ignorance counts for nothing in law. Hence the importance of knowing exactly what trackers run on your website – and controlling them.
2. Getting The Tools Right
Smart tools exist to allow you to manage visitor consent – known as Consent Management Platforms (CMPs). Essentially, they do a simple job: presenting consent options to your visitors (the consent/cookie banner) and remembering their choices, typically by setting their own cookie(s). CMPs also scan your website and list the cookies being set, so that you can embed this information in your privacy statement for transparency.
For example, take a look at the following screenshot:
The table above shows what data hits are being sent with NO CONSENT – in this case to a single Google Analytics tracker. Although the website has correctly blocked the pageview hit, other event hits are “leaking” data when a visitor clicks an outbound link or downloads a file.
The five big CMP suppliers are Quantcast, OneTrust, TrustArc, Cookiebot and Crownpeak. I am a big fan of Cookiebot – essentially it does the basics you need very well, without overcomplicating things, and with very sensible pricing (note that I am biased, as my company is a Cookiebot partner!).
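The leak described above happens when only the pageview is gated and click handlers talk to the tracker directly. The following is an added example (not the post's code, nor any CMP's): a single consent gate that every hit, pageview or event, must pass through; `transport` stands in for the real tracker's send call and is an assumption.

```javascript
// Added example, not the post's or any CMP's code: one gate that every analytics
// hit passes through. `transport` stands in for the real tracker's send call.
function createTracker(transport) {
  let consent = null;   // null = visitor has not decided, true = granted, false = refused
  const queue = [];     // hits held back until the visitor decides

  function sendHit(type, params) {
    const hit = { type, ...params };
    if (consent === true) { transport(hit); return 'sent'; }
    if (consent === null) { queue.push(hit); return 'queued'; }
    return 'dropped';   // refused: nothing leaves the browser
  }

  function setConsent(granted) {
    consent = granted;
    if (granted) { while (queue.length) transport(queue.shift()); } // flush, keeping the data
    else { queue.length = 0; }                                      // refused: discard
  }

  return {
    sendHit,
    setConsent,
    pendingHits: () => queue.length,
    // Every handler routes through sendHit; none talks to the transport directly.
    pageview: (path) => sendHit('pageview', { path }),
    outboundClick: (href) => sendHit('event', { category: 'outbound', label: href }),
    fileDownload: (file) => sendHit('event', { category: 'download', label: file }),
  };
}

// The leak the post describes: the pageview is gated, but a click handler was
// wired straight to the tracker, so it fires whether or not consent exists.
function leakyOutboundClick(transport, href) {
  transport({ type: 'event', category: 'outbound', label: href });
  return 'sent';
}

// Walk-through with a recording transport standing in for a real tracker.
function demo() {
  const sent = [];
  const tracker = createTracker((hit) => sent.push(hit));
  tracker.pageview('/home');                    // held back: undecided
  tracker.outboundClick('https://example.org'); // held back too, unlike the leaky handler
  const beforeConsent = sent.length;            // 0
  tracker.setConsent(true);                     // accept: both hits now sent
  return { beforeConsent, afterConsent: sent.length };
}
```

The same gate has to sit in front of every third-party tag on the page, not just Google Analytics, since the tracker is irrelevant to the law.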
3. Verifying Your Data
An important part of getting on top of your compliance quagmire is to audit your current situation in order to get the full picture. This includes verifying:
- No personal data is being collected – every site owner says they don’t, but the reality is usually different. Subscription signup forms, targeted email campaigns, login areas and password reset requests are often the culprits, as Google Analytics does a great job of vacuuming up all URL variables by default. (I also generally recommend the use of the Google Analytics anonymise IP function as an extra precaution.)
- No tracking takes place before consent is given – either to Google Analytics or any other tracker. This includes the obvious pageview data and any other “event” hits, such as scroll depth, outbound links and file download clicks.
- Cookies being set are reasonable – that is, reasonable in number (it simply doesn’t look good to overdo these), with a reasonable expiry date (less than 2 years), and not overly bloated in size (a bloated cookie always makes me suspicious).
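Two of the checks in the list above, the URL-variable check and the cookie expiry/size check, run over constructed samples in the following added example (this is not Verified Data's code). The size threshold, the list of sensitive parameter names and the sample cookies and hit URL are all assumptions made for illustration.

```javascript
// Added example, not Verified Data's code: two of the audit checks above run over
// constructed samples. The thresholds are assumptions chosen for illustration.
const MAX_COOKIE_AGE_SEC = 2 * 365 * 24 * 3600; // the post's "less than 2 years"
const MAX_COOKIE_BYTES = 1024;                  // assumed size at which a cookie is "bloated"
const SENSITIVE_PARAMS = ['email', 'name', 'phone', 'password', 'token', 'userid'];

// Audit one Set-Cookie header value. `now` is fixed so the Expires arithmetic is reproducible.
function auditCookie(setCookie, now = new Date('2020-02-01T00:00:00Z')) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const issues = [];
  let lifetime = 0; // seconds; stays 0 for a session cookie
  for (const attr of attrs) {
    const [key, value] = attr.split('=');
    if (key.toLowerCase() === 'max-age') lifetime = Number(value);
    else if (key.toLowerCase() === 'expires') lifetime = (Date.parse(value) - now.getTime()) / 1000;
  }
  if (lifetime > MAX_COOKIE_AGE_SEC) issues.push('expiry over 2 years');
  if (Buffer.byteLength(pair) > MAX_COOKIE_BYTES) issues.push('oversized value');
  return { name, lifetimeDays: Math.round(lifetime / 86400), issues };
}

// Audit the page URL a tracker reports (GA's dl= parameter) for personal data carried
// in URL variables, e.g. from a password-reset or campaign link.
function auditHitUrl(hitUrl) {
  const dl = new URL(hitUrl).searchParams.get('dl');
  const issues = [];
  if (!dl) return issues;
  for (const [key, value] of new URL(dl).searchParams) {
    if (SENSITIVE_PARAMS.includes(key.toLowerCase())) issues.push(`sensitive parameter "${key}"`);
    else if (/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(value)) issues.push(`email address in "${key}"`);
  }
  return issues;
}

// Constructed samples, not captured from any real site.
const SAMPLE_COOKIES = [
  'session=abc123; Path=/; Secure; HttpOnly',                   // session cookie: fine
  'tracker_id=id-0001; Max-Age=63072000; Path=/',               // exactly 2 years: fine
  'visitor=v1; Expires=Wed, 01 Feb 2023 00:00:00 GMT; Path=/',  // 3 years: flagged
  'prefs=' + 'x'.repeat(1500) + '; Path=/',                     // 1.5 KB value: flagged
];
const SAMPLE_HIT = 'https://www.google-analytics.com/collect?v=1&t=pageview&dl=' +
  encodeURIComponent('https://shop.example/reset?email=jane%40example.org&token=abc');

function runAudit() {
  return { cookies: SAMPLE_COOKIES.map((c) => auditCookie(c)), hit: auditHitUrl(SAMPLE_HIT) };
}
```

In practice the inputs come from the response headers and tracker requests captured during a crawl; the rules stay the same.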
That is what Verified Data does – it is an automated tool to audit Google Analytics setups, both for data accuracy and data governance. The technology used is unique because it combines a crawl of a website, to determine what data should be collected, with API checks on your Google Analytics account.
The screenshots for this post are all from Verified Data. For transparency, I am the co-founder of the company 🙂
There are a myriad of considerations and decisions to be made by organisations that wish to do the right thing and respect the privacy of their website users. The key is to ensure you actually know what data your website is tracking, i.e. not just Google Analytics, and then verify that your rules are being adhered to. In fact, that is a legal requirement under GDPR.
The skill is not just to implement consent correctly and be compliant, but to do it in such a way that you retain the vast majority of your data – because if most visitors say “no thanks” to being tracked, then you are in trouble!