Noise or Music?

How to Get Cookie Consent Right

Categories: GDPR & Privacy / Comments: 3

How to Get Cookie Consent Right for GDPR

Getting a website’s privacy and consent process done right is difficult. In fact, my research shows 98% of websites get consent wrong*. Apart from the myriad of privacy decisions required to be compliant for laws such as GDPR, there are still plenty of grey areas as to what the fundamentals mean. That’s how lawyers make their money of course – though the result is that organisations find it difficult to make decisions as to what to actually implement on their website.

For example if no cookies are set, can a website send any data hit without a visitor’s consent?

Strictly speaking my default answer to that is “no”. That is, to be an ethical marketer: No consent = No tracking. In fact, what cookies are used for tracking (or any other technology) is actually irrelevant. However, there can be exceptions if such data hits are deemed necessary to help make a website usable e.g. by enabling basic functions such as blocking robots and page scrapers.

*From my slides presented at Superweek-20 (view the deck), 97.6% of websites get consent wrong! As a shockingly large number I needed to verify that. Comparing against other academic studies there is good agreement.

Other studies:

88% of UK websites are not compliant.

93% are not blocking the visitor’s interaction with the website.

86% offer no options other than a confirmation button that does nothing!

TechCrunch has summarised the details of the academic papers these numbers come from: (Un)informed Consent: Studying GDPR Consent Notices in the Field – Ruhr-University Bochum and the University of Michigan; and Dark Patterns after the GDPR – MIT, UCL and Aarhus University.

1. Getting The Approach Right

As mentioned, if you want to build and maintain trust with your customers (who would want to buy from a non-trustworthy brand?), then no tracking should take place without your visitor’s explicit consent.

A common mistake by website owners is to think of web privacy only in terms of Google Analytics. It’s the obvious visitor tracker of course, but privacy law is tool agnostic. Hence when checking for compliance, you need to look for any data hit from any tracker.

The table below shows how this has gone wrong for a well known e-commerce site who shall remain anonymous. Despite them using a cookie consent banner, if the visitor ignores it i.e. does not explicitly consent, the site nonetheless proceeds to send a lot of data to a lot of places:

Check what data is sent without consent
Table showing the data hits sent WITHOUT visitor consent. Audit data via verified-data.com.

Usually the sending of data regardless of consent is a deliberate decision made by the site owner i.e. they want the data regardless and are willing to take the risk of being caught (the “everyone else is doing it, so why not us?” approach). I strongly advise against that – once you lose the trust of your customers, it is impossible to win it back! However, it can also be a head in the sand approach – though ignorance counts for nothing in law. Hence the importance of knowing exactly what trackers run on your website – and controlling them.

2. Getting The Tools Right

Smart tools exist to allow you to manage visitor consent – known as Consent Management Platforms (CMP). Essentially, they do a simple job of presenting consent options to your visitors – the consent/cookie banner – and remembering their choices, typically by setting their own cookie(s). CMPs also scan your website listing what cookies are being set so that you can embed this information in your privacy statement for transparency.

Although having a CMP display a consent banner across your entire website can be as simple as deploying a JavaScript snippet in your HTML header, you will need to configure it to enforce your policies – for example, configure all your GTM triggers to respect the user’s choice. This is what most websites trying to do the right thing get wrong. That is, despite the good intentions of not tracking a visitor if they have not given consent, data still leaks i.e. tracking still happens.

For example, take a look at the following screenshot:

Data leakage for this site is because the CMP configuration does not match the privacy policy. Audit data via verified-data.com.

The table above shows what data hits are being sent with NO CONSENT – in this case to a single Google Analytics tracker. Although the website has correctly blocked the pageview hit, other event hits are “leaking” data when a visitor clicks either an outbound link or file download.

The five big CMP suppliers are: QuantCast, OneTrust, TrustArc, Cookiebot and Crownpeak. I am a big fan of Cookiebot – essentially it does the basics you need very well, without overcomplicating things, and with very sensible pricing (note I am bias as my company is a Cookiebot partner!)

3. Verifying Your Data

An important part of getting on top of your compliance quagmire is to audit your current situation in order to get the full picture. This includes verifying:

  • No personal data is being collected – every site owner says they don’t, but the reality is usually different. Subscription signup forms, targeted email campaigns, login areas and password reset requests are often culprits as Google Analytics does a great job of vacuuming up all URL variables by default. (I also generally recommend the use of the Google Analytics anonymise IP function as an extra precaution).
  • No tracking takes place before consent is given – either to Google Analytics or any other tracker. This includes the obvious pageview data and any other “event” hits, such as scroll depth, outbound links and file download clicks.
  • Cookies being set are reasonable – that is, are reasonable in number (it simply doesn’t look good to over do these), have a reasonable expiry date (less than 2 years), and are not overly bloated in size (always makes me suspicious).

That is what Verified Data does – an automated tool to audit Google Analytics setups – both for data accuracy and data governance. The technology used is unique because it combines a crawl of a website to determine what data should be collected and compares it with API checks on your Google Analytics account.

The screenshots for this post are all from Verified Data. For transparency, I am the co-founder of the company 🙂

Summary

There are a myriad of considerations and decisions that need to be made by organisations that wish to do the right thing to respect the privacy of their website users. The key is to ensure you actually know what data your website is actually tracking i.e. not just Google Analytics, and then verify your rules are being adhered to. In fact that’s a legal requirement of GDPR law.

The skill is not just to implement consent correctly and be compliant, but to do it in such a way that you retain the vast majority of your data – because if most visitors say “no thanks” to being tracked, then you are in trouble!

Getting consent right while retaining most of your data will be the subject of a future post. Though you can view my Superweek-20 slides on this very subject via SlideShare.

Share Button

Comments (most recent first)

  1. Gideon says:

    Hi Brian

    If a site only uses first party analytics (eg Google Analytics) it does not require a cookie consent banner; it does require transparency on what analytics software is being used on the site eg mention of it on a Privacy page.

    Section 4.3 of https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf is clear on the subject:

    While they are often considered as a “strictly necessary” tool for website operators, they are not strictly necessary to provide a functionality explicitly requested by the user (or subscriber). In fact, the user can access all the functionalities provided by the website when such cookies are disabled. As a consequence, these cookies do not fall under the exemption defined in CRITERION A or B.

    However, the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable
    information such as IP addresses.

    In this regard, should article 5.3 of the Directive 2002/58/EC be re-visited in the future, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes. First party analytics should be clearly distinguished from third party analytics, which use a common third party cookie to collect navigation information related to users across distinct websites, and which pose a substantially greater risk to privacy.

    • Thanks for the feedback @Giddeon. The article you reference is dated 2012. Is that not superseded by the GDPR?

      That said, I have often argued that benign tracking does not require explicit consent – see here for example: linkedin.com/pulse/why-i-think-sky-falling-web-analytics-brian-clifton-phd-/

      However, the problem is that Google Analytics has long ceased to be benign. These days it is very much about “profiling” individuals.

      And if Demographics and Interest Reports, Remarketing, or DoubleClick Integration is enabled, data hits about your visitors are also sent to 3rd-party advertisers around the web like confetti. Any other entity (apart from the website itself and parties under its direct control e.g. accountants) that receives visitor data, must surely get the visitor’s explicit consent?

      Another thing to consider… The French data protection authority (CNIL) have pointed out, that what Google itself does with your visitor data is opaque. That is, there is no explicit statement saying how Google use your collected data themselves – with the added power that Google can tie most visitors to their Google account.

      That does not mean that Google is doing anything bad with Google Analytics – and I am not suggesting it. However, it is pretty obvious your Google Analytics data is going into their “data machine” in some way. It may all be perfectly legitimate. CNIL are just pointing it is opaque and because of that consent is required – even if GA is the only tracking beacon on your website.

      That in itself is a BIG IF…

      • Gideon says:

        Hi Brian

        Two things point to this document not being superceded by GDPR:

        #1 – no reference is made to a later document and/or it being superceded
        #2 – it fits in the GDPR timeline – https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en

        I have to confess I find the whole subject rather fascinating, even though I perhaps view it more cinically than many.

        We have no privacy on the web – cookies or not… the only thing governments are fighting for is exclusivity in terms of owning our data.

        All governments have it through ISPs. In UK – https://www.legislation.gov.uk/ukpga/2016/25/contents/enacted.

        Here in the UK control of ISPs selling data is weaker than it was pre-Brexit – https://dzone.com/articles/isp-selling-data-why-you-should-actually-care – ‘best-practice’ is little defence when there are large profits to be found by viewing such things fluidly.

        Of course our governments only want to own our privacy to make us safer; Google, Facebook, etc want to profit from it – we pay for the former (in taxes) whilst effectively getting services subsidised by the latter.

        I’ve argued for many years I’d openly share all my data with the UK government – no need to spend ridiculous amounts of money going behind my back for it – give me a tax break and you can have all the logins – let’s have a democracy worthy of the title and better value at the same time.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© Brian Clifton 2021
Best practice privacy statement