How to Get Cookie Consent Right (98% don’t!)

Getting a website’s privacy and consent process done right is difficult. In fact, my research shows 98% of websites get consent wrong*. Apart from the myriad of privacy decisions required to be compliant for laws such as GDPR, there are still plenty of grey areas as to what the fundamentals mean. That’s how lawyers make their money of course – though the result is that organisations find it difficult to make decisions as to what to actually implement on their website.

For example, if no cookies are set, can a website send any data hit without a visitor’s consent?

Strictly speaking, my default answer to that is “no”. That is, to be an ethical marketer: No consent = No tracking. In fact, which cookies (or any other technology) are used for tracking is irrelevant. However, there can be exceptions if such data hits are deemed necessary to make a website usable, e.g. by enabling basic functions such as blocking robots and page scrapers.

*From my slides presented at Superweek, 97.6% of websites get consent wrong! As that is a shockingly large number, I needed to verify it. Comparing against other academic studies, there is good agreement.

Other studies:

See also the whitepaper: Best Practice Consent Guide – How to Achieve a 70% Opt-In Rate – with legal endorsement from LegalWorks.se

1. Getting The Approach Right

As mentioned, if you want to build and maintain trust with your customers (who would want to buy from a non-trustworthy brand?), then no tracking should take place without your visitor’s explicit consent.

A common mistake by website owners is to think of web privacy only in terms of Google Analytics. It’s the obvious visitor tracker of course, but privacy law is tool agnostic. Hence when checking for compliance, you need to look for any data hit from any tracker.

The table below shows how this has gone wrong for a well-known e-commerce site that shall remain anonymous. Despite them using a cookie consent banner, if the visitor ignores it, i.e. does not explicitly consent, the site nonetheless proceeds to send a lot of data to a lot of places:

[Screenshot: Check what data is sent without consent. Table showing the data hits sent WITHOUT visitor consent. Audit data via verified-data.com.]

Usually the sending of data regardless of consent is a deliberate decision made by the site owner, i.e. they want the data regardless and are willing to take the risk of being caught (the “everyone else is doing it, so why not us?” approach). I strongly advise against that – once you lose the trust of your customers, it is impossible to win it back! However, it can also be a head-in-the-sand approach – though ignorance counts for nothing in law. Hence the importance of knowing exactly what trackers run on your website – and controlling them.

2. Getting The Tools Right

Smart tools exist to allow you to manage visitor consent – known as Consent Management Platforms (CMP). Essentially, they do a simple job of presenting consent options to your visitors – the consent/cookie banner – and remembering their choices, typically by setting their own cookie(s). CMPs also scan your website listing what cookies are being set so that you can embed this information in your privacy statement for transparency.

Although having a CMP display a consent banner across your entire website can be as simple as deploying a JavaScript snippet in your HTML header, you will need to configure it to enforce your policies – for example, configure all your GTM triggers to respect the user’s choice. This is what most websites trying to do the right thing get wrong. That is, despite the good intentions of not tracking a visitor if they have not given consent, data still leaks i.e. tracking still happens.

For example, take a look at the following screenshot:

[Screenshot: Data leakage for this site is because the CMP configuration does not match the privacy policy. Audit data via verified-data.com.]

The table above shows what data hits are being sent with NO CONSENT – in this case to a single Google Analytics tracker. Although the website has correctly blocked the pageview hit, other event hits are “leaking” data when a visitor clicks either an outbound link or file download.
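As an added example (not code from this post, and not a CMP or GTM API), the following shows the configuration principle behind the leak above: a single consent gate that every tracking call, pageviews and event hits alike, must pass through, so an outbound-link or file-download trigger cannot bypass the visitor’s choice. The class and function names are assumptions.

```javascript
// Added example, not a CMP or GTM API: one consent gate that every tracking
// call, pageview and event alike, must pass through. Names are assumptions.
class ConsentGate {
  constructor(transport) {
    this.transport = transport; // function that actually sends a hit
    this.consented = false;
    this.dropped = [];           // hits blocked for lack of consent
  }
  // Called by the CMP banner when the visitor makes an explicit choice.
  setConsent(granted) { this.consented = granted; }
  // The only path to the transport: with no consent, nothing leaves the page.
  send(hit) {
    if (!this.consented) { this.dropped.push(hit); return false; }
    this.transport(hit);
    return true;
  }
}

// Outbound-link and file-download triggers call the gate, never the transport
// directly; a trigger wired straight to the transport is the leak shown above.
function trackOutbound(gate, href) {
  return gate.send({ type: "event", category: "outbound", label: href });
}
function trackDownload(gate, file) {
  return gate.send({ type: "event", category: "download", label: file });
}

// Constructed scenario: the visitor ignores the banner, clicks an outbound
// link, then accepts, then downloads a file.
function scenario() {
  const wire = [];
  const gate = new ConsentGate((h) => wire.push(h));
  gate.send({ type: "pageview", path: "/" });
  trackOutbound(gate, "https://example.invalid/partner");
  gate.setConsent(true);
  trackDownload(gate, "brochure.pdf");
  return {
    onWire: wire.map((h) => `${h.type}:${h.category || h.path}`),
    dropped: gate.dropped.map((h) => h.type),
  };
}
```

Only the download event, fired after consent, reaches the transport; the pageview and the outbound click before consent are recorded as dropped rather than sent.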

The five big CMP suppliers are: QuantCast, OneTrust, TrustArc, Cookiebot and Crownpeak. I am a big fan of Cookiebot – essentially it does the basics you need very well, without overcomplicating things, and with very sensible pricing (note I am biased, as my company is a Cookiebot partner!).

3. Verifying Your Data

An important part of getting on top of your compliance quagmire is to audit your current situation in order to get the full picture. This includes verifying:

  • No personal data is being collected – every site owner says they don’t, but the reality is usually different. Subscription signup forms, targeted email campaigns, login areas and password reset requests are often culprits as Google Analytics does a great job of vacuuming up all URL variables by default. (I also generally recommend the use of the Google Analytics anonymise IP function as an extra precaution).
  • No tracking takes place before consent is given – either to Google Analytics or any other tracker. This includes the obvious pageview data and any other “event” hits, such as scroll depth, outbound links and file download clicks.
  • Cookies being set are reasonable – that is, are reasonable in number (it simply doesn’t look good to overdo these), have a reasonable expiry date (less than 2 years), and are not overly bloated in size (always makes me suspicious).

That is what Verified Data does – an automated tool to audit Google Analytics setups – both for data accuracy and data governance. The technology used is unique because it combines a crawl of a website to determine what data should be collected and compares it with API checks on your Google Analytics account.

The screenshots for this post are all from Verified Data. For transparency, I am the co-founder of the company 🙂
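As an added example (not Verified Data’s code), here is a small audit routine over a constructed capture of tracker hits and cookies that applies the three checks listed above: hits sent before consent (pageviews and events alike), URL parameters that look like personal data, and cookie expiry and size. The record fields (ts, url, expires, value) and the sample data are assumptions constructed for the example.

```javascript
// Added example, not Verified Data's code: audit a constructed capture of
// tracker hits and cookies for the three checks above. Record fields
// (ts, url, expires, value) are assumptions.
const TWO_YEARS_MS = 2 * 365 * 24 * 60 * 60 * 1000;
const PII_PARAMS = new Set(["email", "phone", "name", "password", "token"]);

// Any hit timestamped before consent (or with consent never given) is
// tracking without consent, whether it is a pageview or an event hit.
function hitsBeforeConsent(hits, consentAt) {
  return hits.filter((h) => consentAt === null || h.ts < consentAt);
}

// Query-string parameters that look like personal data, e.g. from a signup
// form or password-reset link, are swept into analytics unless stripped.
function piiParamsIn(url) {
  const params = new URL(url).searchParams;
  return [...params.keys()].filter(
    (k) => PII_PARAMS.has(k.toLowerCase()) || params.get(k).includes("@")
  );
}

// Cookies should expire within two years and not carry a bloated value.
function unreasonableCookies(cookies, now, maxBytes = 1024) {
  return cookies.filter(
    (c) => c.expires - now > TWO_YEARS_MS || c.value.length > maxBytes
  );
}

// Constructed sample capture: consent accepted at ts 5000 (ms since load).
const CONSENT_AT = 5000;
const SAMPLE_HITS = [
  { ts: 1000, type: "pageview", url: "https://example.invalid/collect?t=pageview" },
  { ts: 2000, type: "event", url: "https://example.invalid/collect?ea=outbound" },
  { ts: 6000, type: "event", url: "https://example.invalid/collect?ea=download" },
];
const DAY_MS = 24 * 60 * 60 * 1000;
const SAMPLE_COOKIES = [
  { name: "_ga", expires: CONSENT_AT + 3 * 365 * DAY_MS, value: "GA1.2.1.1" },
  { name: "session", expires: CONSENT_AT + DAY_MS, value: "abc" },
];

function runAudit() {
  return {
    beforeConsent: hitsBeforeConsent(SAMPLE_HITS, CONSENT_AT).map((h) => h.type),
    pii: piiParamsIn("https://example.invalid/reset?email=a%40b.example&token=x"),
    badCookies: unreasonableCookies(SAMPLE_COOKIES, CONSENT_AT).map((c) => c.name),
  };
}
```

On the sample capture the audit flags the pageview and the outbound event sent before consent, the email and token parameters on the reset URL, and the three-year _ga cookie.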

Summary

There are a myriad of considerations and decisions that need to be made by organisations that wish to do the right thing and respect the privacy of their website users. The key is to ensure you actually know what data your website is tracking, i.e. not just Google Analytics, and then verify that your rules are being adhered to. In fact, that’s a legal requirement of GDPR law.

The skill is not just to implement consent correctly and be compliant, but to do it in such a way that you retain the vast majority of your data – because if most visitors say “no thanks” to being tracked, then you are in trouble!

Getting consent right while retaining most of your data will be the subject of my next post – and whitepaper: Best Practice Consent Guide – How to Achieve a 70% Opt-In Rate
