Let’s talk about opt-in cookie banners

In the wake of GDPR, cookie banners have invaded our websites and apps. They’re a designer’s worst nightmare, but today we’re going to take a good look at what a cookie banner really is, whether or not you need one, and what position we’ll be taking on them for our clients.

Okay, first things first. Here at Clicky, we pride ourselves on being digital marketing and web experts. We are not specialists in GDPR, nor are we solicitors. This is just a general chat around our position on cookie banners, and we’d still always advise you to seek legal counsel on this matter. There! All clear?

Back to basics. What is a cookie?

At its simplest, a cookie is a small text file which is added to a user’s browser when they visit a website. Some cookies are necessary for websites to function, and others are used for standard tracking and analytical purposes. These are often called first-party cookies (more on this later). Generally speaking, they are deemed innocent by most webmasters.

There are also cookies which are used for marketing purposes. These track your online activity to help advertisers deliver more relevant ads, or limit how many times you might see an ad. It’s these advertising cookies, often called third-party cookies, that are often frowned upon.

In particular, it is cookies that contain personally identifiable information (PII), or that track user behaviour online, that we need consent for.

Also, be aware, this blog is gonna get technical, so be prepared! This is also a great blog which details exactly what cookies are.

What’s a cookie banner?

If you’re asking this question, we’re a little concerned about where you’ve been for the last three years. In the unlikely event that you have somehow time-travelled to this exact date, we’ll answer it anyway, just so we’re all clear!

Put simply, websites collect data on their visitors – sometimes without even meaning to. Nowadays, you have to make sure that if your website is collecting data on a user, you have their consent – this is where cookie banners come in. Cookie banners are the “bars” or “pop-ups” that you often see appear when you first visit a website providing you with information.  

Why do people need cookie banners?

We’re pretty confident now that if your website is collecting data on EU citizens or those covered by the Data Protection Act 2018, then you’re going to need a cookie banner. 

Now, if you’re anything like us, you’ll immediately begin to question that statement, and in particular, the term “data.” What constitutes collecting data on EU visitors? We’ll get into this, but unfortunately, we think the bad news is that almost certainly some of the data you’re capturing about your users will mean you’ll need one of these ugly banners. Even where consent isn’t required, website users need to be informed of cookie use.

Cookie banners aren’t new though, are they?

Ah, great point! Whilst there has been a surge in the number of cookie banners in the wake of GDPR, it’s worth noting that cookie banners have been around for a long time, and were really first brought in following the ePrivacy Directive of 2002, which has since been affectionately termed “the cookie law.”

According to the cookie law, all websites had to give a cookie notice to visitors, informing them that the website sets cookies on the user’s browser. 

There’s a grey area here though, and this is why you may have had a discussion internally a few years ago about whether or not you needed an opt-in banner, or if you could get away with just sticking the notice towards the bottom of your website (hey, we’re not judging you). But this has changed! We don’t think it’s okay to have a banner which simply notifies your users about your cookies.

So how does GDPR fit into this?

GDPR is where things began to change. No longer is it enough to simply inform your users that your website is using cookies to collect data. Instead, websites now have to give users the choice to consent, or not consent, to this use.

GDPR, or “The General Data Protection Regulation” to honour its Christian name, came into effect in May 2018, and is one of the big reasons why you now need to get consent from your visitors, as opposed to just informing them.

GDPR is the discussion point here, because it states that websites have to be transparent about their data collection practices, and cookies are one way websites can track a customer’s data.

We think the above is basically legalese for saying that cookies can be used to identify a user, and as such, qualify as personal data, and in turn, are covered by GDPR.

It’s important to understand that GDPR doesn’t replace or remove the ePrivacy Directive; instead, they work together, like a “bad cop, bad cop” duo, the combination of which ultimately means the eventual acceptance of the cookie banner as a requirement. 

Additionally, the “cookie law” we mentioned earlier (the ePrivacy Directive), is actually in the process of becoming a regulation. In fact, by the time you read this, it may already be one. 

Broadly speaking, it’s these two laws that have changed the landscape. The “cookie law” states that users must have given prior, informed consent to the use of cookies, and the GDPR requires that a record is kept of this consent. It has also changed the way consent is acquired, i.e. it now requires an affirmative action. You know where this is headed, right?

Go back, what does “data” cover?

This was the core discussion point for businesses all over the land, as we all innocently held our hands up and professed that our little website barely collects any data, so surely we’re safe from the unwieldy cookie banner? Alas, it’s probably not working.

The honest answer is that probably all cookies on your website track users in one form or another. There are some exemptions which we’ll look at shortly, but we’re pretty confident that most sites will need a cookie banner moving forward, as you’ve probably seen.

We get it though, the average person working in digital marketing won’t be able to utilise data stored in a cookie to identify an individual, but that doesn’t really matter. The point is that it is possible to use data stored in cookies to profile individuals.

I really don’t want a cookie banner – what if I only collect first-party cookies?

This is where the topic becomes a whole lot more complicated! We’ll try and keep this brief, as you can read more on first- vs. third-party cookies, and how it impacts the web, here. Broadly speaking, there is a misconception (in our opinion) that third-party cookies are the naughty ones that infringe upon a user’s privacy rights, and first-party cookies are merely the wholesome, angelic cousins that have really done nothing wrong.

The problem is, the GDPR doesn’t really care too much about first-party or third-party cookies. As you’ve seen, it barely mentions cookies.

The cookie law, on the other hand, does not specifically require you to name individual third-party cookies on your website, but you do need to state their category and purpose. So, we understand this as meaning that you don’t need to list every cookie on your website, but you do need to broadly talk about cookies, and how you use them. Here’s what the ICO said on the matter:

It could be an option to provide long lists of all cookies implemented, but for most users a broader explanation of the way cookies operate and of the categories of cookies used will be helpful. A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function.

Are there any exemptions to the requirement?

There are, and this is where the waters get muddied even further. A few types of cookies appear to be exempt from the requirement, although you’re still required to inform users about your use of cookies. The commonly understood exemptions are:

  • Technical cookies necessary for the service you provide (e.g. load balancing).
  • Statistical cookies managed directly by you (not third parties), providing that the data is not used for profiling.
  • Anonymised statistical third-party cookies such as Google Analytics.

We appreciate that things do get tricky here, but hey – we’re only repeating what we know – in fact, there’s a great write-up of the exemptions here. As we understand it, it is possible to use cookies on your website without consent, but only if all of the cookies used can legitimately be claimed to be essential. You can bet your bottom dollar that your Google Ads DoubleClick and Facebook Advertising cookies are unlikely to be considered as such.

Fine. I accept it. What do I have to do?

It’s been a good fight, but we think we’re in agreement – cookie banners are here to stay, and here at Clicky, we think they’re necessary. Here’s what the Working Party document on the cookie law says on the matter:

It’s that last bit which is really important. Specific information, fine, prior consent, fine, but “expressed by a user’s active behaviour” is the interesting part for us. Put simply, we think we’re in a position where most websites now need cookie banners that explicitly offer the user the option to approve the use of cookies, or decline them. Additionally, the cookie banner needs to record this decision too.

Sad times, right?

It’s definitely easy to see it that way, and we know our wonderful Creative team aren’t too pleased about this. However, “necessity is the mother of invention,” as they say, and we’re confident that the digital landscape won’t be populated by these ugly, cumbersome cookie banners for too much longer. 

We see this as just another shift in the evolving landscape within which we’ve operated for almost thirteen years. We’re optimistic that it’ll only be a matter of time before the disruptors and innovators find new ways to adhere to the GDPR and ePrivacy Directive, whilst also continuing to offer users a beautiful, engaging web. 

Why not speak to our Web team about getting a cookie banner installed on your website, if you don’t already have one? 

Written by David Berry

Head of Performance & Analytics