These days, browsing the internet feels a lot like wading through quicksand. Almost every web application first asks users for consent to an unmanageable number of usage scenarios.
The reason behind this is the honorable intention of global politics, and the European Union in particular, to return data sovereignty to users after decades of unnoticed data collection by countless service providers.
In 2018, the European Union enacted new legislation to protect its citizens’ personal data, potentially affecting every consumer brand worldwide: the General Data Protection Regulation (GDPR). Unlike its predecessor, Directive 95/46/EC, which had to be transposed into national law by EU member states, the GDPR has been directly applicable in all EU member states since May 25, 2018.
Why does the GDPR implicate cookie policies?
The GDPR was created to enshrine Article 8 of the European Charter of Human Rights, which aims to regulate personal data stored or used by a business. The GDPR applies to all matters of personal data and is not limited to the internet and electronic communication.
Although cookies are mentioned only once in the GDPR, cookie consent is a cornerstone of website compliance for EU users, as cookies are among the most common methods of collecting and sharing data online.
Cookies are text files that contain small amounts of information. They are downloaded to a user’s device while visiting a website/app. On each subsequent visit, the cookie is sent back to the data endpoint of the website/app that set it, or to another website that recognizes that cookie.
Cookies are useful because they allow a website or app to easily recognize a user’s device. They do lots of different jobs, like letting users navigate between pages efficiently, remembering their preferences, and generally improving the user experience. Cookies also help with advertisement personalization.
A brief history of cookie consent
The approach of protecting online privacy by educating consumers on data collection and offering an opt-out is nothing new. It started as an EU directive in 2002 that was adopted by all EU countries in 2011. With a changing digital landscape and emerging data-driven technologies, the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) was in strong need of an update.
The first draft of the new E-Privacy Regulation was presented in January 2017 by the European Commission with the expectation that it would pass quickly and would apply as direct law from May 25, 2018 – together with the GDPR. However, more than three years after the original proposal was published, EU Member States have not yet been able to agree to the E-Privacy Regulation.
Despite the E-Privacy Regulation not yet being finalized, the Court of Justice of the European Union ruled in the Planet49 case on October 1, 2019, followed by the Guidelines of the European Data Protection Board (EDPB) in May 2020. Meanwhile, more and more countries have adapted their data protection rules in line with the E-Privacy Regulation.
All businesses serving websites and apps are now required to implement cookie consent functionality on their websites/apps. Disregarding the regulation means facing painful fines and penalties from data protection authorities!
What you need for valid cookie consent:
The EDPB Guidelines state that the website/app cookie banner cannot have any pre-ticked checkboxes and that continued scrolling or browsing cannot be considered as valid consent to data processing.
So-called “cookie walls” (forced consent) are also considered non-compliant! It is not permitted to withhold a service because users do not consent to unrelated marketing services. Some publishers used this approach to obtain consent for their marketing services before it was explicitly prohibited.
A clear and affirmative consent statement is needed for both website and apps to enable cookies and to process personal data.
The extent and purpose of the data processing must be described to the visitor in easy-to-understand language before any personal data is gathered.
Users must be able to find the types of data collected on the website at any time. It must also be just as easy to find, change or withdraw the previously given consent in the preference center.
Consent must be renewed annually. However, some national data protection policies recommend a more frequent renewal. Local data protection policies need to be checked for compliance.
Cookies that are strictly necessary for website or app functionality are exempted from cookie consent requirements.
Consent forms must be kept securely as legal documentation.
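The rules listed above translate into a small set of invariants that every cookie-setting code path should enforce: nothing optional is on by default, strictly necessary cookies bypass the gate, a decision expires after a year, withdrawal is one step, and every decision leaves a record. The following is an added example, not code from the original article or from MAPP; the category names, the record layout and the one-year validity window are assumptions chosen for illustration.

```javascript
// Added example (not from the original article): a minimal consent model
// that encodes the EDPB rules. Category names, the record layout and the
// one-year renewal window are assumptions for illustration.

const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// "necessary" is exempt from consent; every other category stays off until
// the user actively opts in (no pre-ticked boxes, no consent by scrolling).
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// A fresh visitor: no decision recorded yet, empty audit log.
function newConsentState() {
  return { givenAt: null, choices: {}, log: [] };
}

// Record an explicit decision made in the banner or preference center.
// Only categories the user set to exactly `true` are granted; unknown or
// non-optional category names are rejected so a typo can never grant anything.
function recordConsent(state, choices, now) {
  for (const key of Object.keys(choices)) {
    if (!CATEGORIES.includes(key) || key === "necessary") {
      throw new Error(`cannot record consent for category: ${key}`);
    }
  }
  const granted = {};
  for (const cat of CATEGORIES) {
    if (cat !== "necessary") granted[cat] = choices[cat] === true;
  }
  return {
    givenAt: now,
    choices: granted,
    // The log is the legal record of the decision; persist it server-side.
    log: [...state.log, { at: now, action: "consent", choices: granted }],
  };
}

// Withdrawing must be as easy as giving consent: one call revokes every
// optional category and leaves a trace in the log.
function withdrawConsent(state, now) {
  const revoked = {};
  for (const cat of CATEGORIES) {
    if (cat !== "necessary") revoked[cat] = false;
  }
  return {
    givenAt: now,
    choices: revoked,
    log: [...state.log, { at: now, action: "withdraw", choices: revoked }],
  };
}

// Consent expires after one year and must then be asked for again.
function consentNeedsRenewal(state, now) {
  return state.givenAt === null || now - state.givenAt >= ONE_YEAR_MS;
}

// The single gate every cookie-setting code path goes through.
function isAllowed(state, category, now) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false;
  if (consentNeedsRenewal(state, now)) return false;
  return state.choices[category] === true;
}

// Given the cookies a page wants to set, keep only those the visitor has
// consented to, plus the strictly necessary ones.
function permittedCookies(state, cookies, now) {
  return cookies.filter((c) => isAllowed(state, c.category, now));
}

// Constructed sample cookies for a demo run (hypothetical names).
const SAMPLE_COOKIES = [
  { name: "session_id", category: "necessary" },
  { name: "lang", category: "preferences" },
  { name: "_analytics", category: "statistics" },
  { name: "_ad_id", category: "marketing" },
];

// Walk a visitor through arrival, opt-in and withdrawal; returns the
// permitted cookie names at each stage.
function demo() {
  const t0 = Date.UTC(2020, 5, 1);
  const names = (s, t) => permittedCookies(s, SAMPLE_COOKIES, t).map((c) => c.name);
  let state = newConsentState();
  const onArrival = names(state, t0);
  state = recordConsent(state, { statistics: true }, t0);
  const afterOptIn = names(state, t0);
  const afterOneYear = names(state, t0 + ONE_YEAR_MS);
  state = withdrawConsent(state, t0 + 1000);
  const afterWithdraw = names(state, t0 + 1000);
  return { onArrival, afterOptIn, afterOneYear, afterWithdraw, log: state.log };
}
```

The point of `isAllowed` being the only gate is that a tag manager or analytics loader never consults the raw choices itself; expiry and withdrawal are then enforced in one place rather than re-implemented per script.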
The definition of personal data
The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Unless anonymized, online identifiers such as IP addresses now fall under this category.
Pseudonymized personal data is also subject to the GDPR if it can be re-identified, e.g. by reversing the pseudonymization.
What to avoid
Bad impact on SEO traffic?
Placements in SERPs (Search Engine Result Pages) depend indirectly on factors that are influenced by cookie consent. Among others, these are:
Website abandonment rate, i.e. the percentage of visitors who leave a page without actually using it (or appear to).
Duration of use and page views per visit.
Lack of tracking by search engines if the associated cookies are not accepted.
The math is quite simple here: poorer rankings = less traffic = fewer new customers = less revenue. Here you can see clearly how legal requirements and court rulings have a direct impact on conversion.
More data protection – less traffic?
Declining search engine rankings will cause a drop in visitors. But that’s not the only cause. Cookie banners increase the abandonment rate. This also applies to visitors who access your applications via social networks, partner sites, or direct entries.
Many companies then place significantly more ads to compensate for the losses. It is becoming increasingly apparent that small companies need to spend more on data protection than larger companies. This is the flip side of improved consumer rights.
Online marketing in blind flight!
Studies have shown that in some cases, only a small fraction of users agree to all cookies if the associated banner has been implemented 100% according to the consent rules.
Marketing teams know less and less about:
Where incoming traffic comes from (Google, Facebook, Twitter, other websites, direct entries, etc.).
Which parts of the web application are used, and how.
How users navigate through offers, when they revisit the application, or whether they abandon on certain pages.
Who becomes a customer, how, why and when, etc.
With a compliant and well-designed consent management implementation, the worst of the drop can probably be avoided!
Want to learn how to best implement Cookie Consent Management? Check out my blog post: Cookie Consent Done Right.
This article was first published by MAPP. Permission to use has been granted by the publisher.