Four tips for a GDPR-proof cookie notification
The big GDPR deadline on the 25th of May is expired for over a month now. Reports about large fines or checks remain silent so far. However, a lot of organizations have been massively conforming to the GDPR legislation. Dozens of emails send to users result in great annoyance, and more sites have implemented a cookie notification.
However, I am surprised by the fact that more than half of all consent e-mails and cookie notifications do not comply with the guidelines of the GDPR legislation. Furthermore, organizations have a ‘cautious’ attitude towards the cookie notification, which results in losing many consents. Very sad and absolutely not necessary! Therefore, I listed a few tips below about how to get consent through your cookie notification:
1. Remove mandatory interaction with the cookie notification
The first tip fits with the point that I made about missing consents. It is not by definition wrong to allow you visitors to interact with your website without agreeing to the cookies. Yet, this means that by default all cookies on your site (at least the non-functional cookies) should be turned off.
Many companies wish to place the cookie notification at the very bottom of the website, to make sure it does not stand out. It is better to place the notification over your menu as a pop-up, overlay or at the top of your site, so that the visitors are forced to do something with the report. In most cases, visitors will accept it, and the visitor who does make the effort to click through to the institutions is grateful that they get this opportunity.
2. Be transparent about which (categories) cookies are active on your website
Cookie notifications often use categories, which can sometimes be accepted or rejected by category. These categories usually range from ‘functional cookies’ to ‘advertising cookies’. Functional cookies are often harmless, and actually necessary for the site to function properly, you can make these mandatory without having major consequences for your compliancy.
All parent categories must actually be inactive by default. Only when someone actively clicks and gives his permission to a certain category of cookies, they can be activated. In practice, we notice that his happens very occasionally. Most websites opt for a cookie wall: they often provide information about (category) cookies, but visitors can either accept everything or leave the website. The use of a cookie wall is not yet prohibited in the GDPR legislation. There is a lot of discussion about whether companies can do this. Jurisprudence will point out whether this will continue to be permitted in the future.
When an organization chooses to set all categories of cookies to active by default, my advice would be to be transparent about this and at least give visitors the option to turn them off. This way, you give your visitors a choice, but you also give the responsibility to the visitors to read further than just the first cookie report on your site.
- An overview of all categories of cookies that you use.
- An overview with all the names, explanations, and storage periods of the cookies.
You can show this via a table form which shows the names, functional explanations, storage periods, and preferably also the source site (possibly third-party sources).
- Instructions about how to delete cookies.
A short explanation about how the visitor can delete the cookies. The best thing would be if you give the user the opportunity to easily delete cookies via the website. However, this is often quite difficult in practice. Deleting cookies via your browser, on the other hand, is a lot simpler, and therefore very chic to give your visitors instructions about this process.
4. Tags and trackers are not adjusted to the cookie notification
Having a visual cookie notification on your site is one thing, but a technically functioning notification is a challenge. In principle, no cookies may be loaded into the site before a user has given permission. This requires some manual actions regarding your tags, scripts and trackers.
For example, you use TagManager to use Google Optimize in your site, and the configuration is set in a way that this tag is fired on a page load of the home page. Then this cookie is already placed when someone browses your homepage, regardless of whether the visitor has done something with the cookie notification. That is why it is important to adjust all trackers that they are only loaded once the visitor has accepted. This can be done, for example, in TagManager by setting a trigger on an event (clicking the accept button). However of course, there are other options besides TagManager to implement cookies. Many organizations use multiple methods to do this. Always look critically at how cookies are loaded into your site!
TRIMM is partner of CookiePro (OneTrust) and CookieBot. Depending on the number of domains, number of sub-pages and number of language variants of your site, we can help you with the most suitable and affordable option for your organization. In any case, we always ensure that a cookie notification is visually attractive and easy to use for the visitor, but most important: it needs to function well.
If you have any questions or problems regarding GDPR in your organization, or do you have a general question? Check out my blogs about the emergence of the GDPR, our roadmap to comply with the GDPR, or why GDPR does not only concern multinationals. You can also ask me a question directly.