Getting cookie consent right under GDPR.
While it seems that GDPR has been a really long time coming, we are finally in May 2018, the month that sees the long awaited changes to data protection laws come into force. One growing aspect of compliance that is starting to prove tricky, if not extremely hard to understand; is that of how to deal with Cookie compliance under the GDPR.
So what does the law actually state has to happen when it comes to Cookie usage and how is this going to impact your website. And furthermore, what will you have to do to ensure compliance?
The main issues that surround how Cookies are going to be affected by the GDPR is that they initially come under their own separate section of data protection law called the PECR. The Privacy and Electronic Communications Regulations have been around for a good 15 years now with the most recent revisions being made in 2016. This is the same law that affects email, texts and other electronic communications specifically; but will also be governed by the GDPR when these electronic methods of communication will affect personal data.
According to CookieLaw, some of the top issues that GDPR will raise for Cookie consent are as follows:
As you can see, there are a number of different issues presented here that could mean wholesale changes to the way that websites across the world look, act and function due to the GDPR.
So with this in mind, are we going to see a world where splash pages are reintroduced where users will have to select each separate cookie that they want to accept or reject (which will most likely lead to a largely wide scale rejection) before being able to visit the website. And with wide scale rejection of all cookies apart from the most necessary for the site to function, this will massively affect all analytics and online advertising using tracking cookies such as Facebook’s pixel and Google’s remarketing.
Could this have further knock on effects toward analytics and even paid advertising? Remarketing, targeting and analytics Cookies are deemed as “non-essential” therefore you must gain consent in order to use them due to the legal basis for processing needed. If businesses are starting to realise that their remarketing efforts are fruitless due to the majority of people not consenting to have these Cookies placed in their browser then it isn’t too far fetched to suggest that remarketing may start to die out. As it stands, we at Project Simply have experienced approximately a 50% opt-in rate on our new GDPR compliant forms; and this is so that the user can continue to receive more relevant, interesting content from us. A Cookie; arguably; doesn’t really hold much benefit to the end user so it is quite reasonable to assume that not many people are going to opt-in.
And what to do with Analytics? If people aren’t opting in to using Cookies then it is fair to say that webmasters will never again have full transparency of the users on their website. Sure, it has never been 100% accurate using Analytics services but with the GDPR implementation, it is going to be even more likely that you won’t ever see a full picture again. Providing that all websites are compliant with the GDPR and don’t store relevant Cookies without asking someone first… but that’s a different blog post.
While all of this may seem quite complex and full on at first glance, we think that in practice, GDPR cookie consent isn’t going to require or warrant wholesale changes to your website’s infrastructure. Nor will it mean a pop-up, blocking entry to the site until someone has selected their cookie preferences.
What you need to do is, as aforementioned, follow the soft opt-in route. For this you will need to provide a banner or pop-up on your site that allows users to opt-in, on a granular level (e.g. separate opt-ins for non-essential Cookies like analytics and targeting Cookies) and then you can only apply those Cookies to that user if they opt-in. If they ignore the banner and don’t make a selection on it, you are able to provide a notice on the banner explaining that if they continue to browse the site on multiple occasions, you will presume that they consent to using Cookies. You could then potentially automatically assign consent to the user if they were to visit the site on more than one occasion, if they don’t eventually choose their preferences anyway. This is just our take on it, though – we strongly suggest that advice from the ICO is gained in every separate instance.
All of this seem a little overwhelming or just not know where to start at all? In the weeks running up to the “go live” date of the GDPR, we are offering a Personalised User Engagement, Web and GDPR Audit.
Our personalised User Engagement, Web and GDPR Audit will assess your current position, where changes are needed and gives practical implementation steps on what to do and when to help you be compliant. We will then put this into a tidy Launchpad for you to kick on with.
As always, this doesn’t constitute legal advice and it is advised that you seek guidance from the ICO about all issues to do with GDPR and data protection.