Recently our legal department has been asking us to add a cookie disclaimer thing to our marketing website. I hate those and want to put in the least intrusive version. How do people here deal with this? Thanks!!
The best thing one can do is not use cookies -> no need for a consent banner.
If that's not an option, the next best thing is to have an overlay that is as honest as possible and most importantly provides not only an "Accept all", but also a "Reject all" button.
Don't use dark patterns, basically. That is, use the same color, style and size for each of those buttons.
My experience is that most users are so used to these overlays by now, they just look for the button which gets rid of them most quickly. Marketing will typically push to tinker with the appearance of the buttons to increase the conversion rate in favor of the "Accept all" option.
The question always is whether there's a negative consequence outweighing the "positive" incentive of trying to increase favorable consent decisions by using dark patterns.
I had the pleasure to learn a lot about this while working in the higher levels of some German company with a somewhat questionable track record.
Here's what you can do (only applies to Germany, but might be similar elsewhere):
Complain to the data protection authority of your local state in writing. These complaints will be followed up by the authority and if enough of them accumulate, the company will have a bad time and the aforementioned incentive equation will be bent towards the end that favors user privacy.
Don't write angry emails. Nobody cares and you waste time.
Pretty clearly so. It seems weird to me that so many companies put up a cookie banner in order to avoid breaking the law, and then break the law in order to make it less effective. I suppose the win here is that if the (fairly toothless) regulators notice you can say "oh we thought this was enough" and then tweak it. But in that case why not just have no banner at all, and wait until they notice in the first place?
Just as daft as the extra-US sites that choose to show no content to EU geolocated origins instead of complying with the law. Which is... also illegal under the letter of the law, so why not just ignore the law. Presumably you're probably out of the jurisdiction anyway if you're bothering to do this.
> Just as daft as the extra-US sites that choose to show no content to EU geolocated origins instead of complying with the law. Which is... also illegal under the letter of the law
Since when? The GDPR explicitly only applies if you offer your shit to EU subjects or monitor EU subject behavior while they're in the EU. By actively rejecting those potential customers and not tracking them (because you refuse to provide them the product), does that not suffice to not have to worry about the rest of the terms?
I know there are a few cases regarding linking to news articles and how the company in question can't stop providing that service, but in all such cases I'm aware of the offending company had other ties to the EU whereby the GDPR might have been enforceable.
Actually not true, the regulation (ePrivacy Directive / PECR in the UK) applies to all trackers including cookies, pixels, scripts, etc. If you can do with only "strictly necessary" across those then you're right.
Also consider visitors are used to these prompts, without one they may wonder: does this site follow the law?
Except this is not the question. Why is it so hard for people to understand cookies are absolutely needed even if you just want to calculate retention or number of unique visitors.
I'd like to point out that I answered the question even if not using cookies is not an option.
But to elaborate a bit: At least in Germany (and I believe this applies more or less everywhere) if you install a 1st-party tracking method based on 1st-party cookies, that doesn't fall under the 3rd-party consent requirement and you don't need consent. That means you can track your valuable retention numbers and won't need a consent banner. It's a common misunderstanding that you need that consent for all cookies. You only need it for cookies that aren't required to do your business. And 3rd-party cookies aren't.
It's just that marketing typically don't want to spend any money on this, because these retention numbers turn out to not be enough value to justify the investment. I wonder if they are as valuable as you described at all.
Edit: I should have said 1st-party tracking that doesn't collect personally identifiable information (PII).
This is completely false. You need permission for any data you store on a user device or retrieve from a user device if that is not strictly needed for the execution of the service the user requested. Nowhere in the law is the word "cookie" even used, so your suggestion that "1st party cookie" is different from "3rd party cookie" is wrong. And similarly, this whole thing also applies to all alternative tracking methods, so you cannot avoid it by using localStorage for example.
A 1st party tracking solution is in no way considered needed to deliver the service the user requested. Only things like remembering my shopping basket are necessary to deliver the services of a webshop. And you cannot use that cookie for other purposes (like counting visitors).
This is what is false. You can use first party tracking using cookies, local storage, IndexedDB, whatever you like without consent as long as it is not tied to any PII and it is essential for _operating_ your service. Diagnostics, page views, flows through the app, even with a unique identifier for that session is fine and 100% acceptable for both GDPR and CCPA unless it's shared with third-parties or tied directly to PII.
The easiest thing to do here, is to simply not associate those sessions with a particular user. Even if your user accounts are tied to specific PII for essential purposes of your app. As long as the tracking data is not connected to that identifier, does not log any PII data on its own, and is not shared with third parties you do not need consent.
One quick edit: Be careful with collecting errors, it's easy for backtraces to include application specific data including any PII you might have which will tie that session back to a specific user and becomes a violation.
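An added example (not code from the thread or from any product mentioned in it) of the two points in the comment above: a per-session diagnostics record that is never joined to the account identifier, and a pre-send scrubber that drops identity fields and redacts e-mail addresses and card-like numbers from error messages and stack traces. The report, the field list and the regular expressions are assumptions; whatever consent a given site ends up needing, this is the data-minimisation step that keeps a backtrace from tying a session to a person.

```javascript
'use strict';

// Constructed example of an error report as an app might assemble it before
// sending it to a diagnostics endpoint. The "user" block and the e-mail in
// the stack trace are exactly the kind of data the comment above warns about.
const RAW_REPORT = {
  sessionId: 'c3f1a9e2',  // random per-session id, deliberately not the account id
  page: '/checkout',
  user: { id: 4711, email: 'alice@example.com', name: 'Alice' },
  message: "Cannot read properties of undefined (reading 'total') for alice@example.com",
  stack: [
    "TypeError: Cannot read properties of undefined (reading 'total')",
    '    at renderBasket (/app/checkout.js:42:17) customer=alice@example.com card=4111111111111111',
    '    at handleSubmit (/app/checkout.js:88:5)',
  ].join('\n'),
};

// Field names that link a diagnostics record to an identifiable person
// (assumed list; extend it to match your own data model).
const IDENTITY_FIELDS = new Set(['user', 'userId', 'email', 'name', 'ip', 'phone']);

// Patterns for free-text PII that commonly leaks into messages and traces.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const CARD_RE = /\b(?:\d[ -]?){13,19}\b/g;

// Replace e-mail addresses and long digit runs in a string with placeholders.
function redactText(text) {
  return String(text).replace(EMAIL_RE, '[email]').replace(CARD_RE, '[number]');
}

// Return a copy of the report with identity fields dropped and every string
// redacted, recursing into nested objects. The session id is kept because it
// is not derived from, or stored next to, the account id.
function sanitizeErrorReport(report) {
  const out = {};
  for (const [key, value] of Object.entries(report)) {
    if (IDENTITY_FIELDS.has(key)) continue;
    if (typeof value === 'string') out[key] = redactText(value);
    else if (value && typeof value === 'object') out[key] = sanitizeErrorReport(value);
    else out[key] = value;
  }
  return out;
}

// Pre-send check: true only when no identity field and no e-mail or
// card-like pattern remains anywhere in the serialised report.
function looksClean(report) {
  if (Object.keys(report).some((k) => IDENTITY_FIELDS.has(k))) return false;
  const text = JSON.stringify(report);
  // String.search ignores the global flag, so no lastIndex state to reset.
  return text.search(EMAIL_RE) === -1 && text.search(CARD_RE) === -1;
}

// Stand-alone run: print the scrubbed report and whether it passed the check.
const cleaned = sanitizeErrorReport(RAW_REPORT);
console.log(JSON.stringify(cleaned, null, 2));
console.log('clean:', looksClean(cleaned));
```

The check is deliberately pessimistic: it refuses to send rather than trying to be clever about what an "acceptable" leak looks like, which is the safer default for a diagnostics pipeline that is supposed to stay unlinked from accounts.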
The language in the UK version of the law is "strictly necessary for the provision of an information society service requested by the subscriber or user", which the ICO interprets as meaning "it must be essential to fulfil their request". I don't think tracking page views counts, because it's technically possible to serve a page without using a cookie to track that it was viewed.
You're forgetting about the ePrivacy directive (or "cookielaw"). That has nothing to do with whether the information is identifying or not, you need permission for everything that isn't strictly necessary to deliver the service the user requested.
Analytics is not strictly necessary to deliver the service.
Thank you. I have done so many implementations of GDPR. The cookie consent pop-ups everywhere are only needed because of how aggressive these third parties collect information (and that they _are_ third parties).
Just don't collect PII beyond what is absolutely essential for your application, and don't share it with third parties. Bam, you don't have to get consent. Knowing what classifies as PII is still a hard problem because it's full of so many conditionals. Email is not PII unless you have some part of their name for example and it counts if your company receives an email from that person that includes their name in the From field.
All the cookie banners out there are designed to make people wary of them into just accepting the previous practices. It's malicious compliance.
If you're doing 1st-party tracking, and you are collecting personal data for that purpose (which is almost by definition going to be true), and the user hasn't explicitly asked for that tracking to take place (for instance by creating an account and logging in, or by putting items in a shopping basket and expecting them to be retained) then yes you will need to ask for consent to do that tracking.
The test isn't whether collecting that data is required to do your business - it is whether collecting that data is required to do what the user is asking you to do. So if (for example) you are tracking your users to see where they click in your web site in order to improve your web site, then that is only required for your business - your user has no interest in that, didn't ask for it, and therefore must be asked for consent for you to do it.
I was referring to the grey area of legitimate interest in the law and how I was briefed to interpret it ca. 2021. Things may have moved on and I am not a lawyer. You might be right and what the lawyers told me back then isn't true or was true and is no longer considered true.
What I was basically saying is that 1st-party cookies are considered more likely to reflect a legitimate interest than 3rd-party cookies. And I think that is what the interpretation of the law was (or maybe still is).
You can do 1st-party tracking without collecting personally identifiable information if it's just about retention without a user ID, which I was referring to. And I in fact think that there is a case to be made that this could be part of the legitimate interests of improving the user experience on a web property of a given business, hence not requiring consent.
I'll certainly agree that this is an area where different opinions abound, and also you are much less likely to be prosecuted for this, so it's likely that advice would be that it's probably alright and you'll get away with it. But a strict interpretation of the law says that you can't use information gathered for a purpose for which the user didn't consent (or deliberately ask for, etc), even if you have it lying around because you collected it for a separate reason that is valid.
Regarding arguing that improving the user experience is a legitimate interest - I'm not aware of that having been argued and decided in court, but my opinion is that it is a hopeful misinterpretation of the law, and a slippery slope towards quite egregious data collection.
Yes, you can collect web site metrics without identifying information, for instance how many times are the different links on a particular page clicked on, but if you're linking one page request to another by the identity of the browser that is requesting them, then that is crossing the line.
> [...] but if you're linking one page request to another by the identity of the browser that is requesting them, then that is crossing the line.
Just out of curiosity: That would be crossing a line, because it might be potentially possible to reconstruct an identity from the linked navigation pattern?
If so, I guess I would consider that beyond the realm of what any normal internet lawyer would include in their advice.
A cookie used solely for counting anonymous visits without storing individual identifiers generally wouldn't be considered personally identifiable information under GDPR.
At least that's what I was told. Having said that, this is obviously a complicated and nuanced topic with a lot of grey areas. I guess it's a good idea to talk to a lawyer in any case.
> even if you just want to calculate retention or unique visitors.
Why is it so hard for people to understand that I just want you to serve me the page and bugger off? It's like justifying embedding GPS tracking in pamphlets that people hand out on the street.
There’s 90% chance that no, it’s not your business. There’s also a lot of chances that your website is about a product. In which case, it doesn’t make sense to know how many people come and read. People only need the information to know "will I buy that or not?" or, even more frequently "I’ve bought that but I don’t understand something".
Tracking is counterproductive in most scenarios. (but very few understand that)
Europe's parliament website[1] uses a cookie banner, even though its job is literally to just show information. If they want to track visitors any non trivial site would.
Which demonstrates exactly my point: web devs are now incapable of not tracking users even if it's actually harming their business.
I had an experience with a national meteo application including Facebook trackers. I complained and they replied that they were totally unaware of that fact. The tracking was added by default by the contractor as part of his standard template. (note: they removed the tracking after my complaint).
But it is also about people in charge, who are completely addicted to statistics about the number of visitors and all information. People like to track others. They actually want that.
The sad part is that nobody in IT really complains or tells them that it is creepy. We install blockers on our own computers and get over it, writing code that tracks those without blockers without batting an eye.
> The sad part is that nobody in IT really complains or tells them that it is creepy.
Which may be because if you do, you will typically be called the "technical person" who "doesn't understand anything about 'normal' users" and you should be more focused on your actual technical tasks.
You don't need cookies for it, but it very much makes a difference how many people come and read. Optimising the visitor-to-buyer pipeline is an important job for retail. To even begin doing that, you need to know what percentage of visitors bought something.
Your opinion is comprehensible from a user's standpoint.
Once you have worked a while in business or marketing, you will see that it's not that easy unfortunately.
There's a lot of pressure to provide certain numbers or at least to collect them "just to be sure". Typically this requirement comes without any willingness to invest money, because "you can just install Google Analytics for free".
I don't want to justify this at all, because I believe in the long run these numbers aren't worth what people claim they are worth at all. I just wanted to explain that not everyone is "bad" or "anti-social" for complying with "leadership" decisions and installing a CMP and Google Analytics.
> Once you have worked a while in business or marketing, you will see that it's not that easy unfortunately
Nobody is forcing anybody to do this, this is a personal and business decision to make more money at the expense of users' well-being. When you're surrounded by lots of people that think a certain way, you start to see it as acceptable and even good.
Though I know lots of people that disagree, I personally don't think it's justifiable. If someone finds it justifiable, they should take responsibility for it.
My experience is that the source of all this is the fear of having a substantial disadvantage against the competition and having to defend your decision of sustaining such a perceived disadvantage against the CEO/board. Understandable from my point of view, even though I don't like the outcome. This then usually trickles down the hierarchy in companies and, yes, someone will somehow implement it to earn their living. I'd define the implication of losing your livelihood as a consequence of not doing what you are told as force, but that is open to opinion I guess.
An anecdote that might be worth mentioning in this context:
I was once told by some CEO that they didn't hire a really qualified person, because that person had enough money to not be dependent on the job. This is, in my experience, an appropriate reflection of the role of money in controlling people's decisions. It's essential that you are dependent so that you can be forced to comply or risk losing your livelihood.
You won't get precise numbers anyway - if you're large enough, adblock will kill even your first-party analytics. On the other hand, people with multiple devices will be undercounted. At that point, you may as well start counting access per IP and adjust for the known cgnat endpoints.
If you want to track me to calculate retention, you need my consent. Easy as that. You can't promise me you're only using my user ID for that single purpose. We've been taught through experience that if someone has data, it will be used.
Cookie permissions and EU advertising options should absolutely be built into the browser, it makes no sense for the user to have permissions on each site individually like this with a different system on each one.
Then the user can centrally review what permissions they gave, revoke them etc.
So no sites should have these kind of approval banners.
It'd be especially great for a hip and cool corporation with a burgeoning browser to automatically set that header all the time, helping ensure nobody actually listens to it.
Huh, I think I agree. Not only are the banners slow, obnoxious, have a tendency to being manipulative and are different for every website, a web developer can easily ignore the user's choice and track them anyway. Apple made a big leap with the “ask app not to track” and I think browsers should have this as well. If only to get rid of those infernal banners.
I've been in Europe for almost 2 months now and started seeing the GDPR banners a lot more often. I've yet to feel like I'm missing anything by either clicking reject all, or by avoiding the site if I can't reject all non-required cookies in a few clicks.
I think the closest we are going to get to that is the Consent-o-matic plugin, where you set your permissions centrally and it automatically fills in the forms for every web site it can.
And that leads through to another tip to make your consent request less obnoxious - make sure that plugins like Consent-o-matic do actually work correctly and invisibly with your site.
I don't like them any more than any other tech person, but let's give credit where credit is due. Ads and SEO ruined it way more thoroughly than cookie prompts.
This would make for a great blog post: top 10 things that ruined the internet. I nominate generative AI for the version of this post two years from now.
I would ask them what is the absolute minimum required by law and to provide citations and the penalties for not applying it correctly.
The last time I checked (a few years ago) most websites were doing a serious overkill with the banners, where the law didn't require it. Also, for certain companies the possible penalty for not having a banner was so low that it didn't make sense to have such banners at all.
You can see in this thread that 20 different HNers who are passionate about the subject and have done implementations before have 20 different opinions on what the law actually does. So how can we expect random businesses to all be on the same page? And this is not years after GDPR started.
Apple.com does not ask consent to track you for marketing purposes.
GitHub used to not have cookies for tracking purposes either but it looks like some people couldn’t live without tracking users so it’s back after 2 years on some subdomains: https://github.blog/2020-12-17-no-cookie-for-you/
If you have a one-click "no to all" for people like me, and a one-click "yes to all" for people who just want to get on with their lives, and both buttons are the same shape/size/color and easily clickable, then you're already waaaaay ahead of the curve.
Make sure that it does work with extensions like "I don't care about cookies". That one is usually easy, but make sure it works with the uBlock script too.
Do not have the banner force any site reloads.
Analytics, for example, can be loaded into a page without reloading.
If that is done the ad blocker users will never notice the banner.
There should be a big "X"-shaped button for simply dismissing the banner, deferring the answer to a later time. After all, if someone is visiting your website for the first time, they likely don't know your site well enough to know whether they want to accept or reject.
Least intrusive: Make it take up so little space that you don’t even need to close it, make the accept button green and the deny button red, and let there be no consequence if neither is clicked. Don’t make anyone aware of the ambiguity that not clicking it is neither consent or denial.
Pointing out this stuff forces you into the path of requiring that people click on it before being able to navigate the website, which is extremely intrusive, and makes all the marketing people insist that you apply dark patterns.
From a user's POV: if you do have to ask for cookies, please make the "reject all" button object to all "legitimate interests", so I don't have to manually expand each "purpose" to object. I won't use the site unless I object to all. If it's too big of a hassle at that moment, I'll just leave and not come back.
The frustration part sets in when I start reading the page, and then a whole-page popup interrupts that experience and makes me disable cookies. Second frustration is when I have to go dig for the "no". At this point, I reevaluate whether I really want to read this page or not, and if it's not essential, I close the entire page at this point mouthing a silent "fy".
So, as others have already said, definitely a "reject all" and be done with it right in the beginning, without the need for any further clicks. Better yet if the banner is just a sliver on the side that doesn't interrupt my reading experience (clearly, as long as I didn't click "yes" on cookies, it can't set any; so it would be default-no, allows me to read, and if I want to click in the corner for something else, I can). Even better if it has an "X" to close that unintrusive side window, and of course the X gets treated as "reject all".
The GDPR law is quite clear - it is MANDATORY to have an equal way to reject consent as to grant it. So basically you must have equally designed button "accept" and "reject" on the same banner frame.
See, the problem is solved even before it appeared - if your company will comply with the law then the banner would not be obnoxious by design.
Make sure that if someone visits your web site with Javascript turned off, and that means that the cookies won't be used anyway, then they can still read the content without a non-functional cookie banner covering all the content up.
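Pulling the advice from the last several comments together, here is an added example of a minimal consent gate written for this thread (it is not code from the original posts or from any consent-management product). It injects the banner by script, so a visitor with JavaScript off sees no banner and, since the optional scripts are also script-injected, is not tracked by them either; "Accept all" and "Reject all" share one class and sit on the same frame; dismissing with the "X" or never clicking counts as no consent; and non-essential scripts are injected only after an explicit accept, with no page reload. The script URLs, the category names and the `consent` storage key are placeholders and assumptions. The pure-logic functions are separated from the DOM wiring so they can be unit-tested in Node.

```javascript
'use strict';

// Categories that need consent. Strictly necessary cookies (session, basket)
// never appear here and never wait for the banner.
const CATEGORIES = ['analytics', 'marketing'];

// Hypothetical registry of non-essential scripts per category (placeholder URLs).
const SCRIPT_REGISTRY = {
  analytics: ['https://analytics.example/collector.js'],
  marketing: ['https://ads.example/pixel.js'],
};

// Map a banner action to a consent record. Only an explicit "accept-all"
// grants anything; "reject-all", "dismiss" (the X) and no interaction at all
// leave every category false. `decided` marks whether the choice should be
// remembered; a dismissed banner may be shown again on a later visit.
function resolveConsent(action) {
  const granted = action === 'accept-all';
  const record = { decided: action === 'accept-all' || action === 'reject-all' };
  for (const c of CATEGORIES) record[c] = granted;
  return record;
}

// Which script URLs may be loaded under a consent record.
function loadersFor(consent, registry = SCRIPT_REGISTRY) {
  const urls = [];
  for (const c of CATEGORIES) {
    if (consent[c] === true) urls.push(...(registry[c] || []));
  }
  return urls;
}

// Banner markup. Both decision buttons use the same class, so the stylesheet
// cannot favour one of them without a visible change in the template.
function bannerHtml() {
  return [
    '<div id="consent-banner" role="dialog" aria-label="Cookie consent">',
    '<p>We use optional analytics and marketing cookies. Choose whether to allow them.</p>',
    '<button class="consent-btn" data-action="accept-all">Accept all</button>',
    '<button class="consent-btn" data-action="reject-all">Reject all</button>',
    '<button class="consent-close" data-action="dismiss" aria-label="Close">X</button>',
    '</div>',
  ].join('');
}

// Append <script> tags for the allowed URLs; the page is never reloaded.
function injectScripts(urls, doc) {
  for (const src of urls) {
    const s = doc.createElement('script');
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  }
}

// Browser wiring: honour a remembered decision, otherwise show the banner
// and act on one click. `storage` is anything with get/setItem (localStorage).
function installConsentBanner(doc, storage) {
  const saved = storage.getItem('consent');
  if (saved) {
    injectScripts(loadersFor(JSON.parse(saved)), doc);
    return;
  }
  const wrapper = doc.createElement('div');
  wrapper.innerHTML = bannerHtml();
  const banner = wrapper.firstChild;
  doc.body.appendChild(banner);
  banner.addEventListener('click', (ev) => {
    const action = ev.target.dataset ? ev.target.dataset.action : undefined;
    if (!action) return;
    const consent = resolveConsent(action);
    if (consent.decided) storage.setItem('consent', JSON.stringify(consent));
    banner.remove();
    injectScripts(loadersFor(consent), doc);
  });
}

// Only runs in a browser; in Node the functions above are just importable logic.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  installConsentBanner(document, localStorage);
}
```

Because nothing optional loads until `resolveConsent` returns a record with a category set to true, a reader who ignores the sliver, closes it with the X, or blocks the banner script entirely gets the page with no tracking, which is the "default-no" behaviour the comments above ask for.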
Make it as tiny as legaldepartmentally possible, it doesn't need to take the full width of the page, nor does it need to have any colored background. It also doesn't need several sentences of text.
I think the effort would be best spent avoiding cookies and trackers in the first place.
What do you plan on using cookies for? There might be some ways of doing similar things without cookies or trackers (server-side analytics for example) that are more respectful of users and also eliminate the need for any banners at all.
I know my company's website has a pointless cookie modal - the necessary cookies are just for session affinity on a gateway (which I don't believe you'd need a modal for anyway), and the unnecessary cookies are from one analytics integration that's been used just once since it was set up, and another that is used for the most basic reports that you could get from just the access logs.
> What do you plan on using cookies for? There might be some ways of doing similar things without cookies or trackers (server-side analytics for example) that are more respectful of users and also eliminate the need for any banners at all.
For EU things you must make sure what you're doing with this aligns with consent from the user / other justifications. Whether it's server side or cookies doesn't matter for GDPR, it's the collection & use of the data.
To OP, try not to collect data at all, and if you need to then make the consent banner not block the use of the website. Also don't animate it in, just have it there.
You log the IP address, referrer, user agent and the requested page URL but you don't set a unique cookie to identify the user.
This still gets you plenty of actionable analytics information: where geographically people are located (via GeoIP), what pages are most popular, what platforms (including desktop vs mobile) people are using.
I've been using https://plausible.io for analytics on a bunch of my sites for a couple of years now and I honestly don't miss the extra level of detail I got from cookie-based analytics I've used in the past.
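As an added example (written for this thread; it is not code from the poster, from plausible.io or from any other analytics product), here is a small Node.js aggregator that produces the kind of numbers the comment above lists from nothing but the access log: page popularity, desktop vs mobile split and external referrers, with no per-visitor cookie anywhere. The log lines are constructed in the Combined Log Format, `SITE_HOST` is an assumed hostname, and the GeoIP step is left out because it needs a lookup database. The distinct-IP count is included only as the rough proxy it is; addresses shared behind NAT make it an undercount or overcount, and it is not a unique-visitor identifier.

```javascript
'use strict';

// Constructed sample access-log lines (Combined Log Format): client IP,
// identity fields, timestamp, request line, status, bytes, referrer, user agent.
// Note what is absent: no Set-Cookie, no per-visitor identifier.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "https://search.example/?q=widgets" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"',
  '203.0.113.7 - - [10/May/2024:10:00:09 +0000] "GET /pricing HTTP/1.1" 200 3100 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"',
  '198.51.100.4 - - [10/May/2024:10:01:30 +0000] "GET /pricing HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"',
  '198.51.100.4 - - [10/May/2024:10:02:00 +0000] "GET /static/app.css HTTP/1.1" 200 800 "https://example.com/pricing" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Mobile/15E148"',
  '192.0.2.9 - - [10/May/2024:10:03:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 Chrome/124.0 Mobile Safari/537.36"',
  '192.0.2.9 - - [10/May/2024:10:03:13 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 Chrome/124.0 Mobile Safari/537.36"',
];

const SITE_HOST = 'example.com'; // assumed hostname of the site being measured

// ip, ident, authuser, [time], "method path proto", status, bytes, "referrer", "user agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;
const ASSET_RE = /\.(?:css|js|png|jpe?g|gif|svg|ico|woff2?)$/i;
const MOBILE_RE = /Mobile|Android|iPhone|iPad/i;

// Parse one line into a request object, or null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4],
           status: Number(m[5]), referrer: m[7], userAgent: m[8] };
}

// A "page view" is a successful GET of something that is not a static asset.
function isPageView(req) {
  return req.method === 'GET' && req.status >= 200 && req.status < 300
      && !ASSET_RE.test(req.path.split('?')[0]);
}

// Coarse platform split from the user agent; good enough for a dashboard.
function platformOf(userAgent) {
  return MOBILE_RE.test(userAgent) ? 'mobile' : 'desktop';
}

// External referrer hostname, or null for none / malformed / same-site.
function referrerHost(referrer) {
  if (!referrer || referrer === '-') return null;
  try {
    const host = new URL(referrer).hostname;
    return host === SITE_HOST ? null : host;
  } catch (e) {
    return null;
  }
}

// Aggregate counts only; no per-visitor record leaves this function.
function aggregate(lines) {
  const pageViews = {};
  const platforms = { desktop: 0, mobile: 0 };
  const referrers = {};
  const seenIps = new Set();
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || !isPageView(req)) continue;
    pageViews[req.path] = (pageViews[req.path] || 0) + 1;
    platforms[platformOf(req.userAgent)] += 1;
    const host = referrerHost(req.referrer);
    if (host) referrers[host] = (referrers[host] || 0) + 1;
    seenIps.add(req.ip);
  }
  // Only the size survives; the IP set is discarded with this scope.
  return { pageViews, platforms, referrers, approxVisitors: seenIps.size };
}

// Stand-alone run over the constructed sample.
console.log(JSON.stringify(aggregate(SAMPLE_LOG), null, 2));
```

In production the same function would read the rotated log file (or a stream from the web server) instead of the embedded array; the important property is that the output contains counts only, so there is nothing in the report that could later be joined back to a person.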
Let’s say I want to know the conversion rate of my payment page. I need to know how many unique visitors viewed a page, and how many of them went on to complete a payment. I’m pretty sure this is not possible without a unique identifier. And if you are using (ip address, user agent) as a proxy for such an identifier, is that any better or legal than using a cookie in the first place?
Personally ... I think the best option (if you have to have cookies (and there are plenty of reasons you may want/need them)) is to have screen-wide, contrasting-color, short-top-to-bottom bar with a single OK or Accept button for dismissal
Do not give people options about cookies - either they accept (and dismiss the notice), or they leave
When I am presented with cookie options, I start to wonder why there are "unnecessary" cookies present: why are you letting me accept "necessary" cookies or "all" cookies? Why would you have ones that are not needed? Seems hyper sketch ... and I'll go elsewhere (or reject all)
> When I am presented with cookie options, I start to wonder why there are "unnecessary" cookies present: why are you letting me accept "necessary" cookies or "all" cookies? Why would you have ones that are not needed? Seems hyper sketch ... and I'll go elsewhere (or reject all)
Because some are required for the functioning of the site. They can justify dealing with those without you approving it.
Some are there for advertising, that's not required for you to use the site but they'd definitely like to. So they need you to actively consent.
If you're adding a cookie banner for legal reasons, that means you're covering against GDPR, which says that you're -not- allowed to refuse service based on someone not wanting cookies that are not necessary for providing the service (e.g. all the analytics/tracking crap).
You're obligated to give them a way to opt out while continuing to use your service, and it should be as easy to decline as it is to accept[0]. The funny part, of course, is that countless services have put up banners that don't make it easy at all to reject, which means they're still not compliant, they just make the legal team feel warm and fuzzy.
That's why you see necessary vs all, because it's "can we track you or not". If you're just doing absolutely required cookies (e.g. session cookie), you don't even need a banner.
Some of Germany's largest online newspapers, like Bild (https://www.bild.de/) demand either that you subscribe to their online paper or consent to all cookies. As far as I see there is no way to reject the cookies.
Unrelated to where you are based. Also there is no restriction on cookies as such, just on spying. So defaulting to spying seems much less sane now, agreed.