Cookie Consent Management

Lots of people have heard of cookies. They’ve probably even used the term in conversation. But what is a cookie, really? A cookie is a small text file that is stored on your hard drive by the websites you visit. A cookie identifies you to the website, so it recognizes you. Cookies help websites run more efficiently and, in general, improve user experience. In exchange for this, website owners or the third-party ad networks they’re a part of can use cookies to create user profiles.

Let’s take a moment to acknowledge that cookies are a complex topic. They’re used in many different ways, and their use is impacted by not just GDPR, but also by the ePrivacy directive and US State Privacy laws such as California, Colorado, Connecticut, Montana, Virginia, and New Jersey, just to name a few! Moreover, there’s guidance on how cookies should be implemented for different countries. We always recommend that companies work with a professional to guide their cookie consent implementation.

It should be noted that not all cookies are the same. Being familiar with the variety of cookies out there and how they can be used will help you figure out what cookies are firing at what time.

They include:

• Strictly Necessary – critical to the function or core operation of the site.
• Performance – used for analytics and monitoring site metrics.
• Functionality – not critical to the core operation of the site but provide some enhanced function.
• Targeting/advertising – used in tracking users to serve targeted ads or personalize content.

Your compliance needs will dictate how you approach cookie consent. For GDPR, your user must give prior consent before any cookies besides those in the “strictly necessary” category are processed. Under CCPA, UCDPA, CTDPA, CPA, CDPA, OCPA, you must provide notice at or before the time of collection. Hence the popularity of banners – it helps meet cookie requirements in an efficient manner.

Specific cookie listing requirements are nuanced and vary by type of regulation, but the short answer is yes, you should list all your cookies. It’s industry best practice to use a cookie banner that lists the cookies and their purposes, and/or to use a cookie notice to provide these details. (Your approach will depend on how extensive your list is, of course).

There are four different types of cookie consent models that you can implement on your cookie banner. Each one has its benefits, but it’s important to consider the drawbacks when weighing your options. Taking a shortcut now might seem appealing – there’s a lot to tackle when you’re working on compliance. However, it works against you in the long run when you’re trying to achieve compliance with GDPR, CCPA, CPA, and other regulatory requirements.

Notice only: The simplest approach to cookie consent. When you use the “Notice Only” approach, your banner informs users that you’re using cookies but doesn’t give them the chance to opt-in or out. Not surprisingly, this approach isn’t GDPR compliant. (Or compliant with other regulations, for that matter.) This option is only feasible when applied to regions without cookie consent requirements.

Opt-out consent: When you take an opt-out approach on your website, you drop all your cookies when your users arrive. However, your cookie banner lets users choose to opt-out if they prefer. Opt-out can be simpler to implement but is not in line with General Data Protection (GDPR) compliance requirements. Opt-out consent is a more common approach for US states.

Implied consent: When you use the “Implied Consent” approach, your website will only automatically activate cookies that are categorized as “strictly necessary.” The banner either asks the user to click through to continue or informs them that any other cookies will be activated if they continue using the site. Once a user interacts beyond that initial notice, cookies are then dropped.

Opt-in consent: Opt-in consent is the compliant-oriented approach to cookie consent. With the opt-in approach, strictly necessary cookies are dropped upon visits, but the banner provides a clear and detailed explanation of the additional cookies. Users must complete a specific action, clicking “Accept” or “Okay,” for the rest of the cookies to drop.
Because this approach requires intentional actions by the user, it’s more likely that a business might lose website visitors. However, you’re less likely to end up facing compliance issues. This is the only approach recommended for meeting compliance with GDPR.

There’s no textbook, one-size-fits-all approach to this question. You should always analyze your business needs along with the benefits and risks of any given approach, including the software you’re using. (A big benefit of cookie banner software is that it can make international compliance requirements easier to achieve.)

When you use cookies to collect information, you must inform the user as clearly and explicitly as possible which cookies are running on your site and what their purposes are. You also must inform the user that they have the right to accept OR refuse consent and explain how they exercise that right. This is known as active valid consent.

In short, cookie consent has to be: 1) Informed; 2) Explicit; 3) Given through an unambiguous opt-in action.

To give your users the opportunity to give active valid consent, you must:

• Display a visible cookie banner or notice upon a user’s first visit.
• Link within the banner to your detailed cookie policy.
• Block all non-exempt cookies and/or scripts from running until after users’ consent is given.
• Collect user consent through an explicit opt-in action.

The most basic and obvious reason to have a cookie banner is that you need one to stay in compliance with privacy regulations. Not complying can carry significant fines, up to up to €20 million or 4% of the annual turnover; whichever is higher.

Being in compliance isn’t just good for legal reasons – it demonstrates your values as an organization, and it boosts your website’s credibility. If your website – and by extension, your company – doesn’t take privacy and transparency seriously, you’ll have an increasingly hard time establishing trust with users.

Dark Patterns are design patterns that try to influence or lead users to making certain decisions. In this context, these could be used to manipulate users to opt in or lead them to believe they’ve opted out when they truly haven’t. To avoid dark patterns, here’s some things you’ll want to steer clear of:

• Misleading option colors – don’t make “Accept” red and “Reject” green!
• Unequal options – if you have an Accept option, you should also have a Reject option in the same shape and similar size.
• Recursive prompts – don’t throw your cookie banner in users’ faces over and over until they accept.
• Tedious opt-outs – make it as easy to opt out as possible. Forcing users to click a dozen times in hopes that they’ll give up and decide against opting out is a dark pattern!
• Emotionally leading text – do not lean on pathos to persuade users to accept cookies. Reject option texts like “I want a boring experience” or “No thanks, I’m a buzzkill” would be considered dark patterns.
• Unchangeable preferences – be sure users are able to change their preferences later and they aren’t trapped into being opted-in forever.

This will depend on the regulation you’re seeking compliance with, of course, but the first check is to validate that cookies are not dropping when they shouldn’t be (on initial visit for opt-in requirements, and after an opt-out in all cases).

The next check is confirming that users are presented with the options they should receive. This includes ensuring:

• the banner appears in regions where it should.
• the banner contains a reject option to easily deny consent.
• EU users have the option to give granular consent (consent for each purpose that cookies are used for).
• Users can change their consent with ease after initially interacting with the banner. This should be detailed in the privacy/cookie notice alongside informing users of their right to opt-out.
• Users from the US can opt-out with a Universal Opt-out Mechanism (UOM)

Lastly, confirm that users are given notice of the types of cookies used and information collected along with any sharing/sale of data to third parties and session replays. This information should be disclosed in both the cookie banner and notice.