State Of GDPR In 2021: Cookie Consent For Designers And Developers

As digital practitioners, GDPR has impacted every facet of our professional and personal lives. Whether you’re addicted to Instagram, message your family on WhatsApp, buy products from Etsy or Google information, no one has escaped the rules that were introduced in 2018.

Last week, I gave you an update on everything that’s happened with GDPR since 2018. (TL;DR: A lot has changed.) In this article, we’ll look at cookie consent: specifically, the paradox where marketers are heavily reliant on Google Analytics cookie data but need to comply with regulations.

We’ll take a look at two developments that have impacted cookies, plus a third on the horizon. Then I’ll walk you through the risk-based approach that we’ve taken — for the moment, at least. And come back next time for a deep dive into first-party ad tracking as we start to see moves away from third-party cookies.

In May 2020, the EU updated its GDPR guidance to clarify several points, including two key points for cookie consent:

  • Cookie walls do not offer users a genuine choice, because if you reject cookies you’re blocked from accessing content. It confirms that cookie walls should not be used.
  • Scrolling or swiping through web content does not equate to implied consent. The EU reiterates that consent must be explicit.

What does this mean for our industry?

Well, the EU is tightening up on cookie consent — perhaps the most noticeable (and annoying!) aspect of GDPR. Critics say that cookie notices are a cumbersome block for users, and don’t do anything to protect user privacy. The EU is trying to change this, by promoting simple, meaningful, equitable options for cookie consent.

But that restricts what we can do with cookies, and it hints ahead to when the Privacy and Electronic Communications Regulation (PECR) may come into force. More on that shortly.

Big Development #2: Google and Apple crack down on third-party tracking; get hit by anti-trust complaints

As the big digital players figure out how to comply with GDPR — and how to turn privacy legislation to their advantage — some have already come under fire.

Google is being investigated by the UK’s competition watchdog, the Competition and Markets Authority (CMA), for its ‘Privacy Sandbox’ initiative, following complaints from adtech companies and publishers.

The Internet giant, which is also facing an antitrust investigation in Italy for display advertising, and in the US for its search advertising services, is looking to remove third-party cookies from Chrome. (Firefox and Safari already block these cookies by default.)

The complainants say that this change will further concentrate advertising revenue in Google’s hands. Google’s response? The advertising industry needs to make ‘major changes’ as it shifts to a ‘web without third-party cookies’.

Google’s not alone. In October 2020, four French digital advertising lobbies filed an antitrust suit against Apple’s forthcoming iOS privacy change, a feature it’s called App Tracking Transparency (ATT).

ATT, coming in an early-spring 2021 release of iOS 14, shifts app users from an opt-out to an opt-in ad-tracking model. With ATT, every app must get your permission to share your Identifier for Advertisers (IDFA), which enables third-party ad tracking across multiple sites and channels.

The complainants say that by restricting apps’ ad revenue, developers may have to boost app subscriptions and in-app purchases or switch to Apple’s targeted ad platform — all of which will funnel ad spend away from them and towards Cupertino.

Critics including Facebook have slammed the change, saying it’ll hit small businesses who rely on microtargeted ads. Apple has defended the move and praised the EU’s defence of citizens’ data privacy.

To sum up:

  • Implied consent doesn’t equal consent under GDPR, according to the EU.
  • We should also avoid cookie walls
  • Google and Apple are moving against third-party cookies — which some say exploits their dominant market position.

So what does that mean for us, as designers and developers? First, let’s take a look at why this is important.

Here’s What Designers Should Know About Cookies

  • GDPR is critical for you because you’ll design the points at which cookies are placed, what data is collected, and how it’s processed.
  • A functionality audit means you can map your cookie activity in the data and compliance layers on your service blueprint.
  • It can help to do a cookie audit and gap analysis, i.e. is the existing cookie pattern compliant? What content does it need around it?
  • Follow Privacy by Design best practices. Don’t try to reinvent the wheel — if you’ve created a compliant cookie banner, use your proven design pattern.
  • Work with your compliance and development teams to ensure designs meet GDPR and can be implemented. Only ask for the data you need.
  • If you need to compromise, take a risk-based approach. There’s a walk-through of one that we did further down.
  • Be aware that your content team may need to update your privacy policy as GDPR and your use of cookies evolve.

Here’s What Developers Should Know About Cookies

  • Make sure you’re involved upfront about cookie consent and tracking, so what’s decided can be implemented.
  • If you’re doing a product or website redesign, a cookie audit using Chrome Dev Tools can show you what tracking cookies are being used. Tools like Ghostery or Cookiebot give you more detail.
  • You should implement the standard cookie opt in/out as per GDPR guidance. (Note that while GDPR is standard, the enforcement of it varies across EU countries. There’s more on this further down.) You may stand to lose Google Analytics data. You might also come under pressure to implement things that could be considered as dark patterns. There’s more on this later, with a walk-through of what we did and a look at the risk.

So that’s where we are today. Oh, and there’s one more thing to be aware of: a piece of further legislation that might be coming our way. I like to call it Schrodinger’s Law.

Schrodinger’s Law: The ePrivacy Regulation

You may have heard of GDPR’s twin sister, the ePrivacy Regulation, who’s lurking on the legislative horizon. If you haven’t, here’s an introduction.

As I said above, cookie consent — the notice that pops up when you visit a website — is regulated by the GDPR. However, cookies themselves fall under a different piece of legislation, the ePrivacy Directive of 2002, commonly known as the Cookie Law. Like GDPR, it aims to protect customer privacy.

The ePrivacy Directive is due to be replaced by more stringent legislation, the ePrivacy Regulation. (If you’re interested in the difference between EU directives and regulations, EU directives set out the goals for legislation but delegate the implementation of those goals to member states’ legislatures. EU regulations mandate both the goals and the implementation at an EU-wide level.)

The draft ePrivacy Regulation goes beyond cookies and ad tracking. It applies to all electronic communications, including messaging apps, spam mail, IoT data transfer and more.

The draft ePrivacy Regulation was first presented by the EU in 2017. However, it has to be agreed by both the European Parliament and the Council of the European Union. (The Council consists of government representatives of each EU member state.)

This is where it gets messy. Since 2017, the European Parliament and the Council haven’t been able to agree on the scope and detail of the ePrivacy Regulation.

That’s because some countries — widely thought to include the Nordic states of Finland and Denmark — want to strengthen the current ePrivacy Directive. They want users, for example, to be able to set acceptance and rejection of tracking cookies in their browsers, not on every site they visit.

But other countries, notably Austria and believed also to include those with sizeable digital marketing and advertising sectors, say this is bad for business. It’s thought the 27 EU member states are split down the middle on this issue — and they’re all being heavily lobbied by the tech industry.

So the draft regulation has been ricocheting back and forth between the European Commission and its Working Party on Telecommunications and Information Society as they try to agree its scope. In November 2020, the Working Party rejected the redrafted legislation once again.

What happens next? There are two possibilities. Either a compromise will be reached, in which case the legislation will be agreed. Because it takes time for legislation to be implemented, the soonest the ePrivacy Regulation could become law is 2025.

Alternatively, the legislation cannot be agreed and is withdrawn by the European Commission. But the EU has staked so much on it. It will be extremely reluctant to take that step.

That’s why I call it Schrodinger’s Law. It’s hard for us to know how to plan for any cookie-related developments because we simply don’t know what’s happening.

So what should I do about cookies right now?

Different EU countries are currently implementing the ePrivacy Directive differently. Over in the UK, the ICO (the UK’s data protection authority) is taking a tough stance. It’s requiring strict consent for analytics cookies, for example, and has spoken out against cookie walls.

Until — and if — we get consistency from a new ePrivacy Regulation, if you’re based in an EU country, start by following the advice from your national Data Protection Authority. Then watch this space for developments around the ePrivacy Regulation.

If you’re based outside the EU, make sure you’re giving EU citizens the options required under the GDPR and the ePrivacy Directive.

However, when it comes down to the detail, there are times when I recommend taking a risk-based approach. That’s what we’ve done at Cyber-Duck — and here’s why.

Here’s our original cookie notice. You see these everywhere. They’re pretty meaningless — users just hit accept and continue on their way.

Screengrab of cookie consent banner. It says ‘Learn how we use cookies to manage your experience and change your settings.’
It didn’t matter if the user had accepted cookies or not — Google Tag Manager (GTM) fired when they landed as cookies were enabled by default, meaning we would get our analytics data. (Image source: Cyber-Duck) (Large preview)

But we wanted to be compliant, so we replaced it with this notice. You’ll see that tracking cookies are turned off by default — in line with ICO guidance. We knew there was a risk we would lose analytics data as GTM would no longer fire on first load.

Let’s see what happened.

Screengrab of new cookie consent notice showing marketing and analytics cookies turned off by default
Our new cookie banner followed ICO guidelines, but… (Image source: Cyber-Duck) (Large preview)

Problem solved? Actually, no. It just created another problem. The impact was far more significant than we expected:

Google Analytics screengrab showing tracked traffic fall when the new cookie consent was implemented
The new cookie consent caused our tracked traffic to collapse.
 (Image credits: Cyber-Duck) (Large preview)

Look at the collapse in the blue line when we implemented the new cookie notice. We released the new cookie consent on 17 December and went straight from plenty of tracked traffic to almost zero. (The orange line shows the previous year’s traffic, for comparison.)

In both the before-and-after scenarios, the default option was by far the most popular. Most users just naturally click on “accept” or “confirm”. That’s tricky, because we now know so little about the people visiting our site that we can’t give them the best information tailored to their needs.

We needed a solution. Analytics and marketing data ultimately drive business decisions. I’m sure we all know how important data is. In this case, it was like putting money in a bank account and not knowing how much we’d spent or saved!

Some of the solutions that were posed include design alternatives (would removing the toggle, or having two buttons with a visual nudge towards the “accept” help?) Or would we enable analytics cookies by default?

For now, we’ve implemented a compromise position. Marketing and analytics cookies are on by default, with one clear switch to toggle them off:

Screengrab showing iterated cookie notice with marketing and analytics cookies switched on by default
Then we iterated again. (Image credits: Cyber-Duck) (Large preview)

And here’s what that’s done to our stats:

Google Analytics screengrab showing tracked traffic partially recover from 15 January
This iteration brought back a chunk of attributable traffic.
 (Image credits: Cyber-Duck) (Large preview)

The new cookie banner was relaunched on 15 January. You can see our website traffic starts to pick back up again. However, we’re not getting the full data we were getting before as Google Tag Manager doesn’t fire unless a user chooses cookies.

The good news is, we are getting some data back again! But the story doesn’t end here. After we had turned cookie tracking back on by default, the attribution model got messed up. It wasn’t attributing to the correct channel in Google Analytics.

Here’s what we mean:

Scenario 1: (Correct Attribution)

  1. User lands on our website via a paid ad (PPC) or from the search result (organic)
  2. User accepts cookies straight away.
  3. The channel source is attributed correctly, e.g. to PPC.

Scenario 2: (Incorrect Attribution)

  1. User lands on our website via a paid ad (PPC) or from the search result (organic)
  2. User visits a few other pages on our website without responding to the cookie banner prompt (banner appears on every page until it gets a response)
  3. User finally accepts cookie banner after browsing a few pages.
  4. Attribution comes through as direct — although they originally came from a search engine.

How does that work? When a user browses other pages on the site, nothing is tracked until they respond to the cookie prompt. Tracking only kicks in at that point. So to Google, it looks as though the user has just landed on that page — and they are attributed to Direct traffic.

Back to the drawing board.

Note: I’m sure by now you’re starting to see a pattern here. This entire experience is new for us and there’s not a lot of documentation around, so it’s been a real learning curve.

Now, how could we solve this attribution issue and stop users from navigating around the site until they’ve selected their cookie preference?

A cookie wall is one option we considered, but that would potentially push us further away from being compliant, according to the ICO. (Though you might like to try browsing their site incognito and see if they stick to their own guidance…)

Screengrab showing compromise cookie consent notice with tracking switched on by default
In the end, we had to settle on a compromise.
 (Image credits: Cyber-Duck) (Large preview)

But that’s what we’ve chosen to go with. The journey ends here for now, as we’re still gathering data. In the future, we want to explore other tools and the potential impact of moving away from Google Analytics.

So what’s everyone else doing?

Well, McDonald’s UK offers straightforward on/off buttons:

Screengrab of McDonald’s cookie consent offering three options: reject all, accept cookies and cookie settings
McDonald’s UK gives straightforward cookie choices. (Image credits: McDonald’s UK) (Large preview)

Coca Cola’s British site nudges you to accept by making the ‘reject’ option harder to find:

Screengrab of Coca-Cola’s cookie consent notice with ‘accept all cookies’ highlighted
Coca-Cola’s UK site nudges you to accept cookies.
 (Image credits: Coca Cola UK) (Large preview)

Whereas Sanrio just has an option to agree to ad tracking:

Screengrab of Sanrio’s cookie consent showing ‘Ok’ confirmation button
Sanrio just gives the option to agree to cookies.
 (Image credit: Sanrio.com) (Large preview)

Hello Kitty, hello cookies.

Die Zeit offers free access if you accept tracking cookies — but for an untracked, ad-free experience you’ll have to pay:

Screengrab of Zeit’s cookie consent
Die Zeit offers free access with cookies — but for an untracked experience, you have to subscribe.
 (Image credit: Die Zeit) (Large preview)

And here’s one of my favourite dark patterns. This restaurant site only has the ‘Necessary’ cookies selected. But it nudges you to the ‘Allow all cookies’ big red button — and when you click that, the analytical and ad cookie boxes are automatically checked and set. Give it a go here!

Screengrab of Pinchos cookie consent
Pinchos’ cookie consent is a good example of a dark pattern.
 (Imagae credit: Pinchos.se) (Large preview)

Even the EU isn’t consistent on its own sites.

The European Parliament’s cookie consent offers two clear options:

Screengrab of the European Parliament’s cookie consent
The European Parliament’s cookie notice gives two clear options
. (Image credit: European Parliament) (Large preview)

The CJEU’s site isn’t so clear:

Screengrab of the CJEU’s cookie consent
The CJEU’s cookie consent offers three choices: necessary cookies, accept all and more information.
 (Image credit: EU Court of Justice) (Large preview)

While Europol’s site comes with two pre-checked boxes:

Screengrab of Europol’s cookie consent showing mandatory and tracking cookies checked
Europol’s cookie consent has analytics cookies automatically checked.
 (Image credit: Europol) (Large preview)

And if you look at the sites for the German presidency of the Council of the European Union (July–December 2020), at first it seems as if there’s no cookies at all:

Screengrab of Germany’s EU2020 site showing no cookies and no cookie consent notice
Cookies? What cookies?
 (Image credit: eu2020.de) (Large preview)

When you land on the site, there are no cookie banners or prompts. A closer look, with cookie extension tools, shows that no cookies are being placed either.

So are they capturing any analytics data? The answer is yes.

Screengrab of Matomo code from eu2020.de
The eu2020.de site tracks users using Piwik, now Matomo. No cookies here!
 (Large preview)

We found this little snippet in their code, which shows they are using ‘Piwik’. Piwik is now known as Matomo, one of a clutch of new tools that help with cookie compliance along with Fathom (server-side tracking) and HelloConsent (cookie management).

So alternatives and solutions are emerging. We’ll take a closer look at that next time — with new alternatives to third-party cookies that will help you take control of your data and get the insight you need to deliver optimum experiences to your customers. Stay tuned!

Further Reading

Smashing Editorial
(vf, il)