Cookie Monsters: Has GDPR solved a problem, or created new ones?  

Written by our founder Lou Swaine

Fair warning: this is a personal, genuine gripe following the recent GDPR changes! We do not in any way advise clients on GDPR, or sell GDPR courses. We sought advice on the recent legislation and on this article.

Europe is now protected by the world’s strongest data protection rules and regulations. The General Data Protection Regulation (GDPR) that came into force on 25th May 2018 was designed to modernise laws that are in place to protect the personal information of individuals. It has had a significant effect on how businesses and public sector organisations are allowed to handle the information of their customers.

“Cookies are small files that are automatically dropped on your computer as you browse the web. In and of themselves they are harmless bits of text that are locally stored and can easily be viewed and deleted. But cookies can give a great deal of insight into your activity and preferences, and can be used to identify you without your explicit consent.” - Cookiebot

Cookies are mentioned only once in the GDPR itself, in Recital 30:
(30): “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

This means that if cookies on your site can identify an individual, on their own or combined with other data the server holds, the identifiers they carry are personal data. Processing them falls under GDPR, which could put your organisation in breach and prove problematic for those who don’t take these changes seriously.

One of the biggest problems with cookies is transparency. Quite often cookies do not originate from the site you’re visiting but from third parties that track data for marketing purposes. To make it clearer to visitors what data is being tracked and how it’s being used, GDPR sets conditions that any consent your website relies on must now meet:

Inform:

Visitors must be informed of why, how and where their personal data is being used, if it is being collected.

True choice:

Users must still have access to the website and its functions even if all but the strictly necessary cookies have been rejected. Consider this the next time you desperately try to close that invasive cookie banner, or realise there is no choice presented to reject cookies.

Positive action:

No more pre-ticked boxes. Positive affirmation must be given that cannot be misinterpreted.

Before:

All of this information must be given before the use of any personal data.

Withdrawable:

It must be easy for any user to withdraw consent at any given time.
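To make the five rules above concrete, here is an added example of a minimal consent model written for this article; it is not code from the original page or from any consent-management product. Every function and field name in it is the example’s own, the cookie registry is constructed sample data (only _ga and _gid are Google Analytics’ real cookie names; ads.example.net and ad_uid are hypothetical), and the six-month consent lifetime is an assumption.

```javascript
// Added example, not code from the original article: a minimal consent model
// covering the five rules above. All function and field names are this
// example's own; the registry is constructed sample data, except that _ga and
// _gid are Google Analytics' actual cookie names.

// Every cookie the site sets, with its purpose (for the "Inform" rule), its
// category, and the domain that sets it (null = this site, i.e. first party).
const COOKIE_REGISTRY = [
  { name: "sessionid",      category: "necessary", domain: null,
    purpose: "keeps you logged in during your visit" },
  { name: "cookie_consent", category: "necessary", domain: null,
    purpose: "remembers the choice you make on this banner" },
  { name: "_ga",            category: "analytics", domain: null,
    purpose: "Google Analytics client id (a unique identifier)" },
  { name: "_gid",           category: "analytics", domain: null,
    purpose: "Google Analytics 24-hour session id" },
  { name: "ad_uid",         category: "marketing", domain: "ads.example.net",
    purpose: "retargeting id set by a hypothetical ad network" },
];

const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

function assertOptional(category) {
  if (!OPTIONAL_CATEGORIES.includes(category)) {
    throw new Error(`not an optional category: ${category}`);
  }
}

// "Positive action": a fresh record denies every optional category.
// Nothing is pre-ticked; only an explicit grant() turns a category on.
function newConsent(now = Date.now()) {
  const choices = {};
  for (const c of OPTIONAL_CATEGORIES) choices[c] = false;
  return { version: 1, choices, updatedAt: now };
}

function grant(consent, categories, now = Date.now()) {
  const choices = { ...consent.choices };
  for (const c of categories) { assertOptional(c); choices[c] = true; }
  return { ...consent, choices, updatedAt: now };
}

// "Before" and "True choice": the site may set strictly necessary cookies plus
// the categories explicitly granted, and nothing else. The page works on the
// necessary set alone, so rejecting everything optional is a real choice.
function cookiesToSet(consent) {
  return COOKIE_REGISTRY
    .filter(c => c.category === "necessary" || consent.choices[c.category] === true)
    .map(c => c.name);
}

// "Withdrawable": withdrawing must stop the processing, not just hide the
// banner. For first-party cookies that means a Set-Cookie header that expires
// them (same name and Path as when set, Max-Age=0). A cookie set by a
// third-party domain cannot be expired from here; the only remedy is to stop
// loading that third party's script or pixel, so those are listed separately.
function withdraw(consent, categories, now = Date.now()) {
  const choices = { ...consent.choices };
  for (const c of categories) { assertOptional(c); choices[c] = false; }
  const affected = COOKIE_REGISTRY.filter(c => categories.includes(c.category));
  return {
    consent: { ...consent, choices, updatedAt: now },
    expiryHeaders: affected.filter(c => c.domain === null)
                           .map(c => `${c.name}=; Max-Age=0; Path=/`),
    thirdPartyToStop: affected.filter(c => c.domain !== null).map(c => c.name),
  };
}

// "Inform": what a banner or privacy notice renders, grouped by category.
function purposeTable() {
  const table = {};
  for (const c of COOKIE_REGISTRY) {
    if (!table[c.category]) table[c.category] = [];
    table[c.category].push(`${c.name} (${c.domain || "this site"}): ${c.purpose}`);
  }
  return table;
}

// The consent record is itself stored in a strictly necessary cookie. The
// lifetime (six months) is an assumption; Secure and SameSite keep it off
// plain HTTP and out of cross-site requests.
function consentCookieHeader(consent) {
  const value = encodeURIComponent(JSON.stringify(
    { v: consent.version, c: consent.choices, t: consent.updatedAt }));
  return `cookie_consent=${value}; Max-Age=${180 * 24 * 3600}; Path=/; Secure; SameSite=Lax`;
}

// Walk through the lifecycle once.
let consent = newConsent();                // banner shown, nothing optional set
console.log("first visit:", cookiesToSet(consent));
consent = grant(consent, ["analytics"]);   // visitor ticks "analytics" and submits
console.log("after opt-in:", cookiesToSet(consent));
const withdrawn = withdraw(consent, ["analytics"]);
console.log("after withdrawal:", withdrawn.expiryHeaders, withdrawn.thirdPartyToStop);
console.log(purposeTable());
```

The point a practitioner should take from this is in withdraw(): a banner that flips a flag but leaves _ga in the browser, or keeps loading the ad network’s script, has not withdrawn anything. Third-party cookies are the awkward case, because the first-party site cannot expire a cookie on another domain at all; the only control it has is whether that third party’s code runs in the first place, which is why consent has to gate the script, not just the cookie.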


I get it. The internet has become a little like the Wild West as marketeers try to improve, enhance and re-target customers. GDPR was necessary. However, whilst it’s vital to recognise the importance of these rules — consider the experience you are providing your audience.

Here’s the rub: you only need a consent banner if your site sets cookies that are not strictly necessary for the service the visitor asked for. A session cookie that keeps someone logged in, or the cookie that records their consent choice, needs no opt-in; for a site that sets nothing beyond that, a clear ‘Privacy Notice’ stating which information is collected and for what purpose is enough (naturally such a Notice should be easily found in the website footer, or another logical place). Analytics and marketing cookies are a different matter. Google Analytics, for example, stores a unique client ID in its _ga cookie, which is exactly the kind of “cookie identifier” Recital 30 describes, so analytics and marketing cookies fall outside the strictly necessary exemption (the UK ICO’s cookie guidance says so explicitly) and do need consent. The honest test is not whether a cookie feels intrusive but whether the site would still work for the visitor without it.

Unfortunately (likely erring on the side of safety and aligning with the masses) many organisations are blindly implementing intrusive pop-up banners without taking into account the impact they have on a user’s experience.

From the individual’s perspective, these changes initially seem like a good idea; they give us as site visitors more protection. However, I've personally found the excessive number of boxes required to tick, or untick, to be time consuming and increasingly frustrating. In addition, the number of ways organisations choose to ask for consent has increased, meaning we as visitors are faced with a new system to work out each time we visit a website. When there are email subscription pop-ups thrown into the mix, and different, inconsistent behaviour across devices, it’s enough to make you leave a site altogether.

Because we tend to visit websites for a reason, and we still want to get what we came for, we find ourselves ticking boxes and giving consent without reading what we’re actually consenting to. We’re now more frustrated and really in no better position than we were before GDPR came into play.

The implementation of GDPR seems to have forgotten about web use from a user experience point of view. Odd, given the recent rise of customer-focused business strategies. And, although there don’t currently appear to be any viable solutions available, one certainly needs to be found. Perhaps something universal, across all websites, so users know exactly where and how they can give or retract their consent at a time convenient to them, no matter the site they're on.

In 2017 the topic was discussed and it was hoped that something helpful would be put into place come May 2018 but little seems to have changed since this article was released. The idea was to implement a way for customers to set general preferences for cookies rather than giving consent to cookies on every website they visit. This of course comes with its barriers and usability issues as well.

If we continue to be faced with a mass of boxes to tick and newsletters to sign up to, increased levels of frustration are going to cause high bounce rates. For many organisations, this could be hugely detrimental. Conversely, any innovative companies that do come up with a solution are likely to see hugely positive return.

Save us from the Cookie Monsters… suggestions welcome!