Cookie banners: How to stay GDPR compliant?


Published on May 16, 2023 and edited on Dec 19, 2023 by Carlo Cilento

Cookie banners are everywhere on the Internet, and everyone hates them. They break the navigation flow and often require several clicks through a confusing interface to say “no thank you.” Today we will look at them and explain what they are for and, most importantly, how websites can avoid needing one.

Let’s dive in!

  1. What are cookies?
  2. What are cookie banners?
  3. Why are cookie banners needed?
  4. Does your website need a cookie banner?
  5. How do I make my cookie banner compliant?
    1. Do not manipulate visitors!
    2. Provide clear, transparent information
    3. Honor user preferences
  6. Are cookie banners bad for your website?
  7. Between a rock and a hard place
  8. Time to go cookieless

What are cookies?

Cookies are pieces of information stored on a user’s browser. Websites use cookies for various purposes, such as analytics, web marketing, ensuring web security, making automatic log-ins possible, remembering your language and UI settings, and tracking items in your online shopping cart.

Not all cookies are the same. Third-party cookies are the most invasive, as they can track you across different websites. On the other hand, first-party cookies cannot do that. Other important distinctions between cookies are essential vs. non-essential and identifying vs. non-identifying.

What are cookie banners?

Cookie banners are pop-ups that ask for your consent to the use of cookies when you first land on a website. If you have Internet access, you know exactly what they look like and how annoying they are.

Cookie banners pop up when you first visit a domain and prevent you from browsing it until you make a choice. Some present you with a transparent choice, while others make rejecting cookies as confusing and annoying as possible, for instance by hiding the option to reject cookies with a low-contrast font or by burying the option in a second layer that requires multiple clicks to access. They typically contain a link to a privacy policy (which is more exactly a privacy notice in the legal jargon).


Why are cookie banners needed?

In the EU, the ePrivacy Directive requires consent for a specific type of cookie, that is, non-essential cookies. If you use non-essential cookies, you need consent before your website reads and writes them. In practice, you need a cookie banner to process such cookies.

Rules are different in other jurisdictions. Some laws may have similar requirements to the ePrivacy Directive, while others may only require a cookie notice or require no pop-up at all.

Does your website need a cookie banner?

If your website uses non-essential cookies, then it needs a cookie banner. Non-essential cookies are not needed for the functionality of a website and are typically used for web analytics and marketing.

In practical terms, you need a cookie banner if you use Google Analytics or any other cookie-based analytics software.

How do I make my cookie banner compliant?

Do not manipulate visitors!

Your cookie banner should be transparent and allow users to reject cookies easily.

You don’t need to take our word for it. Months ago, a European Data Protection Board task force published a report on cookie banners. The task force examined the most common deceptive design strategies from cookie banners and found them to be mostly illegal. Therefore, deceptive cookie banners do not collect valid consent and make the use of cookies unlawful under the ePrivacy Directive.

The Board is the EU institution where all privacy authorities from the Union and the EEA sit, so the report gives us a good idea of how cases will be handled.

In a nutshell, rejecting cookies should be as easy as accepting them. If you really need to use cookies for tracking, put a “reject all” button in the first layer, make it as visible as the “accept” button, and ensure that the option does exactly what it says.

Of course, if you do this, more people will reject your cookies. There is no way around this: Empowering people to make privacy-friendly choices is the very reason for the existence of cookie banners.

Provide clear, transparent information

There is more to cookie banners than allowing for easy cookie rejection. Under the GDPR, your cookie banner needs a cookie notice or a link to one. This blog can give you an idea about the information you need, but each notice must be tailored to a specific website.

Honor user preferences

This goes without saying, but if your visitor does not want cookies, you should not place them.

This is far more common than you may think: many websites simply ignore cookie preferences entirely, either because they don't care or because they didn't set up their web analytics correctly.

Not honoring cookie preferences is a terrible idea. It is fundamentally unfair and also quite likely to get you in trouble, because users can easily check their cookies for each website. If you lied to them and ignored their preferences, they might (understandably) decide to make your life harder and reach out to a privacy authority.
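The three rules above (an equally easy "reject", a decision before any non-essential cookie is written, and a preference that is actually honored) can be enforced in a few lines of front-end code. The following is an added example, not code from the original post or from Simple Analytics; the essential-cookie list, the `_ga` cookie and the in-memory jar are assumptions so that it runs outside a browser.

```javascript
// Added example (not from the original post): a minimal consent gate.
// Cookie-based analytics (the non-essential cookies the post talks about)
// is loaded only after an explicit "accept", "reject" is a single call that
// is as easy as "accept", and checkHonored() performs the same check a
// visitor can do by inspecting the site's cookies in the browser.

// Assumed list of cookies a site needs to function (hypothetical names).
const ESSENTIAL = new Set(["session_id", "csrf_token", "lang"]);

// In-memory cookie jar so this runs outside a browser; in a real page you
// would read and write document.cookie instead.
function createJar() {
  const jar = new Map();
  return {
    set: (name, value) => jar.set(name, value),
    remove: (name) => jar.delete(name),
    names: () => [...jar.keys()],
  };
}

// Constructed stand-in for a cookie-based analytics loader.
function fakeAnalytics(jar) {
  jar.set("_ga", "constructed-client-id"); // hypothetical analytics cookie
}

function nonEssentialCookies(jar) {
  return jar.names().filter((n) => !ESSENTIAL.has(n));
}

// The banner logic: no choice yet (null), "accept" or "reject".
function createConsentGate(jar, loadAnalytics) {
  let choice = null;
  return {
    choice: () => choice,
    accept() {
      choice = "accept";
      loadAnalytics(jar); // analytics starts only after consent
    },
    reject() {
      choice = "reject";
      // One click, same as accept: drop any non-essential cookie that
      // may already exist so the rejection does what it says.
      for (const n of nonEssentialCookies(jar)) jar.remove(n);
    },
    // False if non-essential cookies exist without an "accept": the
    // situation the visitor can spot in their browser's cookie list.
    checkHonored: () =>
      choice === "accept" || nonEssentialCookies(jar).length === 0,
  };
}
```

A site whose analytics script runs before `accept()` is called fails `checkHonored()` immediately, which is exactly the misconfiguration described above.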

Are cookie banners bad for your website?

Cookie banners are not great for your website. User experience is key, especially for first-time visitors. Annoying them with a big, flashy pop-up as soon as they land on your website is not exactly a good start.

Cookie banners are not great for web analytics, either. An increasing number of users reject cookies. It’s difficult to get accurate numbers, but according to Eurostat data from 2020 and 2021, almost half of European Internet users between the ages of 16 and 74 sometimes reject advertising cookies (you need to play around with Eurostat’s website, but the data is there). It is not a stretch to imagine that a substantial portion of them reject cookies often.

These numbers are based on cookie banners found “in the wild,” so to speak. In all likelihood, rejection rates would be much higher if all users were presented with a transparent cookie banner that makes rejection easy, as required under EU privacy law. In fact, a study from a Chilean government agency shows that 95% of people reject cookies when given a clear and transparent choice!

Of course, using cookies can allow a web analytics tool to collect more accurate, fine-grained data. But is losing data from a substantial portion of your audience worth it?

And let’s not forget that widely used browsers such as Safari and Brave have built-in settings that can automatically block certain cookies, and other browsers can do the same with ad-blocker extensions. When users of these technologies visit your website, some cookies (typically third-party ones) will still be blocked, even if they click “accept” on the banner.

According to 2021 data, about 35% of Europeans limit the use of cookies through their browser or device. This means that as much as one-third of your audience might be invisible to cookie-based analytics. These visitors cannot be convinced, deceived, or worn down through “click fatigue.”

Between a rock and a hard place

Users of cookie-based analytics face a dilemma in the EU.

Nudging visitors via a deceptive banner can net you passable opt-in rates but also violates EU data protection law. This is both wrong and risky, even more so now that the rules are clearer than ever.

On the other hand, people don’t like being tracked and will often say “no thanks” when given a transparent choice. If you allow visitors to reject cookies easily, expect your acceptance rates to drop pretty badly.

And as if this wasn’t enough, a substantial portion of your audience will block your cookies via their browser no matter what you do.


Time to go cookieless

The tighter GDPR enforcement gets, the more the cons of cookie-based analytics will outweigh its pros. If you ask us, web analytics without tracking is the privacy-friendly, respectful, and future-proof way to go.

This is why we built Simple Analytics to provide you with insights without collecting a single bit of personal data. Our software is built to do more with less, all while complying with privacy laws. If this sounds good, feel free to give us a try!
