What’s the Deal With All the Cookie Pop Ups?

Technical ElementsWebsites

Cookie pop up notices are everywhere on the web. And they are annoying. What brought on this plague anyways?

If you’re like most users, you just hit “Accept” so that you can move on. Especially if you believe the lines that say that some of the website performance may be affected if you don’t.

personalized cookiebot pop up

What Cookie Pop Up Notices Mean For Users

Macaron cookies
Here comes trouble

Here is a rundown of what you may be nonchalantly agreeing to:

By clicking the button in the cookie pop up notice, you agree to permit your browser to store small files, adorably named “cookies”. Then,  when you visit a particular website it can tailor the content, or yes, the ads, to what you click. A lot of times they are super useful. For instance, when your browser saves your zip code so that you can view the local weather forecast, to track progress while filling out a multistage survey, or to keep the contents of your shopping cart on an e-commerce site as you continue to browse.

Some are a bit less helpful to you, the user. These cookies collect data and report it to the site owner for tracking (think Google Analytics) or a third party interested in customizing ads based on sites you visit and things you click on.

According to European Union privacy laws known as the General Data Protection Regulation (GDPR), sites that put non-essential cookies in your browser, like ads, are supposed to ask for your consent before they track your data. What is less clear is if you need to consent before the tracking can be begin or merely provide you with the ability to opt out retroactively. And a lot of these pop ups asking for your consent don’t even do anything at all.

What Cookies Mean For Website Owners With EU Users

privacy settings ultimate gdpr plugin
Selecting different cookie options with the Ultimate GDPR plugin

According to EU regulations, each cookie used on a website should be explained in detail in a privacy policy. That means the site owner must thoroughly audit the site to understand which cookies are in use. That cookie pop up notice should cover more than just a blanket “agree” or “decline”.

Once you have your list, roll up your sleeves:

  • Categorize the cookies into essential and non-essential
  • Ditch as many cookies as you can
  • Document why you need any cookies that remain and what exactly you track and how (i.e. are IP addresses tracked anonymously?)
  • Set up a request for user consent before placing cookies on their device
  • Review your options for blocking any remaining cookies that require prior consent; how can you least affect a user who blocks cookies?
  • Pour yourself a drink. This is annoying.

According to the latest EU regulations, “implied consent” is no longer valid. This is the premise that a user understands that cookies will track their website data unless they actively opt-out.

Everyone has the right to the protection of personal data concerning him or her – Charter of Fundamental Rights of the European Union, Article 8(1)

This is a significant hurdle for websites running the Facebook pixel for targeted ads, because it means that you cannot load the pixel code until a user has affirmed their consent.

But it doesn’t mean that you can’t use cookies at all anymore. Cookies deemed “essential”, like one that remembers what you placed in your online shopping cart, can stay because they directly affect the ability to use the site. A cookie that recommends other products similar to those in the shopping cart however would be “unessential”.

What Cookies Mean for Users Outside of the EU

The California Consumer Privacy Act (CCPA) passed in 2018 went into action on January 1, 2020. Under these regulations, businesses grossing more than $25M in annual revenue or that derive at least half of their annual revenue from selling personal consumer information of more than 50,000 consumers must meet additional standards. California residents can request a disclosure statement of information collected about them. And if requested, such companies must delete consumers’ data. If a customer clicks the mandatory “do not sell” link on the site, that company cannot sell that user’s information.

But I’m Not in the EU or California!

Then consider this just a warning to prepare. Because while technically none of these regulations apply if you aren’t located in either of these places, your users might be. So this applies to you if you actively target European users. That’s why those cookie pop up notices are truly everywhere.

How Do I Know Which Cookies Are Loading?

Check which cookies are running on a given web page by viewing it in Google Chrome. Then open the Developer Tools (View > Developer > Developer Tools) and click on the Resources tab.

Help! How Do I Keep All This Organized?

You guessed it – there’s a WordPress plugin for that. The one we recommend is Ultimate GDPR. Its settings are very thorough, it’s well documented, it offers several attractive styles and easy customization. We breathed a big sigh of relief when we saw that it could allow a user to decide which types of cookies they did and didn’t want to allow, which seemed like the most challenging part. And at $19, it won’t break the bank. At least not the same way that a heavy lawsuit would.

Another great option that we haven’t tried yet is the Cookiebot, a platform independent cloud service that can be used with any website, not just WordPress sites and automatically scan for cookies. Then, it can hold back all first- and third-party cookies and trackers until a user consents.

In Summary

cookie math
Cookie Plan

Amid growing concern about how our activity is tracked online, privacy regulations are here to stay. And so are cookie pop up notices. While the EU largely stands alone in institutionalizing it, it would not be surprising if other governments follow suit. To ensure compliance, website owners need two kinds of help: Legal counsel – to identify what requirements and liabilities you may have, and a tech team – to identify the cookies you use and to limit their use as needed.

We aren’t lawyers, and none of this information should be considered a substitute for legal advice. But when the time comes to implement your cookie plan, our tech team has you covered.