What does cookie management involve? Why are visitors constantly confronted with cookie banners, and most importantly, why is the world of cookies so confusing? Read on to uncover the answers!

How did cookie management come to be?

When cookies are used on a website, the online service provider stores a piece of information in the user’s browser. This cookie can be something as simple as a user’s preference for using a light or dark theme, so the service remembers the choice on the next visit.

The concept behind cookies is beneficial. When a visitor returns to a website, cookies can be used to retain their previous logins and shopping cart contents, making the user’s experience smoother and more convenient.

Cookies themselves are not inherently bad or problematic. The concern arises with how cookies are used and where the tags that utilize cookies send the collected information.

Larger operators began using cookies to track user activity across different sites on an individual level. In response, the EU introduced legislation concerning electronic communications and data protection, such as the ePrivacy Directive and GDPR, DMA (DIGITAL MARKETERS ACT), to safeguard individuals’ personal data by restricting this activity.

See also: Comparing Data Privacy Laws and Frameworks: An Examination of GDPR, CCPA, TCF 2.0, CPRA, VCDPA, CPA, CTDPA, and UCPA.

The problem isn’t with cookies that enhance the user experience. The issue arises when cookies are used to send data to other sites, such as analytics or advertising platforms, leading to the transfer of information between services.

This prompted the EU to decide that user consent must be obtained before storing any information on a user’s device. If the user does not give consent, storing the information is not permitted. An exception to this rule is cookies that are essential for the technical operation of the site or the transmission of a message. For cookies used for other purposes, such as analytics and marketing, managing cookies and obtaining cookie permissions became necessary.

The law, however, does not provide explicit guidelines on the precise use of cookies, leading to varied interpretations and implementations by different website operators. As a result, practices concerning cookie usage and consent can vary widely. Below in this article, more details about first-party and third-party cookies are provided.

But have these protective measures truly succeeded in safeguarding personal data and enhancing user experience?

The legislation introduced cookie banners, allowing users to control the storage of cookies.

Few users appreciate cookie banners. Requesting cookie consent often disrupts the browsing experience. These banners can also confuse many users, who may not fully understand cookies and their purposes.

To improve an online service, data on its performance is essential. Achieving this without cookies remains a significant challenge.

Super quick overview of the world of internet cookies

What are first-party cookies?

First-party cookies are set by the website that the user is currently visiting. They are typically used to enhance the user’s interaction with the website. These cookies help maintain sessions and remember login details, preferences, and shopping cart items. They allow for the customization of content and advertisements based on browsing history and interests, and they collect analytics to improve the website. Some first-party cookies provide essential functions for the website.

What are third-party cookies?

Third-party cookies are created by domains other than the website the user is visiting. These cookies can access visitors’ browsers through external services embedded in the site. Examples include:

• An embedded YouTube video
• A social media widget
• An ad widget from an ad network

Third-party cookies are used for tracking users across websites, ad retargeting, and displaying targeted ads via ad platforms or social media. They enable brands and vendors to collect significant amounts of personal data, allowing the creation of detailed user profiles. However, they can also be used for malicious purposes, such as tracking users to steal personal information or deliver malware.

While third-party cookies facilitate functionalities like real-time chat services, their absence typically does not affect the core features of the website.

Is the Wild West of cookie management coming to an end?

Cookie banners still vary widely. Some categorize cookies by their purpose (advertising, analytics, personalization, security, etc.) or by the entities setting them, which can number in the dozens.

Media houses’ cookie banners have become notorious for their “legitimate interest” approach and exhaustive lists of data collectors. But what exactly does this mean?

Ad-supported entities have numerous ad spaces, widgets, and trackers on their sites, requiring the tracking of users’ activities through cookies. In these cases, media companies list all the entities, often resulting in extensive lists. Most organizations do not have such extensive cookie operations.

For municipal or average company online services or eCommerce sites, they typically use some analytics tools, a few ad platforms, and perhaps a chat functionality. The most challenging cookies are those used by ad platforms (Meta, LinkedIn, Google Ads), as you also need to explain to the user what information these cookies are storing.

However, there is a growing desire to limit cookie use for large entities. This is leading to the potential extinction of third-party cookies. For example, Chrome is likely to start restricting third-party cookies by the end of next year. The question is, will this solve the problem?

This move is likely to disproportionately impact smaller players who haven’t yet effectively established first-party cookies. Larger companies, on the other hand, have the resources to structure their websites in a way that makes adapting to this change less disruptive.

What makes a cookie banner good and lawful?

It’s clear and comprehensive

A good and lawful cookie banner should display different cookie categories (essential, analytics, preferences, marketing, etc.), the number of cookies, and a list of the cookies. CMP tools like Cookiebot, Cookie Information, and OneTrust automatically list these. When clicking on details from the cookie banner, you should be able to see all the cookies.

Each cookie should have its purpose, duration, and provider/data processor indicated. Each entity is responsible for listing and naming the cookies. If a cookie is not identified, it is very difficult to explain what it is used for. An example of this is the “unclassified” group, which is often a miscellaneous collection of different cookies. Clearly and transparently explain why these features are on the site.

It’s user-friendly

The equality of the acceptance banner buttons is essential. Declining cookies should be as easy as accepting them; if cookies can be accepted with one click, declining should also be possible with one click. Avoid leading the user in the design of the decline and accept buttons, and adhere to a visually ethical and consistent approach. For example, the accept button should not be green, and the decline button should not be red. This is not yet a requirement. The decline option should not be hidden.

The cookie banner must not have pre-checked boxes or “on” toggles for non-essential cookies. Non-essential cookies must not be enabled by default on the service or site; the user must explicitly accept them (opt-in). According to Traficom, changing consent should be as easy as giving it initially. Although this can be challenging to implement precisely, it is one reason why cookie icons often float on the edges of web pages.

User’s cookie preferences

A good and lawful cookie banner must respect the user’s level of cookie consent. If a user has not accepted marketing-related cookies, then cookies set by scripts from Facebook or LinkedIn should not be placed in their browser.

Using a ready-made cookie banner from providers like OneTrust, Cookiebot, or Cookie Information can help automate the blocking of cookies. Alternatively, you can categorize the scripts set in the site’s code yourself. The execution of these scripts can also be managed through Google Tag Manager.

It is essential to ensure that user consent preferences are properly enforced and maintained throughout their browsing experience.

Key steps to proper cookie management

Adopt a ready-made cookie banner solution

If you haven’t yet implemented a cookie banner solution, now is the perfect time to do so. Utilizing a pre-built cookie banner will simplify the process of recording cookie consents and enable you to provide proof of consent as required by Traficom. This means that if a user or any other party inquires about consent details, the user can access their unique consent ID and share it with the website owner, who can then use this ID to retrieve the consent information from their database.

Ensure compatibility with Consent Mode V2

With the introduction of Google Cookie Consent Mode V2 in March 2024, it’s essential for those running Google ads to enable this updated consent mode. If you are using one of the major cookie banner providers, your solution likely already supports this new mode. If not, it’s advisable to consult Google’s compliance listing to verify that your banner meets the requirements of the new consent mode.

Monitor the acceptance rate of the cookie banner

It’s important to track how many visitors accept the cookie banner. Usually, the acceptance rate is between 50-80% depending on the industry. If the rate is higher, your cookie banner might not meet Traficom’s guidelines and should be adjusted, which could lower the acceptance rate.

Today’s website visitors are more cautious and less likely to give permission easily. The more transparent and clear you are about your use of cookies, the more likely users are to agree to them. Keep your explanations simple and honest to build trust and improve acceptance rates.

Consider adding a cookie-less analytics solution

Given the low acceptance rate of cookies, it’s worth exploring cookie-less analytics solutions like Plausible or Matomo. These tools allow websites to track the number of visitors without relying on cookies.

While cookie-less analytics can provide basic visitor data, they may not offer the detailed insights often needed for advertising and conversion tracking. Cookies are essential for comprehensive tracking and reporting in these areas.

There are plenty of tools available for analytics, and it’s important to remember that server-side analytics solutions can also provide cookie-less data. Server-side analytics can accurately capture traffic volumes without relying on cookies.

For instance, Google Cloud Platform offers robust logging tools that allow you to create metrics using cloud platform capabilities. By monitoring logs and metrics in a cloud service environment, you can gather basic information without external or cookie-dependent tracking.

If you’d like to learn more, you can contact me. 🙂