Cookie Compliance 101

You may have noticed, in recent years, that ever-increasing numbers of websites ask for permissions to use cookies. Which cookies would you kindly allow them to use? All of a sudden you have some power over your privacy. But why did all these websites, all of a sudden, begin asking for user consent? Was it out of the ethical goodness of their hearts? Somehow, you’re squinting your eyes in doubt, thinking, not likely. And you’re right.

But hold on, you have a website too! Does this mean that you’re meant to implement a cookie policy for your website, too?

The short of it is yes. Ever since 2011, privacy concerns over the archives of browsing data that third-party tracking cookies were able to collect from unsuspecting visitors prompted EU and US lawmakers to scramble for a way out. It may have taken them a while, but as of May 25, 2018, the EU has introduced the General Data Protection Regulation (GDPR), which requires websites to ask users for consent before using non-essential cookies to track their data.

The long of it follows, so read on to learn everything you need to know about cookie compliance, the GDPR, and how to implement a cookie policy on your website.

What Are Cookies?

Delicious baked goods, obviously, but also pieces of data that get stored on a user’s internet browser when they visit websites. Website owners use cookies to collect information about their visitors. This second type of cookie is sometimes referred to as an HTTP cookie, web cookie, browser cookie, or Internet cookie, qualifications used to prevent disappointment when users realize that websites aren’t talking about the chocolate-chip kind.

Initially, cookies were designed so that websites could store stateful information and improve user experience, like to remember carted items in eCommerce stores, language preference, user input information (username, password, payment card numbers), and browsing activity, so the pages could load more quickly and efficiently. These useful cookies are called first-party cookies.

As you can see, cookies were meant to improve the efficacy and ease of browsing for users. Authentication cookies, for instance, which contain our login information, allow us to visit websites at different times without needing to re-enter login details every time we visit that site.

However, there’s also something called third-party tracking cookies which come from a domain different from the one of the visited website. These cookies follow a user’s browsing activities even after they leave the website, compiling archives of their browsing histories. For what purpose, you may ask. It’s always the most obvious answer – advertising. Third-party tracking cookies follow you around to target ads based on your previous search and purchase history. Keep in mind that there are also tracking cookies directly used by websites you visit – like Facebook.

While advertisers can claim all they want that “targeted ads improve user experience,” they also make you spend more on things you don’t need and definitely make you feel like your privacy has been violated – because frankly, it has. Thankfully the authorities have picked up on this, along with additional concerns over the implications of a company holding in its claws archives of unsuspecting users’ browsing histories, and introduced laws that require websites to ask for informed consent by website visitors before storing any non-essential cookies.

Which brings us to the GDPR cookie compliance.

What Is GDPR Cookie Compliance?

The General Data Protection Regulation (GDPR) requires websites to ask for user consent, i.e. compliance to collect non-essential cookies. The aim of the GDPR is to protect user privacy and allow users to opt out of behavioral advertising (targeted ads). At the same time, it’s meant to hold companies accountable for how they collect, archive, and use visitor data by charging fines for websites that don’t comply.

In other words, GDPR limits visited websites and third-parties to track internet users’ browsing activities without asking for consent first. That’s why there’s that increasing number of popups asking you to decide which cookies you want to accept when visiting websites, so take advantage of this new regulation and give it all a moment of thought before clicking accept all.

Some people do approve of behavioral marketing, i.e. targeted ads. Some people like seeing ads only for things they’re likely to purchase. These people always have the option of allowing websites and third-party domains to track their off-site activity with cookies. Of course, it’s still scary imagining that companies are gathering and storing your data. After all, we can’t really know who ends up buying that data.

The GDPR doesn’t include cookies that remember what items users have placed in shopping carts but does target all cookies that can identify a user based on their device. This includes analytics, advertising, and functional services cookies.

What Does the GDPR Mean for Websites?

The GDPR has shaped the way that websites and third-party domains through those websites can gather visitor cookies. For websites to be GDPR-compliant, they need to either stop collecting cookies targeted by the GDPR, or they need to ask for legal and explicit user consent when gathering that data.

Namely, websites that want to collect user data need to have consent banners, privacy notices, or popup windows asking for user permission to use cookies. These methods are also meant to give visitors the option to turn off any tracking cookies that aren’t essential to the basic user experience. While in the past, websites would rely on implied consent or practically force visitors to accept cookies (“By using this site you’re allowing all our cookies…”), the GDPR no longer deems this sort of approach legal, because when you smuggle it or force it, it’s not real consent.

Here are some old cookie practices that companies can no longer get away with using:

• Implied consent. In the past, visiting a certain website counted as the user giving consent which is “implied” by their online presence. This no longer counts for obvious reasons.
• Forced consent. Text that says something like “By using this site you’re allowing all our cookie collecting practices” isn’t actually giving visitors the option to comply – it’s saying get tracked or get out. There’s no real choice – it’s forced consent. Real consent is allowing visitors to remain on a website and choose for themselves whether they want to accept cookies or not.

Instead, websites will need to:

• Allow users to choose which cookies they want to accept. This includes offering a list of non-essential tracking cookies that users can disable upon visiting a website. Websites also need to inform people which cookies are essential and can’t be disabled, stating the exact reasons why.
• Withdrawing consent should always be an option. If a user clicked on “accept all” and then realized they don’t want to accept all cookies, they should be able to withdraw consent as easily. People should always be able to opt out through a cookie menu that will be readily available for them to come back to, at any time.

Do I Need a Cookie Policy on My Website?

You might be thinking that since the GDPR was an EU initiative, it wouldn’t apply to you – if you’re based in the US or any country outside EU borders. However, the internet doesn’t exactly ask people for passports in order to access websites. Most online content is globally available to anyone, from anywhere. This means that the moment an EU-based visitor appears on your website (and that won’t take long), the rules – and the fines – apply to your website and hold you accountable. That’s why every website needs to be GDPR-compliant, including yours.

So, yes, you do need a cookie policy on your website.

Don’t worry though – it’s not like you have to hire a professional and get a legal advisor to set up your cookie policy. And no, you don’t need to pay thousands of euros to get it done right, either.

Instead, you can either create your own privacy policy or – the easiest option available – you can just use a WordPress plugin.

Create Your Own Cookies Policy

If you want to create your own cookie policy, you can take a look at some of Automattic’s legal documents, which they’ve made available on GitHub. These documents include a privacy policy, a cookie policy, and a privacy notice for visitors.

Next, download their legal documents (or at least the ones you need – a cookie policy and a privacy policy are a must) and adapt them for your website. You can change words, names, and add your logo. Of course, it’s good sportsmanship to give Automattic credit for helping out.

Next, you’ll need to adjust the appropriate widgets to activate the functionality of cookie consent forms for when users visit your website.

Use a Plugin

What was that saying, if you can think of something, there’s probably a WordPress plugin for it? 

Naturally, there’s a great GDPR Cookie Compliance plugin by the Moove Agency which is completely free and is also compliant with CCPA and PIPEDA, which are additional cookie requirement laws.

The plugin is easy to use, highly customizable, mobile-responsive, and SEO-friendly. 

A Few Words Before You Go…

User data is being stored, bought, and sold every day by websites, ISPs, and marketing agencies. Cookie compliance laws such as GDPR are an important step forward in protecting user privacy and emphasizing the importance of user consent when it comes to storing personal information.

If you have a website, you do need to have a cookie policy in place. But setting it up is no hassle, and it’s all for the greater good. Not to mention that internet users are getting accustomed to this new “privilege” of being asked for cookie consent, and seeing a popup box with cookie compliance options would increase their trust and fondness for your website and your brand.

In the end, whether someone likes to be the subject of targeted ads or opts to stay out of the marketing game, it should certainly be up to them… even though HTTP cookies are a lot easier to resist than the oatmeal and raisin kind.