Cookie Compliance 101
The short of it is yes. Ever since 2011, privacy concerns over the archives of browsing data that third-party tracking cookies were able to collect from unsuspecting visitors prompted EU and US lawmakers to scramble for a way out. It may have taken them a while, but as of May 25, 2018, the EU has introduced the General Data Protection Regulation (GDPR), which requires websites to ask users for consent before using non-essential cookies to track their data.
What Are Cookies?
Initially, cookies were designed so that websites could store stateful information and improve user experience, like to remember carted items in eCommerce stores, language preference, user input information (username, password, payment card numbers), and browsing activity, so the pages could load more quickly and efficiently. These useful cookies are called first-party cookies.
As you can see, cookies were meant to improve the efficacy and ease of browsing for users. Authentication cookies, for instance, which contain our login information, allow us to visit websites at different times without needing to re-enter login details every time we visit that site.
However, there’s also something called third-party tracking cookies which come from a domain different from the one of the visited website. These cookies follow a user’s browsing activities even after they leave the website, compiling archives of their browsing histories. For what purpose, you may ask. It’s always the most obvious answer – advertising. Third-party tracking cookies follow you around to target ads based on your previous search and purchase history. Keep in mind that there are also tracking cookies directly used by websites you visit – like Facebook.
While advertisers can claim all they want that “targeted ads improve user experience,” they also make you spend more on things you don’t need and definitely make you feel like your privacy has been violated – because frankly, it has. Thankfully the authorities have picked up on this, along with additional concerns over the implications of a company holding in its claws archives of unsuspecting users’ browsing histories, and introduced laws that require websites to ask for informed consent by website visitors before storing any non-essential cookies.
Which brings us to the GDPR cookie compliance.
What Is GDPR Cookie Compliance?
The General Data Protection Regulation (GDPR) requires websites to ask for user consent, i.e. compliance to collect non-essential cookies. The aim of the GDPR is to protect user privacy and allow users to opt out of behavioral advertising (targeted ads). At the same time, it’s meant to hold companies accountable for how they collect, archive, and use visitor data by charging fines for websites that don’t comply.
In other words, GDPR limits visited websites and third-parties to track internet users’ browsing activities without asking for consent first. That’s why there’s that increasing number of popups asking you to decide which cookies you want to accept when visiting websites, so take advantage of this new regulation and give it all a moment of thought before clicking accept all.
Some people do approve of behavioral marketing, i.e. targeted ads. Some people like seeing ads only for things they’re likely to purchase. These people always have the option of allowing websites and third-party domains to track their off-site activity with cookies. Of course, it’s still scary imagining that companies are gathering and storing your data. After all, we can’t really know who ends up buying that data.
The GDPR doesn’t include cookies that remember what items users have placed in shopping carts but does target all cookies that can identify a user based on their device. This includes analytics, advertising, and functional services cookies.
What Does the GDPR Mean for Websites?
The GDPR has shaped the way that websites and third-party domains through those websites can gather visitor cookies. For websites to be GDPR-compliant, they need to either stop collecting cookies targeted by the GDPR, or they need to ask for legal and explicit user consent when gathering that data.
Here are some old cookie practices that companies can no longer get away with using:
- Implied consent. In the past, visiting a certain website counted as the user giving consent which is “implied” by their online presence. This no longer counts for obvious reasons.
- Forced consent. Text that says something like “By using this site you’re allowing all our cookie collecting practices” isn’t actually giving visitors the option to comply – it’s saying get tracked or get out. There’s no real choice – it’s forced consent. Real consent is allowing visitors to remain on a website and choose for themselves whether they want to accept cookies or not.
Instead, websites will need to:
- Allow users to choose which cookies they want to accept. This includes offering a list of non-essential tracking cookies that users can disable upon visiting a website. Websites also need to inform people which cookies are essential and can’t be disabled, stating the exact reasons why.
- Withdrawing consent should always be an option. If a user clicked on “accept all” and then realized they don’t want to accept all cookies, they should be able to withdraw consent as easily. People should always be able to opt out through a cookie menu that will be readily available for them to come back to, at any time.
You might be thinking that since the GDPR was an EU initiative, it wouldn’t apply to you – if you’re based in the US or any country outside EU borders. However, the internet doesn’t exactly ask people for passports in order to access websites. Most online content is globally available to anyone, from anywhere. This means that the moment an EU-based visitor appears on your website (and that won’t take long), the rules – and the fines – apply to your website and hold you accountable. That’s why every website needs to be GDPR-compliant, including yours.
Create Your Own Cookies Policy
Next, you’ll need to adjust the appropriate widgets to activate the functionality of cookie consent forms for when users visit your website.
Use a Plugin
What was that saying, if you can think of something, there’s probably a WordPress plugin for it?
Naturally, there’s a great GDPR Cookie Compliance plugin by the Moove Agency which is completely free and is also compliant with CCPA and PIPEDA, which are additional cookie requirement laws.
The plugin is easy to use, highly customizable, mobile-responsive, and SEO-friendly.
A Few Words Before You Go…
User data is being stored, bought, and sold every day by websites, ISPs, and marketing agencies. Cookie compliance laws such as GDPR are an important step forward in protecting user privacy and emphasizing the importance of user consent when it comes to storing personal information.
In the end, whether someone likes to be the subject of targeted ads or opts to stay out of the marketing game, it should certainly be up to them… even though HTTP cookies are a lot easier to resist than the oatmeal and raisin kind.
View Related Articles
This is where the concept of parked domains saves the day. Even if you aren’t ready to build a website, but have come up with a perfect name for it, you can buy the domain and “park” it for later use. By purchasing a domain you like ahead of time, you’re making sure that no one steals it in the meantime.
There are many DNS record types, and they vary from being absolutely essential, to simply being quite useful. Two of the most commonly used DNS records are A records and CNAME records. Let’s take a closer look at what each of these DNS records is and what their functions are, so as to better understand what the difference between a CNAME and an A record is.
The .me domain is a growing trend for good reason: it seems personal. After all, what’s more personal than me? This domain extension offers a lot of versatility for websites names, personal blogs and resumes, call-to-action websites, and businesses seeking to emphasize…