How to Implement Cookie Consent without Turning Your Customers Off

Under the GDPR, the data cookies collect is considered personal if it can identify an individual via their device. If you use cookies that do this, you must gain consent from the user to collect and use that data. But can you do that without turning customers off?

The EU’s General Data Protection Regulation (GDPR) represents the biggest change to people’s data protection rights since 1998. It enforces new standards for data protection which you must comply with to ensure you operate within the law.

One area webmasters now need to treat differently is website cookies. Before GDPR, cookies would often track users without their knowledge, and even when notified of their use, users would have no idea what data was being collected and why.

Users now have the right to know about the cookies tracking them and for what purpose your organisation uses those cookies. Cookies should be split into three distinct segments: 1) those that are essential for the operation of the website; 2) those that the owner of the website will use to target you for future marketing; and 3) those that will be shared with third parties for wider marketing activity. And here’s the clincher: you must get users’ consent to use them. If you don’t, you can’t use them.

Lawful basis for processing

To process personal information under the GDPR, your company or organisation must be able to identify a lawful basis for doing so. Personal information comes in many forms and the Information Commissioner’s Office (ICO) has published clear guidance on this. Under the GDPR, there are six legal enablers for processing personal data:

1. Consent of the individual
2. Contractual necessity
3. Compliance with legal obligations
4. Vital interests of the data subjects
5. Public interest
6. Legitimate interests

The enabler relevant to cookies on websites is the first one: consent.

Consent must be provided by the user in a specific way. It must be freely given, specific, informed, and give “an unambiguous indication of the individual’s wishes.” The GDPR demands transparency, which is key to the approach you should take when implementing cookie tracking notifications on your website.

What constitutes lawful consent?

If you use cookies to track your users and collect personal data, you will need to use a tracking consent pop-up to comply with the GDPR. This should load when the user visits your website for the first time. This is because the user must be informed right away for you to be able to use cookies that track them.

The aim here is to gain lawful consent from the user, and the only way to do so under the GDPR is to get them to opt in or

What’s interesting right now is there are some very dubious notices out there from leading retailers. Here’s one we grabbed from a leading retailer:

[Image Picture2.png: cookie notice from a leading retailer]

The message itself is fine, but when you click “manage cookies” the user actually gets no choice at all. You are told you can manage cookies “on your device” and there is no opt-out box. This DOES NOT satisfy the GDPR. It is insufficient because, under the GDPR, if you say users can manage their cookies you have to enable that. Users must also be able to opt out after opting in. That’s cookies 101.

Oh, and something else: under the GDPR, the notice “By continuing to use our website, you are agreeing to our use of cookies”, or derivatives of it, is insufficient for consent because this is implied consent, which IS NOT a lawful basis for processing. So this notice:

[Image Picture3.png: “by continuing to use our website” cookie notice]

does not meet the GDPR’s requirements. And this one:

[Image Picture4.png: cookie notice from another leading retailer]

which we grabbed from another leading retailer, is also unlawful. Alarmingly, most of the retailers we have visited use this notice. Both of these notices would be made GDPR compliant with an opt-in box, so the solution is simple.

If you’re in any doubt about that, the ICO says this: “Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.” They also say that, “consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.” Could the guidance be any clearer?

Implementing cookie consent

There is an obvious objection webmasters will raise to displaying a prominent cookie notice on their website: that their customers could be turned off from using the website. Perhaps this is why so many retailers hide their notices with colours that blend in and use the outlawed practice of implied consent. Whatever the case, there are ways to make your notice lawful and good at keeping customers on your website.

The simplest way to implement cookie consent is this: give users an initial notice and a simple choice to opt in. It really is that simple. And here’s the most important point: it is not mandatory for the notice to let users choose which cookies they object to, so a simple ‘in’ or ‘out’ box is absolutely fine.

Soft opt-in

Achieving compliance is possible with a soft opt-in which gives the user the opportunity to act before cookies are set. A fair notice before the user continues to browse will meet valid consent requirements for standard cookie policies.

So-called ‘soft opt-in’ will be the best route for many websites. An example of a soft opt-in is where you have a notice that says, “Our site uses cookies” but your website doesn’t start collecting any data from those cookies until the user clicks ‘OK’ or navigates to another page. This is compliant with the GDPR because the user can agree to cookies before they are collected and has the choice to leave the page.

This is very different to just using the phrase “By continuing to use our website, you are agreeing to our use of cookies” because clicking ‘OK’ is an affirmative action and because in the example above cookies aren’t collected right away. The notice must, however, display in a prominent position so nothing is implied.

Your website must also give users the option to change their mind or opt out after you have obtained valid consent. If you get consent through an opt-in box, the user must be able to return to that menu so they can adjust their preferences. With a soft opt-in this can be done after the fact, which is what makes it such a useful option.

With that in mind, here’s a good written example of a soft opt-in with a box (the bracketed element is actionable):

This site uses cookies to collect visitor information. We use this data to improve our customers’ shopping experience. You can opt out at any time. To continue using our site you must agree to our cookie policy.

[opt-in button] “I agree to the use of cookies”.

With this box, you could load it before the visitor can navigate elsewhere so that consent is very clearly attained from them. They must “click” to proceed. Alternatively, you can allow them to navigate without agreeing, but you wouldn’t be able to track them until they opted-in by selecting the opt-in button.

Here’s a good written example of a soft opt-in with navigation consent:

This site uses cookies and third-party services to function properly. You must consent to our cookie policy to use our website. Click ‘Okay’ or navigate to another page to consent to it. You can opt-out and manage your preferences any time.

[box] or [button] “Okay”

With this box, you would load it as soon as the visitor lands on your website, but they would be able to navigate elsewhere right away. The box would stay in place during the visitor’s session, so they remain informed about the use of cookies. The box would only collapse if the user clicked the “Okay” box. This would ensure valid consent whether the user chooses the navigation option or opt-in option.

As you can see, these are soft opt-ins. They are also perfectly legitimate. They do not require the reader to wade through legalese, nor would they turn customers away. You can use either to comply with the GDPR. However, you must include a link to your privacy policy and cookie policy (if separate) in your notice.

The best way to integrate a cookie notice so it doesn’t adversely affect your visitor’s experience is to let the notification ‘roll’. By letting it ‘roll’ you have it load when your user first visits your site and you continue to display the notice until they opt-in. Once they opt-in you no longer have to display the pop-up notice.

The pop-up itself should be noticeable, which might sound counterproductive, but the sooner your visitor opts in the sooner the pop-up gets dismissed. Where you display your cookie policy will depend on your site’s design. You can display it in the header or footer, so long as it can be seen at all times until opt-in is fulfilled.
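One way to wire the soft opt-in and ‘rolling’ notice described in this section, as an added example that is not code from the original article: tracking scripts load only after an explicit opt-in is recorded in a first-party cookie, the notice stays visible until a decision is recorded, and the user can withdraw later. The cookie name, element ids and tracking script path are assumptions.

```javascript
// Added example (not from the original article): a first-party consent gate for a
// soft opt-in. Tracking loads only after an explicit opt-in; a missing, unknown or
// pre-set value is "unset" and the notice stays up. Names/path below are assumptions.
const CONSENT_COOKIE = 'cookie_consent';        // assumed cookie name
const ONE_YEAR = 60 * 60 * 24 * 365;            // seconds
const TRACKING_SCRIPT_SRC = '/js/analytics.js'; // placeholder path

// Parse a document.cookie / Cookie header string into {name: value}.
function parseCookies(raw) {
  const out = {};
  for (const part of raw.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Only the two explicit values count; anything else can never imply consent.
function consentState(raw) {
  const v = parseCookies(raw)[CONSENT_COOKIE];
  return v === 'granted' || v === 'withdrawn' ? v : 'unset';
}

// Cookie string recording the decision (first-party, Secure, SameSite=Lax).
function consentCookieString(decision) {
  if (decision !== 'granted' && decision !== 'withdrawn') throw new Error('bad decision');
  return `${CONSENT_COOKIE}=${decision}; Path=/; Max-Age=${ONE_YEAR}; Secure; SameSite=Lax`;
}
const trackingAllowed = (raw) => consentState(raw) === 'granted';
const noticeVisible = (raw) => consentState(raw) === 'unset';

// Browser wiring (skipped in Node); #cookie-notice, #cookie-agree and
// #cookie-withdraw are assumed to exist in the page markup.
if (typeof document !== 'undefined') {
  const notice = document.getElementById('cookie-notice');
  const loadTracking = () => document.head.appendChild(
    Object.assign(document.createElement('script'), { src: TRACKING_SCRIPT_SRC }));
  notice.hidden = !noticeVisible(document.cookie);   // roll until a decision is made
  if (trackingAllowed(document.cookie)) loadTracking();
  document.getElementById('cookie-agree').addEventListener('click', () => {
    document.cookie = consentCookieString('granted');
    notice.hidden = true;
    loadTracking();                                  // tracking starts only now
  });
  document.getElementById('cookie-withdraw').addEventListener('click', () => {
    document.cookie = consentCookieString('withdrawn');
  });
}
```

Withdrawal here only records the decision; tracking cookies already set during the session still need to be cleared on the next page load, which the gate above will no longer pass.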