Yesterday there was a lively discussion on Hacker News and various subreddits about cookie consent walls not being valid according to the GDPR. Ironically, when visiting the article discussed, I was faced with one of the worst and most user-hostile implementations of the cookie law.
The web is broken. Behavioral tracking without consent, abuse of personal data, annoying walls, prompts and popups and a lot of disrespect to the web user in general.
More technically savvy people use browser extensions and better browsers to avoid most of the noise and have a clean and distraction-free web experience. The “average” internet user on Chrome without extensions is browsing a very broken web and is regularly being taken advantage of.
Here’s how you as a website owner and web developer can help fix this broken web so we don’t require hacks and extensions to make it usable and everyone can have a great experience.
Table of contents
- Limit the amount of tracking to the absolutely necessary
- Ask for consent for preferences when it is relevant
- How to deal with third-parties and targeted advertising
- The best way to implement the consent prompt
- Cookie consent could become a built-in feature of browsers
Limit the amount of tracking to the absolutely necessary for your site or business to function
On top of this, you’re not required to show the cookie prompt nor get consent for the necessary tracking such as session cookies that for instance hold the items in the shopping cart.
There are even ways to do simple site statistics without using cookies and without collecting personal data.
If you do any of this, your site is clear. No need for popups and prompts at all. Your website visitors will have a clean and beautiful experience without distractions.
Ask for consent for preferences cookies when it is relevant to do so
What if you want to create a slightly more advanced website experience? Like the ability to remember a visitor's personalized settings from visit to visit? Features such as automatic login for those with an account? And language preference or location preference?
Clearly explain what these things do and ask for consent. For instance, on your login form, you can have the “Remember me” checkbox. The visitor must give consent for this so make the box unticked by default.
Even in this case, there’s no need for popups or prompts as soon as someone visits your site. You can explain the purpose and ask for consent when it is relevant such as on the login form itself.
How to deal with third-parties and targeted advertising
But what if you want to do something more complicated involving third parties? Such as using targeted advertising and following a visitor around the web, or sharing usage data and other personal data of a visitor with third parties for advertising purposes?
Try to become less reliant on this because this type of third-party tracking is becoming less effective. Safari is blocking it, browsers such as Brave and Firefox are blocking it, ad-blocking extensions are blocking it and even Chrome will block it soon too.
If you still want to share the data of your visitors with third-parties for advertising purposes, then be very clear about it. See the following section for instructions on how.
The best way to implement the consent prompts
Here’s how you should implement the consent prompt such as the one for your visitor to give you consent to share their personal data with third-parties for advertising purposes:
- Never block any visitor from seeing your website or your content. Those cookie walls that you see on some sites are illegal according to the GDPR and are made by sites that don’t have the best interest of a visitor in mind.
- Place the prompt at an easy to see location such as on the bottom left or the bottom right of the screen. It should not take much of the screen and should not distract the visitor from your site.
- Don’t store any cookies or send any data to any third-parties before the visitor makes a decision and gives you consent to do so.
- Write in simple language that your visitor understands. Use the same language that you use for the copy on the rest of your site. Explain what you are doing in terms of tracking and third-party connections and what the purpose is. Don’t hide it behind jargon or lawyer lingo. Make it as clear as you make the rest of your site for anyone to understand.
- Ask the visitor to decide whether to give you consent to do this or not. Provide simple “yes” and “no” buttons. There should be no differences in the design, colors or size of buttons at all. No dark patterns. There are companies such as Metomic that make this simple to implement.
- The only way for a user to give consent is to actively choose to click on the “yes”. Otherwise, it’s a “no” and the visitor is free to continue browsing your site by either clicking on “no” or by completely ignoring that prompt at the bottom of the screen.
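The rules in the list above, sketched as an added example (not code from the original post or from Metomic): third-party scripts are queued, and nothing is loaded or stored until the visitor actively clicks “yes”; ignoring the prompt behaves like “no”. The names `createConsentGate`, `memoryStorage`, `browserLoadScript`, the `ad_consent` key and the `ads.example` URL are hypothetical.

```javascript
// Added example. All names, the storage key and the URL are hypothetical.
function createConsentGate({ storage, loadScript, key = "ad_consent" }) {
  const pending = [];                        // third-party URLs waiting for a decision
  const read = () => storage.getItem(key);   // "yes" | "no" | null (undecided)
  return {
    // Register a third-party script. It loads only after an explicit "yes".
    register(url) {
      const state = read();
      if (state === "yes") loadScript(url);
      else if (state === null) pending.push(url);  // undecided: hold, send nothing
      // state === "no": drop it, the visitor refused
    },
    // The prompt appears only while undecided. Page content is never blocked on it.
    shouldShowPrompt: () => read() === null,
    // Wire this to the two equally styled buttons: decide("yes") / decide("no").
    decide(answer) {
      if (answer !== "yes" && answer !== "no") {
        throw new TypeError('answer must be "yes" or "no"');
      }
      storage.setItem(key, answer);          // first write happens only after a click
      if (answer === "yes") while (pending.length) loadScript(pending.shift());
      else pending.length = 0;
    },
  };
}

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => store.set(k, String(v)),
  };
}

// Browser loader: injects the script tag, so no request is made before this call.
function browserLoadScript(url) {
  const s = document.createElement("script");
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

// Constructed walk-through: visitor sees the page, later clicks "yes".
function demo() {
  const loaded = [];
  const gate = createConsentGate({ storage: memoryStorage(), loadScript: (u) => loaded.push(u) });
  gate.register("https://ads.example/tag.js");
  const beforeDecision = loaded.length;
  gate.decide("yes");
  return { beforeDecision, afterYes: loaded.length };
}
```

In a browser, pass `window.localStorage` as `storage` and `browserLoadScript` as `loadScript`, and list third-party tags through `register()` instead of placing them in the page markup.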
Following the above steps is simple and clear for any website owner or a business owner. It also doesn’t impact the design of a site or the user experience unlike many of the current implementations.
Whoever claims that GDPR is the enemy of the web or the enemy of business is either badly misinformed or doesn’t have your or the web’s best interests in mind.
Cookie consent could become a built-in feature of browsers
Because of the way many sites currently implement the consent forms, it seems likely that the law will be moved to the browser level rather than the site level in the future. The new proposal for an ePrivacy Regulation says this:
“The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers”
Browsers will be responsible for making the process I described above clear for the user. When you launch a browser for the first time it will simply ask you the questions on behalf of all the websites you’re going to visit in the future:
- Can websites you visit store preference cookies such as those where you select a language to use on their website, your location for features such as weather forecast and the ability to log in to your account automatically? Choose yes or no.
- Can websites you visit share your usage, behavioral data and personal data with third-party companies for purposes such as to be able to target you with commercial messages as you browse the web and visit other websites? Choose yes or no.
Simple. Easy to understand. The user makes the decision and never has to think of these things again. No more cookie walls, popups that distract, prompts that annoy and inferior experiences.
Whatever the user wants the user will get. There’s complete respect for their wishes and decisions. And full compliance with the privacy regulations.
Entrepreneurs can still run their sites, customize the web experience as much as they want and grow their businesses whichever way works best for them. And they will be compliant with the rules and will respect the choices their visitors have made.