Privacy regulations such as the GDPR say that you need to seek permission from your website visitors before tracking them.
Most GDPR consent banner implementations are deliberately engineered to be difficult to use and are full of dark patterns that are illegal according to the law.
I wanted to find out how many visitors would engage with a GDPR banner if it were implemented properly and how many would grant consent to their information being collected and shared.
There was no study done on this from what I could find out so I did my experiment. Let’s look at my findings.
TL;DR: 90%+ of your visitors will not give the GDPR consent
If you implement a proper GDPR consent banner, a vast majority of visitors will most probably decline to give you consent. 91% to be exact out of 19,000 visitors in my study.
What’s a proper and legal implementation of a GDPR banner?
- It’s a banner that doesn’t take much space
- It allows people to browse your site even when ignoring the banner
- It’s a banner that allows visitors to say “no” just as easy as they can say “yes”
How I implemented my study
I used Metomic for my GDPR consent banner. It is a fully compliant GDPR consent banner that allows you to explain why you’re seeking permission to collect data.
It also gives your visitors transparency over how their information is being tracked and used. It doesn’t take much space and no dark patterns are involved.
Here’s how the banner looked like on mobile and desktop:
I tested on two different websites with two different audiences
I installed Metomic on two different websites during June. There were a few differences between the two sites:
- Site 1 was a site about a tech topic with the majority of visitors coming from Google organic search (60%) and browsing from laptop or desktop devices (60%).
- Site 2 was on a lifestyle topic with the majority of visitors coming from organic social media (70%) and browsing with mobile devices (70%).
48% of visitors engaged with the banner and 9% of total visitors granted consent
I assumed that having a GDPR compliant consent banner carries a very high risk of visitor refusal as most people don’t care enough to engage with your banner and those who do mostly do it to get rid of it.
And if you give them an easy way to ignore your banner or to say no to be tracked, most of them will simply do that.
With almost 19,000 unique visitors between those two websites, 48% engaged with the banner.
19% of those who engaged with the banner gave their consent which means that 9% of total visitors gave their consent to be tracked.
Here are the total stats:
|Unique visitors||Opt ins||Opt outs|
More mobile visitors engage with the banner and a higher percentage of them decline to give consent
A higher percentage of visitors engaged with the banner on a mobile device (59% versus 40%) with a lower percentage of them giving consent (16% versus 22%).
An obvious explanation is that the banner is more prominent and takes a larger percentage of a mobile screen than a desktop screen so the visitor interacts with the banner to remove it from their mobile screen.
And here are the percentages:
|% of total visitors who interacted||% of those who interacted that gave consent||% of total visitors that gave consent|
Only 1 out of 774 decided to drill down and make a more granular choice in their consent
In addition to this, on the tech site, there was only one consent being asked for and that was for statistics (Google Analytics).
On the lifestyle site, three permissions were being asked for. Web statistics (Google Analytics), personalized advertising (Doubleclick) and social media sharing (Pinterest).
Only 1 person out of the 774 who opted into being tracked drilled down and made a more granular choice. That visitor said no to stats but said yes to advertising and social media.
So what can I do with such low consent rates?
You could still run personalized advertising and do behavioral profiling on those visitors that give you consent.
But writing is on the wall. If your business model requires user consent, chances are that your business will suffer if and when GDPR gets enforced. The implication of users not giving the required consent is that the ad-tech industry might collapse.
For everyone else, you should explore and consider switching to a different and more ethical monetization method while you still have time.
You could do contextual, non-personalized advertising which doesn’t need any personal data and simply shows advertising according to the content of the page. Google made its first billions with this method.
Plausible Analytics, a Google Analytics alternative that I’m working on, is engineered not to track and identify visitors in the first place so there’s no need to request their permission to track them.
What’s going to happen with the personalized advertising business model?
Most website visitors don’t want to grant their consent for data tracking while most websites don’t want to give visitors a fair and clear way to opt out.
It seems likely that this will lead us towards cookies and other tracking permissions being a browser or operating system-wide setting rather than a site setting in the near future.
This would likely spell the end of the wild west era of the personalized advertising business model of the web.
Most web users will simply select “no to tracking” once in their browser and the browser will block all the trackers for them as they surf the web.
Advertising funded businesses are aware that the minority of visitors want to give consent.
They are simply riding the ad train and milking the cash cow for as long as they can get away with before GDPR gets enforced and they either shut down, adapt to a more sustainable business model or explore even more privacy invasive practices.
And the alternative to the advertising-funded web? Charge for services. And have your premium subscribers fund the free plans.