By Iulian Grecu on 20 Aug 2021
This blog article is intended as an informative piece, and we highly recommend you get in touch with a legal professional before starting to implement cookie consent in your organization. They will have a better understanding of the regulations and how they must be applied to your company. There is no one-size-fits-all approach, and you should adhere to the regulations that apply in your sector and region.
In this article you will learn:
- What are cookies
- What are the current regulations in place (GDPR, ePrivacy)
- How cookie banners work on websites
- How cookie consent is affecting your marketing activities (with examples for PPC & SEO)
- What can you do to improve your opt-in rate? And how to get close to a 90% opt-in rate
- How to track those that don’t opt in (with privacy-focused tools)
- What cookie consent tools you should use for your website
What are cookies?
Cookies are text files stored on your computer by the browser that a web server (a website) can later retrieve. They allow websites to keep track of users’ activities and personalize their experiences. Think, for example, of adding something to your Amazon shopping cart. You close the website, but when you return you are still logged in and the items are still in the cart. This can be done through cookies (one cookie for the session login and another one for the cart contents).
Browsers can also use other types of storage (localStorage or sessionStorage). Both browser storage and cookies must adhere to the rules.
You can learn more about cookie types and subdivisions by visiting this Wikipedia article.
What are the regulations?
Currently, in Europe, there are a few regulations regarding cookies and user tracking. One is the ePrivacy Directive and the others come from GDPR. The ePrivacy Directive states that cookies need consent, but each member state defines consent differently. Therefore, GDPR comes with even stricter rules on what consent should be.
GDPR Article 5 (3) regarding Confidentiality of Communications states the following:
- “storing of information, or the gaining of access to information already stored, in the terminal equipment of a…user is only allowed on condition that the subscriber or the user concerned has given his or her consent”
- “[Except where]…strictly necessary in order…to provide the service”
We also have GDPR Article 7 (Conditions for consent), which states the following:
- “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”
- “The data subject shall have the right to withdraw his or her consent at any time.”
- “It shall be as easy to withdraw as to give consent.”
To summarize all of them, you should state the intent to use cookies in clear and plain language when someone visits the website for the first time through an intelligible and easily accessible form (i.e. cookie banner).
Then, GDPR Article 21 (Right to object), paragraph 2, states that “where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time”. This means you will need a solution in place that lets users opt out of cookies.
We recommend getting in touch with a legal representative with experience in GDPR and ePrivacy before implementing cookies as your industry might have even stricter regulations. Please also have a look at the resources section of this article for further reading.
How cookie banners work on websites
When you land on most European websites right now, the first thing you’ll see will be a cookie consent banner. Usually, they have a button to accept cookies and another one to manage your preferences - from where you can turn on and off different cookie categories.
Technically, no tracking or 3rd party scripts should be fired before people accept cookies because firing those scripts will more than likely create a new cookie.
For example, Google Analytics has a cookie called _ga, Facebook Pixel has another cookie called _fbp etc…
You can, however, set cookies that are required to run the website (strictly necessary cookies), but they shouldn’t have anything to do with user tracking and 3rd party data sharing.
Cookies can also be categorized as performance/analytical, functional, or targeting/advertising. Most consent tools break them down into these categories to make it easier for people to opt in or out of each one.
Some cookie consent solutions have the option to automatically sort and block 3rd party scripts, but if you’re doing the implementation via Google Tag Manager, then the way it works is:
- Fire GTM and the cookie banner when someone visits the site
- Add conditions for every individual tag to fire only when people have accepted cookies (or different categories)
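The per-tag conditions described in the two steps above, as an added example that is not from the original article or from Google Tag Manager: a small consent gate that loads only strictly necessary scripts up front and releases the rest per category once the banner is answered. The tag list, URLs and function names are hypothetical.

```javascript
// Added example, not the article's code. Category names follow the article;
// SAMPLE_TAGS, its URLs and all function names are constructed/hypothetical.
const CATEGORIES = ["necessary", "analytics", "functional", "advertising"];
const SAMPLE_TAGS = [
  { name: "session", category: "necessary", src: "/js/session.js" },
  { name: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { name: "ads-pixel", category: "advertising", src: "https://ads.example/pixel.js" },
];

// Browser loader: inject the tag's script element only when the gate calls it.
function injectScript(tag) {
  const el = document.createElement("script");
  el.src = tag.src;
  document.head.appendChild(el);
}

function createConsentGate(tags, loadTag = injectScript) {
  const granted = new Set(["necessary"]); // the only category allowed up front
  const fired = new Set();
  // Load every tag whose category is granted and that has not run yet.
  function fireAllowed() {
    const firedNow = tags.filter((t) => granted.has(t.category) && !fired.has(t.name));
    for (const tag of firedNow) {
      loadTag(tag);
      fired.add(tag.name);
    }
    return firedNow.map((t) => t.name);
  }

  return {
    start: fireAllowed, // page load, before the banner is answered
    // Banner callback, e.g. update({ analytics: true, advertising: false }).
    update(choices) {
      for (const [category, allowed] of Object.entries(choices)) {
        if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
        if (category === "necessary") continue; // cannot be switched off
        if (allowed) granted.add(category); else granted.delete(category);
      }
      return fireAllowed();
    },
    // One call withdraws everything; returns the tags that already ran.
    withdrawAll() {
      granted.clear();
      granted.add("necessary");
      return tags.filter((t) => fired.has(t.name) && !granted.has(t.category)).map((t) => t.name);
    },
    isGranted: (category) => granted.has(category),
  };
}
```

Scripts that have already run cannot be unloaded, which is why withdrawAll() reports them: the caller deletes their cookies and reloads the page without those tags.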
Quick Tip: If you need to check what cookies a website has stored in your browser, you can go to Developer Tools (Ctrl+Shift+I in Google Chrome) then navigate to the Application tab > Cookies, and you should see something like this:
Under Cookies, you have all the domains that have set cookies on the website you’re visiting, and you can filter for specific cookie names. In the example above, I have filtered by “ga” as “_ga” is the default Google Analytics identifier cookie.
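The same check can be scripted. This added example (not part of the original article) parses a cookie string and reports tracking cookies that are present without consent for their category; the categories assigned to _ga and _fbp, the _ga_ prefix rule and the sample cookie string are assumptions.

```javascript
// Added example: flag tracking cookies that exist without matching consent.
// _ga and _fbp are the cookie names from the article; their category
// assignment and the "_ga_" prefix rule are assumptions of this sketch.
const KNOWN_COOKIES = [
  { prefix: "_ga", category: "analytics", owner: "Google Analytics" },
  { prefix: "_fbp", category: "advertising", owner: "Facebook Pixel" },
];

// Constructed sample in document.cookie format (values are made up).
const SAMPLE_COOKIE_STRING =
  "session_id=abc123; _ga=GA1.2.111.222; _fbp=fb.1.1629450000000.333; theme=dark";

// Parse a document.cookie / Cookie-header string into [name, value] pairs.
function parseCookieString(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1 ? [part, ""] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

// Return every known tracking cookie whose category is not in grantedCategories.
function auditCookies(cookieString, grantedCategories) {
  const granted = new Set(grantedCategories);
  const violations = [];
  for (const [name] of parseCookieString(cookieString)) {
    // Exact name or "<prefix>_..." so that e.g. "_gallery" is not misclassified.
    const known = KNOWN_COOKIES.find(
      (k) => name === k.prefix || name.startsWith(k.prefix + "_")
    );
    if (known && !granted.has(known.category)) {
      violations.push({ name, category: known.category, owner: known.owner });
    }
  }
  return violations;
}
```

In the browser, call auditCookies(document.cookie, ["necessary"]) on a fresh visit before answering the banner; an empty result is the expected outcome. document.cookie does not expose HttpOnly cookies, so for full coverage run the same function over the Cookie request header on the server.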
How cookie consent is affecting your marketing activities
At Wolfgang, we work with a lot of companies doing Paid Search, Paid Social, SEO, Data Analytics and Conversion Rate optimization - and cookies are affecting all of these activities.
I’m going to give you a few examples of how the marketing visibility will be diminished:
- In PPC campaigns, 100 clicks sent from Google Ads can result in only 50 sessions if the cookie opt-in rate is 50%. This means that you’ll see only 50% of the PPC traffic, which in turn will result in either double the CPA (for lead generation) or half the ROAS (for e-commerce).
- In Social Media campaigns, the scenario is similar to PPC: the clicks you see in Facebook Ads Manager won’t match what you see in Analytics, and the conversions generated by people who haven’t opted in won’t be sent to Facebook, because the Pixel Purchase or Lead events won’t fire.
Overall, when you look into Google Analytics, traffic will be massively down after installing a cookie consent solution if the opt-in rate is low. This will affect all traffic channels and all revenue - for example, you might see €100K monthly revenue in Analytics, but you know the business has generated €200K in the backend/invoices. Clearly, you are under-reporting your marketing activities and some channels are generating more revenue than reported in GA.
What can you do to improve your opt-in rate?
It’s all about the cookie banner design and its features. It might sound simple but A/B testing a few banner designs might be the best way.
A few things to test:
- Place it on top of the website, then on the bottom of the website and see if the opt-in rate improves.
- Contrary to popular opinion, you don’t have to include a close (X) button on the banner. People will have to opt in or opt out, and if they just close the banner, you still haven’t obtained their permission to fire scripts and cookies.
- Some websites don’t allow you to browse unless you make a choice, so you can test that as well.
How to track those that don’t opt-in
Google is innovating in this area and they’ve already released the Consent Mode beta which is available for Google Ads, Floodlight tags and Google Analytics. This feature checks the cookie settings and adjusts how your Google tags behave based on the consent status of your users.
A simple explanation of what happens for users:
Technically, Google will send cookieless pings to its servers and report on user activity without reading or writing any cookies. Full documentation here.
Another thing that you can start to implement today is server-side tracking. We are working on releasing this for a number of clients. It works through server-to-server communication without needing any tracking pixels or cookies.
What cookie consent tools should I use for my website?
We work with OneTrust for most of our clients and they have one of the most complete solutions for cookie consent, privacy and data compliance, and they offer a free option. There are also a few other tools that you can use:
- https://www.onetrust.com/ (Free & Paid version available, no limit on pageviews)
- https://www.cookiepro.com/ (Free & Paid versions, no limits on pageviews)
- https://www.cookiebot.com/ (Free for sites with maximum 100 pages, then Paid)
- https://cookie-script.com/ (Free with a limit on pageviews)
- https://www.iubenda.com/en/cookie-solution (Paid only)
These are just a few tools we’ve come across. Feel free to research more tools that are suitable for your business. For example, if you’re using WordPress or Shopify, you will have a few plugins available that will also be easier to implement.
We recommend getting them installed through Google Tag Manager for more flexibility and control, including integration with Consent Mode from Google.
As we mentioned, we work with OneTrust and our team is certified in getting Cookie solutions implemented for your business. If this is something you’re interested in, please get in touch with your account manager or contact us today.
Further reading and resources:
- Data Protection Commission - Resources & Guidance
- Guidance note: Cookies and other tracking technologies (pdf) published by dataprotection.ie
- 3 key actions for privacy-safe growth (Think with Google blog)
- Privacy-safe growth: Key actions to deliver on privacy expectations and your marketing goals (pdf)