A cookie – a small and round baked good. Delicious.

That is not the cookie we are after today, though. Today is about a small text file that a website creates and that is stored on the user’s computer, either temporarily for that session or permanently on the hard disk. The permanent kind is known as a persistent cookie.

Cookies give websites a way to recognise their visitors and keep track of their visitors’ preferences. Almost every website uses cookies and has done so for years, but there is a cookie law that requires websites to ask their visitors for permission to use them. But did you know that as few as 11% of website visitors actually accept these cookies?


The Role of GDPR in Cookies

When we think about cookies, our natural inclination is to relate them to GDPR. The two are not directly linked, but whenever we use cookies we must consider GDPR compliance. In other words, GDPR is the regulation a business must remain compliant with when it uses cookies on its website.

The reason is that GDPR governs the use of personal data, and if a cookie can identify an individual (which is the case in almost every situation), it is classed as personal data.

When using cookies for marketing, you must decide on what grounds you will process the data. There are two to consider at this stage – legitimate interest and consent.

Legitimate interest allows websites to process the data under legal or contractual exceptions.


PECR: Privacy and Electronic Communications Regulations

GDPR is the primary piece of legislation here; however, cookies are still not mentioned in it directly.

PECR is the regulation that refers directly to cookies and related technologies such as beacons, tags, device fingerprinting and email pixels. PECR covers electronic marketing and sets specific rules for that field.

It applies whenever a company stores information on, or gains access to information stored on, a user’s device. You must have consent, and you must tell the visitor that their consent is required. GDPR states that businesses must be specific and unambiguous, providing clear information and a transparent message to the website visitor. This gives people who may not know much about cookies a much better insight.


First Party vs. Third Party Cookies

First-party cookies are set by your own website, and their data does not travel to any third party. For example, here at Spotler we use first-party cookies for IP lookups through our own platform, GatorLeads.

When tracking website visitors, GatorLeads has a higher average IP match rate than most of its competitors, including the tracking of an individual contact. We also enable the tracking of key decision makers at target companies, amplifying the warmth and welcome that companies can offer their clients. This is bound to gear up those hot leads for any sales and marketing department! And worry not – our first-party cookie tracking for IP lookups is done in compliance with all GDPR rules.

Third-party cookies, on the other hand, are cookies set by a different provider that you do not own, so the data does not stay on your site. Examples of third-party cookies are Facebook and LinkedIn tracking beacons, as these are third-party service providers to whom companies hand over their data.


Examples of Cookie Consent

Websites have interpreted the cookie law in different ways, with varying options for how cookies are set and how consent is given. Let us go through some common examples of how websites ask for cookie consent.


1. Notice Only Consent

This is the type of consent where you have no option but to give it. The only way to opt out is to leave the website, giving off an “if you don’t like it, don’t use it” kind of tone. These messages are displayed on pop-up banners that block access to the website until consent has been given.

A notice-only consent does not inform the website visitor about how their personal data will be used, but instead displays a ‘read more’ link leading to endless sentences of information about it.

The reason this fails to comply with GDPR is that it lacks freedom of choice; GDPR wants visitors to receive a transparent understanding of why and how the website will use cookies. Although the message links to more information about the cookies, it is a long and complex read rather than the clear and concise one GDPR encourages.

Additionally, GDPR asks for an open choice for the website visitor to either accept or decline the consent request, rather than the only two options being to accept or to leave.

Therefore, this type of consent is deemed to work around GDPR compliance, as it does not follow its guidance on clarity and choice.


2. Notice Only – Implied Consent

This option is more open than the previous one, as it includes an implicit option to reject the cookies. It also shows a short message informing readers that the website uses cookies but that they can be switched off if the reader prefers, followed by a ‘read more’ link. These consents use banners too, but of a different kind: they are not pop-ups and they do not cover the landing page. They sit at the bottom or the top of the page and still give access to the entire website.

Here, the website visitor is given three options – accept, decline, or customise. The customise option opens a form in which all cookies are disabled and the visitor can enable them if they wish, rather than defaulting to enabled cookies that the visitor must manually disable. This means that if the visitor ignores the banner and continues browsing the website, no cookies are used.

The reason this option is still not considered the most GDPR compliant is that GDPR requires engagement with the banner before engagement with the website, whether the visitor wants to accept or decline those cookies.


3. Explicit Consent

Explicit consent is the most GDPR-compliant option, as it requires engagement with the banner before the site is accessed and gives sufficient but concise information at first glance. Cookies are disabled by default, and you either enable them or go to the cookie settings to update your preferences.

This option presents a nice, concise message explaining where and how the cookies will be used and why permission is being asked for, rather than only stating that the website uses cookies followed by accept and decline buttons. Therefore, this option is found to be the most GDPR compliant, as it gives both the choice and the information.
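The default-off, consent-gated behaviour described for the customise form and the explicit-consent banner, as an added example (not code from the original post or from Spotler): the category names, the consent cookie name and the sample cookie names are assumptions, and the cookie jar is injected so the same logic runs against document.cookie in a browser or an in-memory map here.

```javascript
// Added example, not code from the original post: a consent-gated cookie layer for
// the "explicit consent" pattern. Non-essential categories default to OFF, nothing in
// them is written until the visitor enables it, and the decision is stored so it
// survives page loads. The cookie jar is injected so the logic runs in or out of a browser.

const CATEGORIES = ['analytics', 'marketing'];   // non-essential, default off
const CONSENT_COOKIE = 'cookie_consent';         // assumed name; strictly necessary

function createConsentManager(jar) {
  // jar: { get(name) -> string|undefined, set(name, value, days) }
  let consent = loadConsent();                   // null = banner not answered yet

  function loadConsent() {
    const raw = jar.get(CONSENT_COOKIE);
    if (!raw) return null;
    try { return JSON.parse(decodeURIComponent(raw)); } catch (e) { return null; }
  }

  function record(choices) {
    // Store only booleans for known categories; anything else stays off.
    consent = {};
    for (const c of CATEGORIES) consent[c] = choices[c] === true;
    jar.set(CONSENT_COOKIE, encodeURIComponent(JSON.stringify(consent)), 180);
    return consent;
  }

  const allowed = (category) => consent !== null && consent[category] === true;

  return {
    needsBanner: () => consent === null,
    acceptAll: () => record(Object.fromEntries(CATEGORIES.map((c) => [c, true]))),
    declineAll: () => record({}),
    customise: (choices) => record(choices),
    allowed,
    // The gate every non-essential tag or script must go through: writes the
    // cookie only when its category is allowed, and reports whether it did.
    setCookie(name, value, category, days = 30) {
      if (!allowed(category)) return false;
      jar.set(name, value, days);
      return true;
    },
  };
}

// In-memory jar so the example runs outside a browser.
function memoryJar() {
  const store = new Map();
  return { get: (n) => store.get(n), set: (n, v) => { store.set(n, v); }, has: (n) => store.has(n) };
}
```

In a browser you would pass a jar whose set() writes document.cookie with Path, Max-Age, Secure and SameSite attributes, so the stored choice itself is only sent over HTTPS.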


Enforcement

The ICO should encourage businesses to assess how intrusive and harmful their cookies may be to a user.

From a marketing point of view, the level of intrusiveness or harm that cookies could cause is reasonably low. It would be quite difficult for users to prove a considerable degree of intrusiveness or harm caused to an individual by cookies, because marketing only uses cookies to analyse buyer behaviour or browsing patterns. These cookies do not process sensitive personal information that could put someone in danger and raise eyebrows at the ICO.

In terms of priority, the ICO is more inclined to prioritise third-party cookies used for analytics over first-party ones, because it is third-party cookies that transfer data, leaving first-party cookies with much lower privacy risks.


The Perfect Cookie Consent

To abide by GDPR, it is a great idea to write a fun and meaningful message for your website visitors about the cookies you use, explaining why and how you use them, followed by accept and decline buttons (and a customise one if you prefer!). A fun and meaningful message encourages visitors to read what is in front of them, and they will feel more inclined to hit accept because they can relate to it.

So, if you want to keep on top of that GDPR compliance checklist, make sure your visitors engage with your clear and nicely written cookie pop-up banner before they browse your website. Add the accept and decline buttons too, and you are already ahead of the cookie game. Easy.