EU cookie laws have been in place since 2011, although there was very little awareness before 2012, when the first websites in the UK started displaying consent notices based on the cookie consent models described here. In most countries we have seen what can largely be called a ‘softly-softly’ approach to enforcement; however, activity has picked up since mid-2014. In the UK, the Information Commissioner’s Office (ICO) has kept it a low-profile issue, but Spain and the Netherlands have seen enforcement action and fines for non-compliance.
In September 2014, the French regulator (CNIL) led a series of ‘cookie sweep days’ to assess the state of play amongst big websites. They also began exercising powers to run remote compliance audits, with enforcement action following closely behind where needed.
In the UK, many sites have implemented some kind of ‘cookie banner’ and introduced ‘cookie policies’. A lot of sites went for an approach of doing as little as possible and then waiting to see what happened next.
However, as websites inevitably get redesigned and user journeys get re-evaluated, many site owners are now looking at their initial solution to the problem, as well as at what their competitors have done, and asking themselves ‘could we do it better?’. That’s where cookie consent models come in.
We have put this page together to lay out clear and practical choices for website owners and designers to make when choosing a cookie banner.
Although a cursory glance suggests that everybody is doing basically the same thing, if you look a little closer, and at the requirements laid down by different regulators, there are in fact no fewer than five broad models for cookie law consent.
Cookie consent models can be characterized as:
- Notice Only
- Implied Consent (opt-out)
- Soft Opt-in
- Explicit Consent
- Mixed Consent
In addition to these five cookie consent models, there is also the option of considering Do Not Track (DNT) requests.
What We Mean When We Talk About Cookies
It is important to realize that the ePrivacy Directive, from which the cookie laws derive, applies to more than just HTTP cookies. Other technologies that perform similar functions to cookies, such as web beacons, e-tags, Flash cookies, and HTML5 local storage, are also subject to the same legal requirements.
However, cookies are the most common form of local data storage and tracking, which is why this became known as the Cookie Law. Within this document, as in our other advice and publications, when we talk about cookies, we are using the term to encompass these, and any other technologies covered by the same regulations.
The Strictly Necessary Exemption to Cookie Consent
There are many ways that cookies are categorized by websites, usually by reference to their purpose. We believe that the UK International Chamber of Commerce (ICC) cookie categories are the most helpful for consumers and have long supported them. They are: Strictly Necessary, Performance, Functionality and Targeting/Advertising. Most sites now use these or a close variation of them.
Only one of these categories carries any specific significance in the law, which is the Strictly Necessary category.
Cookies that are strictly necessary for the functioning of the site are exempted from the requirements for cookie consent under the law. This means that any such cookies are outside of the cookie consent models discussed below. Strictly necessary cookies need no controls to be applied and can be set as needed without a cookie consent model.
However, it is important to note that the definition of what is a strictly necessary cookie is very narrow – and cannot be applied more broadly to suit the business needs of a site. For more detail of when cookies can and cannot be categorized in this way, the Article 29 Working Party has issued an opinion document which serves as a general guide: Article 29 Working Party Guide.
Although cookie consent is not required for such cookies, it is considered good practice to identify them so that people can distinguish them from other types of cookies.
However, when discussing the different cookie consent models and introducing user controls over cookies, strictly necessary cookies can be excluded from such decisions.
The Granularity of Cookie Controls
In all the cookie consent models we present, except implied consent, visitors are given controls over whether cookies are set or not. This does not have to mean a binary all or nothing choice.
The law itself is silent on the issue of how much control users should be given. In theory, you could choose to give users a choice about each individual cookie. However, from a practical, as well as a user experience perspective, most site owners would find such an approach unworkable.
In our view, the most sensible approach is to apply controls at the broad purpose category level, such as the ICC categories mentioned above.
Notice Only Consent
This cookie consent model tells the user that cookies are in use, and their choices are to accept the fact or navigate away.
This is technically the simplest approach, and the most widely adopted. It requires the least amount of effort and change to a site. It can be done well, but it is also very easy to get wrong.
The amount of information provided by sites using this approach can vary a great deal. Some have nothing more than a short statement in a banner, with variations on the above sentence, and a mechanism to remove it from view.
Others will go further by perhaps linking to an internal cookie information page that says a bit more about the cookies in use.
Good Practice Tips
With this approach, generally the more information you provide, the better. Avoid generic statements about cookies that have been copied from other sources. Instead, list out the types of cookies your site uses, and explain their purpose. This shows you have at least given some consideration to the privacy implications for users.
Good practice also includes advising people of the ability to delete or prevent cookies in their browser or by other means. However, don’t try to go into all the detail yourself.
Instead, it is better to link to external sources which are more likely to be kept up to date, such as: http://cookiepedia.co.uk/how-to-manage-cookies
Mistakes to Avoid
We have talked to several webmasters with non-functional ‘Accept’ buttons who say that almost none of their visitors click the button. This is then interpreted as an indication that users don’t care about cookies and privacy. However, it is just as easy to suggest that they recognize it as a false choice that they don’t need to make, or that they don’t want to accept cookies and would refuse them if the choice were there. A site with this approach can also open itself to accusations of deliberately misleading users into thinking they wouldn’t get cookies if they didn’t click ‘Accept’ – which is much more likely to lead to stronger enforcement action from a regulator.
There is nothing inherently wrong with the disappearing banner. If you are going to set it on a timer, such as a fixed number of seconds, make sure visitors cannot fail to notice it on first arrival, and that there is enough time for slower or less experienced users to read it and interact if need be.
A slightly better form of the disappearing banner is to leave it in place until the user takes another affirmative action, such as navigating to a second page.
The forced click or acceptance, i.e. not allowing the use of the site without clicking on a cookie notice, is probably the biggest mistake for the information only cookie consent model. It is rarely seen – but there are examples. Some sites have even offered a refuse option which redirects the user elsewhere, such as to a search engine page. This solution is high risk because people may just leave the site, and it is also highly deceptive. If visitors click through to get to the content, they have not given any valid consent, and if they leave, they will assume that they have not had any cookies from the site – which is not the case in the information only model.
This cookie consent model, especially if the information is kept to a minimum and hidden very quickly, is the least likely to be considered compliant or fair by any regulator. However, it can be useful as a quick fix or stop-gap while an alternative is being decided on or developed. In the short term, many visitors may find it acceptable, but if more of your competitors go further, you can risk losing trust, and therefore visitors.
It can give the impression that you don’t trust your visitors to make choices that benefit you, that you don’t care about the law, or that you don’t understand your legal obligations; it can also make a site look unprofessional.
Giving people a banner with neither choice nor adequate levels of information can also be viewed by visitors as showing you have something to hide that they might object to, even if you don’t.
The reality is that you are unlikely to get into immediate trouble with a regulator, but if your site is investigated, you are more likely to be required to change it to meet the legal requirements. It is a good idea therefore, even if you choose to go with this approach until you get a complaint, to have an alternative ready to roll out quickly.
We are using and have set cookies, but you can switch them off if you want.
Good Practice Tips
When offering opt-out controls, there is a balance to be struck between usability and the effort required to opt-out.
Creating options for different levels of opt-out is good. Best practice suggests grouping or categorizing cookies by purpose and giving control at that level – perhaps over 3-5 different categories. This gives real choice to users, without it being too difficult to choose, or too many clicks to make.
It is also a good idea to explain the consequences of opting out, especially if it may negatively impact the user experience.
If people do opt-out, it is also perfectly acceptable to incentivize them to opt back in again later. You may find you have to block certain functionality when users opt-out of some types of cookies. When you do this, make it clear that this is the result of their choice – and you can then enable them to opt back in if they want to use the blocked functionality.
If you want to, there is nothing to stop you from preventing access to premium/valuable content or services after users have opted out, even if these do not rely on cookies to work, but at the same time don’t try to trick users into opting back in.
It is also a good idea to make sure that the controls to opt-out or in again are always readily accessible to the user, such as a page element or link that is on every page and is clearly identified.
We also believe that implied consent can be done without the need for banners or pop-ups that automatically appear when users first arrive on a site, although this may not be consistently true in all jurisdictions.
As users become familiar with the concept of being able to control and opt-out of cookies, those with an interest in doing so will automatically seek out access to information and control mechanisms. If links or buttons are easily identifiable, always available, and offer real choice, there is less of a need to interrupt the user experience which many visitors find bothersome.
However, if you do want to introduce a banner message, an approach that works well with implied consent is the banner that automatically disappears after a period of time. It works to tell users you are complying whilst not requiring action to get rid of the message. If there is another always available link to the opt-out controls, this can be an additional assurance that you have given clear notice to visitors.
Mistakes to Avoid
Probably the biggest mistake we see is confusion between the Information Only and Implied Consent models. As noted above, a lot of sites try to use the language of implied consent in an information only notice, but implied consent notices can also be easily confused with explicit consent.
An opt-out mechanism will inevitably require you to make some technical changes to your site if users choose to stop cookies being set. It is vital therefore that you put those changes in place and test them. If you are using a pre-built script or service, make sure you read the documentation, and where necessary involve your web developer. This includes making sure you understand the requirements for using such a script before you purchase or license it. Giving your visitors the appearance of choice when their choices don’t do anything can easily be seen as being deliberately misleading, which is clearly something to avoid.
Try to avoid forcing users off-site or requiring them to install third-party tools to exercise their opt-out. Some opt-out mechanisms do this – for example requiring installation of browser plug-ins for Google Analytics. It can seem like an easy option, but it has some significant drawbacks.
It is not only annoying for users, but it puts control into the hands of a third party rather than you. It also means that you may not be able to incentivize users to opt back in again later – which could be critical for some businesses. If you rely on the installation of third-party software, some users may not be able to install it (for example, users at work may have had this disabled by their IT department) and therefore cannot exercise their rights properly. Plus of course, if you direct people off-site, there is a significant risk they won’t come back again.
You don’t need to worry about deleting cookies that were already set if users opt out. Technically this is more challenging to do, especially with third-party cookies. Opting out means no longer reading existing cookies; if you use the right mechanisms to stop new cookies from being set, this will also prevent existing cookies from being read, which is consistent with the implied consent model.
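The two technical points above, category-level controls (see the granularity section) and an opt-out that stops both setting and reading of the affected cookies rather than deleting them, can be implemented as a single gate that every cookie write and read passes through. The example below is added here and is not CookiePro’s or OneTrust’s code. It assumes the ICC categories, a constructed inventory of the cookies the site sets, and a first-party preference cookie named `cookie_prefs` (a placeholder name) that lists the categories the visitor has opted out of; that preference cookie is itself strictly necessary because it records the visitor’s choice.

```javascript
// Added example (not CookiePro's or OneTrust's code): a category-level cookie
// gate for the implied consent (opt-out) model.
// Assumptions: ICC categories; opt-outs are stored in one first-party cookie
// named "cookie_prefs" (placeholder name), which is itself strictly necessary.

const STRICTLY_NECESSARY = "strictly_necessary";
const PREFS_COOKIE = "cookie_prefs";

// Constructed sample inventory: every cookie the site sets, by purpose.
// Cookies missing from the inventory are refused, which keeps it honest.
const COOKIE_REGISTRY = {
  session_id: STRICTLY_NECESSARY,
  csrf_token: STRICTLY_NECESSARY,
  _ga: "performance",
  lang_pref: "functionality",
  ad_segment: "targeting",
};

// Parse a document.cookie / Cookie header string into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// Implied consent: everything is allowed until the user opts out of a category.
// The preference cookie holds a comma-separated list of opted-out categories.
function readPrefs(jar) {
  const raw = jar[PREFS_COOKIE] || "";
  return { optedOut: new Set(raw.split(",").map((s) => s.trim()).filter(Boolean)) };
}

function isAllowed(cookieName, prefs) {
  if (cookieName === PREFS_COOKIE) return true;
  const category = COOKIE_REGISTRY[cookieName];
  if (category === undefined) return false; // not in the inventory: never set
  if (category === STRICTLY_NECESSARY) return true; // exempt from consent
  return !prefs.optedOut.has(category);
}

// Read gate: cookies of an opted-out category are ignored even if they are
// still present in the browser, so the opt-out works without deleting anything.
function visibleCookies(jar, prefs) {
  const out = {};
  for (const [name, value] of Object.entries(jar)) {
    if (isAllowed(name, prefs)) out[name] = value;
  }
  return out;
}

// Opt out of, or back in to, one category and serialise the new preference.
function updatePrefs(prefs, category, optOut) {
  const optedOut = new Set(prefs.optedOut);
  if (optOut) optedOut.add(category); else optedOut.delete(category);
  return { optedOut };
}

function serializePrefs(prefs) {
  return `${PREFS_COOKIE}=${encodeURIComponent([...prefs.optedOut].sort().join(","))}`;
}

// Browser binding: the one place the site writes cookies from (not run here).
function setCookie(name, value, attrs = "Path=/; SameSite=Lax; Secure") {
  const prefs = readPrefs(parseCookies(document.cookie));
  if (!isAllowed(name, prefs)) return false; // gated: nothing is written
  document.cookie = `${name}=${encodeURIComponent(value)}; ${attrs}`;
  return true;
}
```

Routing every write through `setCookie` and every read through `visibleCookies` is what makes the visible controls truthful: a category the visitor has opted out of is neither written nor read, which is the behaviour the model promises. Refusing cookies that are not in the registry is a deliberate choice; it forces the inventory shown on the cookie information page to match what the site actually sets.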
Implied consent is potentially the least user-interruptive model for compliance… if done in the right way. It can give real choice without getting in the way of the user journey for those that are genuinely not interested in exercising their choice.
Not only is it considerably lower risk from a regulators’ point of view than the information only approach, but it also shows respect for visitors who want to exercise control.
Research suggests that web users are employing more privacy defensive technologies than ever before. Though this makes life easier in the short term for site owners, it has bigger long-term consequences in terms of loss of control over your own websites. It is much better to try to prevent that by using a little more effort to give users choices that you can remain ultimately in control of.
Soft opt-in can look a lot like Information Only, but the crucial difference is that cookies are blocked on the first arrival to the site (the landing page). Any further user interaction, such as clicking on a link to a second page, is then taken as consent, and cookies are then set normally on the second page.
There is an exception in that if the first user action is to follow a link to more information about cookies to be set, this cannot be viewed as consent, so the cookie information page should not set cookies until a second action is taken.
It can be technically quite challenging to get this model right; however, it is mandated by some regulators, notably the CNIL in France, as the minimum compliance level.
Good Practice Tips
Getting the content and format of the message correct is critical to this model. It needs to be clear to users that they have a chance to not accept cookies before they continue, so this does mean an initial notice must be prominent on the landing page, and it must stay in place until the user takes further action. The content of the message should also spell out the choices clearly.
A layered approach to messaging works well with this model, especially if you can present sufficient information for the user to make a choice, without navigating to a new page, which will simplify the technical implementation.
It is also a good idea to test thoroughly when implementing this approach, as it is easy to mislead visitors.
Mistakes to Avoid
You don’t need to stop people entering the site unless they have clicked to accept cookies, so don’t go overboard with something like a page-takeover approach or ‘cookie wall’ as mentioned below; it is unnecessary and can end up losing you visitors, as many will click away.
The time-limited, automatically disappearing banner is one to avoid in this model.
Even if there is another mechanism that remains, it could be confusing to visitors.
Similarly, even if users have continued and allowed cookies to be set, there needs to be an always-available control to opt back out again. Omitting that option would not be acceptable to regulators requiring this model.
Generally, from a regulatory perspective, this approach is pretty low risk… if you get it right. The main issues are errors in implementation that result in behavior that is different from messaging. If this results in unexpected cookies, it could easily be interpreted as deliberately misleading.
Making opting out significantly more difficult than opting in could also be viewed negatively by both visitors and regulators.
Another issue with the soft opt-in model is how long the consent can be valid for. In France, there is a requirement that consent not be stored for more than 13 months after which visitors would need to be given the choice again.
Please click to accept cookies on this site.
With this model, you must block cookies until users perform a specific action that signifies their acceptance of cookies. The action should only signify that acceptance. Essentially this means they have to tick a box or click a button or a link that says ‘I accept cookies’ or something very similar.
Technically it need not be any more difficult than an implied consent model and could be much simpler to achieve.
However, the greatest difficulty can be in getting people to click on the accept link without completely disrupting the user experience. In the Netherlands, where explicit consent was initially adopted, many sites erected what became known as ‘cookie walls’. These forced users to accept cookies before they could get to the site. The rules were subsequently softened a little, although some types of cookies still require explicit user consent.
Good Practice Tips
Getting this model right is mostly about considering the overall impact on the user experience of not having cookies set by default.
The cookie wall can work well for recognized brands with very strong or unique content, but even then, expect drop-offs in user numbers. For less compelling sites, this should generally be avoided.
For most modern sites, running without cookies means there will be page elements and functionality that will need to be blocked unless or until users accept their use. This is an opportunity to get consent, and a good approach here is to replace valued content with in-line cookie accept controls. This highlights the value of the exchange for the user whilst allowing them to access the parts of the site that don’t require cookies.
A general, persistent ‘nag’ notice is also a likely feature of a site with this model. Getting this right is about balancing the need for getting an opt-in with the user experience. If the banner can easily be ignored it will be, but if it gets too much in the way, you can also risk losing visitors.
We would recommend an ongoing commitment to A/B testing of message content, design and page location, to get the right balance here.
Mistakes to Avoid
The biggest error is in giving users the impression of an opt-in model when cookies are being set by default.
Another one is using an opt-in model when it isn’t necessary for the particular jurisdiction. We tend to see this with small websites that have picked up free scripts and haven’t sought any advice.
The other big issue is assuming that opt-in always means stopping people entering the site until they have accepted cookies. It’s not necessary and can be very damaging to both traffic and engagement on sites that aren’t so compelling that almost all visitors will just click to get to the content.
Opt-in is low risk from a compliance perspective if it is done correctly and cookies don’t slip through before consent is given. The biggest risks are really business-related. If you don’t get the balance right, you can either lose a lot of traffic, or you have a lot of unmeasurable traffic. Neither of these options is ideal, but clearly the latter is preferable.
It is also important that once users have opted in, there should remain somewhere on the site the ability to opt-out again, effectively withdrawing their consent. Not providing this could be deemed unfair by regulators, and therefore not fully compliant.
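The soft opt-in rules above (block on the landing page, treat further navigation as consent, do not count a visit to the cookie information page, re-ask after 13 months, keep an opt-out available) and the explicit consent rule (block until an accept click) differ only in whether navigation counts as consent, so one per-page decision function with a mode flag serves both models. The example below is added here and is not CookiePro’s or OneTrust’s code. It assumes a strictly necessary first-party cookie named `consent_state` (placeholder name) holding `<status>:<ISO timestamp>`, a cookie information page at `/cookies` (placeholder path), and that the function runs before any non-essential cookie is set or read on the page.

```javascript
// Added example (not CookiePro's or OneTrust's code): the consent record and
// per-page decision for the soft opt-in model, with a flag that turns it into
// the explicit consent model. Assumptions: one strictly necessary first-party
// cookie "consent_state" (placeholder name) stores "<status>:<ISO time>"; the
// cookie information page is at "/cookies" (placeholder path).

const CONSENT_MONTHS = 13; // CNIL rule: consent is re-requested after 13 months

function recordOf(status, now) {
  return `${status}:${now.toISOString()}`;
}

// Parse "<status>:<ISO time>"; anything malformed is treated as no record.
function parseRecord(record) {
  if (!record) return null;
  const sep = record.indexOf(":");
  if (sep < 0) return null;
  const status = record.slice(0, sep);
  const at = new Date(record.slice(sep + 1));
  if (!["seen", "given", "refused"].includes(status) || Number.isNaN(at.getTime())) return null;
  return { status, at };
}

function isExpired(at, now) {
  const limit = new Date(at);
  limit.setUTCMonth(limit.getUTCMonth() + CONSENT_MONTHS);
  return now >= limit;
}

// Decide what this page load may do: whether non-essential cookies may be set
// or read, which UI to show, and the record to store (the consent cookie is
// itself strictly necessary, so storing it needs no consent).
function decide({ record, path, now, mode = "soft", cookieInfoPath = "/cookies" }) {
  let parsed = parseRecord(record);

  // A stale record is treated as no record: the visitor is asked again.
  if (parsed && isExpired(parsed.at, now)) parsed = null;

  if (!parsed) {
    // First arrival: nothing non-essential is set; the notice must be prominent.
    return { allowNonEssential: false, ui: "notice", record: recordOf("seen", now) };
  }
  if (parsed.status === "refused") {
    return { allowNonEssential: false, ui: "control", record };
  }
  if (parsed.status === "given") {
    // Consent stands, but an opt-out control must stay available on every page.
    return { allowNonEssential: true, ui: "control", record };
  }
  // status === "seen": the notice has been shown but no choice made yet.
  if (mode === "explicit" || path === cookieInfoPath) {
    // Explicit model: only an accept click counts. Soft model: following the
    // "more about cookies" link is not consent, so keep blocking here.
    return { allowNonEssential: false, ui: "notice", record };
  }
  // Soft opt-in: any further navigation after the notice counts as consent.
  return { allowNonEssential: true, ui: "control", record: recordOf("given", now) };
}

// Explicit accept or refuse from the banner, or a later opt-out via the control.
function recordChoice(accepted, now) {
  return recordOf(accepted ? "given" : "refused", now);
}
```

The returned `record` is written back to the `consent_state` cookie on every load, and `allowNonEssential` is the single flag the rest of the page consults before loading analytics or advertising scripts. Because the decision is computed before anything else runs, a mismatch between the banner text and the cookies actually set (the implementation error the text warns about) can only come from scripts that bypass the flag, which is easy to check for in testing.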
We have set some cookies already and would like to set some more.
As the name suggests, this is really a hybrid approach where different models are applied to different types of cookies according to their purpose.
An example would be relying on Implied Consent for web analytics and Soft Opt-in for third party advertising.
This is a sophisticated approach, and not one seen very often. Following the guidance of some cookie law regulators in detail would, however, result in this model being applied more widely.
We expect to see greater use of this model over time. However, most of the lessons from the different models mentioned above can be applied as appropriate if considering this approach.
The Do Not Track Question
A final consideration to add to the mix is to decide whether and how to respond to browser Do Not Track (DNT) signals.
Although DNT is a standard feature of most modern browsers, it is almost completely ignored by websites.
DNT is a ‘preference expression’ setting in a browser, which is designed to provide websites with an indication of the end-user’s wishes. It doesn’t do anything to protect user privacy or limit the setting of cookies or any other similar technology.
There have been years of negotiations to set a global standard for what DNT should mean, and how websites should respond. This has been carried out by the World Wide Web Consortium (W3C) – which sets most web standards, including the very basics like how HTML works. However, the opposing interest groups, mainly privacy advocates and online advertising businesses, appear unable to agree on any compromise. So, the standard has stalled over lack of agreement on what ‘tracking’ means in the context of the request.
Therefore, although there is no legal requirement to honor the DNT signal, websites can choose to do so, and some do. This includes interpreting it as an opt-out from certain types of cookies. The main question is which ones?
A narrow interpretation of the request would support opting users out of Targeting/Advertising cookies, especially as these are mostly third party and capable of profiling users across websites. This is the kind of activity that people most associate with the term ‘tracking’. However, some people believe tracking includes recording page visits within a site for analytics purposes – so that would include stopping the setting of Performance cookies.
The cookie laws allow for websites relying on ‘browser settings’ to signify their consent for cookies. This has largely been interpreted as meaning using direct controls to block cookies, although these are limited in scope. However, it could also be interpreted to mean that if a browser sends a DNT signal, then the user is signaling a lack or withdrawal of consent to some types of cookies. That would then require a response from the site.
It is important to realize that the usage of DNT is significant amongst general web visitors. Although reliable statistics are hard to come by, in many parts of Europe, it is estimated between 10% and 15% of users are using DNT to request not to be tracked. We anticipate that it will become harder for site owners to ignore such requests from a significant number of users over the coming years.
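A site that decides to honor DNT has to pick one of the two readings described above and then combine the signal with whatever choices the visitor has already made on the site. The example below is added here and is not CookiePro’s or OneTrust’s code. It assumes the ICC categories, names the two readings `narrow` (targeting only) and `broad` (targeting plus performance), and takes the union of DNT-derived and on-site opt-outs so that neither source can re-enable a category the other has switched off; the request log entries used to estimate the share of DNT visitors are constructed sample data.

```javascript
// Added example (not CookiePro's or OneTrust's code): mapping a Do Not Track
// signal onto cookie-category opt-outs and merging it with on-site choices.
// Assumptions: ICC categories; "narrow"/"broad" are the two readings in the text.

// DNT travels as the request header "DNT: 1" and is exposed to page scripts as
// navigator.doNotTrack. "1" asks not to be tracked, "0" allows tracking, and
// null or "unspecified" means the visitor expressed no preference.
function dntRequested(signal) {
  return signal === "1";
}

const DNT_INTERPRETATIONS = {
  narrow: ["targeting"],               // cross-site profiling only
  broad: ["targeting", "performance"], // also on-site analytics
};

function dntOptOuts(signal, interpretation = "narrow") {
  if (!dntRequested(signal)) return [];
  const cats = DNT_INTERPRETATIONS[interpretation];
  if (!cats) throw new Error(`unknown DNT interpretation: ${interpretation}`);
  return cats.slice();
}

// Union of the visitor's on-site opt-outs and the DNT-derived ones.
function effectiveOptOuts(signal, interpretation, userOptOuts) {
  return new Set([...userOptOuts, ...dntOptOuts(signal, interpretation)]);
}

function categoryAllowed(category, optOuts) {
  return category === "strictly_necessary" || !optOuts.has(category);
}

// Server-side lookup; header names are assumed to be lowercased already.
function headerDntSignal(headers) {
  return Object.prototype.hasOwnProperty.call(headers, "dnt") ? headers.dnt : null;
}

// Browser-side read, guarded so the function also loads outside a browser.
function browserDntSignal(nav = globalThis.navigator) {
  return nav && nav.doNotTrack != null ? String(nav.doNotTrack) : null;
}

// Share of requests carrying DNT: 1, computed over request log entries of the
// shape { headers: {...} }, so a site can see how many opt-outs honoring the
// signal would add before switching it on.
function dntShare(requests) {
  const n = requests.filter((r) => dntRequested(headerDntSignal(r.headers))).length;
  return requests.length ? n / requests.length : 0;
}
```

`effectiveOptOuts` plugs straight into a category gate like the one shown for the implied consent model: the set it returns is the `optedOut` set, and everything downstream stays unchanged. Measuring `dntShare` over a day of access logs before honoring the signal gives the traffic figure the business decision actually turns on, rather than the regional estimates quoted above.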
The EU Cookie Law is in fact 28 different laws – one for each EU member state. Although they are substantially similar, being based on a common EU Directive, there are some subtle (and not so subtle) differences. Different regulators in each country also take very different views of enforcement and have provided different levels of guidance.
This means there is really no one size fits all approach to the cookie law. In fact, multi-lingual websites targeting different users in different EU countries may need to apply several models in one website.
It is our view that these five models represent the basic choices available to website owners when deciding how to apply a solution to the cookie law anywhere in the EU. Making the right choice is about balancing the interests of your brand, your customers, and your regulator. It is also important to make that choice before any other decisions about the message, design and user experience.
Once you have done that, it becomes much easier to manage the implementation.
Global privacy laws such as GDPR, CCPA, and LGPD require companies to inform visitors about the data being collected on their website and provide them with granular choices over the information they are willing to share. In order to comply with these laws and provide a transparent experience that builds trust, website owners are rethinking their compliance.
CookiePro is powered by OneTrust, the worldwide leader in privacy management software. The CookiePro product offerings are an advanced consent solution, made up of Website Scanning & Cookie Consent, Mobile App Scanning & Consent, and Data Subject Requests that can be used together or individually to create an advanced consent solution with an intuitive user interface, simplified billing and 24/7 support.
At CookiePro, the legal and privacy teams continually monitor and drive the improvement of products based on the regulatory landscape. Additionally, CookiePro’s evergreen repository of over 9 million cookies, Cookiepedia, auto-categorizes cookies, making the deployment process simple and easy.
CookiePro is the only consent management tool capable of taking an enterprise-level solution, maintaining that standard and scaling pricing down at a more reasonable affordable price. The solution enables customers to rest easy knowing they have the industry-leading solution at the most affordable rate.