Cookie settings, cookie banners, cookie consent… You are asked to review and agree with a website’s cookie settings whenever you visit it for the first time. Some of the data these cookies collect is necessary or anonymous, some is not. And cookies are not always easy to set up and manage, as we’ve recently experienced ourselves. This blog aims to clarify the different cookie settings and regulations, hopefully helping you to tackle similar challenges. What exactly do you need to keep in mind when managing your website’s cookie settings?
What are cookies used for?
When you visit a web page, you’re often met with a cookie banner requesting you to accept the different kinds of cookies. Some are always enabled, whereas others can be switched off. That usually requires a few more clicks in a submenu. So what kind of cookies can you accept or reject?
Which cookies DO NOT require consent?
As strictly necessary cookies are essential for a site’s proper performance, they do not require explicit consent from a visitor. That also means a site cannot collect, store, or distribute personal data of the visitor. Instead, it creates a random ID of the visitor, unrelated to any identifiable information. This helps to recognise the visitor for the next time they visit the site so it can load a list of previously visited products, for example.
Preference cookies store data such as your region and language settings.
Which cookies MAY require consent?
Statistic cookies (or performance cookies) collect data that is used to monitor which web pages are visited most often, which links are clicked on the most, etc. This may provide the site owner with anonymised data to improve the experience or service they offer via the site, but often the collection and storing of this data may extend to other services as well. For instance, the data is shared with Google when using Google Analytics without the anonymisation options in its settings. In these cases statistic or analytical cookies may by nature be used for tracking or retargeting purposes. Consent is required in these cases.
Which cookies DO require consent?
Finally, there are marketing, or tracking, cookies. These cookies track visitor behaviour across multiple websites. This is what makes you see advertisements from company A on a webpage of company B. If you’re shopping for shoes, you’re likely to see an ad for the same shoes when on a webpage for bicycles.
How about cookie data privacy?
To protect people’s online privacy, the European Union has developed the E-Privacy Directive, which is a lex specialis to the General Data Protection Regulation (GDPR). The E-Privacy Directive states that tracking cookies need “consent”, as described above. Tracking cookies are regarded as “personal data” and therefore the consequences of the GDPR apply as well when tracking cookies are placed via your website. The GDPR also sets the rules for all these cookie settings and the data they collect, and how that data is supposed to be handled. Finally, the GDPR determines the fines for organisations that do not adhere to the regulations.
Third-party cookie collection
Setting all cookies up properly is important, but not always easy. That’s mainly because of the third-party interest in the cookie data. Visitors’ data isn’t just collected by your own company, but also by other companies which use a small part of your website in order to track the visitors’ behaviours. Often, this could be as small as a single, white pixel, invisible to the naked eye of the visitors. Alternatively, it could be embedded in the Facebook share button on your webpage or in a tool that you use to track your website’s performance, for instance Google Analytics.
We have recently experienced how tricky this can be when we embedded a YouTube livestream on our website. We were aware that we as a website owner have to ask for the explicit consent of our visitors to accept tracking cookies. However, we did not know that embedding a YouTube video automatically causes such cookies to be placed by Google (DoubleClick), which would have required a cookie banner on that specific page.
We were notified of this misconfiguration by an attentive visitor, Floor Terra, after which we made the right changes to our cookie banner, implemented a cookie consent manager, set the settings right, and requested the related third parties to delete the cookie data they collected in that time.
We highly appreciate and are thankful for people sharing their insights to help us improve, learn, and grow.
How to set up and manage your cookie settings
With many different kinds of cookie settings and regulations to adhere to in your continuously changing online footprint, it can be challenging to manage your cookie settings all of the time. Here are a few tips and things to consider.
- An obvious one: be aware of tracking cookies, especially the ones that are placed on your website by third parties. You need explicit consent from your visitors, also for those third-party tracking cookies.
- Use a tool or service to track and map your cookies. With third parties collecting data via your website, it’s important to know just what kind of data is shared with whom. Such a solution will also help you set up cookies properly, and could even block certain content when visitors haven’t given the right consent, preventing an incident. This will also help you in the case of a data removal request at these third parties.
- Review your cookie settings periodically. Your online footprint is shifting all the time. New subdomains are easily created, and third-party settings could change too.
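
The mapping and blocking described in the tips above, applied to the kinds of third-party embeds discussed earlier (analytics script, tracking pixel, embedded video), as an added example that is not part of the original post or taken from any consent tool. The function names, the sample HTML and every host name in it are constructed for illustration; "first party" is simplified to the site host and its subdomains, and the tag scan is a regular expression rather than a full HTML parser.

```javascript
// Added example: map third-party embeds in a page and hold them back until consent.
// SAMPLE_HTML and all host names in it are constructed for illustration.
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="https://analytics.example.net/tag.js"></script>
<img src="https://tracker.example.org/p.gif" width="1" height="1">
<img src="https://static.shop.example/logo.png" width="120" height="40">
<iframe src="https://video.example.com/embed/abc123"></iframe>`;

const TAG_RE = /<(script|iframe|img)\b([^>]*)>/gi;

function attr(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, 'i').exec(attrs);
  return m ? m[1] : null;
}

// Simplification: "first party" means the site host or one of its subdomains.
function isThirdParty(host, siteHost) {
  return host !== siteHost && !host.endsWith('.' + siteHost);
}

// Returns one record per third-party script, iframe or image found in the HTML.
function auditEmbeds(html, siteHost) {
  const found = [];
  for (const [, tag, attrs] of html.matchAll(TAG_RE)) {
    const src = attr(attrs, 'src');
    if (!src) continue;
    const host = new URL(src, `https://${siteHost}`).hostname;
    if (!isThirdParty(host, siteHost)) continue;
    const pixel = tag.toLowerCase() === 'img' &&
      attr(attrs, 'width') === '1' && attr(attrs, 'height') === '1';
    found.push({ tag: tag.toLowerCase(), host, pixel });
  }
  return found;
}

// Without consent, rename src to data-src on third-party tags so nothing loads.
function gateEmbeds(html, siteHost, consentGiven) {
  if (consentGiven) return html;
  return html.replace(TAG_RE, (whole, tag, attrs) => {
    const src = attr(attrs, 'src');
    if (!src) return whole;
    const host = new URL(src, `https://${siteHost}`).hostname;
    return isThirdParty(host, siteHost)
      ? whole.replace(/\bsrc\s*=/i, 'data-src=') : whole;
  });
}
```

Running `auditEmbeds` on each page template during a periodic review gives the list of third parties to check against your consent banner; a client-side script can restore `data-src` to `src` once the visitor has agreed.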