If you've been trying to figure out GDPR compliance for your organization, then you have probably heard the term “cookie consent.” Unfortunately, cookie consent is not some new fad diet that will be going away a few months into the new year. Unless, maybe, you consider slimming down your Google Analytics tracking a type of diet?
Cookie consent refers to getting permission from your website visitors to collect personal data.
Under GDPR, you are not allowed to collect personal data from your EEA users without their consent. So the bottom line is, no consent, no fancy tracking cookies!
But you can collect this data from your visitors if they permit you.
In this video and post, we are going to look at how to obtain cookie consent from your website visitors. We'll examine some of the more common tracking consent tools that are in use. And, we'll also look at the on-page events that signal permission to track your visitors' data.
Google Analytics, Personal Data, and Cookie Consent
Before we start looking at cookie consent banners or pop-ups, let's review when you need permission to track user data.
Advanced Google Analytics installations
Here are some of the advanced features in Google Analytics that rely on personal and third-party data.
- Display features
- User IDs
- Replicating Client IDs across devices
- Custom dimensions and metrics
- Remarketing features
These features bring personal data on your users into Google Analytics. This data is usually displayed in aggregate in your Google Analytics reports, but a few of these advanced features allow you to see the specific activity for individual users.
Basic Google Analytics installations
Basic Google Analytics installations don't use display features or advanced tracking. In this case, you can avoid tracking personal data by anonymizing user IP addresses. To learn more about anonymizing user IPs, you can read our previous post on this topic.
If you don't collect personal data, then you don't need to ask for permission to track your visitors anonymously. The key word here is anonymous. If the data you're collecting is anonymous and not user-specific, you don't need consent.
What type of consent do you need to collect personal data using Google Analytics?
How do you obtain cookie consent from your website visitors?
Before I share my understanding of how your website visitors can provide tracking consent, I have to offer this warning:
I am not an attorney. So, this post is not providing you with legal advice about cookie consent. I can only share my simple, caveman-like understanding of this process. You should consult your attorney before implementing any of these ideas.
Here's my interpretation of how consent requirements work under GDPR.
Advanced Google Analytics collection and tracking under GDPR
Many of us want to continue collecting user data. This data helps enhance our analytics. As we've discussed in previous posts, the collection of user data enables features like segmentation, table filters, and more.
If you use advanced Google Analytics tracking features, or you collect third-party data, you most likely need a cookie consent banner, at least for your EEA users.
What does a cookie consent banner look like?
You've probably started to see cookie consent notifications across the internet.
Here's an example of a consent notification on a website I love, Conversion Works. This website is using a tool called Cookiebot to deliver their consent banner.
If you click to see the cookie declaration, it shows where they embed their cookies.
How does Cookiebot work?
Cookiebot is getting a lot of attention right now. Their consent notification tool is transparent, simple, and effective.
Let's take a look at how this tool works. We can use the Google Chrome developer tools to see Cookiebot in action.
If I visit the Cookiebot site, I can see the scripts they're running in my developer window under the network tab.
This session is the first time I visited this site, and I haven't clicked their tracking consent opt-in yet. I also haven't scrolled the page yet.
Tracking scripts and Cookiebot
Usually, when you visit a site that's using Google Analytics, the analytics.js beacon gets pushed when your browser loads the page.
There are a couple of different ways Cookiebot tracks consent. This tool will record tracking consent when I check “OK” on their cookie notice. They will also record that I've consented to these cookies when I scroll past the notification on the page.
Cookie consent on page scroll
You can see Cookiebot's tracking in action when I scroll past the cookie banner. First, they log my consent to be tracked. Then Cookiebot starts setting cookies and collecting my data. If you look at the scripts that were triggered by my scroll action, you see Hotjar, Facebook, Google Analytics, as well as others being initiated.
These tracking scripts would typically fire right away on page load. But in this case, they are delayed until I click on their tracking notice or scroll past their cookie banner.
Cookie consent is happening in two different ways on this website. I can provide explicit permission for tracking when I click “OK” on their notification. Or I can provide implied consent when I scroll past their tracking notice.
There are some differences in how various types of cookie consent software display their tracking notices. But these tools all operate on the same basic premise. They delay your tracking scripts until consent has been obtained from your website visitor.
Is page scrolling enough for user consent?
Now you might be wondering if this implied consent process is compliant with GDPR. Do you need users to click the “OK” button to track their data? Or is page scrolling enough?
Let's take a look at some additional resources.
Facebook GDPR documentation
Now I'll admit, it's rare for me to trust a vendor when it comes to regulatory issues.
But Facebook has some very clear explanations of who needs to ask for cookie consent, and how it works.
Who needs to get cookie consent?
Here are some of the types of websites Facebook identifies as needing consent.
These websites include:
- Blogs that use an analytics provider to collect aggregate demographic data about users
- News media websites using cookies to display ads
- Anyone using the Facebook tracking pixel
Well, that list calls out pretty much everybody on the internet!
Which on-page actions indicate user consent?
Facebook also shares the acceptable ways to get cookie consent. I was pretty impressed by how specifically they describe the ways consent can be authorized.
Here's how Facebook interprets consent. You can obtain cookie consent when a visitor takes one of the following actions:
- Navigating past your consent notification
- Dismissing your cookie banner
- Clicking your “I agree” button
Keep in mind, this is Facebook's position on cookie consent and GDPR compliance. You should discuss your own tracking consent solution with your attorney.
In this post, we are merely sharing examples of the most common approaches to cookie consent. I am certainly not recommending a specific strategy.
That said, the documentation Facebook's providing is consistent with current cookie consent trends I am seeing implemented by other websites.
Deleting user data
Facebook also provides some guidance on allowing users to opt-out of tracking and deleting their data.
I am going to do a video and post in the coming weeks on how to use the Google Analytics user deletion tools. You can join our email list to make sure you catch that article.
Now that we have some reference points, let's get back to looking at how to implement a cookie consent notification.
Cookie Consent notification software
I know a lot of you are fretting about implementing a consent notification pop-up. But I don't think we need to be intimidated by this problem. There are a lot of options for displaying cookie notices. And there are many free tools that we can use to get our tracking notices set up on our websites.
Here's a rundown of some of the more common consent notification systems being used.
We already looked at how Cookiebot works and discussed its popularity.
I'll also mention that I was tagged in this tweet from Andy Crestodina. He cautioned that one of his clients saw a significant drop off in traffic after installing Cookiebot.
The analyst in me is skeptical that this decrease in traffic is a direct result of Cookiebot. You can see that this site's USA traffic is also down. So, there could be many reasons for this dip in traffic.
But I appreciate the heads up from Andy. We need to be aware that cookie popups could affect our traffic data in Google Analytics. And really, anytime you implement a change in your tracking you want to consider the potential ramifications to your analytics.
Iubenda cookie solution
This tool was recommended to me in the comments section of one of our previous posts (thanks Falk!).
Iubenda offers a free version of their software for websites that get less than 25K pageviews a month.
Google Tag Manager (GTM)
My friend Julius at Analytics Mania created a tracking consent solution using GTM.
As Julius mentions in his article, if you haven't already migrated to GTM, this is as good a time as any. It's generally easier to adjust your tracking scripts with GTM than it is to fix scripts that are hardcoded on your site.
The team at Portent also introduced a GTM cookie consent form. This solution includes a geofence based on your users' IP address. The geofence attempts to limit your cookie banner to only users from EEA countries.
Personally, I am still undecided on using a geofence. There are pros and cons to geofences that depend on your approach to this strategy.
Jetpack for WordPress
Jetpack offers its users a free cookie banner. If you're using WordPress, the setup for this cookie banner is as simple as adding a widget to your website.
Keep in mind some of these solutions only include display banners. They don't affect how and when you fire your tracking scripts. Under GDPR your tracking shouldn't deploy until after your EEA users have provided consent. So, a cookie consent banner is only half of the solution you need for GDPR compliance.
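The other half, as an added example that is not code from Cookiebot or any other tool named in this post: a small consent gate that holds tracking scripts back until a consent record exists, which is the "delay your tracking scripts" premise described earlier. All names (`createConsentGate`, `consent_record`, the `click`/`scroll` signal labels) are assumptions, and which signals count as consent is left as a setting for you and your attorney to decide.

```javascript
// Added example; every name here is hypothetical, not any vendor's API.
function createConsentGate({ storage, loadScript, acceptedSignals = ['click'] }) {
  const KEY = 'consent_record';   // constructed storage key
  const pending = [];             // trackers registered but not yet allowed to load
  const loaded = new Set();       // trackers already injected (never load twice)

  function read() {
    try { return JSON.parse(storage.getItem(KEY)); }
    catch (e) { return null; }    // a corrupt record is treated as "no consent"
  }

  function flush() {
    const record = read();
    if (!record || record.granted !== true) return;
    while (pending.length) {
      const src = pending.shift();
      if (!loaded.has(src)) { loaded.add(src); loadScript(src); }
    }
  }

  return {
    // Call this instead of hardcoding the tracker's <script> tag in the page.
    register(src) { pending.push(src); flush(); },
    // Called by the banner; `signal` records how the visitor consented.
    grant(signal) {
      if (!acceptedSignals.includes(signal)) return false;
      storage.setItem(KEY, JSON.stringify({ granted: true, signal, at: Date.now() }));
      flush();
      return true;
    },
    // Stops future loads; scripts already running need a page reload to go away.
    revoke() { storage.setItem(KEY, JSON.stringify({ granted: false })); },
    loadedScripts() { return [...loaded]; },
  };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Browser wiring (assumption): pass window.localStorage as `storage` and a
// `loadScript` that appends an async <script src=...> element to document.head.
```

With the default setting, a scroll signal is recorded as not accepted and nothing loads; pass `acceptedSignals: ['click', 'scroll']` to treat scrolling past the banner as consent.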
How are we obtaining cookie consent on Jeffalytics?
I can't answer this question just yet. We are still working towards GDPR compliance. But I am willing to share our strategy once it's in place.
If you want me to share the full Jeffalytics GDPR roadmap once it's complete, then leave a comment below. If there's enough interest, we can do a dedicated video sharing my GDPR compliance solution.