Is your cookie notification fit for purpose? (and what to do about it)


ClickThrough's Strategy Director Al Rowe looks at a recent EU ruling and what it might mean for website owners.

Is your cookie notification fit for purpose? 

I don’t know about you, but I have had multiple conversations where marketing managers have taken a keen interest in what their website cookies actually do.
 
This is mainly because each of them has had members of their client-base start to ask more questions. Is this a sign that people are taking data security more seriously now that GDPR has bedded in?
 

What has happened?

 
Possibly, but it is more likely due to a recent EU ruling (known as Schrems II) in which a top EU court ruled that US companies can’t be trusted with personal data.
 
In July, the EU court called into question a key data-sharing mechanism known as Privacy Shield. This allowed American companies to transfer our personal information to the US for processing.
The problem, the court says, is that Privacy Shield does not protect EU citizens from the likes of the NSA, which run mass surveillance programs. If you want to read more about the ruling, click here (https://www.theverge.com/2020/7/16/21326795/eu-us-personal-data-transfer-privacy-shield-invalidated-sccs-upheld). The judgement itself can be read here (http://curia.europa.eu/juris/documents.jsf?num=C-311/18).
 

What does this mean in practical terms to UK businesses and their websites?

 
Several things. In particular, because this ruling relates to US abuses of personal data, we need to take a close look at what marketing tech we have operating on our sites and decide whether we are willing to take the risk of using that US company. The simplest way to do this is to ask yourself: what actual information could this third-party tool collect, and is it personal?
 
You may remember when GDPR came in that many of us had to question whether Google Drive was storing our business data inside the EU or whether that data might be finding its way into US data centres. You can read more about what Google said about this here (https://cloud.google.com/security/gdpr). In short, Google intends to comply with GDPR, but it could not guarantee that data would not leave the EU so long as the Privacy Shield mechanism was used.
 
Because of the Schrems II ruling, you may have noticed that when you use Google services you are faced with a new cookie message. This is because Google has announced that it will revert to collecting consent at the point of usage. In other words, by asking you directly before you use their services.
 
 
In fact, the conversations I have had with some of our clients have specifically been about what data might be leaving the EU.
 
It is inevitable, then, that those who take this seriously may take a closer look at what their websites are doing in terms of protections for their users. What I have found is that a number of cookie declaration systems in common usage are not really fit for purpose and are only a loose interpretation of GDPR. Who knows what the standard will be post-Brexit, but for the time being the UK remains signed up to GDPR.
 

What is wrong with my cookie notification system?

 
What should happen is this: when someone visits your website, no cookies are dropped, and a message comes up asking the user to proactively opt in (or out) to the use of cookies. Once that choice is made, a single cookie is dropped to store this preference so the website doesn’t have to ask again (until that cookie expires; when that is depends on the browser).
 
If the user agreed to cookies, the website can then store cookies. If the user opted out, the website should not be storing cookies. The problem I have seen is that in reality many cookie systems are just decoration and use all cookies regardless.
 
If you want to find out whether your website is compliant, you can visit https://www.cookiebot.com/en/. They will send you a helpful report. Cookiebot is a very comprehensive solution and has a number of different price points. If you feel that a solution like this is overkill for your website, or is too intrusive, then take a look at something like https://metomic.io/pricing.
 
A word of caution. Do take proper time in testing and playing around to get it right for you. For example, if your website uses third-party embedded tools, such as Google Maps or financial calculators, you may find that they only work if information can be stored in cookies. Therefore, if a user opts out of cookies, the tool may break.
 
This is all quite a challenge for marketers since, in order to do our jobs, we rely on the accuracy of our tools and it can be very inconvenient if we start to realise that large numbers of our visitors are opting out. This even includes Google Analytics.
 
Fortunately, there are a few things you can do:
 
  • Reclassify your cookies. If you feel that the calculator must work and that the website is not offering the full experience without it, you can add those cookies to the “necessary” category. This should mean that, at least for those users choosing to accept necessary cookies, the functionality will work.
  • Add the JS file to the exclusions list, or exclude the page. There are some complications if the tool requires the embedding of third-party JavaScript which phones home. Even though the cookie has been classified as necessary, the functionality may still not work. In this circumstance you can either exclude the relevant JavaScript file from being controlled by the cookie system, or you can exclude that page altogether.
  • Force users to at least accept necessary cookies. You may have seen on some news websites that you cannot actually use the website unless you accept at least the necessary cookies. This is not usually built into systems like Cookiebot, but you can make the cookie message more of a nag screen and make the content visible only if the user accepts at least necessary cookies. This will be overkill for many.
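As an added example (not code from this article, ClickThrough, Cookiebot or Metomic), the consent-first behaviour described above and the “reclassify as necessary” and “exclude the script” options from the list, modelled in plain JavaScript. The cookie name cookie_consent, the category names and the sample script manifest are assumptions.

```javascript
// Added example: a minimal consent-first cookie gate. Nothing outside the
// "necessary" category runs until a stored choice says it may. Names assumed.
const CONSENT_COOKIE = "cookie_consent";
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// Read the stored choice. null means no choice yet: show the banner and run
// nothing beyond "necessary". Unknown category names are ignored.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  const chosen = new Set(raw.split(",").filter((c) => CATEGORIES.includes(c)));
  chosen.add("necessary"); // necessary cookies are always allowed
  return chosen;
}

// Build the value to write into document.cookie once the user has chosen.
// Max-Age fixes the expiry explicitly instead of leaving it to the browser.
function consentCookieValue(categories, maxAgeDays = 180) {
  const allowed = categories.filter((c) => CATEGORIES.includes(c));
  const value = encodeURIComponent(allowed.join(","));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Given a manifest of scripts tagged by category, return those that may be
// injected now. A tool reclassified as "necessary" (the calculator) loads even
// before any choice; an "excluded" script bypasses the gate entirely.
function scriptsToLoad(manifest, consent) {
  const allowed = consent || new Set(["necessary"]);
  return manifest
    .filter((s) => s.excluded || allowed.has(s.category))
    .map((s) => s.src);
}

// Constructed sample manifest standing in for a site's third-party tools.
const SAMPLE_MANIFEST = [
  { src: "/js/calculator.js", category: "necessary" },
  { src: "https://example.invalid/analytics.js", category: "statistics" },
  { src: "https://example.invalid/ads.js", category: "marketing" },
  { src: "https://example.invalid/maps-embed.js", category: "preferences", excluded: true },
];
```

In a real page you would call readConsent(document.cookie) before injecting any script tags, and write consentCookieValue(...) to document.cookie from the banner's button handler.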
 
So, it seems that data protection is not going away any time soon. If anything, it is becoming more stringent over time. Perhaps this is because we all realise how all our online actions are interconnected and how important our personal data is.
 
At this unusual time of differing politics worldwide, the question is: who do you trust with your and your customers’ data?
 
