Many of our clients are struggling with handling cookie consent on their websites. This is only natural since it's a hot topic with a lot of room for interpretation. And while Bluebird is a Digital Marketing Agency and not a law firm, we have gathered our thoughts and experiences on how to handle consent on websites. The following guide will show you our recommendations for collecting sufficient data from your website while also protecting your users' privacy. It's important to add, though, that if you want legal certainty, we advise you to get real legal counsel.
What is Consent Mode?
While most Europeans are fairly familiar with the term “cookie banner”, Google Consent Mode might not be as well-known. It’s a technology that alters the tracking behavior of Google tracking tags. When a user consents to being tracked, those tags record the data as usual – meaning that the collected data is sent to the Google Ads & Analytics servers.
If consent is denied, however, anonymized and cookieless pings are sent to a third Google server. There, the data will be used in Machine Learning algorithms, so-called Conversion Modeling. The data is aggregated so that no individual can be filtered out. Google advertising products (with Google Ads at the forefront) are already using this data in their bidding algorithms to optimize advertisers’ ROAS. As for Google Analytics, it's yet to be uncovered if and how this data will be incorporated.
Why a cookie banner?
Now, these things have been around for quite a while; in fact, since about 2009. But hang on a minute – wasn’t GDPR put into effect in 2018? The reason this may cause confusion is that there actually was a predecessor, the ePrivacy Directive; and since its amendment in 2009, member countries of the EU have been directed to implement laws that regulate the usage of data storage. So before GDPR came into place, there were privacy protection laws in effect in some EU countries. And that’s how some of the misunderstandings might have come up. The complete law text of GDPR actually mentions the term “cookie” only once. That’s because it's not just about storing cookies, it's about tracking any personal data. Certain cookie values are considered to be personal data since they are directly connected to a legal person (or rather, their device). A typical example is the Google & Facebook click IDs (fbclid & gclid). So rather than thinking in terms of cookie consent, you should be thinking about consent for personal data tracking.
What kind of consent banner should be used?
The next biggest misunderstanding is probably regarding the content of the banner itself. You are most likely familiar with two main types:
A banner that informs you about the usage of cookies on this site
A pop-up that lets you select what kind of cookies & tracking you want to allow
In short, it’s the latter version you need to use. A simple informative note might have been enough in some countries before GDPR came into effect, but now you have to give users the choice. And the choice needs to be granular – meaning that the user must be able to choose between different types of tracking purposes. And while there are no laws on the categories, only guidelines (page 12, 3.1.3 Granularity), these are the most commonly used ones:
Strictly necessary: Cookies & other info that make the site work. For example the items you added to a shopping cart.
Preferences/ Functionality: For example what language you prefer to use on the site.
Statistical/ Performance: Website usage data.
Marketing: Data that is used to engage and optimize marketing efforts.
It's disputed whether Google Analytics (and similar 3rd-party tools such as Adobe) falls under the statistical category, as they may share this consented data with their marketing products. Here at Bluebird, our view is that Google is continuously driving technologies to be privacy compliant while still getting the most out of its products. Frankly, Google can’t afford to lose the European market. But as mentioned earlier, if you want certainty, we recommend you seek legal counsel. Or, as a more bullet-proof solution (yet a work-intensive setup), you could list every third-party tool you use and give users the option to decide on an individual basis.
How to place the consent banner?
Some of our clients were startled when they implemented their first consent banner. They didn’t want their users to be welcomed on their website with a big, annoying banner, and therefore moved it to a more discreet position, often as a bottom ribbon. Unfortunately, years of internet usage have conditioned users to ignore such overlays (keyword: banner blindness). Users didn’t give the banner enough attention and continued browsing and converting on the website without ever making a consent statement, and therefore, by default, never gave their consent.
The result was a massive drop in behavioral and conversion data. And while we understand the aesthetic and user-friendliness concerns, this led us to the recommendation of placing the consent banner in a more “promoted” way. When you have the possibility to make a customized banner, you can incorporate it into the look and feel of your site. And you probably want to use design elements to encourage the user to accept all tracking. You should also consider urging the user to make a choice before even using the website.
And even better, if you have the possibility, we recommend testing what cookie message design works best for your site and customers. Keep in mind that the message can look very different on smaller screens than on larger screens.
What about the technical setup?
The implementation and position of the banner are obviously not enough! You need to act on the user's choice accordingly. Tracking tags for which consent has been denied shouldn’t fire, store, or send personal data. When you are using Google Tag Manager for your tracking tags, Bluebird can assist you with the complete implementation together with your IT department. Contact your Bluebird manager for more information.
What about Google Consent Mode?
A special case is the Google Consent Mode. Here, Google tracking tags are essentially “listening” for the consent status. It's a piece of code that the tags can read regardless of whether the user consented or not. They will fire either way, but the destination and content that is tracked are different (see above). An interesting feature, and the reason why we use the term “listen”, is that there is a default consent value and an actual consent value. To be GDPR compliant, a first-time visit should always be set to “deny consent” as a default. If that’s the case, the tags fire to the third Google server with the anonymous information. But if the consent is given afterward, even when the user has already triggered a few events while browsing, the tags will fire again and send the consented personal data instead. To work with all this in the best possible way, at the very least these default values should be incorporated into the banner/ website code itself. Many consent management platforms (CMP) have a native Consent Mode integration, see Google’s official list. It's possible to integrate it via GTM as well, but depending on the site speed it might be tricky to synchronize the firing sequences. Give us a call or drop an email if you’re unsure what solution is best for you!
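The default and actual consent values described above, sketched as an added example (this is not Bluebird's or any CMP's code). The `consent` `default` and `update` commands and the signal names are Google's Consent Mode API; the mapping from the banner categories to those signals and the `parseStoredChoice` helper are assumptions made for illustration.

```javascript
// Added example. The banner categories come from the article; mapping them to
// these Consent Mode signals is an assumption (strictly necessary items are not gated).
const CATEGORY_SIGNALS = {
  preferences: ['functionality_storage', 'personalization_storage'],
  statistics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Same queue the Google tag reads; a plain array stands in outside a browser.
const dataLayer = typeof window !== 'undefined'
  ? (window.dataLayer = window.dataLayer || [])
  : [];
function gtag() { dataLayer.push(arguments); }

// Translate a banner choice such as { statistics: true } into consent signals.
// Only an explicit boolean true grants; anything else stays denied.
function toSignals(choice) {
  const signals = {};
  for (const [category, keys] of Object.entries(CATEGORY_SIGNALS)) {
    const state = choice && choice[category] === true ? 'granted' : 'denied';
    for (const key of keys) signals[key] = state;
  }
  return signals;
}

// Hypothetical helper: read a previously stored choice, failing closed
// (everything denied) if the stored value is missing or corrupted.
function parseStoredChoice(raw) {
  try {
    const parsed = JSON.parse(raw);
    return parsed !== null && typeof parsed === 'object' ? parsed : {};
  } catch (err) {
    return {};
  }
}

// Must run before any Google tag loads: first-time visitors start at "denied".
function setDefaultConsent() {
  const defaults = { ...toSignals({}), wait_for_update: 500 };
  gtag('consent', 'default', defaults);
  return defaults;
}

// Called from the banner's save handler; tags listening for consent react to it.
function applyBannerChoice(choice) {
  const update = toSignals(choice);
  gtag('consent', 'update', update);
  return update;
}
```

Here `wait_for_update` is the number of milliseconds the tags wait for an update before acting on the default, which is the knob that matters when the banner script loads after the tags.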
Some final words
Yes, the regulations that came with GDPR are hard to interpret (even for lawyers), and it can be difficult to be entirely compliant with them. And while you’re most likely a part of the online marketing/ analytics business, you’re also an internet consumer yourself! So it’s good to know that you are in charge of the data you share. Even from the business point of view, this and other similar regulations worldwide, along with technological challenges (Apple’s ITP), have been a catalyst for exciting new technologies. Machine learning is getting more advanced, yet easier to access. Facebook and Google are driving their server-side tracking solutions which offer great potential and data flow control – and we’re sure that there will be much more to come!