GDPR, ePrivacy, cookies: these buzzwords have been around for some time now in the digital landscape. You have probably had several thoughts racing through your mind about GDPR and privacy laws. How will this impact my digital marketing strategy? How can I make my website compliant with GDPR policies? The truth is that many websites, marketers and advertisers still have lagging knowledge on this topic, and quite a few websites are still not compliant with this legal framework. In this article we will give you an overview of how you can comply with those laws and what you need to know to make your website GDPR compliant.
The usage of cookies
A cookie is a small piece of data that is stored in your browser by a website that you visit. It is mainly used to identify a user, or more specifically a browser, and it is widely used for advertising and targeting purposes but also for the proper functioning of websites. For example, if you visit a website and select your preferred language, a cookie will retain that information so that each time you go to another page or come back to the website it remembers which language you have selected.
As an advertiser or marketer you might be using advertising platforms such as Google or Facebook that use cookies for conversion tracking, remarketing, attribution and even audience targeting. As you can guess, cookies can contain significant amounts of personal information about your online activity, preferences and location, and therefore they require explicit consent from the user under the GDPR. You can find the cookies in your browser with the Inspect tool by right-clicking on a website > Inspect > Application > Cookies.
GDPR, Cookie Consent and Cookie Banners
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union. The GDPR aims mainly to give individuals control over how their personal data is processed. In the light of GDPR, cookie consent is the most used legal basis that allows websites to process personal data and use cookies. Cookie consent means that a website can only collect or process personal data from users after they have given their explicit consent, and that this consent must be obtained before any cookies are activated, except strictly necessary cookies.
Typically, GDPR cookie compliance is achieved on websites in the form of a cookie banner that gives the user the possibility to give their explicit consent for different types of cookies (e.g. strictly necessary, functional, performance, targeting cookies) via an affirmative act, like clicking a button ‘Allow all cookies’. The categorization of cookies is important, as the user needs to have the choice to opt in or opt out for specific purposes on the cookie banner. This allows websites to respect the user’s choice and activate or deactivate cookies for specific functionalities. See below an overview of the specific purposes and categories of cookies:
- Strictly necessary cookies: These cookies cannot be turned off as they are needed to run the website properly. They do not store any personal information. Always opt-in.
- Functional cookies: These cookies remember choices you make (such as language or location) and tailor the website to improve your experience.
- Tracking & performance cookies: These cookies gather information about how you use a website, for example which page you visit most often. Used to improve user experience of the website.
- Targeting & advertising cookies: These cookies collect information about your browsing habits and your interests in order to make advertising relevant to you.
You can basically do two things to get consent from a user on your website:
- Implement a cookie banner on your website with the help of a Consent Management Platform (CMP) such as OneTrust, Cookiebot or ConsentManager
- Have your development department implement a manual cookie banner using custom JavaScript code
Obviously, using a CMP is the easier option as it has all the functionalities to comply with GDPR already built into the tool, but it is a costlier solution as you will need to pay a monthly subscription.
Now that you know how you can create a cookie banner on your website, you might be asking how you can handle the consent of a user in your tag management system, such as Google Tag Manager, which is commonly used to set cookies on your website. These tags collect unique user behavior, and therefore you should update the tracking based on the user’s consent. To do so, you will have to update your tags by deploying accept and block triggers that will enable or prevent your tag from firing. On the one hand, a dataLayer value ‘true’ will be pushed when the user has given consent, which will enable your tags to fire (and drop cookies). On the other hand, a dataLayer value ‘false’ will be pushed when no consent is given, which will prevent your tags from firing (and from collecting user information).
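The accept/block logic described above, sketched as an added example (not code from the original article, from Google Tag Manager or from any CMP). The cookie name `cookie_consent`, its `category:flag` format, the `consent_update` event, the `consent_*` keys and the sample tags are all assumptions made for illustration.

```javascript
// Added example. Assumed names: cookie_consent, consent_update, consent_*.
const CATEGORIES = ['necessary', 'functional', 'performance', 'targeting'];

// Read a stored choice such as "cookie_consent=functional:1|targeting:0".
// Missing, malformed or unknown entries default to "no consent";
// strictly necessary cookies cannot be switched off by the stored value.
function parseConsent(cookieString) {
  const consent = { necessary: true, functional: false,
                    performance: false, targeting: false };
  const match = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieString || '');
  if (!match) return consent;
  for (const pair of match[1].split('|')) {
    const [name, flag] = pair.split(':');
    if (name !== 'necessary' && CATEGORIES.includes(name)) {
      consent[name] = flag === '1';
    }
  }
  return consent;
}

// Push one boolean per category. In the tag manager, an accept trigger
// matches the value true and a block trigger matches the value false.
function pushConsent(dataLayer, consent) {
  const entry = { event: 'consent_update' };
  for (const c of CATEGORIES) entry['consent_' + c] = consent[c] === true;
  dataLayer.push(entry);
  return entry;
}

// Tags allowed to fire. A tag whose category is unknown stays blocked.
function allowedTags(tags, consent) {
  return tags
    .filter(t => CATEGORIES.includes(t.category) && consent[t.category] === true)
    .map(t => t.name);
}

// Constructed sample tags, one per optional category plus an unmapped one.
const TAGS = [
  { name: 'language-preference', category: 'functional' },
  { name: 'analytics-pageview', category: 'performance' },
  { name: 'remarketing-pixel', category: 'targeting' },
  { name: 'legacy-widget', category: 'unclassified' },
];

// In a browser: window.dataLayer = window.dataLayer || [];
//               pushConsent(window.dataLayer, parseConsent(document.cookie));
```

Because every optional category defaults to `false`, a first-time visitor with no stored choice fires none of the optional tags until the banner records an opt-in.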
Checklist for implementing Cookie Consent
To get your website fully compliant with GDPR and handle user information in a privacy-safe way, we have outlined below all the steps that you will need to follow:
- Investigate all 1st- and 3rd-party cookies that your website is using with a cookie crawler
- Map and categorize those cookies into the different cookie categories
- Manual or CMP implementation of the cookie banner
- Tracking and tagging implementation - Take action based on user’s cookie preferences
- Analyze the impact on data gathering
What’s next?
Cookies and GDPR laws are still very prominent topics in the digital environment, but with tracking prevention technologies such as ITP from Safari and the recent announcement of Google Chrome that it will stop using browser cookies by 2022, the industry is already preparing for what will happen next in a cookieless world.
To learn more about how the industry is adapting to a cookieless world, read my colleague’s article on ITP and GDPR!