Cookie Compliance and Privacy

September 21, 2022 | by Dan Moriarty

You probably noticed it for the first time several years ago. You were trying to visit some website or online article, but before you could read or do anything else, a pop-up window or banner suddenly blocked you.

(Image: a sample “Accept all Cookies” button)

And the message wasn’t trying to sell you anything. It was simply about “cookies”. Most followed some version of “this site uses cookies, and I hope you’re ok with that.” They often didn’t say more than that. Just that this website relies on cookies and they thought you should know. Don’t like it, or don’t understand what they’re talking about? Well, too bad.

I guess you could always turn and run, but then you wouldn’t get to read or find whatever it was you were looking for. As the technology has matured, these “cookie compliance” banners or “cookie walls” have become a little more useful. Now they may include a lot more info, such as a list of the different types of cookies being used and what they are for. Even better, they often now give you the option to say “no, I don’t want your cookie” (in other words, don’t track what I do).

But where the heck did these come from and why did it seemingly start out of the blue? We never got asked this before. Ever wonder why everyone started asking you to “approve” their use of cookies on websites? And perhaps equally important, should you be doing this on your own websites? Let’s take a run through the cookie madness.

Why are you doing this to me?

The short history of cookie compliance banners largely goes back to the GDPR. This major law from the European Union was first enacted in 2018, with the goal of protecting an individual’s right to privacy from a whole host of data mining and user tracking practices. In short, it established a right to privacy online, giving users more say in how their personal information could be collected and used.

Of course this is a European law, and we here in the USA are not a part of Europe (we’re the ones to the left of Europe on our maps). But it isn’t quite that simple. 

For one thing, the Internet is global. If you’re an American-based organization and run a website, you can’t exactly prevent people from outside of the country visiting your website. And the larger your organization, the more likely it is you WANT visitors from all over the world. Suddenly you need to be aware of other countries' laws. And that includes the GDPR.

Without getting into too much detail about the law, just know that it says you have to ask for permission before you track what may be considered personal information. The definition here is pretty broad, so everything from Google Analytics to Facebook tracking pixels is covered under the law. Thus the cookie compliance banner was born.

You won’t see it everywhere, of course. It’s largely limited to businesses and other organizations with large, wide-reaching audiences. But new privacy laws are coming to the US, and others (like California’s CCPA) have already arrived. So until someone comes up with a better way of dealing with it, expect to see more and more cookie compliance banners everywhere.

Does my site need this?

Ok, first off, I’m not a lawyer, so I’m not really the one to decide this for you. But in my bold and unofficial opinion, the answer is… “definitely maybe?”

Some questions to ask yourself include:

  • Are you sponsoring advertising or paid search through Google, Facebook and other channels?
  • Do you let users “like” or share your site content via social media buttons?
  • Do you embed social media posts on your site?
  • Do you have a “live chat” widget running on your website?
  • Do you embed YouTube videos on your site?

If the answer is yes to any of these questions, then you should probably consider some kind of cookie compliance banner, because your site contains “third-party cookies” which keep tracking a user’s browsing even after they’ve left your site.

There are other privacy rights and regulations that may impact your site and the data you collect, based on the privacy laws mentioned above. Maybe it’s not cookies you need to worry about, but your privacy policies as a whole, or how you retain and protect people’s personal information online. 

But for now, let’s limit the conversation to cookies. Looking at the list above, you may discover that your site is deploying cookies, even though you didn’t know it. 

It’s somewhat obvious if you’re paying to run ads on your site that you may be tracking your users. But it’s probably not as obvious that by simply embedding some common items on your webpages, such as a YouTube video, Facebook post, or Live Chat widget, you are also introducing third party cookies to your visitors. Is that your site? Read on.

Third-party vs first-party cookies

It’s important in all of this to understand the difference between a “first-party” and “third-party” cookie. And maybe cookies in general, if you’re not sure.


Cookies are small pieces of data that the sites you visit store in your browser, meant to track your browsing sessions and remember information about the content you may be consuming. Some of these cookies are critical to your browsing experience, such as the shopping cart that tracks what you are planning to purchase from an online store, or a login to a password-protected website. These cookies are only related to the site you are visiting, making them “first-party cookies.”

Then there are other types of cookies that start tracking you in one place and continue to monitor your browsing activity even after you leave the original site. For example, a social media sharing button on your site could start tracking a visitor (even if that visitor chooses to ignore the “share” button), and keep feeding information back to the social network on every site they visit afterwards. These are used for targeted advertising, based on your history and what is assumed about your personal profile. For example, you “shared” a pair of glasses from one site and now all these other sites you visit start showing you ads for those same glasses. These are called “third-party” cookies.

Note that there are other, similar tracking methods and techniques with different names, such as tracking pixels or tags, but for the purposes of privacy and compliance, let’s lump them in with our third-party cookies, as they essentially carry out the same functions.
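To make the first-party versus third-party distinction concrete, here is an added example (my own illustration, not code from the original post): given the host shown in the address bar and the host that sent each Set-Cookie header, it parses the header, classifies the cookie, and summarizes a constructed sample of responses into the kind of inventory the post recommends keeping. The hostnames and cookie names are placeholders, and the two-label “registrable domain” rule is a simplification of what browsers actually do with the Public Suffix List.

```javascript
// Added example, not from the original post: classify cookies seen while
// loading a page as first-party or third-party relative to the site the
// visitor is on. Hostnames and cookie names below are constructed placeholders.

// Approximate the "registrable domain" as the last two DNS labels. This is a
// simplification: browsers use the Public Suffix List (so that e.g. co.uk is
// handled correctly). Good enough for a first inventory of your own site.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, '').split('.');
  return labels.slice(-2).join('.');
}

// Parse one Set-Cookie header value into its name, value and the attributes
// that matter for a privacy review.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : pair,
    value: eq >= 0 ? pair.slice(eq + 1) : '',
    domain: null,      // Domain attribute, or null when host-only
    path: '/',
    secure: false,
    httpOnly: false,
    sameSite: null,    // 'lax', 'strict', 'none', or null when unset
    maxAge: null,      // seconds; null means a session cookie (Expires ignored here)
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': cookie.domain = v.toLowerCase().replace(/^\./, ''); break;
      case 'path': cookie.path = v; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v.toLowerCase(); break;
      case 'max-age': cookie.maxAge = Number(v); break;
      default: break;  // Expires and unknown attributes are ignored in this example
    }
  }
  return cookie;
}

// Decide the party of a cookie. `siteHost` is the host in the address bar,
// `responseHost` is the host whose response carried the Set-Cookie header.
function classifyCookie(siteHost, responseHost, header) {
  const cookie = parseSetCookie(header);
  const effectiveDomain = cookie.domain || responseHost.toLowerCase();
  const thirdParty = registrableDomain(effectiveDomain) !== registrableDomain(siteHost);
  return { ...cookie, effectiveDomain, party: thirdParty ? 'third-party' : 'first-party' };
}

// Constructed sample: a visit to www.example.org that embeds a video player
// and a live chat widget served from other organizations' domains.
const SAMPLE_RESPONSES = [
  { host: 'www.example.org', setCookie: 'SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'www.example.org', setCookie: 'cart=3items; Path=/; Max-Age=604800; SameSite=Lax' },
  { host: 'video-embed.example.net', setCookie: 'VISITOR=xyz; Domain=.example.net; Secure; SameSite=None' },
  { host: 'chat.widget.example.com', setCookie: 'cw_uid=42; Max-Age=31536000' },
];

// Produce the inventory the post suggests keeping: every cookie with its party,
// plus the list of third-party cookies a consent banner would have to cover.
function auditCookies(siteHost, responses) {
  const results = responses.map((r) => classifyCookie(siteHost, r.host, r.setCookie));
  const summary = { firstParty: 0, thirdParty: 0, needsConsent: [] };
  for (const c of results) {
    if (c.party === 'first-party') {
      summary.firstParty += 1;
    } else {
      summary.thirdParty += 1;
      summary.needsConsent.push(`${c.name} (${c.effectiveDomain})`);
    }
  }
  return { results, summary };
}

// Stand-alone run: print the inventory for the constructed sample.
console.table(auditCookies('www.example.org', SAMPLE_RESPONSES).results);
```

In practice you would feed this from your browser's developer tools (the network panel shows each response's Set-Cookie headers and the host that sent them) rather than from a hand-written list; the classification logic stays the same. A proper audit tool swaps the two-label rule for a Public Suffix List lookup.
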
How can I get one of those?

Let’s say you’ve determined that your site needs some kind of cookie compliance banner. You need it for legal reasons, or you simply want to be a good privacy advocate or get ahead of the curve for future compliance. What are your options?

First do some planning and documentation. Take some time to look over your site, by yourself or with some outside help. Identify all the areas where cookies are being set. Remember, it can be from things you are doing directly on your site, or it can come from third-party tools you’ve embedded on your pages. Make a list, a spreadsheet, or however you want to track it.

Next determine how you want to let people know. Be upfront about the data you’re collecting, and give your visitors the option to “opt-in” or “opt-out” of tracking. This is where the banner gets used. 

If you’re highly technical and like to do things from scratch, you can pull something together with JavaScript or similar techniques. But why start from scratch when there are so many pre-built (and well-designed) options?
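If you do go the from-scratch JavaScript route, the core idea is small: store the visitor's choice in a first-party cookie, and inject the optional third-party scripts only once that choice allows their category. The following is an added example of that opt-in pattern (my own illustration, not code from the post or from any of the plugins or services mentioned); the cookie name, the category list, the script catalog and its hosts are all assumptions made up for the example.

```javascript
// Added example, not from the original post: a minimal opt-in consent gate.
// Optional third-party scripts are listed with a category and are loaded only
// after the visitor's stored choice allows that category. Names and hosts
// (CONSENT_COOKIE, SCRIPT_CATALOG, the example.net/.com URLs) are placeholders.

const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_VERSION = 1;  // bump when the catalog or wording changes so old choices are re-asked
const CATEGORIES = ['analytics', 'marketing'];  // "necessary" cookies are always on and have no toggle

// Constructed catalog of optional embeds. Each one sets third-party cookies.
const SCRIPT_CATALOG = [
  { id: 'analytics-tag', category: 'analytics', src: 'https://analytics.example.net/tag.js' },
  { id: 'video-embed', category: 'marketing', src: 'https://video-embed.example.net/player.js' },
  { id: 'chat-widget', category: 'marketing', src: 'https://chat.widget.example.com/loader.js' },
];

// Read the stored choice from a document.cookie-style string. Returns null when
// there is no valid, current-version choice, meaning the banner must be shown.
function parseConsent(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join('=')));
      if (stored.v !== CONSENT_VERSION) return null;  // stale consent: ask again
      const choices = {};
      for (const c of CATEGORIES) choices[c] = stored.choices[c] === true;  // default deny
      return choices;
    } catch (e) {
      return null;  // malformed cookie: treat as no consent given
    }
  }
  return null;
}

// Build the cookie string for a choice. The consent record itself is a
// first-party, strictly necessary cookie; SameSite=Lax and Secure keep it
// off cross-site requests and plain-HTTP connections.
function buildConsentCookie(choices, maxAgeDays = 180) {
  const payload = encodeURIComponent(JSON.stringify({ v: CONSENT_VERSION, choices }));
  return `${CONSENT_COOKIE}=${payload}; Path=/; Max-Age=${maxAgeDays * 86400}; SameSite=Lax; Secure`;
}

// Which catalog entries may be loaded under a given choice (none when choices is null).
function allowedScripts(catalog, choices) {
  if (!choices) return [];
  return catalog.filter((s) => choices[s.category] === true);
}

// Browser wiring; skipped when run outside a browser (e.g. under Node).
if (typeof document !== 'undefined') {
  const load = (choices) => {
    for (const s of allowedScripts(SCRIPT_CATALOG, choices)) {
      const el = document.createElement('script');
      el.src = s.src;
      el.async = true;
      document.head.appendChild(el);
    }
  };
  const stored = parseConsent(document.cookie);
  if (stored) {
    load(stored);
  } else {
    const banner = document.createElement('div');
    banner.innerHTML = 'This site uses optional analytics and marketing cookies. '
      + '<button id="consent-all">Accept all</button> '
      + '<button id="consent-none">Reject optional</button>';
    document.body.appendChild(banner);
    const decide = (choices) => {
      document.cookie = buildConsentCookie(choices);
      banner.remove();
      load(choices);
    };
    document.getElementById('consent-all').onclick = () => decide({ analytics: true, marketing: true });
    document.getElementById('consent-none').onclick = () => decide({ analytics: false, marketing: false });
  }
}
```

Two design points worth noting: nothing in the catalog is loaded until a choice exists (a missing, malformed or out-of-date consent cookie all count as “no”), and the version number lets you re-prompt everyone when you add a new embed rather than silently loading it under an old “accept all”. The Secure attribute means the consent cookie will not be set over plain HTTP, which is what you want on a production site.
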

Here’s what I consider your two best options: find a plugin or module to manage the banner, or use a third-party service that specializes in cookie compliance. Both options are valid. Some are free and some cost money, but in most cases you get what you pay for.

Cookie Compliance Modules and Plugins

If you have a modern website, there’s a good chance you’re running it through some content management system (CMS). If so, then you’re in luck. As usual, there are already some great tools someone else has built which you can implement on your own site. And as long as someone’s maintaining and supporting them, they continue to get improvements over time.

For Drupal users, one of the primary modules to consider is the EU Cookie Compliance module. This lets you display a cookie banner to new site visitors, add additional information about categories of cookies deployed, and a button to easily “accept” or say “no thanks.” 

For WordPress, there are many options, including the GDPR Cookie Compliance plugin. This plugin offers features similar to Drupal’s EU Cookie Compliance module, and is a good starting point for most users. 

Both are free to download, though the WordPress plugin comes with additional “premium” features if you wish to pay a small fee.

Third Party Cookie Banners

(Image: sample consent banner from Cookiebot)

While using a third-party service typically costs some money, there are advantages to it over the DIY or plug-in approach. For starters, these companies specialize in this area. They usually offer educational resources around the issues of privacy laws, and have a commitment to keeping their products up-to-date with legal compliance. 

As far as getting started, these same services often will have tools to audit your site for cookies, so you don’t have to worry about not catching all the various instances where tracking might be present. 

And best of all, the banners themselves are already built and easy to configure. You simply fill out a few details online, and then you get a snippet of code to embed on your website. Boom, you’re done. Their cookie banners often explain and divide cookies between the critical ("necessary") and the optional (e.g. "marketing"). And they give you the opportunity to add language explaining what each one is doing and why. 

Some sample services include Cookie Consent, Cookiebot, Cookie Script, Cookie Control and OneTrust, though there are many others to consider. In addition to tools for configuring banners on the third party site, there are also tools in a CMS like Drupal for easier integration with these third-party services, such as the Cookiebot, Cookie Control and CookiePro modules.

Is that all I have to do to be “privacy compliant”?

No, that’s not everything. This is simply in regards to third-party cookies. You still need to weigh other considerations to be truly privacy compliant (and potentially to stay within any privacy laws you are exposed to).

For example, do you have an up-to-date and easy-to-read privacy policy readily available to all visitors? Are you collecting or retaining any personal information on your own website and/or in some database? How are you protecting any personal information you collect, and what steps would you take if it was accidentally exposed? Can your site visitors request and access copies of whatever information you’ve collected on them, and request that such information be deleted?

Taking privacy seriously does take some additional work. Consult with your legal team, and make sure you’re not exposed to any legal violations. This is an issue of increasing attention and importance, and not one to neglect. Think about it next time you’re about to redesign your website, and make a good plan to follow. Here at Electric Citizen, we can help during our discovery phase with beginning this process.

Won’t these cookie banners annoy everyone?

Yeah, you will annoy some people who don’t understand why these banners are needed. They may be another expense or tool that needs maintaining. And there’s always a risk you’ve done more than needed, when your site isn’t really tracking any personal information.

But I view this area as “better safe than sorry.” While many of your visitors may not know or care about digital privacy, those who do may really care a lot. And at worst, you’re showing your users that you care about their concerns. At best, you’re staying in line with privacy laws. Overall, it’s ultimately very little cost to get started, so you may as well consider it.

What’s the future of this?

Many companies are starting to take on privacy issues like cookie compliance head-on. Apple, for example, has come out strongly in favor of new privacy protections. Its Safari browser offers to block all third-party cookies by default. The iPhone lets users opt out of all tracking from various apps. Firefox later announced that it too will be blocking third-party cookies by default.

Facebook and Google have made most of their money selling advertising that relies on tracking users’ behavior, and that tracking has relied heavily on cookies. But the direction of the law is clear to them, and they are moving towards new technologies for gathering user information without exposing personal information.

Should these prove successful and laws continue to weed out the worst of cookie tracking, maybe we’ll reach a future where these annoying cookie banners are no longer needed. I think we will. But it will take time. So for now, expect them to be here to stay. If your site needs one, get it done!


About the Author:

Dan has been working as a UX/UI designer, business analyst and digital strategist since 2000, prior to founding Electric Citizen in 2012.