Last week we discussed cookies and their regulation under EU law and mentioned how non-essential cookies require consent. These are the sort of cookies that power cookie-based web analytics services such as Google Analytics and Adobe Analytics. Today we will dig more into consent and what it means for web analytics specifically.
- What does cookie consent look like?
- Consent is specific
- What are the most common issues with consent?
- Conclusions
Let's dive in!
A tl;dr on consent and cookies
Before we head in, let’s go through a high-level overview of consent and cookies:
- Web analytics cookies always need consent because they are non-seential.
- GDPR consent is only valid when it meets specific criteria: it is freely given, specific, informed, unambiguous, and possible to withdraw.
So: analytics cookies require consent, and this consent needs to meet certain standards. This means that your cookie banner needs to be designed a certain way. But there is more to it, and while most of the rules are uncontroversial, some are hotly debated in the legal community.
Let’s dive in!
What does cookie consent look like?
Consent is unambiguous
In a nutshell, the GDPR’s requirement for unambiguous consent means that only active, opt-in consent is valid. There is no such thing as an implicit or opt-out consent under the GDPR.
The rule of opt-in consent has important consequences for cookie banners. A well designed cookie banner uses affirmative wording such as “I accept cookies” or “I consent to the use of cookies”. This is different from merely acknowledging or understanding that cookies will be used.
Additionally, a well-designed website does not write cookies until users make a choice. Ignoring a banner or clicking a “close” button to dismiss it never, ever constitutes or implies consent.
Consent is specific
Consent is only valid when given for a specific purpose. This entails that consent must be granular: when the same cookies are used for multiple purposes, then you need multiple consents- one for each purpose.
In practice, the best way to collect granular consent is to use your web analytics cookies for web analytics only. This allows you to collect a separate consent for other cookies such as user authentication cookies, and to write essential cookies without user consent (which is absolutely fine under the law).
Consent is informed
This requirement is intuitive: if I don’t know what I am consenting to, then I am not really consenting in any meaningful way. I do not necessarily need to understand all the tiny technicalities about your web analytics, but I do need to understand the facts that really matter for my decision: who takes my data, what data they take, for what purpose, and with what potential consequences.
In practice, this means that a cookie banner should:
- Tell the user what the cookies are for.
- Use clear, accessible, accurate language.
- Tell the user with whom their personal data will be shared. For Google Analytics, this includes Google and its advertising partners.
This information needs to be concise and in plain English. In practice, it is usually a good idea to deliver the most crucial information through the cookie banner and link to a cookie policy with more in-depth information.
Consent can be withdrawn
Consent is revocable. You should allow users to review their cookie preferences and easily opt out of any cookies they might have agreed to.
Please note that the withdrawal of consent sometimes comes with a request for erasure. In that scenario, you get a deadline for deleting all the data from the requestor. This means all the web analytics data that relates to their cookies and the unique ID they contain.
Most companies don’t think about this stuff when they set up their web analytics and have no clue what to do when they get a request for erasure. We can’t go into too much depth here, but an organization should, at the very least:
- establish a clear procedure for handling requests
- ensure it can easily retrieve and delete data from individual users. For web analytics, this means being able to filter data points by unique IDs.
Consent is freely given
The GDPR requires every consent to be freely given. This is why your hospital cannot collect consent to the use of your data as a requirement to provide health care, and why employers should refrain from having employees sign GDPR consent forms. You have no meaningful choice when witholding consent means dying or losing your job.
What are the most common issues with consent?
Two compliance issues have surfaced lately with web analytics. Deceptive cookie banners are found all over the Internet and try to nudge users towards accepting cookies they do not really want, while cookie walls require visitors to pay to get rid of cookies.
Both of these issues are fairly controversial in the privacy community. Let's see what the fuss is all about, and what it means for web analytics
Deceptive banners
Accepting cookies is always easy as pie, but rejecting them usually requires you to jump through hoops. This is a deliberate design choice: many banners nudge users into accepting cookies by making the rejection process to be as annoying, confusing and time consuming as possible. Visitors often give in because they don’t have the time or patience to figure their way out of every cookie banner they see.
Deceptive designs look like a good solution for websites. After all, the user clicked “I accept”, so everything should be fine. Right? Not quite. If consent was extorted through deception and exhaustion, then it is neither free nor unambiguous.
Thankfully, the European Data Protection Board took a stance against deceptive cookie banners. Its stance is not unanimous but is shared by the vast majority of enforcers. We are starting to see some serious enforcement, too.
Bottom line: if you really need to use cookie-based analytics, be on the right side of the law and make your cookies easy to reject. Make sure that the “reject all” button is clearly visible, clearly worded, and available on the first level of the banner’s interface!
(And yes, this means that many users will reject your cookies.)
Cookie walls
Some cookie banners do not include a “reject all cookies” button and offer a different choice instead: users can either accept cookies, or sign up for a paid subscription that allows them to browse the site without cookies. In other words: pay with your money, pay with your data, or leave. These banners are referred to as cookie walls and are typically used by digital newspapers.
Cookie walls entail a commodification of personal data that a part of the privacy community considers undesirable at best and unlawful at worst. Proponents of cookie walls say that publishers cannot provide content for free and need ad revenue to keep up the work. Critics of cookie walls point to contextual advertising as an alternative source of revenue for publishers and observe that a fundamental right such as data protection cannot be commodified (they are right, by the way).
In practice, your mileage with a cookie wall may vary depending on your jurisdiction. For instance, cookie walls are used by many German news outlets because regulators tend to be somewhat lenient on that front.
We really dislike cookie walls, but if you really want to implement one, it might be prudent to wait for a while. Meta took a page from news outlets and implemented a pay-or-ok subscription schemes in an attempt to justify its aggressive surveillance-based advertising. European regulators will soon need to take a stance on Meta's approach, and once they do, their position on cookie walls will probably become clearer as well.
(By the way: pay-or-ok is a really big deal for the future on the GDPR! If you are curious about this crucial privacy topic, feel free to check out our blog on Meta subscriptions.)
Conclusions
Overall, consent rules for web analytics are fairly stringent in the EU. This creates a problem for cookie-based analytics: strategies that lead to good opt-in rates for cookies, are likely to violate the law. Websites are stuck between a rock and a hard place, as they have to choose between low opt-in rates or a compliance risk.
This is why many companies are moving towards cookieless analytics solutions. And we are proud to offer the most privacy-friendly one!
Simple Analytics is the cookieless web analytics solution that collects no personal data. This makes it trivial to comply with the GDPR and other privacy legislations. Our service is also easy to learn and navigate, thanks to our intuitive UI and handy AI assistant. If this sounds good to you, feel free to give us a try!