The UK GDPR introduced new measures to protect people's personal data and to let them choose which personal data they share. In this article, we share our position and recommendations on managing cookie consent.
Initially, the legislation was interpreted in several ways, depending on the level of risk a company chose to take. Some companies have used a default opt-in policy, which means that cookies are not placed on users’ browsers unless explicitly permitted. Others have used a default opt-out policy, which means cookies are placed on users’ browsers until they turn them off.
We are now seeing a movement towards the stronger interpretation of the legislation, where companies follow the opt-in model.
We also find that some of our advertising partners take a strong stand to ensure that the opt-in is tracked before any advertising activity is allowed.
You will undoubtedly have noticed the increase in cookie pop-ups since the UK GDPR came into effect, and how these pop-ups have evolved to give users more control over the cookies they activate, and therefore over the personal data they share.
Essential vs non-essential cookies
Cookies fall into two main categories: those which are essential for the proper functioning of the site and those which are not.
Essential cookies are those without which the website will not function. They include cookies such as those set when logging into a website, without which it would not be possible to log in.
Non-essential cookies are those the site functions perfectly well without. These include cookies such as Google Analytics and advertising cookies.
What is the difference between opt-in and opt-out?
The opt-out method sets non-essential cookies the first time the website loads and then allows the user to opt out.
The UK GDPR regulations are clear: non-essential cookies must not be set unless the user has accepted them.
The challenge for marketers
As marketers, we have become dependent on sharing personal data for purposes such as measurement through Google Analytics or remarketing advertising. The age of privacy is giving control back to users, which naturally poses a challenge for traditional marketing methods.
For example, users can choose to opt out of all measurement cookies, which would mean that Google Analytics data cannot be captured for these users, giving an incomplete sample of website usage data.
To ensure compliance with UK GDPR regulations, to provide users with the level of choice of cookies and data sharing that they expect in the privacy age, and to ensure that we are able to continue using advertising platforms with a strict cookie compliance policy, we recommend the following approach.
A balance must be found: users who do not need control over cookies should be able to proceed quickly to the website without frustration, while those who wish to control cookies should be given the options to do so.
- On their first visit to your website, users should encounter a blocking window that clearly indicates which cookies you want to use.
- The user should not be able to interact with the website until action is taken, and cookies should not be set until the user has made a choice.
- Two calls to action must be offered. See Figure 1 as an example of good practice.
  - The first view of the modal should provide a clear "Accept" call to action that allows the user to accept and configure all cookies.
  - A secondary call to action should allow users to choose the cookies they prefer.
- For non-essential cookies, we recommend that you classify them in different categories, such as Performance, Measurement, Advertising and any other relevant category. See Figure 2 for an example of how HRH manages this and of good practice.
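The recommendations above amount to an opt-in gate in front of every cookie write. The sketch below is an added example, not code from this article or from any consent product; the `ConsentGate` class, its method names, the cookie names and the in-memory `Map` standing in for `document.cookie` are all assumptions made for illustration.

```javascript
// Added example: opt-in consent gate. Category names follow the article;
// class, method and cookie names are hypothetical, and the Map is a
// constructed stand-in for document.cookie so the logic runs offline.
const CATEGORIES = ['essential', 'performance', 'measurement', 'advertising'];

class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;        // where cookies end up once they are allowed
    this.consent = null;   // null = user has not acted yet
    this.pending = [];     // non-essential writes held until a choice is made
  }

  // True while the blocking modal must stay on screen.
  get blocking() { return this.consent === null; }

  // Primary call to action: accept every category.
  acceptAll() { this.choose(CATEGORIES); }

  // Secondary call to action: user picks categories; essential is always on.
  choose(selected) {
    const unknown = selected.filter(c => !CATEGORIES.includes(c));
    if (unknown.length) throw new Error(`unknown category: ${unknown.join(', ')}`);
    this.consent = new Set(['essential', ...selected]);
    const queued = this.pending.splice(0);  // take and clear the queue
    queued.forEach(({ category, name, value }) => this.setCookie(category, name, value));
  }

  // Returns true if the cookie was written, false if it was held or refused.
  setCookie(category, name, value) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === 'essential') { this.jar.set(name, value); return true; }
    if (this.consent === null) { this.pending.push({ category, name, value }); return false; }
    if (!this.consent.has(category)) return false;  // not accepted: never written
    this.jar.set(name, value);
    return true;
  }
}

// Constructed walk-through of a first visit: tags try to write cookies
// before the user acts, then the user either accepts all or picks categories.
function firstVisitDemo(selected) {
  const gate = new ConsentGate();
  gate.setCookie('essential', 'session_id', 'abc');
  gate.setCookie('measurement', 'analytics_id', 'm1');
  gate.setCookie('advertising', 'ad_id', 'a1');
  const before = [...gate.jar.keys()];
  if (selected === 'all') gate.acceptAll(); else gate.choose(selected);
  return { before, after: [...gate.jar.keys()].sort() };
}
```

In a real page the same gate would also decide whether third-party scripts are loaded at all, since a script that is loaded can set its own cookies without going through `setCookie`.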