You may have noticed a number of cookie consent messages like this when browsing the Web recently:
You can’t miss them when browsing sites on your phone…
What’s going on?? Have we been invaded by Cookie Monster?
Well, no. It’s all in the interest of privacy and transparency.
In this post I’ll attempt to answer these questions:
- What are cookies?
- How can you control cookies?
- What’s the law governing cookies?
- Does your site need a cookie consent banner or pop-up?
What are cookies and what do they do?
Cookies are small pieces of text (a name and a value, plus attributes such as an expiry date and a domain) that a website asks your browser to store and send back on later requests to that site. Most websites nowadays set cookies.
Some helpful uses of cookies are:
- Authentication: checking that you have logged into a website successfully. This may give you access to premium content on a site. It also means that if you revisit in the near future, you don’t need to log in again.
- Storing products you’ve added to your basket when browsing an online shop. Imagine how hard your grocery shopping would be if that didn’t happen!
- Remembering customization preferences for a website. If you have a choice of languages on a site and you prefer French, your choice may be stored in a cookie.
The dark side of cookies? Cookies have gained a bad reputation for tracking users around the Web and delivering adverts.
First-party and third-party cookies
Cookies can be first-party or third-party – what does this mean?
A first-party cookie is set by the domain you are on. So any cookie on this site set by abrightclearweb.com is a first-party cookie.
A third-party cookie is set by a different domain from the one you are currently on. If you’re on this site and a cookie from linkedin.com is set, that’s a third-party cookie. If you then go from this domain to linkedin.com, that same cookie is read as a first-party cookie, because “first” and “third” party describe the relationship between the cookie’s domain and the site in your address bar, not a property of the cookie itself.
Cookies can also be set for different lengths of time, from minutes to years, using an Expires or Max-Age attribute. A session cookie has neither and lasts only as long as your browser is open, although browsers that restore your previous tabs on start-up often keep session cookies too.
Tracking Cookies are a specific type of cookie that is distributed, shared, and read across two or more unrelated Web sites for the purpose of gathering information or potentially to present customized data to you.
As an example, if you go to a Web site that hosts online advertising from a third-party vendor, the third-party vendor can place a cookie on your computer. If another Web site also has advertisements from the third-party vendor, then that vendor knows you have visited both Web sites. Nothing malicious has occurred, but the advertising company can determine indirectly all the sites you have been to if they have cookies present on those sites.
If you want to get an idea of how tracking cookies interconnect, download the Lightbeam extension for Firefox.
I browsed just six popular sites and found I’d connected with 176 third-party sites. The visualisation shows how they are connected and sharing data. Scary stuff!
The Chrome equivalent is called Disconnect.
We’ve been here before with EU Cookie Law banners
Cookie banners became a familiar sight a few years ago when the EU Cookie Law came in. The law was written into the UK’s Privacy and Electronic Communications Regulations (PECR).
A lot of sites used an “implied consent” model, with a banner saying something like this:
There would normally be an “OK” button, a “more information” link and (possibly) a close button.
Most of us no doubt clicked OK and carried on browsing – probably because we didn’t want the notice hanging around and just wanted to read.
“Implied consent” meant that if the user carried on browsing the site, they were assumed to have agreed with the website’s cookie usage. Otherwise, their only other choice would be to leave that site.
As you’re no doubt aware, a little law called the GDPR came into effect on 25 May 2018. The GDPR set higher standards for the collection and storage of personal data.
Cookies are mentioned in the GDPR in Recital 30, which says:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
So cookies can be a form of personal data.
GDPR made asking for consent much more explicit and specific. Consent must also be able to be managed and also withdrawn.
How do the new-style cookie banners work?
The new cookie consent mechanisms aim to only load the cookies necessary for a website to function – “necessary cookies” – and block all others unless the user opts into their use.
Cookies are grouped into types. Cookiebot, one of the consent popup vendors, uses the following classifications for the cookies on its own site:
- Necessary: These are needed for the website to function and you can’t opt out of them.
- Preferences: Cookies to remember your choices e.g. language.
- Statistics: Anonymised analytics cookies.
- Marketing: Cookies to track users across various websites and show relevant ads.
- Unclassified: We don’t know what these cookies are yet (!)
Other vendors use the word “functional” to mean necessary.
The cookie consent mechanism must be visible somewhere on the site so that the visitor can change their cookie preferences later on.
Ironically, saving your cookie preferences saves them to another cookie!
What are some of the issues with website cookie consent mechanisms?
Identifying and grouping cookies
All cookies on a site have to be identified by name and then assigned to a group. That means the owner needs to do a full audit of all cookies on their site (see below).
Most of these cookie control solutions aren’t free. I’ve seen costs ranging from £8/month to £345/year ex. VAT.
Blocking certain cookies until the user consents means stopping the scripts that set them from running at all until consent is obtained. That usually means changing how each script is embedded in the page (marking it inert and activating it from the consent mechanism) rather than just asking the vendor’s script not to set cookies.
This is technically fiddly, and most webmasters would find it a challenge to do.
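One way the gating works in practice, as an added example rather than Cookiebot’s or any vendor’s code: non-essential scripts are written into the page with `type="text/plain"` so the browser doesn’t run them, and a small loader switches on only the categories the visitor has agreed to. The consent record itself lives in a cookie, which is the “another cookie” mentioned above. The category names follow the grouping quoted above; the cookie name `cookie_consent`, the `data-consent` attribute and the `v1.` value format are assumptions made for this example.

```javascript
// Added example (not Cookiebot's or any vendor's code). Scripts are embedded inert:
//   <script type="text/plain" data-consent="statistics" src="https://example.com/analytics.js"></script>
// and activated only once the visitor has consented to that category.
// "cookie_consent", "data-consent" and the value format are assumptions of this example.

const CATEGORIES = ['preferences', 'statistics', 'marketing']; // "necessary" is never gated
const CONSENT_COOKIE = 'cookie_consent';

// Serialize a choice into the consent cookie's value. It records only the decision
// and when it was made; no identifier goes in, so the consent cookie itself can't track.
function encodeConsent(choices, now = new Date()) {
  const granted = CATEGORIES.filter((c) => choices[c] === true);
  return `v1.${Math.floor(now.getTime() / 1000)}.${granted.join('+') || 'none'}`;
}

function decodeConsent(value) {
  const m = /^v1\.(\d+)\.([a-z+]+)$/.exec(value || '');
  if (!m) return null; // absent or malformed: the banner must be shown again
  const granted = m[2] === 'none' ? [] : m[2].split('+');
  const choices = Object.fromEntries(CATEGORIES.map((c) => [c, granted.includes(c)]));
  return { decidedAt: new Date(Number(m[1]) * 1000), choices };
}

// Read the consent record out of a document.cookie string.
function readConsent(cookieString) {
  for (const part of cookieString.split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === CONSENT_COOKIE) return decodeConsent(decodeURIComponent(v.join('=')));
  }
  return null;
}

// Decide which inert scripts may run. Each script is { category, src }.
// Unknown categories (the "unclassified" bucket) stay blocked: nobody consented to them.
function scriptsToActivate(scripts, consent) {
  return scripts.filter((s) => s.category === 'necessary'
    || (consent !== null && consent.choices[s.category] === true));
}

// Browser side. Changing "type" on an existing <script> never executes it,
// so each activated script is replaced by a fresh element.
function activateInBrowser(doc, consent) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map((el) => ({ category: el.dataset.consent, src: el.src, el }));
  for (const s of scriptsToActivate(inert, consent)) {
    const live = doc.createElement('script');
    live.src = s.src;
    s.el.replaceWith(live);
  }
}

// Cookie string to write when the visitor saves a choice. A year's Max-Age means
// the banner is not shown again on every visit (the failure mode the post complains about).
function consentCookieHeader(choices, now = new Date()) {
  const value = encodeURIComponent(encodeConsent(choices, now));
  return `${CONSENT_COOKIE}=${value}; Max-Age=31536000; Path=/; Secure; SameSite=Lax`;
}
```

On page load the sequence is: `readConsent(document.cookie)`; if it returns `null`, show the banner with every category off; otherwise call `activateInBrowser(document, consent)`. When the visitor saves, write `document.cookie = consentCookieHeader(choices)` and activate again. Withdrawing consent later just writes a new record; scripts already running on that page stop on the next load.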
Opt-in or opt-out inconsistencies
Different management tools have different ways of managing cookie usage.
For some, you need to check or uncheck a checkbox to opt out.
Others have toggles, which may be toggled on or off to begin with.
This one uses a slider:
Since the GDPR says that pre-ticked boxes do not count as consent (Recital 32), having cookies “on” to start with seems disingenuous. It means you have to uncheck or toggle off each option before saving your preferences.
But the logic from the website’s point of view will be: we do want to collect that data and we’re going to make it harder for you to opt out.
Some dashboards don’t offer you a proper opt-out at all. Unchecking the “Interest-Based Advertising Cookies” checkbox here doesn’t disable most of these ad cookies. Many of them have individual opt-outs via their vendors. What a pain!
Choices not saved
So I’ve saved my preferences using these cookie banners and then gone back to the same website a few days later.
Guess what? I get asked for consent all over again!
Some cookie consent pop-ups that I’ve seen are not accessible to keyboard only users. A person cannot make an informed choice – or indeed any choice – about cookies if they cannot access the controls.
How else can you control cookies?
Most browsers have a “privacy mode” where browsing history and cache are not kept. This does not stop cookies being set: sites still set them during the private session, and they are only discarded when you close the private window.
You can block third-party cookies in all major browsers. Remember to configure each browser if you’re using more than one.
There’s an excellent step-by-step guide here:
This will block most (but not all) trackers.
You can delete your existing cookies by following this guide:
Browser vendors and privacy
The Mozilla Foundation has always had a strong commitment to privacy. Their Firefox browser has a feature called Tracking Protection which is enabled in Private Browsing mode by default. You can turn it on for regular browsing too.
Tracking Protection has two modes:
- Basic – blocks most known trackers.
- Strict – blocks all known trackers but may break some features like slideshows and social media.
Apple is also flying the flag for privacy; they recently announced this:
Apple basically declaring war on adtech. Safari will halt tracking, Like buttons etc and ask permission; will thwart device fingerprinting (used by trackers to get round blocking of other tech) #WWDC18
— Adam Banks (@adambanksdotcom) June 4, 2018
Do Not Track
Activating Do Not Track in your browser settings indicates to sites that you would prefer your browsing not to be tracked. The browser sends a DNT: 1 header with every request and exposes the setting to scripts as navigator.doNotTrack.
Find out how to enable Do Not Track in most browsers.
Unfortunately, not all sites respect this.
Google Analytics opt-out
This is a browser add-on that opts you out of all Google Analytics across all sites.
It’s available here: Google Analytics Opt-out Browser Add-on.
Mobile browsers’ privacy settings vary.
Chrome for Android‘s privacy settings let you clear your cookies and activate Do Not Track but there’s no control to block third-party cookies by default.
Samsung’s Android browser lets you turn off cookies (it’s not clear what cookies). You can also Delete personal data which includes cookies. You can also turn on a Tracking blocker and download Content blockers.
Like the desktop browser, Firefox for Android lets you disable third-party cookies or all cookies. You can also clear cookies and other data when you exit a browsing session and activate Tracking Protection.
Safari on iOS has a number of privacy settings, including Do Not Track and Block Cookies.
What can website owners do about cookies?
Find out what cookies your site uses
If you are concerned about cookies, the first step is to do a cookie audit on your site.
There are a number of online tools available to help you. Here is a list: Cookie Auditing Tools
My favourite is the Attacat Cookie Audit Tool, a browser extension for Chrome.
It produces a nice report with all the cookies it found and their “naughtiness rating” ranging from 1 (strictly necessary) to 5 (very naughty).
The only downside I’ve found with Attacat’s tool is that I use Chrome as my main browser and the tool wipes all your cookies before the audit. This means a lot of logging back into sites afterwards!
Another option is to do the cookie audit manually. This can pick up on some cookies that the automated tools can’t e.g. cookies set when you log into a website.
When I’m logged into my site on Chrome, I can use Developer Tools to see what WordPress cookies the site is using. (I’ve blanked out some of the values for security reasons.)
Once you know what cookies your site uses, then the next steps are:
- Work out what the purpose of the cookie is. Attacat’s tool can help here.
- See how long the data is stored for.
- Figure out what code is setting each cookie.
This is a common scenario with social sharing plugins, which can set tracking cookies. Checking mine, I found that just one sharing button for StumbleUpon set 14 cookies!
For that reason, I’ve removed my social sharing plugin from my site and am looking into a cookieless alternative.
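For the “figure out what code is setting each cookie” step, here is an added example (not Attacat’s tool and not code from the original post) of a technique that works in any browser’s console: wrap the `document.cookie` setter so every cookie written by page JavaScript is logged together with the stack trace of the code that wrote it. The `makeFakeDocument` stand-in, the plugin names and the cookie names are constructed so the example runs outside a browser; in a real page you hook `Document.prototype` instead.

```javascript
// Added example (not Attacat's tool, not the original post's code): attribute
// JavaScript-set cookies to the code that sets them. It only sees cookies written
// through document.cookie; cookies set by Set-Cookie response headers show up in
// the browser's Network panel instead.

function installCookieSetterHook(target, log) {
  const original = Object.getOwnPropertyDescriptor(target, 'cookie');
  if (!original || typeof original.set !== 'function') {
    throw new Error('target has no cookie setter to hook');
  }
  Object.defineProperty(target, 'cookie', {
    configurable: true,
    enumerable: original.enumerable,
    get() { return original.get.call(this); },
    set(value) {
      const text = String(value);
      const eq = text.indexOf('=');
      const name = (eq === -1 ? text : text.slice(0, eq)).trim();
      // Error.stack is non-standard but filled in by every major browser.
      // After dropping the bare "Error" line, frame 0 is this setter and frame 1 the caller.
      const frames = (new Error().stack || '').split('\n')
        .map((l) => l.trim()).filter((l) => l && l !== 'Error');
      log.push({ name, value: text, setBy: frames[1] || '(unknown)', stack: frames });
      original.set.call(this, value);
    },
  });
  return function uninstall() { Object.defineProperty(target, 'cookie', original); };
}

// Group the log by cookie name: which code paths set each one.
function attributeCookies(log) {
  const byName = {};
  for (const entry of log) {
    if (!byName[entry.name]) byName[entry.name] = [];
    if (!byName[entry.name].includes(entry.setBy)) byName[entry.name].push(entry.setBy);
  }
  return byName;
}

// Stand-in for a browser document so the example runs offline (constructed).
function makeFakeDocument() {
  const jar = new Map();
  const doc = {};
  Object.defineProperty(doc, 'cookie', {
    configurable: true,
    enumerable: true,
    get() { return Array.from(jar, ([k, v]) => `${k}=${v}`).join('; '); },
    set(text) {
      const [pair] = String(text).split(';');
      const eq = pair.indexOf('=');
      jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    },
  });
  return doc;
}

// Two constructed "plugins" standing in for a sharing button and a language switcher.
function demo() {
  const doc = makeFakeDocument();
  const log = [];
  const uninstall = installCookieSetterHook(doc, log);
  function sharingPlugin() { doc.cookie = 'share_uid=abc123; Max-Age=31536000; Path=/'; }
  function langSwitcher() { doc.cookie = 'site_lang=fr; Path=/'; }
  sharingPlugin();
  langSwitcher();
  uninstall();
  doc.cookie = 'after_uninstall=1'; // no longer logged
  return { log, cookies: doc.cookie, setters: attributeCookies(log) };
}

// In a real page: const log = []; installCookieSetterHook(Document.prototype, log);
// then browse and run console.table(log.map(({ name, setBy }) => ({ name, setBy }))).
console.log(demo().setters);
```

Hooking `Document.prototype` rather than `document` catches cookies set from same-origin iframes too, and the returned `uninstall` function restores the original accessor when you are done. Because the hook has to be in place before the page’s scripts run, load it as a user script or set a breakpoint on the first script and paste it then.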
Cookies can also be set by embedded content. Embeds are content from other sites shown in full on the page e.g. SlideShare presentations, YouTube videos, tweets, Facebook timelines and so on. There isn’t an easy solution to avoiding setting these cookies other than to not use embeds.
YouTube does provide a “privacy-enhanced mode” embed, served from the youtube-nocookie.com domain instead of youtube.com, which by YouTube’s own description doesn’t store information about visitors unless they actually play the video.
Honour Do Not Track
You can honour Do Not Track requests from visitors by adding some code snippets.
Google Analytics: Google Analytics with Do Not Track
Jetpack for WordPress: WordPress.com Stats: Honoring DNT
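As an added example of what such a snippet looks like (this is not the code from either linked article): read the Do Not Track signal the way browsers of the time exposed it, and if it is set, switch on the `window['ga-disable-<property ID>']` opt-out flag that Google documents for analytics.js before the tracker loads. The property ID below is a placeholder, and the `nav`/`win` parameters exist so the logic can be exercised outside a browser.

```javascript
// Added example (not from the linked Google Analytics / Jetpack articles).
// Honour Do Not Track client-side: detect it, then keep Google Analytics off.

// Browsers disagree on where the flag lives and what it says: navigator.doNotTrack
// is "1" in Chrome and Firefox, older Safari sent "yes", and IE/old Edge used
// navigator.msDoNotTrack or window.doNotTrack. Anything else ("0", null, "unspecified")
// means tracking is not refused.
function dntEnabled(nav, win) {
  const raw = nav.doNotTrack || win.doNotTrack || nav.msDoNotTrack;
  return raw === '1' || raw === 'yes';
}

// Returns true if the tracker may be loaded. When DNT is on, sets the opt-out
// flag Google documents for analytics.js; it must be set before the script runs.
function applyDoNotTrack(nav, win, propertyId) {
  if (dntEnabled(nav, win)) {
    win['ga-disable-' + propertyId] = true;
    return false;
  }
  return true;
}

// Usage in a page, before the analytics.js snippet (placeholder property ID):
// if (applyDoNotTrack(navigator, window, 'UA-00000000-1')) { /* insert GA snippet */ }
```

The server-side equivalent is to check for a `DNT: 1` request header before emitting the analytics snippet at all, which also stops the tracker script from being downloaded.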
What’s happening with the ePrivacy Regulation?
The ePrivacy Regulation is the updated version of the Cookie Law. It’s currently in draft. It was due to be released at the same time as the GDPR implementation but has been pushed back.
Recital 22 of this draft says:
The methods used for providing information and obtaining end-user’s consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other application.
In a nutshell:
- Consent needs to be asked for in a user-friendly way.
- Most of us have “consent fatigue” – we’re being overwhelmed with requests.
- Browsers and apps could act as consent guardians.
So we may be rescued from an endless amount of cookie banners and pop-ups by browser settings.
This sure would make things a lot easier. Just fix your browser settings once and you’re ready to go!
What is the ICO in the UK saying about cookies?
The Information Commissioner’s Office (ICO) says in its cookie guidance for organisations (emphasis is mine):
You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent.
There is an exception for cookies that are essential to provide an online service at someone’s request (eg to remember what’s in their online basket, or to ensure security in online banking).
Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should be able to disable cookies, and you should make this easy to do.
What is the ICO’s cookie consent message?
As the UK data protection regulator, we’d expect the ICO to do the right thing about cookies. So what are they doing?
The ICO has a pop-up about cookies which appears on their site when you load it for the first time.
If you choose I’m fine with this or click the X the pop-up disappears. (If you clear your cookies and revisit the site, the pop-up reappears.)
The small orange triangle in the corner of the page minimises or maximizes the pop-up.
The Information and settings link within the pop-up expands it and gives you further information.
The Cookies we use and Adjust your browser settings links both point to their cookie page, which lists all their cookies, their functions and expiry dates.
Turn cookies off removes some cookies, but not all. (Remember, it’s okay to use essential cookies.) The cookie which records consent (or not) expires in about 6 months.
Where does this leave us? Do you need a cookie banner or not?
It’s certainly confusing!
The “old style” cookie banners don’t fit with the current ICO guidance, because they assume consent is granted if you continue browsing, and set cookies anyway.
The “new style” cookie banners with consent choices are better, but they have the downsides of being tricky to implement and overloading people with consent requests – exactly what the draft ePrivacy Regulation wants to avoid.
It would make things a whole lot simpler if browsers handled cookie consent.
As a website owner, it is a good thing to be privacy conscious. Until the updated ePrivacy guidance is published, an interim approach if you run a website might be to:
- list the cookies you do use on your website and why
- respect Do Not Track requests
- give users useful links to control cookies in their browser.
What’s your approach to cookies? Let me know in the comments.