
Cookie Opt-In for GDPR Compliance

Opt-In For Cookie Tracking

Passed back in 2002, the EU's ePrivacy Directive (Directive 2002/58/EC) outlined how companies should approach data collection, privacy, and security in an ethical and legal way. The directive recognizes cookies as a useful tool that facilitates many of the web's core functions, like shopping carts, single sign-on, and persistent site preferences. It also recognizes that cookies can be abused, and it offers a solution: users must be told what cookies are used for and must be able to refuse them, backed by a set of rules about how personal data may be used.

A stricter set of rules now sits alongside that directive. The General Data Protection Regulation (GDPR) replaced the 1995 Data Protection Directive and has applied since 25 May 2018. Because the ePrivacy Directive borrows its definition of consent from the general data protection law, GDPR's standard of informed, affirmative opt-in now governs cookie consent as well, and companies are making big changes to become compliant.

That's not the only change in the works, either. The proposed ePrivacy Regulation, intended to replace the 2002 directive, would further affect cookie tracking by streamlining the consent process and tweaking the conditions for consent. For now, though, GDPR is law, and that's what we'll be focusing on in this post.

The biggest challenges with cookie opt-in are that (a) consumers aren't well educated about what cookies are and (b) even savvy consumers aren't aware of the legitimate uses of cookies. The task is to present cookie use to users in a way that shows you won't be spying on them (or, if you are collecting data, why) and that shows how cookies add value by making your site more convenient.

Elements of a Good Cookie Opt-In Form

Your cookie opt-in forms should be at least as descriptive as the rest of your processing consent forms; that is the bare minimum for compliance. For cookie forms specifically, there are a few more things to consider, especially if you want to maintain a good relationship with your users.

Your cookie opt-in forms should be:

  • Educational
    Your form should explain what cookies are in an easy-to-understand way
  • Descriptive
    Your form should describe how you'll use cookies and the data they collect
  • Helpful
    You need to show how cookies will improve a user's experience
  • Transparent
    Tell users who their data will be shared with, how it will be stored, and for how long
  • Reversible
    GDPR Article 7(3) requires that withdrawing consent be as easy as giving it, so the same controls must stay reachable after the banner is dismissed, not only on the first visit

Read more about the necessary elements of compliant consent.

Examples of GDPR-Compliant Cookie Opt-In Forms

Express UK

Hailing from the United Kingdom (the largest English-speaking country directly affected by GDPR), this cookie opt-in form is from the UK tabloid Express. We won't comment on the accuracy of Express's reporting, but their forms do a pretty good job of describing what cookies are and letting users opt out of them.

First, you see this initial popup, which is a fairly-standard cookie opt-in notice:

Cookie notice with the option to change settings. GDPR Compliant Cookie Opt-In Examples

From there, you can see what “functional” cookies Express is using.

A page describing functional cookies, which can't be disabled.

This is becoming common terminology for cookies that essentially can't be turned off. According to Express, the site simply can't be used without them. Assuming the courts rule in their favor, this can be considered compliant, although we advise against it. The consent exemption in the ePrivacy Directive covers only cookies strictly necessary to deliver a service the user has explicitly requested, and labelling a cookie "functional" does not make it so; it is very much in question whether the cookies for Parse.IO and the other trackers listed are absolutely essential to the site.

Once you select “continue,” you’re shown the cookies that you can actually turn off.

A page showing the additional cookies used by Express, which can be disabled.

This form does an okay job of describing the purposes of the processing and lets you select from a granular list of tracking partners. They could do a better job of describing the benefits of such tracking, but they at least include all of the required information. It also links to the privacy policy of each partner, a good step toward helping users understand how their data will be used. You can even "reject all" if you don't want to allow any additional tracking.

Overall this form is simple and descriptive, and while the validity of the "Functional" category is suspect, that's one area in particular where many companies are taking their chances and waiting to see how the courts will rule.

 


The Telegraph

We decided to include this as an example of what not to do when letting your users select individual cookies. Another British newspaper, The Telegraph, has a fairly standard cookie opt-in notice:

The cookie opt-in banner with the option to select cookies.

That’s all well and good. But, once you try to change your cookie settings, you’re taken to this monstrosity:

A form with many boxes to check to disable cookies.

As you can plainly see, The Telegraph forces you to manually uncheck dozens of individual boxes to opt out of cookie tracking. The above image is cropped; there are actually more than 70 individual trackers, many of which can't be turned off, with very little explanation as to why. Pre-ticked boxes are also exactly what GDPR Recital 32 says do not constitute consent, so a form that starts with everything enabled has not collected valid consent for any of it.

While there's a button to "Opt-Out All," selecting it doesn't remove the cookie banner overlay and doesn't really seem to work. Not only is this an awful experience for users, it most likely fails the requirement in GDPR Recital 32 that a consent request be "not unnecessarily disruptive" to use of the service, and a withdrawal control that doesn't work falls short of Article 7(3), which requires withdrawing consent to be as easy as giving it. Why The Telegraph would need so many cookies in the first place is beyond us, but they should certainly offer an easier way to opt out of them individually.

OneTrust

OneTrust is a privacy-management company that offers prebuilt opt-in and consent tooling. We discovered OneTrust while researching cookie opt-in at CNN: CNN uses OneTrust's cookie opt-in template, so we decided to go snooping around OneTrust's own website. Here are the pages of its cookie notice:

  • OneTrust's first cookie page showing what cookies are and what they do.

    The first page gives an accurate description of what cookies are, how they are used, and what types of information they collect.

  • These are the cookies which you can't disable.

    Then, you're shown "necessary" cookies. As on the Express site, these are cookies you're not able to disable. However, we think this company does a much better job of explaining why.

  • These are performance cookies which can be disabled.

    Next, you're shown "performance" cookies, which help them track site traffic and metrics (e.g. Google Analytics, as listed).

  • These are the functional cookies, which can be disabled.

    Then, you can see “functional” cookies which allow for features like site personalization and web chats.

  • These are the tracking cookies in use by OneTrust.

    Finally, you can see "targeting" cookies, which allow them to show users relevant ads based on browsing activity. These are the cookies privacy-wary consumers are most concerned about, so giving the option to disable them is important.



What we like overall about this form is how it breaks down the different categories of cookie and lets you decide which categories to allow. This solves two problems: it shows what each group of cookies does without a single wall of text, and it lets users opt out of whole categories they don't want (solving the problem of The Telegraph's ridiculously long form).
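
As an added example (not code from Cuttlesoft, OneTrust, or any of the sites reviewed above), here is a small category-based consent store of the kind this form implies: every category except "necessary" is off until the user opts in, "reject all" genuinely clears the optional categories, the stored choice carries a policy version so a changed partner list re-prompts instead of silently reusing old consent, and third-party tags are only loaded for categories the user enabled. The cookie name, category list, and vendor names are assumptions for illustration; the code needs no DOM, so it runs as-is in Node.

```javascript
// Added example, not code from Cuttlesoft, OneTrust, or any site reviewed above.
// Cookie name, categories and vendor names below are assumptions for illustration.

const CATEGORIES = ["necessary", "performance", "functional", "targeting"];
const CONSENT_COOKIE = "cookie_consent"; // hypothetical first-party cookie name
const CONSENT_VERSION = 1; // bump whenever the partner list or purposes change

// No consent recorded: only strictly necessary cookies are allowed.
function defaultConsent() {
  return { v: CONSENT_VERSION, necessary: true, performance: false, functional: false, targeting: false };
}

// Read the stored consent from a Cookie header / document.cookie string.
// Missing, malformed, or stale (older policy version) values all mean
// "no consent given", never "everything allowed".
function parseConsent(cookieString) {
  const part = (cookieString || "")
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!part) return defaultConsent();
  try {
    const stored = JSON.parse(decodeURIComponent(part.slice(CONSENT_COOKIE.length + 1)));
    if (stored.v !== CONSENT_VERSION) return defaultConsent();
    const consent = defaultConsent();
    for (const cat of CATEGORIES) {
      // Only a literal boolean true counts; "true", 1, or a missing key stays off.
      if (cat !== "necessary") consent[cat] = stored[cat] === true;
    }
    return consent;
  } catch {
    return defaultConsent();
  }
}

// Build the Set-Cookie / document.cookie value for the user's choices.
// "necessary" is always on; every other category needs an explicit true.
function serializeConsent(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary") consent[cat] = choices[cat] === true;
  }
  const value = encodeURIComponent(JSON.stringify(consent));
  // Secure + SameSite=Lax: the consent record is first-party state and should
  // neither travel over plain HTTP nor be attached to cross-site requests.
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// The two bulk buttons the post asks for. rejectAll() must really clear every
// optional category, unlike the "Opt-Out All" button criticised above.
function rejectAll() {
  return serializeConsent({});
}
function acceptAll() {
  return serializeConsent(Object.fromEntries(CATEGORIES.map((c) => [c, true])));
}

// Tag gate: run this before injecting any third-party script. Tags whose
// category is unknown or not consented to are never loaded.
function allowedTags(consent, tags) {
  return tags.filter((t) => CATEGORIES.includes(t.category) && consent[t.category] === true);
}

// Constructed sample tag list; vendor names are illustrative only.
const SAMPLE_TAGS = [
  { name: "session", category: "necessary" },
  { name: "analytics", category: "performance" },
  { name: "chat-widget", category: "functional" },
  { name: "ad-network", category: "targeting" },
  { name: "unclassified-vendor", category: "other" }, // never loads
];

// Which tag names would load for a visitor whose browser sends this cookie string?
function tagsForVisitor(cookieString) {
  return allowedTags(parseConsent(cookieString), SAMPLE_TAGS).map((t) => t.name);
}

// Walkthrough: first visit, then "reject all", then a partial opt-in.
// split(";")[0] keeps just name=value, which is what the browser sends back.
console.log(tagsForVisitor(""));                                                      // -> ["session"]
console.log(tagsForVisitor(rejectAll().split(";")[0]));                               // -> ["session"]
console.log(tagsForVisitor(serializeConsent({ performance: true }).split(";")[0]));   // -> ["session", "analytics"]
```

In a real page the banner's Save button writes `serializeConsent(...)` to `document.cookie`, and `allowedTags` runs before any tag-manager or vendor script is injected, so a denied category never sets a cookie in the first place. The version check is the practical answer to the Express and Telegraph examples above: when a partner is added, the stored consent stops matching and the user is asked again rather than having new tracking slipped under old consent.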
 

Other Considerations

This post was meant to provide inspiration for making your cookie opt-in notices comply with data privacy regulations like GDPR. Overall, know that transparency and informed consent are major factors of compliance and that any attempt to deceive users may backfire. Note that this post is not intended to be legal advice. If you're unsure about your organization's practices regarding GDPR compliance, make sure to consult a legal professional.

If you’re looking for further resources about user interface and user experience design, check out the IAPP Guide to Consent as well as goodui.org.

Final Thoughts

In 2018, it's essential that opt-in forms meet high standards of both design and compliance. This is a challenge, but also an opportunity. By showing that you're committed to their privacy and their experience, you can establish a high level of trust with your users.

As your organization takes the necessary steps to achieve GDPR compliance, make sure that user experience and interface design are considered along the way. If you’re seeking a technology partner to help implement GDPR compliance measures and do so in a way that delights and surprises users, Cuttlesoft can help.
