10th December 2021

Robust cookie permissions are vital: marketers must proactively work with legal teams on their correct implementation

James Gardner
Head of SEO

More and more organisations are being driven by their legal departments to implement cookie consent solutions (also known as consent management platforms, or CMPs) such as OneTrust across their websites and mobile apps. Frequently, legal departments choose the legally ‘safe option’ of blocking all cookies without explicit consent. This is usually not the optimum solution for the business or website visitors.

This blog looks at some of the issues and solutions to obtaining consent in a simple and transparent manner and recommends that marketers take ownership and work proactively with their legal teams for the benefit of the business and their website visitors. 

A theoretically simple solution 

  • A legally simple solution is to implement a new cookie consent module on a website that blocks all cookies by default.   

  • Website and app visitors are encouraged to read detailed cookie and privacy policies before they give their consent to cookies (which have been segmented to a granular level).

  • All prior cookie consents are deleted and a fresh start is made.

The challenges of the simple solution

  • Visitors, including regular visitors, to a website are frustrated to be asked repeatedly to make multiple choice answers about which cookies they want to permit. 

  • Lengthy cookie and privacy policies written in legal speak obfuscate the permissions that the visitor is agreeing to. 

  • The business loses visibility of potentially up to 90% of visitors to its website, which means it is nearly blind to which of its advertising spend is working.

  • Valuable cookie consents that have been built up over years are now lost, preventing the targeting of advertising. 

Fairness and transparency 

How marketers obtain consent to use personal data is something that we take very seriously at equimedia. There are legal necessities and a tacit agreement of fairness and transparency that needs to exist between a website and its visitors. We marketers spend a lot of our time trying to understand and build trust with our customers and potential customers. This makes us well placed to advise legal departments on ways to present information that gives genuine choice to visitors.

Categorisation of cookies  

I am using OneTrust as an example of a popular cookie consent solution that is agnostic to the website technology it is implemented on. OneTrust describes itself as “The #1 most widely used platform to operationalize privacy, security & data governance”. For transparency, let me explain that equimedia has no direct relationship with OneTrust; it is simply being used as an example.

A visitor to OneTrust’s implementation on its own website is greeted with a window that looks like this:

The cookie consent options on onetrust.com 

The visitor is required to make one of three choices: “Allow All”, “Disable All” or “Customize Settings”. The “Customize Settings” link brings up the following set of options:

Management Preferences

It is crucial that all visitors are required to make a choice; it should not be possible for them to continue to use the website whilst ignoring all the consent options presented.

Cookie categories 

OneTrust designates four categories: 

  • Strictly necessary cookies 

  • Analytics cookies 

  • Functional  

  • Targeting 

Strictly necessary cookies 

The most basic cookie is one that records a visitor’s cookie permission preference. Without this cookie your website will need to ask a visitor for their permission preferences as they navigate to every single page on the site. For this reason, this cookie must remain ‘always active’, requiring a user to agree to these cookies in order to use the website.

Analytics cookies 

These cookies are usually for tools such as Google Analytics, Adobe Analytics or Google Ads.  It is worth noting that the terms of use for these three products require all user information to be anonymised.   

Legal teams often take the safe approach and request that these cookies be opt-in.  The problem here is that this leaves marketers blind to up to 90% of users who do not opt-in.  This prevents the tracking of conversions – such as sales transactions or form completions - that are essential for the optimisation of marketing campaigns.  

Consideration: some website owners consider it a commercial necessity to set Analytics cookies to “Always Active” (and explain why to their website visitors). This is something that you will need to take legal advice on.

Functional cookies 

Examples of these types of cookies are those that power website optimisation services such as Hotjar, Google Optimize and Adobe Target. These anonymously observe how users interact with the website so that marketers can use the data to make the journey through the website as seamless and as slick as possible.

Targeting cookies 

These are the cookies that vex users and privacy groups the most. These cookies allow marketers (whether the website owner or a third party such as a social media company) to build up a profile of the website visitors and to help target their advertising.  An example of this is remarketing advertising to previous website visitors. It is important to remember that they do not collect personal information but gather data based on identifiers for a user’s browser, internet device, search history and location that all contribute to the user’s knowledge graph held by the likes of Google and Facebook. 

Google Consent Mode 

Where setting analytics cookies as “Always Active” is not possible, an alternative option called Google Consent Mode is in beta testing. When Consent Mode is deployed and a website visitor declines Analytics cookies, the cookie consent module does not place a cookie onto the visitor’s browser (obviously). Instead, it sends a ping to Google’s servers via the consent module that allows any conversion events that take place during the session to be recorded. This will allow the analytics tools to register that a conversion has taken place but nothing else about the visitor. The beta of Consent Mode works for Google Analytics, Google Ads, Floodlight and Conversion Linker.

The legal framework for this is still not fully clear.  Undoubtedly cookie and privacy policies will need to be updated if Consent Mode is deployed. 

The equimedia Analytics & Insight team is testing this solution and will provide advice and recommendations shortly.  

Impact on tag management solutions  

Websites commonly deploy tag managers such as Google Tag Manager or Adobe Tag Manager to simplify the management of the tags for the myriad of third-party services that a modern website requires.

Depending on the implementation of OneTrust (or any other cookie consent system) it may be necessary to re-configure the triggers in the tag manager so that they fire (or do not fire) correctly and in the correct order.

Some of the OneTrust implementations that we’ve worked on recently did not require any additional configuration of tags as OneTrust’s autoblocking handles this. However, it is always essential to test source code to ensure that the tag manager fires properly in the first place.
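As an added example (not equimedia's or OneTrust's code), the sketch below shows how a stored consent choice can be turned into the Consent Mode state described above and into a list of tags that are allowed to fire, which is the result to compare against what the tag manager actually fires during testing. The `OptanonConsent` cookie layout and the category IDs `C0001` to `C0004` follow OneTrust's usual defaults and are assumptions to check against your own configuration; the tag inventory and sample cookie are constructed.

```javascript
// Added example: derive Google Consent Mode settings and tag permissions from a
// OneTrust-style consent cookie. Category IDs are assumed defaults, not from the page.
const STRICTLY_NECESSARY = 'C0001';
const CONSENT_TYPE_BY_CATEGORY = {
  C0002: 'analytics_storage', // Analytics cookies
  C0004: 'ad_storage',        // Targeting cookies
};

// Constructed sample of an OptanonConsent cookie value (URL-encoded, as stored).
const SAMPLE_COOKIE =
  'datestamp=Fri+Dec+10+2021&groups=C0001%3A1%2CC0002%3A1%2CC0003%3A0%2CC0004%3A0';

// Return the set of category IDs the visitor has granted. Anything missing,
// malformed or not explicitly "1" counts as declined (default deny).
function grantedCategories(cookieValue) {
  const granted = new Set([STRICTLY_NECESSARY]); // always active
  const groups = new URLSearchParams(cookieValue || '').get('groups') || '';
  for (const pair of groups.split(',')) {
    const [id, flag] = pair.split(':').map((s) => s.trim());
    if (id && flag === '1') granted.add(id);
  }
  return granted;
}

// Build the object passed to gtag('consent', 'default' | 'update', ...).
function toConsentState(cookieValue) {
  const granted = grantedCategories(cookieValue);
  const state = {};
  for (const [category, type] of Object.entries(CONSENT_TYPE_BY_CATEGORY)) {
    state[type] = granted.has(category) ? 'granted' : 'denied';
  }
  return state;
}

// Names of the tags whose category is granted; use this to check trigger
// configuration against what actually fires. Tags with no category never fire.
function allowedTags(tags, cookieValue) {
  const granted = grantedCategories(cookieValue);
  return tags.filter((t) => granted.has(t.category)).map((t) => t.name);
}

// Hypothetical tag inventory for the check.
const TAGS = [
  { name: 'consent-banner', category: 'C0001' },
  { name: 'analytics', category: 'C0002' },
  { name: 'heatmap', category: 'C0003' },
  { name: 'remarketing', category: 'C0004' },
];
```

On a page, the default state `toConsentState(null)` would be sent with `gtag('consent', 'default', ...)` before any tags load, and the state from the real cookie with `gtag('consent', 'update', ...)` once the visitor has chosen.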

8 top tips for implementing a new cookie consent system

1. Marketers should take ownership of using best practice for obtaining consent. Be proactive about explaining the issues and discussing the options with your legal team. Do not avoid this engagement when you know that your consent framework is below best practice. The result could be that your legal team will mandate an implementation without understanding the impact on website visitors or marketing performance.

2. Audit your existing permissions framework. There may be elements where the permissions are too weak for today’s legal requirements and best practice.  However, it is likely that other elements such as email opt-in are perfectly fine. Segment and audit your permissions to avoid the ‘if in doubt, trash everything and start again’ approach.  

3. Communicate your plans early (minimum of 6 months) to all stakeholders including your external marketing and technical agencies. There may be implications that you are unaware of. Use this opportunity to educate stakeholders about the legal and best practice requirements in each jurisdiction in which you operate.

4. Take the opportunity to review and update your website’s terms and conditions and privacy policy and engage with your legal teams to ensure they are readable and understandable by your target audience. If appropriate, support your target audience by providing a simplified explanation of the legal terms.

5. Every single visitor to your website is obliged to interact with your cookie consent module which makes it one of the most vital UX elements on the whole website. We often see cookie consent modules that are applied ‘out of the box’ by web development teams with no consideration for the website’s styling or usability, so consider customising your cookie consent messages.

Involve your UX and CRO teams from early in the process so that they can make it easy and obvious for a visitor to make their choices. It is against best practice to pre-select “Allow all” but design clues can make this the obvious choice. Nearly always make the “Allow all” button the right-most choice on a desktop and the bottom-most choice on a mobile and make it highly visible. Naturally, test functionality and performance on both desktop and mobile devices.

6. Test the implementation on a small part of your web assets (in both staging and live environments). The implementation can be technically challenging and can have a knock-on impact on important Core Web Vitals elements such as page load times and CLS (page jumping around on load). A high-risk ‘big bang’ approach is rarely a wise strategy.

7. Negotiate a time for full implementation that is outside of your peak trading season and isolated from other web development work. It is not a good idea to implement this at the same time as a new website or migration because it will be difficult to understand if the change in web performance and analytics data is due to the website change or the change in cookie consent.

8. Agree with stakeholders a periodic review of the permissions. An annual review is sensible in most cases.  

Please get in touch with equimedia’s experienced Analytics team for more information or a review of your Analytics set up or processes.

