Robust cookie permissions are vital: marketers must proactively work with legal teams on their correct implementation

More and more organisations are being driven by their legal departments to implement cookie consent solutions (aka consent management platforms CMPs) such as OneTrust across their websites and mobile apps. Frequently, legal departments choose the legally ‘safe option’ of blocking all cookies without explicit consent. This is usually not the optimum solution for the business or website visitors.

This blog looks at some of the issues and solutions to obtaining consent in a simple and transparent manner and recommends that marketers take ownership and work proactively with their legal teams for the benefit of the business and their website visitors.

A theoretically simple solution

A legally simple solution is to implement a new cookie consent module on a website that blocks all cookies by default.
Website and app visitors are encouraged to read detailed cookie and privacy policies before they give their consent to cookies (which have been segmented to a granular level).
All prior cookies consents are deleted, and a fresh start made.

The challenges of simple solution

Visitors, including regular visitors, to a website are frustrated to be asked repeatedly to make multiple choice answers about which cookies they want to permit.

Lengthy cookie and privacy policies written in legal speak obfuscate the permissions that the visitor is agreeing to.
The business loses visibility about potentially up to 90% of visitors to their website which means they are nearly blind to which of their advertising spend is working.
Valuable cookie consents that have been built up over years are now lost, preventing the targeting of advertising.

Fairness and transparency

How marketers obtain consent to use personal data is something that we take very seriously at equimedia. There are legal necessities and a tacit agreement of fairness and transparency that needs to exist between a website and its visitors. We marketers spend a lot of our time trying to understand and build trust with their customers and potential customers. This makes us well placed to advise legal departments on ways to present information that gives genuine choice to visitors.

Categorisation of cookies

I am using OneTrustas an example of a popular cookie consent solution that is agnostic to the website technology itis implemented on. OneTrust describes itself as “The #1 most widely used platform to operationalize privacy, security & data governance”. For transparency, let me explain that equimedia has no direct relationship with OneTrust, it is simply being used as an example.

A visitor to the OneTrust’s implementation on their own website is greeted with a window that looks like this:

The visitor is required to make one of three choices “Allow All”, “Disable All” or “Customize Settings”. The “Customize Settings” link brings up the following set of options:

It is crucial that all visitors are required to make a choice, it should not be possible for them to continue to use the website whilst ignoring all the consent options presented.

Cookie categories

OneTrust designates four categories:

Strictly necessary cookies
Analytics cookies
Functional
Targeting

Strictly necessary cookies

The most basic cookie is one that records a visitor’s cookie permission preference. Without this cookie your website will need to ask a visitor for their permission preferences as they navigate to every single page on the site. For this reason, this must remain ‘always active’ requiring a user to agree to these cookies in order use the website.

Analytics cookies

These cookies are usually for tools such as Google Analytics, Adobe Analytics or Google Ads. It is worth noting that the terms of use for these three products require all user information to be anonymised.

Legal teams often take the safe approach and request that these cookies be opt-in. The problem here is that this leaves marketers blind to up to 90% of users who do not opt-in. This prevents the tracking of conversions – such as sales transactions or form completions - that are essential for the optimisation of marketing campaigns.

Consideration: some website owners consider it a commercial necessity to set Analytics cookies to “Always Active” (and explaining why to their website visitors). This is something that you will need to take legal advice on.

Functional cookies

Examples of these types of cookies are those that power include website optimisation services such as hotjar, Google Optimize and Adobe Target. These anonymously observe how users interact with the website so that marketers can use the data to make the journey through the website as seamless and as slick as possible.

Targeting cookies

These are the cookies that vex users and privacy groups the most. These cookies allow marketers (whether the website owner or a third party such as a social media company) to build up a profile of the website visitors and to help target their advertising. An example of this is remarketing advertising to previous website visitors. It is important to remember that they do not collect personal information but gather data based on identifiers for a user’s browser, internet device, search history and location that all contribute to the user’s knowledge graph held by the likes of Google and Facebook.

Google Consent Mode

Where setting analytics cookies as “Always Active” is not possible, an alternative option called Google Consent Mode is in beta testing. When Consent Mode is deployed and a website visitor declines Analytics cookies, the cookie consent modules does not place a cookie onto the visitor’s browser (obviously). Instead, it sends a ping to Google’s servers via the consent module that allows any conversion events that take place during the session to be recorded. This will allow the analytics tools to register that a conversion has taken place but nothing else about the visitor. The beta of Consent Mode works for Google Analytics, Google Ads, Floodlight and Conversion Linker.

The legal framework for this is still not fully clear. Undoubtedly cookie and privacy policies will need to be updated if Consent Mode is deployed.

The equimedia Analytics & Insight team is testing this solution and will provide advice and recommendations shortly.

Impact on tag management solutions

Websites commonly deploy tag mangers such as such as Google Tag Manager or Adobe Tag Manger to simplify the management of the tags for the myriad of third-party services that a modern website requires.

Depending on the implementation of OneTrust (or any other cookie consent system) it may be necessary to re-configure the triggers in the tag manager so that they fire (or not fire) correctly and in the correct order.

Some of the OneTrust implementations that we’ve worked on recently did not require any additional configuration of tags as OneTrust’s autoblocking handles this. However, it is always essential to test source code to ensure to ensure that the tag manager fires properly in the first place.

8 top tips for implementing a new cookie consent system

1. Marketers should take ownership for using best practice for obtaining consent. Be proactive about explaining the issues and discussing the options with your legal team. Do not avoid this engagement when you know that your consent framework is below best practice. The result could be that your legal team will mandate an implementation without understanding the impact on website visitors or marketing performance.

2. Audit your existing permissions framework. There may be elements where the permissions are too weak for today’s legal requirements and best practice. However, it is likely that other elements such as email opt-in are perfectly fine. Segment and audit your permissions to avoid the ‘if in doubt, trash everything and start again’ approach.

3. Communicate your plans early (minimum of 6 months) to all stakeholders including your external marketing and technical agencies. There may be implications that you are unaware of. Use this opportunity to educate stakeholders of the legal and best practice requirements in each jurisdiction that you operate.

4. Take the opportunity to review and update your website’s terms and conditions and privacy policy and engage with your legal teams to ensure it is readable and understandable by your target audience. If appropriate, support your target audience by providing a simplified explanation to the legal terms.

5. Every single visitor to your website is obliged to interact with your cookie consent module which makes it one of the most vital UX elements on the whole website. We often see cookie consent modules that are applied ‘out of the box’ by web development teams with no consideration for the website’s styling or usability, so consider customising your cookie consent messages.

Involve your UX and CRO teams from early in the process so that they can make it easy and obvious for a visitor to make their choices. It is against best practice to pre-select “Allow all” but design clues can make this the obvious choice. Nearly always make the “Allow all” button the right-most choice on a desktop and the bottom-most choice on a mobile and make it highly visible.Naturally, test functionality and performance on both desktop and mobile devices.

6. Test the implementation on a small part of your web assets (in both staging and live environments). The implementation can be technically challenging and the knock-on impact to important Core Web Vitals elements such as page load times and CLS (page jumping around on load). A high risk ‘big bang’ approach is rarely a wise strategy.

7. Negotiate a time for full implementation that is outside of your peak trading season and isolated from other web development work. It is not a good idea to implement this at the same time as a new website or migration because it will be difficult to understand if the change in web performance and analytics data is due to the website change or the change in cookie consent.

8. Agree with stakeholders a periodic review of the permissions. An annual review is sensible in most cases.

Please get in touch with equimedia’s experienced Analytics team for more information or a review of your Analytics set up or processes.

Useful references:

ICO Guide to Consent

Cookies, the GDPR, and the ePrivacy Directive

Consent Mode (beta) - Analytics Help (google.com)

OneTrust Supports Google's Newest Solution: Consent Mode

Get In Touch

First Name

Last Name

Phone

Company Name

Job Title

Equimedia needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our terms of service.

Privacy & Cookie Policy ...

This site is operated by equimedia Limited, a company incorporated in England (registration number 3892399), the registered office of which is First Floor, Stella Building, Whitehall Way, Windmill Hill Business Park, Swindon, SN5 6NX.

As a valued visitor to our website, we are committed to maintaining your privacy and being clear & transparent on how we use cookies and any personal data you submit to us.

PERSONAL DATA

If you complete a form on this site, you will be asked to provide certain information about yourself (such as your name, address and email address). equimedia respects the privacy concerns of users of this web site and complies with all applicable UK Data Protection legislation currently in force in relation to its treatment of personal information. This privacy statement sets out our policy in relation to how it uses any personal information collected from you through your use of this site.

By disclosing your personal information to equimedia Limited, you consent to the collection, storage and processing of your personal information in the manner set out in this privacy policy.

In the event that you would like to update your details or have any queries regarding this privacy statement please contact equimedia by any method set out at the bottom of this page.

Prior to completing a form on this website you will also be asked to confirm that you have read our terms and conditions. Our terms and conditions explain how we securely store and use your data. They also explain how this website uses cookies (as below).

USE OF COOKIES

equimedia use cookies to recognise website visitors and to store the way visitors use this site. This allows us to analyse website activity, so we can optimise the user experience and make sure we offer the best content for visitors. We use cookies in order to give us information on the number of visitors to different parts of our website and thus to monitor which areas are most useful.

We also occasionally run targeted advertising to generate relevant traffic for this website. In order to target this advertising effectively, we use a cookie to ensure this advertising is targeted and relevant.

The cookies we use do not contain any personally identifiable information.

LINKS

This site contains some links to other websites. We are not responsible for the content or privacy policies of any of these sites.

CHANGES TO THIS POLICY

The equimedia privacy policy may change at any time, so you may wish to check it each time you visit our website.

CONTACT DETAILS

By Post:

equimedia Limited
Stella Building
Windmill Hill Business Park
Whitehill Way
Swindon
SN5 6NX

CAPTCHA

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

Post Information

Author	James Gardner
Channel	SEM