The draft ePrivacy Regulation was first presented by the EU in 2017. However, it has to be agreed by both the European Parliament and the Council of the European Union. (The Council consists of government representatives of each EU member state.)
This is where it gets messy. Since 2017, the European Parliament and the Council haven’t been able to agree on the scope and detail of the ePrivacy Regulation.
That’s because some countries — widely thought to include the Nordic states of Finland and Denmark — want to strengthen the current ePrivacy Directive. They want users, for example, to be able to
set acceptance and rejection of tracking cookies in their browsers, not on every site they visit.
But other countries, notably Austria and believed also to include those with sizeable digital marketing and advertising sectors, say this is bad for business. It’s thought the 27 EU member states are split down the middle on this issue — and they’re all being heavily lobbied by the tech industry.
So the draft regulation has been ricocheting back and forth between the European Commission and its Working Party on Telecommunications and Information Society as they try to agree its scope. In November 2020, the Working Party
However, when it comes down to the detail, there are times when I recommend taking a risk-based approach. That’s what we’ve done at Cyber-Duck — and here’s why.
our original cookie notice. You see these everywhere. They’re pretty meaningless — users just hit accept and continue on their way. It didn’t matter if the user had accepted cookies or not — Google Tag Manager (GTM) fired when they landed as cookies were enabled by default, meaning we would get our analytics data. (Image source: Cyber-Duck) ( Large preview)
But we wanted to be compliant, so we replaced it with this notice. You’ll see that tracking cookies are turned off by default —
in line with ICO guidance. We knew there was a risk we would lose analytics data as GTM would no longer fire on first load.
Let’s see what happened.
Our new cookie banner followed ICO guidelines, but... (Image source: Cyber-Duck) ( Large preview)
Problem solved? Actually, no. It just created another problem. The impact was far more significant than we expected:
The new cookie consent caused our tracked traffic to collapse. (Image credits: Cyber-Duck) ( Large preview)
Look at the collapse in the blue line when we implemented the new cookie notice. We released the new cookie consent on 17 December and went straight from plenty of tracked traffic to almost zero. (The orange line shows the previous year’s traffic, for comparison.)
In both the before-and-after scenarios, the default option was by far the most popular. Most users just naturally click on “accept” or “confirm”. That’s tricky, because we now
know so little about the people visiting our site that we can’t give them the best information tailored to their needs.
We needed a solution. Analytics and marketing data ultimately drive business decisions. I’m sure we all know how important data is. In this case, it was like putting money in a bank account and not knowing how much we’d spent or saved!
Some of the solutions that were posed include
design alternatives (would removing the toggle, or having two buttons with a visual nudge towards the “accept” help?) Or would we enable analytics cookies by default?
For now, we’ve implemented a compromise position. Marketing and analytics cookies are on by default, with one clear switch to toggle them off:
Then we iterated again. (Image credits: Cyber-Duck) ( Large preview)
And here’s what that’s done to our stats:
This iteration brought back a chunk of attributable traffic. (Image credits: Cyber-Duck) ( Large preview)
The new cookie banner was relaunched on 15 January. You can see our website traffic starts to pick back up again. However, we’re not getting the full data we were getting before as Google Tag Manager doesn’t fire unless a user chooses cookies.
The good news is, we are getting some data back again! But the story doesn’t end here. After we had
turned cookie tracking back on by default, the attribution model got messed up. It wasn’t attributing to the correct channel in Google Analytics.
Here’s what we mean:
Scenario 1: (Correct Attribution) User lands on our website via a paid ad (PPC) or from the search result (organic) User accepts cookies straight away. The channel source is attributed correctly, e.g. to PPC. Scenario 2: (Incorrect Attribution) User lands on our website via a paid ad (PPC) or from the search result (organic) User visits a few other pages on our website without responding to the cookie banner prompt (banner appears on every page until it gets a response) User finally accepts cookie banner after browsing a few pages. Attribution comes through as direct — although they originally came from a search engine.
How does that work? When a user browses other pages on the site,
nothing is tracked until they respond to the cookie prompt. Tracking only kicks in at that point. So to Google, it looks as though the user has just landed on that page — and they are attributed to Direct traffic.
Back to the drawing board.
Note: I’m sure by now you’re starting to see a pattern here. This entire experience is new for us and there’s not a lot of documentation around, so it’s been a real learning curve.
Now, how could we solve this attribution issue and stop users from navigating around the site until they’ve selected their cookie preference?
cookie wall is one option we considered, but that would potentially push us further away from being compliant, according to the ICO. (Though you might like to try browsing their site incognito and see if they stick to their own guidance…) In the end, we had to settle on a compromise. (Image credits: Cyber-Duck) ( Large preview)
But that’s what we’ve chosen to go with. The journey ends here for now, as we’re still gathering data. In the future, we want to
explore other tools and the potential impact of moving away from Google Analytics.
So what’s everyone else doing?
Well, McDonald’s UK offers straightforward on/off buttons:
McDonald’s UK gives straightforward cookie choices. (Image credits: McDonald’s UK) ( Large preview)
Coca Cola’s British site nudges you to accept by making the ‘reject’ option harder to find:
Coca-Cola’s UK site nudges you to accept cookies. (Image credits: Coca Cola UK) ( Large preview)
Whereas Sanrio just has an option to agree to ad tracking:
Sanrio just gives the option to agree to cookies. (Image credit: Sanrio.com) ( Large preview)
Hello Kitty, hello cookies.
Die Zeit offers free access if you accept tracking cookies — but for an untracked, ad-free experience you’ll have to pay:
Die Zeit offers free access with cookies — but for an untracked experience, you have to subscribe. (Image credit: Die Zeit) ( Large preview)
And here’s one of my favourite dark patterns. This restaurant site only has the ‘Necessary’ cookies selected. But it nudges you to the ‘Allow all cookies’ big red button — and when you click that, the analytical and ad cookie boxes are automatically checked and set.
Give it a go here! Pinchos’ cookie consent is a good example of a dark pattern. (Imagae credit: Pinchos.se) ( Large preview)
Even the EU isn’t consistent on its own sites.
The European Parliament’s cookie consent offers two clear options:
The European Parliament’s cookie notice gives two clear options. (Image credit: European Parliament) ( Large preview)
The CJEU’s site isn’t so clear:
The CJEU’s cookie consent offers three choices: necessary cookies, accept all and more information. (Image credit: EU Court of Justice) ( Large preview)
While Europol’s site comes with two pre-checked boxes:
Europol’s cookie consent has analytics cookies automatically checked. (Image credit: Europol) ( Large preview)
And if you look at the sites for the
German presidency of the Council of the European Union (July–December 2020), at first it seems as if there’s no cookies at all: Cookies? What cookies? (Image credit: eu2020.de) ( Large preview)
When you land on the site, there are no cookie banners or prompts. A closer look, with cookie extension tools, shows that no cookies are being placed either.
So are they capturing any analytics data? The answer is yes.
The eu2020.de site tracks users using Piwik, now Matomo. No cookies here! ( Large preview)
We found this little snippet in their code, which shows they are using ‘Piwik’. Piwik is now known as
Matomo, one of a clutch of new tools that help with cookie compliance along with Fathom (server-side tracking) and HelloConsent (cookie management).
alternatives and solutions are emerging. We’ll take a closer look at that next time — with new alternatives to third-party cookies that will help you take control of your data and get the insight you need to deliver optimum experiences to your customers. Stay tuned! Further Reading