The draft ePrivacy Regulation was first presented by the EU in 2017. However, it has to be agreed by both the European Parliament and the Council of the European Union. (The Council consists of government representatives of each EU member state.)
This is where it gets messy. Since 2017, the European Parliament and the Council haven’t been able to agree on the scope and detail of the ePrivacy Regulation.
That’s because some countries — widely thought to include the Nordic states of Finland and Denmark — want to strengthen the current ePrivacy Directive. They want users, for example, to be able to set acceptance and rejection of tracking cookies in their browsers, not on every site they visit.
But other countries, notably Austria and, it is believed, those with sizeable digital marketing and advertising sectors, say this is bad for business. It’s thought the 27 EU member states are split down the middle on this issue — and they’re all being heavily lobbied by the tech industry.
So the draft regulation has been ricocheting back and forth between the European Commission and its Working Party on Telecommunications and Information Society as they try to agree its scope. In November 2020, the Working Party
However, when it comes down to the detail, there are times when I recommend taking a risk-based approach. That’s what we’ve done at Cyber-Duck — and here’s why.
Here’s our original cookie notice. You see these everywhere. They’re pretty meaningless — users just hit accept and continue on their way.
[Image: It didn’t matter if the user had accepted cookies or not — Google Tag Manager (GTM) fired when they landed as cookies were enabled by default, meaning we would get our analytics data. (Image source: Cyber-Duck)]
But we wanted to be compliant, so we replaced it with this notice. You’ll see that tracking cookies are turned off by default — in line with ICO guidance. We knew there was a risk we would lose analytics data as GTM would no longer fire on first load.
Let’s see what happened.
[Image: Our new cookie banner followed ICO guidelines, but... (Image source: Cyber-Duck)]
Problem solved? Actually, no. It just created another problem. The impact was far more significant than we expected:
[Image: The new cookie consent caused our tracked traffic to collapse. (Image credits: Cyber-Duck)]
Look at the collapse in the blue line when we implemented the new cookie notice. We released the new cookie consent on 17 December and went straight from plenty of tracked traffic to almost zero. (The orange line shows the previous year’s traffic, for comparison.)
In both the before-and-after scenarios, the default option was by far the most popular. Most users just naturally click on “accept” or “confirm”. That’s tricky, because we now know so little about the people visiting our site that we can’t give them the best information tailored to their needs.
We needed a solution. Analytics and marketing data ultimately drive business decisions. I’m sure we all know how important data is. In this case, it was like putting money in a bank account and not knowing how much we’d spent or saved!
Some of the solutions that were posed include design alternatives: would removing the toggle, or having two buttons with a visual nudge towards “accept”, help? Or would we enable analytics cookies by default?
For now, we’ve implemented a compromise position. Marketing and analytics cookies are on by default, with one clear switch to toggle them off:
[Image: Then we iterated again. (Image credits: Cyber-Duck)]
And here’s what that’s done to our stats:
[Image: This iteration brought back a chunk of attributable traffic. (Image credits: Cyber-Duck)]
The new cookie banner was relaunched on 15 January. You can see our website traffic starts to pick back up again. However, we’re not getting the full data we were getting before as Google Tag Manager doesn’t fire unless a user chooses cookies.
The good news is, we are getting some data back again! But the story doesn’t end here. After we had turned cookie tracking back on by default, the attribution model got messed up. It wasn’t attributing to the correct channel in Google Analytics.
Here’s what we mean:
Scenario 1 (Correct Attribution):
1. User lands on our website via a paid ad (PPC) or from the search result (organic).
2. User accepts cookies straight away.
3. The channel source is attributed correctly, e.g. to PPC.
Scenario 2 (Incorrect Attribution):
1. User lands on our website via a paid ad (PPC) or from the search result (organic).
2. User visits a few other pages on our website without responding to the cookie banner prompt (banner appears on every page until it gets a response).
3. User finally accepts cookie banner after browsing a few pages.
4. Attribution comes through as direct — although they originally came from a search engine.
How does that work? When a user browses other pages on the site, nothing is tracked until they respond to the cookie prompt. Tracking only kicks in at that point. So to Google, it looks as though the user has just landed on that page — and they are attributed to Direct traffic.
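The two scenarios above, modelled as an added example (not code from the original article or from Cyber-Duck): a consent-gated tag only sees hits from the page on which the visitor accepts, so the first recorded hit decides the channel. The host name, the sample page views and the simplified channel rules in `classify` are assumptions, not Google Analytics' actual attribution logic.

```javascript
// Added example: constructed data and simplified channel rules (assumptions),
// not Google Analytics' real attribution logic.
const SITE_HOST = "www.example.com"; // placeholder for the site being measured

// Decide a channel from the only two things a tag sees on a hit:
// the page URL (campaign parameters) and document.referrer.
function classify(hit) {
  const params = new URL(hit.url).searchParams;
  if (params.has("gclid") || params.get("utm_medium") === "cpc") return "Paid Search";
  if (!hit.referrer) return "Direct";
  const refHost = new URL(hit.referrer).hostname;
  if (refHost === SITE_HOST) return "Direct"; // internal referrer: the external source is gone
  if (/(^|\.)(google|bing|duckduckgo)\./.test(refHost)) return "Organic Search";
  return "Referral";
}

// consentIndex: index of the page view on which the visitor accepts cookies,
// or null if they never respond. The tag records nothing before that point.
function attributeSession(pageViews, consentIndex) {
  const tracked = consentIndex === null ? [] : pageViews.slice(consentIndex);
  return {
    channel: tracked.length ? classify(tracked[0]) : null,
    trackedHits: tracked.length,
    lostHits: pageViews.length - tracked.length,
  };
}

// Constructed visit: paid-ad click, then two internal page views.
const PPC_VISIT = [
  { url: "https://www.example.com/services?gclid=TEST-CLICK-ID", referrer: "https://www.google.com/" },
  { url: "https://www.example.com/work", referrer: "https://www.example.com/services?gclid=TEST-CLICK-ID" },
  { url: "https://www.example.com/contact", referrer: "https://www.example.com/work" },
];
// Same visit without the ad click ID, i.e. an organic search landing.
const ORGANIC_VISIT = PPC_VISIT.map((h) => ({ url: h.url.split("?")[0], referrer: h.referrer.split("?")[0] }));

function runScenarios() {
  return {
    scenario1: attributeSession(PPC_VISIT, 0),        // accepts on landing page
    scenario2: attributeSession(PPC_VISIT, 2),        // accepts on third page
    organicLate: attributeSession(ORGANIC_VISIT, 1),  // accepts on second page
    neverAnswered: attributeSession(PPC_VISIT, null), // banner ignored
  };
}

console.log(runScenarios());
```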
Back to the drawing board.
Note : I’m sure by now you’re starting to see a pattern here. This entire experience is new for us and there’s not a lot of documentation around, so it’s been a real learning curve.
Now, how could we solve this attribution issue and stop users from navigating around the site until they’ve selected their cookie preference?
A cookie wall is one option we considered, but that would potentially push us further away from being compliant, according to the ICO. (Though you might like to try browsing their site incognito and see if they stick to their own guidance…)
[Image: In the end, we had to settle on a compromise. (Image credits: Cyber-Duck)]
But that’s what we’ve chosen to go with. The journey ends here for now, as we’re still gathering data. In the future, we want to explore other tools and the potential impact of moving away from Google Analytics.
So what’s everyone else doing?
Well, McDonald’s UK offers straightforward on/off buttons:
[Image: McDonald’s UK gives straightforward cookie choices. (Image credits: McDonald’s UK)]
Coca Cola’s British site nudges you to accept by making the ‘reject’ option harder to find:
[Image: Coca-Cola’s UK site nudges you to accept cookies. (Image credits: Coca Cola UK)]
Whereas Sanrio just has an option to agree to ad tracking:
[Image: Sanrio just gives the option to agree to cookies. (Image credit: Sanrio.com)]
Hello Kitty, hello cookies.
Die Zeit offers free access if you accept tracking cookies — but for an untracked, ad-free experience you’ll have to pay:
[Image: Die Zeit offers free access with cookies — but for an untracked experience, you have to subscribe. (Image credit: Die Zeit)]
And here’s one of my favourite dark patterns. This restaurant site only has the ‘Necessary’ cookies selected. But it nudges you to the ‘Allow all cookies’ big red button — and when you click that, the analytical and ad cookie boxes are automatically checked and set. Give it a go here!
[Image: Pinchos’ cookie consent is a good example of a dark pattern. (Image credit: Pinchos.se)]
Even the EU isn’t consistent on its own sites.
The European Parliament’s cookie consent offers two clear options:
[Image: The European Parliament’s cookie notice gives two clear options. (Image credit: European Parliament)]
The CJEU’s site isn’t so clear:
[Image: The CJEU’s cookie consent offers three choices: necessary cookies, accept all and more information. (Image credit: EU Court of Justice)]
While Europol’s site comes with two pre-checked boxes:
[Image: Europol’s cookie consent has analytics cookies automatically checked. (Image credit: Europol)]
And if you look at the sites for the German presidency of the Council of the European Union (July–December 2020), at first it seems as if there are no cookies at all:
[Image: Cookies? What cookies? (Image credit: eu2020.de)]
When you land on the site, there are no cookie banners or prompts. A closer look, with cookie extension tools, shows that no cookies are being placed either.
So are they capturing any analytics data? The answer is yes.
[Image: The eu2020.de site tracks users using Piwik, now Matomo. No cookies here!]
We found this little snippet in their code, which shows they are using ‘Piwik’. Piwik is now known as Matomo, one of a clutch of new tools that help with cookie compliance along with Fathom (server-side tracking) and HelloConsent (cookie management).
So alternatives and solutions are emerging. We’ll take a closer look at that next time — with new alternatives to third-party cookies that will help you take control of your data and get the insight you need to deliver optimum experiences to your customers. Stay tuned!