What’s all the fuss about cookies?

These days, you’ve probably noticed all the annoying cookie-consent banners and popups that are showing up on websites and wondered, “What’s all this fuss about cookies?”

A cookie is a small piece of data that a website stores in your browser when you visit it. This data serves many purposes. First, cookies are used to help provide a better user experience, such as remembering the items you put in a shopping cart before you were ready to check out.

Cookies are also used to generate website analytics, tracking the numbers of visitors to a site as well as their behavior while on the site. And yes, cookies are also used by third-party advertisers to track traffic from ads placed on various websites.

An example of advertising cookies gone wild happened to me a few years ago when I was in the market for a new mattress. Of course, my first step was to look up online reviews for the various types of mattresses and their manufacturers. Then I quickly made my choice and bought the mattress.

The problem was that for several months afterward, the sidebars of most of the social media and news sites I visited were plastered with ads for mattresses. I was annoyed that they hadn’t gotten the memo that I was no longer in the market for a mattress!

We’ve all become more aware of the amount of data that’s out there regarding us as well as the sloppy ways in which some businesses have handled our personal information – including not being forthcoming about security breaches.

The European Union (EU) has taken the lead in creating legislation that requires businesses to put protections in place for the collection, use, and storage of identifiable personal data of EU citizens. On May 25, the GDPR (General Data Protection Regulation) legislation will go into effect for companies doing business with EU clients.

While the GDPR is geared more to business practices regarding personal data in general, the ePrivacy regulation is being drafted in tandem with the GDPR to regulate the use of cookies that track, store, and use an EU website visitor’s personal data.

The intent of the new ePrivacy regulation is to ensure that any website with visitors from the EU obtains freely given user consent to process and store their personal, identifiable data.

Most of the existing cookie notification popups inform users that the site they are visiting uses cookies (all sites do) and offer visitors the option to leave the site or to check a permission box that removes the notification box and lets them browse the website.

These “agree to our cookie policy or leave the site” popups are considered more of an “ultimatum” approach than a “freely given choice”; therefore, they won’t meet the new privacy criteria to be set forth in the upcoming EU ePrivacy regulation.

The new website cookie legislation requirements are to be based on three premises:

  1. EU website visitors must be offered a “freely-given choice” about the use of their data, which means that a site can’t pressure them into accepting cookies in order to access the website.
  2. The EU visitor must be informed of and give a clear affirmative to the various uses of their information, whether by checkboxes or a menu. These checkboxes or menus must not include pre-checked boxes since that makes them opt-out rather than opt-in.
  3. At any time, an EU website user should be able to withdraw previously-given consent through the same mechanism with which they gave it.

The rollout of the ePrivacy regulation for websites was to coincide with all the privacy policies being implemented by the GDPR by the May 25 deadline. However, the issues around how to obtain all these permissions on a website, without completely undermining the user experience, have caused the web regulations to be delayed.

The latest good news is that website owners may not need to worry about getting consent with cumbersome popups after all. The ePrivacy regulations folks are working on a method to allow users to indicate consent for various third-party cookies through their browser settings.

Under these refreshed rules, the burden for cookie-compliance will shift from administrators and front-end website development to the technical settings of browsers and applications.

When finalized, these changes should signal an end to the need for cookie-consent popups and/or cumbersome opt-in processes.

If you have a small, US-based website with customers in the EU and you choose to comply with GDPR regulations, you can use one of the old-style popups that you’ll find in the WordPress plugin repository. Check out this post from WPBeginner which will help you choose and install an appropriate popup.

But if you’re a small business in the U.S., you may want to take your chances. First, it’s unlikely that anyone in the EU will try and prosecute a small U.S.-based company for cookies violations at this point in time. Second, if you wait a bit for the new ePrivacy ruling to come out, there most likely will be built-in browser consent.

In the meantime, it’s a good idea to inform yourself about what data is being collected by your website, its plugins, advertising, and analytics. Once you know what you are doing and why, create a privacy policy that clearly spells out what data you collect, how you store it, and what you’ll do in case of a breach.

I hope that was clear as mud.

