Image via istockphoto
Eric Gockel

Written by Eric Gockel


You’ve probably seen those banners on some websites notifying you that they’re using cookies and asking you to say it’s OK to make it go away. Or you could click a little x to make the banner go away without saying it’s OK and continue to browse the website anyway.

Other websites have some tiny text in the footer saying, “By using this website, you accept cookies.” This won’t fly with the new General Data Protection Regulations (GDPR) for your EU visitors.

What are cookies again?

We’re talking about bits of data placed in your browser by websites. Cookies are used for many things, like remembering if you’re logged in, what’s in your shopping cart, and your browser history, as well as helping customize your preferences.

Cookies can also be used by services like Google Analytics to track what pages you look at, for how long, and what search terms you use to land on a page. Advertisers will also track what you’ve looked at and which ads you clicked on.

The GDPR is big on privacy; we recently wrote more about it here. Depending on how some cookies are set up, even if they don’t specifically identify you, they could still be used to single you out based on your device, location, and other criteria. So, cookies will still be a big part of this compliance game.

Gone are the days of pre-checking a checkbox to throw someone in your email list or soliciting them for other unrelated crap they didn’t ask for, at least for our EU friends. You must let people know if and when you capture their information and what you intend to use it for. And ask if it’s OK first. This includes cookies.

According to the ICO in the UK from their Privacy and Electronic Communications Regulations (PECR), the three basic things you need to do to comply are:

  • Tell visitors there are cookies on your website
  • Describe what the cookies are for and why
  • Get the visitor’s consent to store cookie(s) on their device.

Ideally, it would be best to give visitors an option to opt out of any or all of the cookies your site serves up while still allowing them to use your website in some capacity after selecting cookies they don’t want.

“Even if the user refuses the user cookie, the cookie is already dropped and the cookie is already tracked,”

Guillaume Marcerou, Criteo

That said, you need to be able to ask the visitor their cookie preference when they first land on your website before you drop any cookies. Only after they’ve opted in should you start applying cookies.

Making your website cookie-compliant for the newer regulations doesn’t have to cost a lot of dough. You can use services and add-ons, but check with your developer first.

We’ve found that we like Insites’ free and open-source Cookie Consent. It has three types of compliance you can configure:

  • Just tell visitors your site uses cookies
  • Let visitors opt out of cookies
  • Ask visitors to opt in to cookies

For additional granularity, you may want to explore Civic’s Cookie Control, which gives visitors the option to opt out of types of cookie categories like analytics marketing and preferences and third-party opt-out support. It is also available as a plugin module for Drupal, Joomla, and WordPress CMS.

Don’t get burned

After you’ve done your due diligence and documented all the cookies on your website and what they do, new ones can pop up under your radar.

“In general, a website owner can be held liable for GDPR violations by a third party that is collecting EU personal data by dropping pixels.”

Doug McPherson, OpenX

Some third-party components like Optimizely, Google, and others may insert many new cookies without notice. This includes third-party vendors as well as when Javascript libraries are updated.

If you’re not already monitoring, services like Fluxguard help you keep track of third-party code or cookie changes.

Need help crafting a solution for your website? Contact us.

CookiesEuropean UnionGDPR