image of Are you still GDPR compliant?

Are you still GDPR compliant?

May 25, 2020 - 14 min read

In the following few pages, I will walk you through the new guidance that was released in February 2020 and the actions you need to take in order to be compliant with the new cookie law. Start out with a closer look at the new rules, followed by the actions we need to take and a brief implementation guide. 
At the end of the article, I will reflect on how these new laws will affect the market and suggest where to go from here.

Are you not familiar with GDPR? Read GDPR for latecomers here: https://medium.com/@charlibregnballe/gdpr-compliance-for-the-latecomers-f47818571320

So what are the rules?

Put simply; The user needs to be able to choose whether they want to allow or disallow cookies upon visiting a website that’s using cookies. Don’t know what a cookie is? Learn more here: https://www.allaboutcookies.org/cookies/

In more detail, there are a few things we need to take into consideration in our quest to reach compliance.
First off, the user needs to be presented with the different options when he enters the site and before any cookies are set in his browser.
You need explicit consent from the user before you can add any cookies that collect or process personal data. The options could be the following:

  • Allow all cookies
  • Allow selected cookies -> With a list of cookies categorized into statistics, marketing, preferences, and necessary cookies.
  • Do not allow, but the necessary cookies.

Or like this example, with only 2 buttons:

Cookiebox modal

*Remember when presenting the option where the user can select which cookies to allow, you cannot make the checkboxes be checked by default. It has to be an active action from the users' side to select which ones to accept. Second, we need to list all the cookies on the site with a description of their purpose. Furthermore, it’s required to provide an option for the users to withdraw or change their consent and this needs documentation, of course. Let’s go into even more detail and go through the actions step by step.

Actions we need to take

  • First of all, you need to create an overview of the cookies that are on your website. We can divide them into the following categories;
    • Necessary cookies -> These cookies are needed to make the website work properly. It could be a session cookie that keeps the user logged in across sessions.
Note; Since the HTTP protocol is a stateless protocol, it is needed to have these kinds of session cookies. For instance, if you want to remember the user between page views where you keep him logged in.
    • Preference cookies -> It is a bit more vaguely defined, but these cookies are set to allow some kind of functionality, like remembering a choice the user made. It could be their country or their preferred sorted order of items.
    • Statistic cookies -> An example could be google analytics. They are used for collecting data to be used for statistics. But keep in mind that they also can contain personal data.
    • Marketing cookies -> This is harder because these 3rd party cookies are usually set in the user’s browser, in order to collect data and/or recognize him on other websites. The purpose is usually to show him “relevant” ads. If you browse a product on a web shop, this product could very likely be presented in an ad at a later time, due to these marketing cookies.
Put simply; The marketers set a cookie in the browser and if this cookie is recognized on another site, the advert system knows that you are likely to be interested in this particular product.
  • Create a list of all cookies and describe their purpose.
  • Create a dialog popup box where you present the user with the option to store only necessary cookies, all or selected ones. It’s important that the checkbox is not checked by default.
  • Configure and store the user’s consent and make it editable and withdrawable.
  • Create a cookie policy, where you describe how you use the cookies, what data you store, why you store it and what it’s used for. And if you share it with a 3rd party.

Implementation

Since some of these actions are hard for a non-technical person or even a technical person to deal with, we can consider using a service to handle this. I’ve had good success with and can recommend a service called cookiebot. They can take care of the following:

I should mention that I am not associated with Cookiebot by any means.

  • Listing and describing all cookies
  • Dialog popup with the configurable options and text
  • Handle consent on the user level

It does require a little configuration though. Depending on your website I would suggest you go through the following steps:

  1. Implement cookiebot. -> It's simple, just add the scripts to your site.
  2. Run a scan to see what cookies you have and make sure they all have a category and a description/purpose.
  3. Configure the dialog box to have the right buttons and text.
  4. Create a new page where you:
  • Add your cookie policy.
  • List all the cookies you have. This can be done from a cookiebot script.
  • Present an option for the user to see, edit and withdraw their cookie consent, which is also a feature of cookiebot.

Once this is done you should try to open your website (with cookies cleared of course) and see if it's working. Remember to make sure that no cookies are set before you click the dialog box. If you still see some cookies, you can manually add them to cookiebot script.
It can happen in cases where tracking scripts are loaded before the cookiebot script or if you use google tag manager. In the cases where you need to manually handle the cookies, you can edit the script to look like this:

<script type="text/plain" data-cookieconsent="statistics"> <script type="text/plain" data-cookieconsent="marketing">


Depending on the cookie type.
Cookiebot will then pick up the tag and make sure to include or exclude it.

For google tag manager scripts are often added through triggers and can sometimes overrule the cookiebot script. 
To handle that, you need to adjust the triggers to only fire if the cookie of the script type is present. As in the example, this trigger only fires when true conditions are true.

The condition is created as a variable like this:

GTM and cookiebot

GTM and cookiebot

You can find the variable as a community template gallery in tag manager by searching for cookiebot. This will make sure the cookie consent of statistics is present before firing.
So it basically checks for the cookie with the consent type and only fires if it’s present. Remember to adjust the category so they are listed correctly as either statistics, marketing, preferences, or necessary.
Once you are done, remember to double-check that everything is working as intended.

You should also create a new cookie policy alongside your privacy policy. In the new cookie policy you should describe the following:

  • List the cookies you store. Cookiebot includes this in their service, where you just paste a script in, which will generate the list.
  • Why you store them and what their purpose is. This should actually be for each cookie. Leave no cookies unmarked or undescribed.
  • Describe the different cookie categories, like marketing, statistics, preferences, and necessary cookies.

You also need to handle the users' consent here. For each user, you need to be able to document which consent they have given and when. And they should easily be able to view, edit and withdraw their consent. Luckily this is also a service cookiebot offers, simply a script you add to the page. On your account, you can follow the consent and see statistics. Some people add a description of what a cookie is and how to remove it from the browser, as a service to the users. If you share data with a 3rd party, you should also list them here with an explanation of who they are, what you share with them, and why.

How does this affect the market?

We have yet to see the full effect of the new law, but it will bring big changes. Disallowing marketing cookies does mean that the user will not be able to see adverts on your site the traditional way. The thing is, you have no way of knowing which cookies a banner sets, what data they collect, what they use it for, and how the user can retrieve it. And since it is an active choice to allow these, it is very likely that the majority of the users will disallow it.
The new law combined with the different browsers starting to block the 3rd party cookies out of the box makes it a good time to start innovating since this will change the market. Does that mean banners and online advertising are dead? - No.
Does it mean the 3rd party cookie is dead? - Maybe. It does mean that we have to start looking into alternatives though. There is already a wide range of services trying to address this issue. Some are utilizing 1st party cookies and serve ads without the option to make “normal” retargeting. Others turn their focus toward the native ad formats. Some even make their own sandbox version of an ad-serving data center. From the advertiser's point of view, the traditional 3rd party cookie makes it possible to see which pages the users visited and expose the user to the same advert on different platforms. This will likely disappear, at least the way it used to be. The option to group users into categories, like if you visited a shop that’s selling shoes, the advertisers will know you are interested in shoes, will also be very limited in the future. You do still have the option to gather, analyze, and group data from the visitors on your site. You are then able to expose a group of users to a selected range of ads, so it will be somewhat relevant. The law here is trying to prevent 3rd party cookies, that collect data, which you have no control over, while the 1st party cookies are within your control, so you can make sure they do not violate the law. So the options are either with correct consent from the user or without personal data. It just means we have to do it differently and with respect to people's privacy and the law.
No matter if you are a marketer or a publisher, I think we will see an increased use of native advertising and content marketing. And if the publisher websites adapt to the new changes and follow up with a new data strategy, to expose users to relevant content, then it would likely be somewhat close to the ads we know. The main difference and this is important, is that the ads will be booked on the site they will display on. So if a publisher writes an article about shoes, this will (hopefully) attract a group of shoe-interested people and then you will be able to buy an ad there. What we can hope the publisher will do is also expose the user who viewed the shoe article, to the shoe advert on different pages, but still on the same site.

Where to go from here?

Usually, tight constraints create a great space for innovation. One thing is certain though, we need to look into other options for tracking and advertising along with a long-term strategy for how to collect, process, and use our data. For statistics, your google analytics will only give you data from the users who accepted the statistics cookies. So the data will be inaccurate. 
A range of options is already available, where you can get almost the same data points from either 1st party cookies and/or serverside tracking. So you will, if you invest some time and money, be able to get an analytics-like product up and running, where you track all sessions, but without violating the law. The important thing is to not rely on data from 3rd party cookies, since they will be less and less frequent. This will lead to inaccurate datasets and therefore not a viable long-term solution. 
With the 1st party cookie, you can control which data is collected and simply not collect any personal data or make sure you have consent before you do it. For the advertising, we will hopefully see an even stronger working relationship between publishers and marketeers, because the RTB advert market will properly drop.
This could very well favor niche sites with increased use of native advertising and content marketing. Marketers will need to advertise on relevant pages with their content to reach the right audience.
Somehow it reminds me of the market a few years back.
I would advise all the publishers to look into how they can collect and use the data in a legal way.
Collecting data with 1st party cookies and serverside tracking can give you an even better understanding of your users. Combined with a well-defined strategy and a good implementation, you will be able to segment users and create a mini-marketing platform. Marketers can push their adverts to categorized and segmented groups of users, depending on their product or content, through your platform. Put simply; You can create personalized content based on the data you collect, on our site. If you are a publisher, it is important to provide some valuable options for the marketeers and keep providing good ad spaces. With a strong platform, you might even be able to increase your revenue, since you have the right audience and provide some good options to target them. Keep in mind it will be harder to target your audience on other sites. If you are a marketer, this means that you can’t just spend all your budget on RTB adverts, programmatic, and retargeting. You have to reach out to the media or publisher sites who has the audience your client wants to reach. Targeting the right audience is still the way to go, but it might be less spread and more focused campaigns in the future. Less is more maybe? Feel free to reach out to me if you have any comments, questions, or feedback in general.