惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Cloudflare Blog
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
L
LangChain Blog
W
WeLiveSecurity
P
Proofpoint News Feed
月光博客
月光博客
NISL@THU
NISL@THU
L
LINUX DO - 最新话题
Webroot Blog
Webroot Blog
T
Threatpost
Y
Y Combinator Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
T
Threat Research - Cisco Blogs
Vercel News
Vercel News
Jina AI
Jina AI
阮一峰的网络日志
阮一峰的网络日志
S
Schneier on Security
J
Java Code Geeks
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
小众软件
小众软件
MyScale Blog
MyScale Blog
N
News and Events Feed by Topic
Stack Overflow Blog
Stack Overflow Blog
有赞技术团队
有赞技术团队
The Hacker News
The Hacker News
Schneier on Security
Schneier on Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Help Net Security
Help Net Security
Recent Announcements
Recent Announcements
S
Security @ Cisco Blogs
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
Securelist
T
The Exploit Database - CXSecurity.com
云风的 BLOG
云风的 BLOG
C
Cisco Blogs
雷峰网
雷峰网
量子位
Google DeepMind News
Google DeepMind News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Spread Privacy
Spread Privacy
L
Lohrmann on Cybersecurity
I
Intezer
T
The Blog of Author Tim Ferriss
G
GRAHAM CLULEY
D
DataBreaches.Net
V
Vulnerabilities – Threatpost
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
罗磊的独立博客

Blog of Simple Analytics

The EU wants to kill cookie banners Google is tracking you (even when you use DuckDuckGo) German court rules Meta’s tracking tech violates GDPR Closing the data gap - Simple Analytics x Usercentrics The EU-US data deal may be dead in the water You are missing 20% of your website data with GA4 How a reverse trial will push Simple Analytics to the next level Google will start tracking all your devices (WTF?) Big Tech Fails EU’s Digital Services Act: Only Wikipedia Passes the Test Meta fined $102 million by the Irish Data Protection Commission Europeans spend 575 Million hours per year clicking cookie banners The most interesting GDPR fines GDPR and fines: all there is to know Google loses key antitrust case Web Analytics for Crypto Companies Web analytics for publishers Google pulls Uno Reverse card: Rolls back decision to kill third-party cookies Privacy Monthly July 2024 Privacy Perspectives June 2024 Privacy Monthly June APRA fumbles targeted advertising Privacy Monthly May Meta loses key privacy battle Google delays cookie phase-out once again Privacy Monthly April 2024 Web Analytics and Consent Cookies 101 Privacy Monthly March 2024 German authority cracks down on cookie banners Google Tag Manager vs Google Analytics Google search alternative Data retention in Google Analytics Guide to Google Analytics and Cookie consent What are Google Analytics' identifiers? How to export data from Google Analytics Privacy Monthly February 2024 The Criteo case: a big deal for Big Tech Privacy Monthy January 2024 What the Digital Markets Act means for privacy Google Settles in $5B Incognito Mode Lawsuit Legal troubles for Adobe Analytics Web analytics for nonprofits HIPAA and mental health Why Meta subscriptions are under attack, and why it matters for privacy Privacy Monthly: December Simple Analytics AI Host analytics on Cloudflare Zaraz Add Google Analytics to Convertkit Google Analytics Pricing - Paid vs Free Road to 1 Million ARR - October update CCPA and Data Protection: all there is to know Analytics without a cookie banner Enterprise Analytics Privacy Monthly: November 2023 Delete Act: all you need to know Mobile App Tracking Under Fire The road to 1 Million ARR - September Update Privacy Monthly: October 2023 HIPAA violations First challenge to the EU-US data transfer framework Direct Marketing under GDPR Road to 1 million ARR - August Update CCPA vs CPRA: what is new? Privacy Monthly: September 2023 A/B Testing with Simple Analytics Dobbs v. Jackson ruling is a privacy mess Privacy Monthly: August 2023 What are your rights under the CCPA? When does the CCPA apply? How does the HIPAA compare to the CCPA and GDPR? Why Meta is in a world of trouble CJEU: cookie-based analytics collects sensitive data Road to 1 million ARR - July update All about the new Data Transfer Framework Road to 1 Million ARR - June update What is PHI under HIPAA? Sweden declares Google Analytics illegal Searching for GA4 Alternatives? Top 10 Reliable Options for Google Analyticss Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers Privacy Monthly: June 2023 More troubles for Google Analytics The path to 1M ARR - May Update Data Processing Agreements Minimal Product Analytics Facebook data transfers declared illegal Is Google Analytics CCPA-compliant? Help us with your input GDPR Compliance Checklist Privacy Monthly: May 2023 Simple Analytics: Privacy-first website analytics Improve your e-commerce performance with analytics European Facebook blackout is closer than we think Know your website’s Carbon Emissions - and how to reduce it The path to 1M ARR - April 2023 How to add video tracking using Google Tag Manager? How to track form submissions using Google Tag Manager? Why is my Simple Analytics data different from Google Analytics? Debug Simple Analytics script How to Import Google Analytics Data to Simple Analytics
Cookie banners: How to stay GDPR compliant?
Carlo Cilent · 2023-05-16 · via Blog of Simple Analytics

Cookie banners are everywhere on the Internet, and everyone hates them. They break the navigation flow and often require several clicks through a confusing interface to say “no thank you.” Today we will look at them and explain what they are for and- most importantly- how websites can avoid needing one.

Let’s dive in!

  1. What are cookies?
  2. What are cookie banners?
  3. Why are cookie banners needed?
  4. Does your website need a cookie banner?
  5. How do I make my cookie banner compliant?
    1. Do not manipulate visitors!
    2. Provide clear, transparent information
    3. Honor user preferences
  6. Are cookie banners bad for your website?
  7. Between a rock and a hard place
  8. Time to go cookieless

The UK Government chose Simple AnalyticsJoin them

What are cookies?

Cookies are pieces of information stored on a user’s browser. Websites use cookies for various purposes, such as analytics, web marketing, ensuring web security, making automatic log-ins possible, remembering your language and UI settings, and tracking items in your online shopping cart.

Not all cookies are the same. Third-party cookies are the most invasive, as they can track you across different websites. On the other hand, first-party cookies cannot do that. Other important distinctions between cookies are essential vs. non-essential and identifying vs. non-identifying.

Cookie banners are pop-ups that ask for your consent to the use of cookies when you first land on a website. If you have Internet access, you know exactly what they look like and how annoying they are.

Cookie banners pop when you first visit a domain and prevent you from browsing it until you make a choice. Some present you with a transparent choice, while others make rejecting cookies as confusing and annoying as possible- for instance, by hiding the option to reject cookies with a low-contrast font or by burying the option in a second layer that requires multiple clicks to access. They typically contain a link to a privacy policy (which is more exactly a privacy notice in the legal jargon).

cookie-banners.png

In the EU, the ePrivacy Directive requires consent for a specific type of cookie- that is, non-essential cookies. If you use non-essential cookies, you need consent before your website reads and writes them. In practice, you need a cookie banner to process such cookies.

Rules are different in other jurisdictions. Some laws have similar requirements to the ePrivacy Directive, while others only require a cookie notice or require no pop-up at all.

If your website uses non-essential cookies, then it needs a cookie banner. Non-essential cookies are not needed for the functionality of a website and are typically used for web analytics and marketing.

In practical terms, you need a cookie banner if you use Google Analytics or any other cookie-based analytics software.

Do not manipulate visitors!

Your cookie banner should be transparent and allow users to reject cookies easily.

You don’t need to take our word for it. Months ago, a European Data Protection Board task force published a report on cookie banners. The task force examined the most common deceptive design strategies from cookie banners and found them to be mostly illegal. Therefore, deceptive cookie banners do not collect valid consent and make the use of cookies unlawful under the ePrivacy Directive.

The Board is the EU institution where all privacy authorities from the Union and the EEA sit, so the report gives us a good idea of how cases will be handled.

In a nutshell, rejecting cookies should be as easy as accepting them. If you really need to use cookies for tracking, put a “reject all” button in the first layer, make it as visible as the “accept button,” and ensure that the option does exactly what it says.

Of course, if you do this, more people will reject your cookies. There is no way around this: Empowering people to make privacy-friendly choices is the very reason for the existence of cookie banners.

Provide clear, transparent information

There is more to cookie banners than allowing for easy cookie rejection. Under the GDPR your cookie banner needs a cookie notice or link to one. This blog can give you an idea about the information you need, but each notice must be tailored to a specific website.

Honor user preferences

This goes without saying, but if your visitor does not want cookies, you should not place them.

This is far more common than you may think: many websites simply ignore cookie prefences entirely- because they don't care, or because they didn't set up their web analytics correctly.

Not honoring cookie preferences is a terrible idea. It is fundamentally unfair and also quite likely to get you in trouble because users can easily check their cookies for each website. If you lied to them and ignored your preferences, they might (understandably) decide to make your life harder and reach out to a privacy authority.

Cookie banners are not great for your website. User experience is key, especially for first-time visitors. Annoying them with a big, flashy pop-up as soon as they land on your website is not exactly a good start.

Cookie banners are not great for web analytics, either. An increasing number of users reject cookies. It’s difficult to get accurate numbers, but according to Eurostat data from 2020 and 2021, almost half of European Internet users between the ages of 16 and 74 sometimes reject advertising cookies (you need to play around with the Eurostat’s website, but the data is there). It is not a stretch to imagine that a substantial portion of them reject cookies often.

These numbers are based on cookie banners found “in the wild,” so to speak. In all likelihood, rejection rates would be much higher if all users were presented with a transparent cookie banner that makes rejection easy, as required under EU privacy law. In fact, a study from a Chilean government agency shows that 95% of people reject cookies when given a clear and transparent choice!

Of course, using cookies can allow a web analytics tool to collect more accurate, fine-grained data. But is losing data from a substantial portion of your audience worth it?

And let’s not forget that widely used browsers such as Safari and Brave have built-in settings that can automatically block certain cookies, and other browsers can do the same with ad-blocker extensions. When users of these technologies visit your websites, some cookies (typically third-party ones) will still be blocked, even if they click “accept” on the banner.

According to 2021 data, about 35% of Europeans limit the use of cookies through their browser or device. This means that as much as one-third of your audience might be invisible to cookie-based analytics. These visitors cannot be convinced, deceived, or worn down through “click fatigue.”

Between a rock and a hard place

Users of cookie-based analytics face a dilemma in the EU.

Nudging visitors via a deceptive banner can net you passable opt-in rates but also violates EU data protection law. This is both wrong and risky- even more so now that the rules are clearer than ever.

On the other hand, people don’t like being tracked and will often say “no thanks” when given a transparent choice. If you allow visitors to reject cookies easily, expect your acceptance rates to drop pretty badly.

And as if this wasn’t enough, a substantial portion of your audience will block your cookies via their browser no matter what you do.

compliance.png

Time to go cookieless

The tighter GDPR enforcement gets, the more the cons of cookie-based analytics will outweigh its pros. If you ask us, web analytics without tracking is the privacy-friendly, respectful, and future-proof way to go.

This is why we built Simple Analytics to provide you with insights without collecting a single bit of personal data. Our software is built to do more with less, all while complying with privacy laws. If this sounds good, feel free to give us a try!