The ruling reads that “Storing cookies requires internet users’ active consent. A pre-ticked checkbox is therefore insufficient”. This means that when you visit a website, and they ask if you’re okay with cookies, you should basically just be able to click ‘no’ and be done with it — unchecking a bunch of pre-checked boxes no longer counts as active consent. It should not look like this:
Buzzfeed’s cookie banner, once clicking through to “show vendors”
Buzzfeed use Quantcast to manage their cookie consent — if you decide to click through to set some preferences, you will be confronted with this long list of vendors. Some are already set to ‘on’. There’s no context as to what these are for.
Luckily there is a ‘reject all button’, but what if you never dug down this far? Are we to assume those are set to ‘on’ no matter what? The dark design pattern of not surfacing this information is prevelant accross many websites — it’s not transparent and does not give the user any real control.
☝️ This is why this new ruling is a good thing. The GDPR has always said that you need to get active consent from users before processing data that is not essential to delivering your site or service, but this ruling has very much clarified what ‘active consent’ means when it comes to cookies.
It’s actually pretty simple: you should not have to ‘opt-out’ of unessential cookies — the default should be that you receive no such cookies until you say you’re okay with them. Otherwise, what’s the point in being asked?
Make sure your cookie consent solution is lawful: check that you have proper control of how your users get consent. Good practice is to set default states for unessential cookies as off — give the user a chance to actually turn them on.
Even before this ruling, it was unlawful to drop cookies before getting active consent — but that never really stopped anyone.
It’s natural to be worried about losing out on analytics if those cookies aren’t being dropped straight away — or ever. Something that we’ve seen and will be implementing ourselves very soon in a ‘donate statistics’ button. This is a different way to ask if you can gather site stats and other analytics you might want to improve your products.
🤔 Why would anyone click that button? If someone likes what you’re doing, the chances are they will click it; people are much more likely help out organisations if they buy into the mission. First of all, you are being transparent with your users by having a button like this. Secondly, you are offering them full control of whether or not they give you data.
We’ve outlined more tips on how to handle cookie consent right here.
You shouldn’t have to do anything — it’s on the companies who run these websites to have a think about how they handle cookie consent.
If you ever want to check how many cookies a site might be dropping, our tool, aptly titled TrackerTracker does just that. Just scan a domain, and wait for the results — it will show you what cookies a website drops before getting consent from you. Another great tool is Privacy Badger; you can add it to your browser and it will block third-party scripts that are not needed for the page to work.
Here are some TrackerTracker results — lapatilla.com is one of the worst we’ve ever scanned.
Part of the problem is enforcement. Though this cookie consent ruling is great, as before, it could be tough to enforce. Even before this ruling, it was unlawful to drop cookies before getting active consent — but that never really stopped anyone.
How have websites been getting around this? Most cookie banners are entirely cosmetic — they don’t work; they don’t wait for your consent before dropping cookies, they just drop them as soon as the page has loaded. Clicking ‘yes’ or ‘no’ is a pointless action.
Being able to control the flow of your own data is a vitally important of maintaining privacy. That’s why this ruling is an important stepping stone to acheiving that.