What makes a cookie banner crap?

Cookie banners have been around for a long time, especially in Europe, but until the EU’s General Data Protection Regulations (GDPR) came into effect in 2018, they weren’t a big deal.

Cookie banners exist because the ad tech industry took a useful tool and weaponised it – using a mix of 1st and 3rd party cookies, they track web users across the web and build up detailed profiles of them. There is some debate about whether or not this level of invasiveness actually yields better results, but marketers think they want more data so they will have MOAR DATAS.

When GDPR kicked in, most websites deployed one of those banners that says “Hi, we use cookies and we assume if you carry on browsing, you’re OK with that”.

But then – in a shocking development – someone actually read the GDPR detail, and also looked at the older Privacy in Electronic Communications Regulations (PECR). In 2019, someone pointed out to the UK’s Information Commissioner’s Office (ICO) that their own website was breaking GDPR and PECR. ICO, woken from its slumbers, put on its reading glasses and looked at the detail. It was true: the regulator was breaking the regulations it existed to enforce.

ICO issued new guidance, which can be summarised as:

  • You need to explain to users that you’re setting cookies
  • Explain what the cookies are for
  • Ask for users’ consent
  • Cookie walls – “if you don’t accept my ad cookies, no access for you” – are not acceptable
  • Advertising and analytics cookies cannot be classed as ‘strictly essential’

This meant that “we use cookies and hope you’re OK with that” no longer cut the mustard.

Crap cookie banners typically:

  • Are really vague about what cookies they use and why
  • Don’t offer options to consent to individual cookies or categories
  • Set cookies before you’ve had a chance to consent
  • Set cookies even when you say ‘No’
  • Make the process really confusing using dark patterns
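
Two of those failings, cookies set before consent and cookies set after a ‘No’, can be checked from captured `Set-Cookie` response headers. The following is an added example, not part of the original post; every cookie name and header value is constructed, and the list of strictly necessary cookies is an assumption about what a site would declare.

```javascript
// Added example: cookie names and header values below are constructed.
// Assumption: the site declares these as its strictly necessary cookies.
const ESSENTIAL = new Set(["session_id", "csrf_token", "consent_choice"]);

// Parse one Set-Cookie header value into { name, deletes }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
  }
  // Max-Age takes precedence over Expires; a non-positive or past value removes the cookie.
  const deletes = maxAge !== null ? maxAge <= 0 : expires !== null && expires < Date.now();
  return { name, deletes };
}

// phases: { beforeChoice: [...headers], afterReject: [...headers] }
function auditBanner(phases) {
  const findings = [];
  for (const [phase, headers] of Object.entries(phases)) {
    for (const header of headers) {
      const { name, deletes } = parseSetCookie(header);
      // Removing a cookie, or setting a declared essential one, is not a finding.
      if (deletes || ESSENTIAL.has(name)) continue;
      findings.push({ phase, name });
    }
  }
  return findings;
}

const captured = {
  beforeChoice: [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "analytics_uid=42; Max-Age=63072000; Path=/",
  ],
  afterReject: [
    "consent_choice=rejected; Max-Age=15552000; Path=/",
    "analytics_uid=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
    "ad_profile=xyz; Max-Age=2592000; Domain=.example.com",
  ],
};
console.log(auditBanner(captured));
```

Response headers only show cookies set by the server; cookies written by scripts need the same comparison made against the browser's cookie store at each phase.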