Are your website cookie banners GDPR compliant?

April 9, 2020

Remember way back when in 2018 when you had to add a cookie banner to your website? Well, you probably did it wrong. You're not compliant now, and you certainly won't be when the new ePrivacy Regulation (ePR) comes out.

Ok, navigate to your website as you read this. How do you know if I'm right? Look at what banner is displayed when your screen loads in a fresh browser (clean of cookies). Does a banner display that has two options, "Accept" and "Decline"? Ok, then that's a good start. Is there a "Show Purposes / Learn More" link? Even better. Click the "Show Purposes" link. Is there a tracking consent checkbox already pre-selected? Ooops. You're not compliant.

Technically, the ePrivacy Directive 2002/58/EC (yes, 2002!) already made it clear that websites were supposed to do something... what that something was, was ambiguous. There were plenty of ways to get around the "letter" of the directive (and, it was only a directive). GDPR implemented a new set of regulations that governed much more than the little cookie, but cookies are where I'm going to focus for this article.

First off, let's get some of the basic stuff out of the way.

  • Cookies are considered "Personal Data" under the GDPR. Recital 30, GDPR, Definitions.
  • Cookies that are "strictly necessary" to the functioning of the website do not require informed consent. 2009/136/EC, (66) Also known as the "Cookie Law".
  • A cookie that's not "strictly necessary" cannot be placed on the user's system unless they've given "unambiguous consent".

What do these three things mean in reference to your website? First, look into your cookie policy. Did you place a cookie on the user's system before they had made a choice, planning to remove it only if they opt out? Not good. A user has to have unambiguously opted in to that cookie. Going to delete it if they opt out, but want to place it there anyway, just for safekeeping? Well, you've just broken the GDPR rule for the processing of "personal data" without consent. There's no easy way to put it, except that you've been doing it wrong and have to change.

Is it ok to have an "Accept" button on that banner as long as there's a "Show Purposes" (or similar)? Probably, for now. But that may change with the new ePR that's currently in draft form. Is it ok in the "Show Purposes" options screen to have pre-selected checkboxes for anything other than cookies that are "strictly necessary"? No. Just ask Planet49.

"No one will opt-in, if we don't obfuscate the choice", you say. Well, you're right. But obfuscation isn't regulated in the GDPR; you just need to "nudge" your users in the direction you want them to go. According to one study, GDPR, if applied correctly, would "lead to less than 0.1% of users actively consenting to the use of third-party cookies." (Utz, Degeling, et al.) This means that you have to entice them to opt-in to tracking by explaining the benefits. A simple "We can't survive without your support." may be enough to convince your die-hard users.

And no, a "Cookie Wall" won't solve your problems either. The Dutch have already ruled it illegal, but that case is currently under challenge. I'm expecting no surprise here when it gets to the Court of Justice of the EU. Even if you have a paywall, you still can't assume consent. (At this point, I'd like to make a prognostication: Not only will the "Cookie Wall" be found non-compliant, but I would bet that the "Email Address Wall" for downloading marketing content -- like our own whitepapers -- will also be deemed non-compliant, soon enough.)

So, let me get to the bad news (yes, that was the good news). Any consent that you collected for any cookies prior to the introduction of the GDPR has to be re-collected. I imagine that most of you probably created new cookies as part of your switch to the 'cookie banner'. That's good. If you didn't, then you need to do so. What do you do with the old cookie? I'll leave that up to you.

But what I mean by that goes well beyond the cookie. Did they consent to being sent a newsletter? Did you have a pre-selected check box there? Then you need to re-collect those newsletter consents as well -- from everybody who consented pre-GDPR. And what about all those third-party cookies that you previously placed on their systems? You may not place new cookies, but those old ones are still there.
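As an added example (my own illustration, not code from this post or from ysura), here is a small consent-gated cookie helper that models the rules from the paragraphs above: nothing beyond "strictly necessary" cookies is placed until an explicit opt-in has been recorded, no purpose is pre-ticked by default, a withdrawn consent removes what it no longer covers, and any consent that is undated or dated before the GDPR became applicable (25 May 2018) is flagged for re-collection. The cookie names, purpose names and the jar object are constructed for illustration; in a real page the jar would be `document.cookie`.

```javascript
// Added example, not from the post: consent-gated cookie placement.
// The cookie names and purposes below are a constructed catalogue.
const COOKIE_CATALOGUE = {
  consent_state: { purpose: "strictly_necessary" }, // remembers the banner choice itself
  session_id:    { purpose: "strictly_necessary" }, // login / shopping-cart session
  _perf_sample:  { purpose: "performance" },        // optional, needs an opt-in
  _tracker:      { purpose: "tracking" },           // optional, needs an opt-in
};

// Date from which the GDPR applied; consents recorded before it must be re-collected.
const GDPR_APPLICABLE_FROM = new Date("2018-05-25T00:00:00Z");

// Banner default: every non-essential purpose is unticked (no pre-selected boxes).
function defaultConsent() {
  return { performance: false, tracking: false, recordedAt: null };
}

// Record an explicit opt-in. Only purposes the user actively set to true become true;
// anything missing, falsy or merely truthy-looking stays at the unticked default.
function recordConsent(choices, when = new Date()) {
  const consent = defaultConsent();
  for (const purpose of Object.keys(choices)) {
    if (purpose in consent && purpose !== "recordedAt" && choices[purpose] === true) {
      consent[purpose] = true;
    }
  }
  consent.recordedAt = when.toISOString();
  return consent;
}

// May this cookie be placed under this consent record?
function mayPlace(name, consent) {
  const entry = COOKIE_CATALOGUE[name];
  if (!entry) return false;                                  // unknown cookie: never
  if (entry.purpose === "strictly_necessary") return true;   // exempt from consent
  if (!consent || !consent.recordedAt) return false;         // no decision made yet
  return consent[entry.purpose] === true;                    // only if actively ticked
}

// The jar stands in for document.cookie so this runs outside a browser.
function placeCookie(jar, name, value, consent) {
  if (!mayPlace(name, consent)) return false;
  jar[name] = value;
  return true;
}

// Delete every cookie that the (new or withdrawn) consent no longer covers.
function enforceConsent(jar, consent) {
  for (const name of Object.keys(jar)) {
    if (!mayPlace(name, consent)) delete jar[name];
  }
  return jar;
}

// Undated or pre-GDPR consents do not count; the banner has to be shown again.
function needsRecollection(consent) {
  if (!consent || !consent.recordedAt) return true;
  return new Date(consent.recordedAt) < GDPR_APPLICABLE_FROM;
}
```

The point of routing every cookie write through `placeCookie` is that the "accept" path and the "decline" path cannot diverge: the catalogue, not the calling code, decides whether a cookie is exempt, and a tracker can only ever be written against a consent record that was explicitly ticked and dated.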

Do I have a solution for this problem? Well, that depends on who's reading this. For us, as a company, while we (currently) still have a banner in place, I personally see no reason to place any cookies (except those that shut that banner up -- e.g., "strictly necessary") on our website at all. We sell products and services, and our potential customers find us. We don't need to track their interactions with our website in any way except anonymously (for performance reasons and to make sure we have no dead links). Anonymous tracking doesn't require a cookie. We see the web requests, and we don't need to know where they came from. It's just not in our business model.

If your business model relies on tracking users personally, especially over several websites (3rd party cookies), then I can't help. All I can say is that you've got some rough days ahead, once the ePR is released.

Simply put, if your business model doesn't require advertising revenue, then you don't need to track your users. I can see the value in the publishing industry, believe me. Better and more targeted ad placement can earn a lot of revenue. After all, targeted advertising is the only purely online (non-physical-product) business model that has really worked. The publishing industry has been in decline for years, and I'd hate to see the days of free, high-quality information slinking off behind a paywall. Sometimes that works. The Washington Post (my hometown newspaper) was able to find a way. Sometimes, it doesn't.

I'd also love to know where our website users come from. But I'd rather they feel comfortable with us as a company. A company that truly does understand GDPR, and its implications in the pharmaceutical industry. I want them to trust me. I want them to contact me so I can help them navigate this issue (which gets even more complex in pharma). That's why we'll be removing our tracking cookies as soon as we have the time. At least prior to ePR.


Side Note: I'm still arguing with our marketing department - I don't want Google Analytics on our site either.

Disclaimer: I’m no expert, nor a lawyer. We as a business just provide our customers tools that help them survive these pitfalls. You should feel free to ask your own lawyer for advice. She will probably tell you something similar to what I said. I know mine did.

Greg Herman

Senior Product and Project Manager at ysura GmbH
