Data Privacy

Passed back in 2002, the EU's Digital Privacy Directive outlined how companies should approach data collection, privacy, and security in an ethical and legal way. The directive mentions cookies specifically as a useful tool that can facilitate many of the web's core functions like shopping carts, single-sign-on, and persistent website preferences. It also recognizes that cookies have a potential for abuse and it offers a solution: the ability for users to opt-out of cookie tracking if they desire, and a strong set of rules about how personal data can be used.

Now, though, an even stronger set of privacy rules has superseded the original data privacy directive and intensified the need for informed consent and affirmative opt-in for all forms of data collection and user tracking. As of May 2018, Europe's General Data Protection Regulation (GDPR) is in effect, and companies are making big changes to become compliant.

That's not the only change in the works, either. In 2019, the ePrivacy Regulation will further impact cookie tracking by simplifying and streamlining the consent process and tweaking the conditions for consent slightly. For now, though, GDPR is law, and that's what we'll be focusing on in this post.

The biggest challenges to cookie tracking opt-in are that (a) consumers aren't well educated about what cookies are and that (b) even savvy consumers aren't aware of the legitimate uses of cookie tracking. The challenge is to present cookie tracking to users in a way that shows that you won't be spying on them (or if you are, why) and shows that cookies can provide value by creating a more convenient experience on your site.

Your cookie tracking opt-in forms should be at least as descriptive as the rest of your processing consent forms. That represents the bare minimum for compliance. For cookie forms specifically, there are a few more things to consider -- especially if you want to maintain a good relationship with your users.

Your cookie opt-in forms should be:

  • Educational - Your form should explain what cookies are in an easy-to-understand way
  • Descriptive - Your form should describe how you'll use cookies and their data
  • Helpful - You need to show how cookies will improve a user's experience
  • Transparent - Tell users who their data will be shared with, how it will be stored, and for how long

Read more about the necessary elements of compliant consent.

Express UK

Hailing from the United Kingdom (the largest English-speaking country to be affected directly by GDPR), this cookie opt-in form is from the UK tabloid Express. We won't comment on the accuracy of Express's reporting, but their forms do a pretty good job of describing what cookies are and letting users opt out of them.

First, you see this initial popup, which is a fairly-standard cookie opt-in notice:

Cookie notice with the option to change settings.

From there, you can see what "functional" cookies Express is using.

A page describing functional cookies, which can't be disabled.

"Functional" is becoming a common term for cookies that essentially can't be turned off. According to the Express, the site simply can't be used without these cookies. Assuming that the courts rule in their favor, this can be considered compliant, although we advise against such measures. It's ultimately in question whether the cookies for Parse.IO and other trackers are absolutely essential to the site.

Once you select "continue," you're shown the cookies that you can actually turn off.

A page showing the additional cookies used by Express, which can be disabled.

This form does an okay job of describing the purposes of the processing and allows you to select from a granular list of tracking partners. They could do a better job of describing the benefits of such tracking, but they at least include all of the required information. It also links to the Privacy Policy of each tracking partner, a good step toward helping users understand how their data will be used. You can even "reject all" if you don't want to allow any additional tracking.

Overall, this form is simple and descriptive, and while the validity of the "Functional" cookies is suspect, that's one area in particular where many companies are taking their chances and deciding to see how the courts will rule.


The Telegraph

We decided to include this as an example of what not to do when allowing your users to select individual cookies. Another British tabloid, The Telegraph, has a fairly standard cookie opt-in notice:

The cookie opt-in banner with the option to select cookies.

That's all well and good. But, once you try to change your cookie settings, you're taken to this monstrosity:

A form with many boxes to check to disable cookies.

As you can plainly see, the Telegraph forces you to manually uncheck dozens of individual boxes to opt out of cookie tracking. The above image is cropped; there are actually more than 70 individual trackers, many of which can't be turned off. There's very little explanation as to why, either.

While there's a button to "Opt-Out All," selecting that option doesn't remove the cookie tracking banner overlay, and doesn't really seem to work. Not only is this an awful experience for users, but it most likely doesn't fulfill the "unnecessarily disruptive" clause of GDPR, Recital 32. Why The Telegraph would need so many cookies in the first place is beyond us, but they should certainly offer an easier way to opt out of them individually.

OneTrust

OneTrust is a privacy-management company that offers prebuilt opt-in and consent solutions. We discovered OneTrust while researching cookie opt-in at CNN. CNN uses OneTrust's cookie tracking opt-in template, so we decided to go snooping into OneTrust's own website.

What we like overall about this form is how it breaks down the different categories of cookies and lets you decide which categories you'd like to allow. This solves two problems: it shows what each group of cookies does without requiring a single wall of text, and it allows users to bulk opt out of cookie categories they don't want (solving the problem of the Telegraph UK's ridiculously long form).
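The category-based model described above (and the working "reject all" that the Telegraph's form lacks) comes down to a small piece of consent state that every third-party tag is gated on. The following is an added example written for this post; it is not code from OneTrust, Express, the Telegraph, or CNN. The category names, the `cookie_consent` cookie name, the policy version number and the tag registry are all assumptions, and it runs under Node without a DOM because it models the consent record rather than the banner markup.

```javascript
// Added example, not code from the original post or from any vendor it mentions.
// Category names, the cookie name "cookie_consent" and the TAGS list are assumptions.

const CATEGORIES = ["functional", "performance", "targeting"]; // assumed categories
const CONSENT_COOKIE = "cookie_consent"; // assumed cookie name
const CONSENT_VERSION = 1; // bump when the cookie policy changes so users are re-asked

// Default state: every optional category is off. Affirmative opt-in means
// nothing is pre-ticked, and "no consent cookie yet" reads as "no consent".
function defaultConsent() {
  const consent = { version: CONSENT_VERSION };
  for (const c of CATEGORIES) consent[c] = false;
  return consent;
}

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of String(header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { continue; } // skip undecodable values
    if (name) jar[name] = value;
  }
  return jar;
}

// Read stored consent. Anything missing, malformed, or recorded under an older
// policy version falls back to the default (deny), which also triggers a re-prompt.
function readConsent(cookieHeader) {
  const raw = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return defaultConsent();
  let stored;
  try { stored = JSON.parse(raw); } catch (e) { return defaultConsent(); }
  if (!stored || typeof stored !== "object" || stored.version !== CONSENT_VERSION) {
    return defaultConsent();
  }
  const consent = defaultConsent();
  for (const c of CATEGORIES) consent[c] = stored[c] === true; // only an explicit true counts
  return consent;
}

// Strictly necessary cookies (session, CSRF token) need no consent; every other
// category is allowed only if the user switched it on.
function isAllowed(consent, category) {
  return category === "necessary" || consent[category] === true;
}

// Build a consent state from the categories the user enabled; unknown names are ignored.
function acceptCategories(enabled) {
  const consent = defaultConsent();
  for (const c of enabled) if (CATEGORIES.includes(c)) consent[c] = true;
  return consent;
}

// "Reject all" is just the default state, recorded so the banner can be dismissed.
function rejectAll() {
  return defaultConsent();
}

// Serialize consent as a Set-Cookie header value. Secure and SameSite=Lax keep the
// consent record itself from being sent over plain HTTP or set from another site.
function serializeConsent(consent, maxAgeSeconds = 180 * 24 * 3600) {
  const payload = { version: CONSENT_VERSION };
  for (const c of CATEGORIES) payload[c] = consent[c] === true;
  const value = encodeURIComponent(JSON.stringify(payload));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Constructed sample tag registry: each third-party script declares one category,
// and the page loads only the tags whose category is permitted.
const TAGS = [
  { name: "session-cookie", category: "necessary" },
  { name: "site-preferences", category: "functional" },
  { name: "analytics", category: "performance" },
  { name: "ad-network", category: "targeting" },
];

function tagsToLoad(consent) {
  return TAGS.filter((t) => isAllowed(consent, t.category)).map((t) => t.name);
}

// Demo: a first visit with no consent cookie, then a visit after enabling "performance" only.
console.log(tagsToLoad(readConsent("")));
const setCookie = serializeConsent(acceptCategories(["performance"]));
console.log(tagsToLoad(readConsent(setCookie.split(";")[0])));
```

The design choice worth noting is that every failure path (no cookie, unparseable value, stale policy version, a value that is anything other than the literal `true`) resolves to "deny", so a bug or a tampered cookie can only ever load fewer tags, never more. Re-prompting after a version bump is what lets a site change its cookie policy without silently reusing consent given under the old one.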

Other Considerations

This post was meant to provide inspiration for how to make your cookie tracking opt-in notices comply with data privacy regulations like GDPR. Overall, know that transparency and informed consent are major factors of compliance and that any attempt to deceive users may backfire. Note that this post is not intended to be legal advice. If you're unsure about your organization's practices with regard to GDPR compliance, make sure to consult a legal professional.

If you're looking for further resources about user interface and user experience design, check out the IAPP Guide to Consent as well as goodui.org.

Final Thoughts

In 2018, it's now essential that opt-in forms meet high standards of both design and compliance. This is a challenge, but also an opportunity. By showing that you're committed to their privacy and their experience, you can establish a high level of trust with your users.

As your organization takes the necessary steps to achieve GDPR compliance, make sure that user experience and interface design are considered along the way. If you're seeking a technology partner to help implement GDPR compliance measures and do so in a way that delights and surprises users, Cuttlesoft can help.
