It is quite safe to assume that every one of us comes across cookies daily when browsing online services. However, while it used to be customary to just inform visitors of cookies with a banner popping up at the top of the page, all except essential cookies now require the visitor’s consent. This is one consequence of Traficom’s new cookie guideline discussed in this article.
Cookies are text files less than 4 kB in size
To make sure everybody is on board, let’s summarize first what cookies are.
Technically, cookies are small files at most 4 kilobytes in size that contain strings, i.e., sequences of characters. When you visit an online service, these files are saved on your device to enable the strictly necessary functions of the website, such as logging in, staying logged in, and remembering the items in your shopping cart in online stores. In a way, these necessary cookies can be thought of as a waiter. The waiter will write down your order, possible allergies, and table number.
Cookies are stored on your device for the duration of the session or longer if necessary. When revisiting the same website, your device will send the long-term cookie data to the website so that it can associate you with your previous visits, for example.
For the sake of clarity, this article refers to all of these comparable technologies as cookies.
The use of non-essential cookies always requires consent
Broadly, there are two kinds of cookies: cookies that are necessary for the website’s functioning and cookies that store information about the visitor for marketing and other purposes. Necessary cookies can be used without the visitor’s consent, whereas consent is mandatory for all other cookies.
The difference between necessary and non-essential cookies is not as straightforward as one might imagine. Permanent login cookies, for example, can be considered necessary only if the visitor can clearly understand that their login will be maintained for a longer period (the “stay logged in” option) and this has a clear function for the usability of the site. For example, a permanent login cookie can improve the user experience of services like Facebook because you do not have to log in every time after closing the browser. Traficom’s cookie guideline for service providers contains many good rules of thumb on the differences between necessary and non-essential cookies, which you can read more about in Section 3.3 of the cookie guideline.
“In principle, the storing of cookies and comparable data on user devices and the use of this data requires the cancellable consent of the user, as well as understandable and comprehensive information concerning the purpose of the storage and use of data.”
Consent must be an active and voluntary decision
This kind of banner is no longer valid to use. The visitor must be asked for their consent for using non-essential cookies.
Most often, websites request consent with a banner. The new guideline also comments on the properties of the banner, stating most importantly that the cookie banner or other mechanism used to request consent must not prevent the visitor from accessing the website. In other words, the banner must not hide the website’s content, and the visitor has to be able to browse the site without giving consent for cookies.
The visitor can’t access the site without answering the cookie banner first. On top of that, the banner strongly guides the visitor to accept all cookies on this and the service provider’s other websites.
The visitor must be able to choose which data is collected during their visit and whether non-essential data is collected at all. In addition, refusing to give consent must be as easy as granting it, meaning that granting and refusing consent must have equal value as alternatives. In other words, the refusal option must not be hidden or made otherwise less visible. Manipulating the visitor with choices of color, for example, is also forbidden.
Granting and refusing consent are not equal options with this cookie banner, as the user is persuaded to give their consent with a differently-colored button.
The consent for cookies must also be documented outside the visitor’s device. Obligatory documented information includes the date and time of the consent, what information was provided to request it, and the strictly necessary credentials for associating the consent with the device in question.
The visitor must also be able to cancel their consent for non-essential cookies at any time, and cancelling must be as easy as granting consent was. It is also forbidden to penalize the visitor by artificially lowering the quality of the service, for example, if they refuse consent for cookies when using the online service for the first time or cancel their consent later on.
Cookies must be categorized and explained
Nowadays, cookies must be categorized, and the visitor must also be able to choose which cookie categories they want to allow or reject. A common way to offer this choice is to list the categories in the cookie settings of the cookie banner.
This website provides a good example of how asking for consent is done according to the cookie guideline. Both options – granting and refusing consent – are equal to each other, and the website can be used without answering the cookie banner.
In the cookie settings, the cookies are categorized precisely and specified in detail. It is easy to see what kind of cookies the website uses, why, and how long the personal data is stored.
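The consent register and the per-category choice described above can be sketched as follows. This is an added example, not code from the original article or from Traficom’s guideline; the cookie names, the category names, the banner version label and all function names are constructed for illustration.

```javascript
// Added example. Every name and value below is constructed, not from the guideline.
const BANNER_VERSION = "banner-text-v1"; // identifies what information was shown
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// Constructed cookie inventory: each cookie belongs to exactly one category.
const COOKIES = [
  { name: "session", category: "necessary" },
  { name: "cart", category: "necessary" },
  { name: "stats_id", category: "analytics" },
  { name: "ad_id", category: "marketing" },
];

// Consent register kept outside the visitor's device (in memory here;
// assumed to be a database in a real service). Keyed by a random consent ID.
const register = new Map();

// Append a decision. Entries are never overwritten, so the history of
// grants and withdrawals stays documented.
function recordConsent(consentId, categories, now = new Date()) {
  for (const c of categories) {
    if (!OPTIONAL_CATEGORIES.includes(c)) {
      throw new Error("unknown cookie category: " + c);
    }
  }
  const entry = {
    timestamp: now.toISOString(),   // date and time of the decision
    bannerVersion: BANNER_VERSION,  // information provided when asking
    categories: [...categories].sort(),
  };
  const history = register.get(consentId) || [];
  history.push(entry);
  register.set(consentId, history);
  return entry;
}

// Withdrawal is one call, the same effort as granting.
function withdrawConsent(consentId, now = new Date()) {
  return recordConsent(consentId, [], now);
}

// Default deny: with no record, only necessary cookies may be set.
function allowedCookies(consentId) {
  const history = register.get(consentId) || [];
  const latest = history[history.length - 1];
  const granted = new Set(latest ? latest.categories : []);
  return COOKIES
    .filter((c) => c.category === "necessary" || granted.has(c.category))
    .map((c) => c.name);
}
```

The server would consult `allowedCookies` before emitting any `Set-Cookie` header, so a visitor who never answers the banner still gets a working site with necessary cookies only.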
Every online service has to arrange their own cookie management
Traficom’s guideline only explains what should be taken into account in cookie management – it does not comment on how cookie management of online services should be implemented. Every holder of an online service is responsible for ensuring that it collects visitor data according to data protection regulations and the cookie guideline.
There are several cookie management systems on the market. When selecting the preferred system, it is advisable to take into account factors such as the country in which the cookie register is being stored. This determines, among other things, the legislation that must be adhered to in storing and using the data in the cookie register. It is also advisable to take a careful look at the accessibility and customizability of the cookie banner and any other features of the cookie management system. An ideal cookie banner follows the guidelines, is easy to use, accessible, and fits well with the website’s visuals.
Are there any options beyond cookies?
Cookies are crucial for purposes such as retargeting advertising, where advertising is targeted to a website’s former visitors, identifying a returning visitor, or tracking a visitor for the duration of several sessions. The latter features make it possible to sort visitors into new and returning ones, attribute goals and purchases to a campaign even if the visitor is converted only during their second visit, and track a group of visitors who accessed the site during a specific period of time. As was already mentioned, cookies enable storing the IP address of visitors who have given their consent, enabling functions such as more accurate location reporting.
One application that is gaining popularity and is excellent for cookieless analytics is Matomo Analytics. In Matomo’s cookieless analytics, only the latest website visit feeds data for tracking goals; multi-attribution and cohort reports are not in use, and the accuracy of location reporting varies. In addition, Matomo’s cookieless analytics cannot obtain totally accurate data on unique, new, and returning visitors, days since the last visit, numbers of user-specific visits, and days to conversion. However, Matomo’s anonymous cookieless tracking can provide data on how the visitors use the website, among other things, and this data can be used to produce valuable information without the need to identify visitors.
When all the service’s traffic is processed anonymously and without cookies, all the visitor data collected from the site has equal value. This makes the analysis itself easier – even while it is also true that previously, more data could be collected without requesting consent and it was possible to profile both single visitors and visitor groups of an online service more accurately.
By always following the most up-to-date instructions, you can ensure that the collection and processing of personal data in your online services comply with the latest legislation and judicial views. By doing this, you can avoid the possible sanctions of breaking the law and guarantee the ethical processing of personal data.
When creating the cookie banner, it is also advisable to keep its accessibility and ease of use in mind. You should not think of the cookie banner as a necessary evil either: while requesting consent for using cookies is mandatory and the guideline dictates certain criteria for the appearance and content of the banner, it can still be presented with distinctive copy and an aesthetic that is in line with the company’s brand.
The key points to remember from the updated cookie guideline:
- Non-essential cookies always require consent.
- The consent must be a voluntary and active decision.
- The cookie banner must not prevent the visitor from browsing the website.
- The visitor must also be able to cancel their consent at any time, and this must be as easy as it was to give it.
- Cookies must be categorized and explained.
- The personal data stored in the cookie register must have legitimate storage periods which are pre-determined and also documented.