Reasons you may still not be cookie compliant


Posted by Fergal McHugh on October 22, 2020

Despite the enforcement deadline given by the DPC - which expired on October 5th - a significant number of companies are still not cookie compliant. Other organisations think they are cookie compliant because they added a banner but are not. Are you one of those?

Here are some indicators that you may not be compliant:

  • Are you relying on implicit consent? If you are telling people that they agree by using the service or by continuing to browse your website, that is not consent according to the GDPR standard, which is the one relevant to consent for cookies. That is not acceptable! Consent needs to be freely given and unambiguous and it requires a clear, affirmative action on the part of the user.
  • Do you only have one button? Ok, so you have a button that the user can click to accept cookies but is that the only button? If this is the case, and furthermore the button doesn’t do anything because more than likely you have already fired the cookie to the user’s browser, then that’s not consent! You need to ensure that you hold your fire for everything except strictly necessary cookies (we will get to them). Get the user’s consent – clearly, affirmatively – and then you can fire the cookie.
  • Are you nudging people towards accepting cookies? So, you have given your cookie banner a face-lift and you now have more than one button. But hold on, the Accept cookies button is TEN TIMES the size of the Reject button (which you have displayed in a color-and-contrast arrangement that has been scientifically proven as the combination that the user is least likely to click). They are wise to this. Equal consideration needs to be given to consent/refuse options.
  • Is it difficult for users to withdraw their consent? Some of your visitors who were looking for a way to withdraw their consent for cookies are still wandering the outer reaches of your website navigation, missing, presumed dead. It must be as easy to revoke consent as it is to give it. That means that you need to record consent, so you can revoke it if the user asks you to. This also means you need to keep that preference management interface within easy reach should visitors wish to adjust their preferences.
  • Are you being inconsistent? Your list of cookies is one thing, but what you are actually tracking is another entirely. It is really easy for the DPC to check this. Is it worth the risk?
  • Is your definition of "strictly necessary" very broad? Some companies think that what counts as a “strictly necessary cookie” is subjective, in other words it means whatever they think is strictly necessary, but this is not so. These are cookies that you simply can’t deliver the service without. Strictly necessary cookies are likely to expire by the end of a user’s session. If yours don’t, then they are probably not strictly necessary!
  • Do you have ridiculous cookie expiration dates? I know we all expect to live longer thanks to the wonders of science, and everyone knows that when you get a customer you should try and keep them. But what genuine value is there in the ability to remarket to me for the next century? Cookie lifespans should be proportional to their use! Use your common sense and keep them as short as possible.
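
Several of these indicators can be checked mechanically from the `Set-Cookie` headers your site sends on a first page load, before the visitor has clicked anything. The script below is an added example, not code from Arekibo or the DPC: it compares such a capture against your declared cookie list and flags undeclared cookies, non-necessary cookies fired before consent, "strictly necessary" cookies that outlive the session, and very long lifetimes. The cookie names, the declared list and the `MAX_DAYS` ceiling are constructed assumptions.

```javascript
// Added example: audit Set-Cookie headers captured on a first page load,
// before any consent click. All names and values below are constructed.
const MAX_DAYS = 395; // assumed policy ceiling, not a figure from the article

// Parse one Set-Cookie header into { name, lifetimeSec }; null = session cookie.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.includes('=') ? pair.slice(0, pair.indexOf('=')) : pair;
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    if (eq < 0) continue; // flag attributes such as Secure, HttpOnly
    const key = attr.slice(0, eq).trim().toLowerCase();
    const val = attr.slice(eq + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === 'expires' && !Number.isNaN(Date.parse(val))) {
      expires = Math.round((Date.parse(val) - now) / 1000);
    }
  }
  // Max-Age takes precedence over Expires (RFC 6265).
  return { name, lifetimeSec: maxAge !== null ? maxAge : expires };
}

// declared: Map of cookie name -> category from the published cookie list.
function auditPreConsent(headers, declared, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const { name, lifetimeSec } = parseSetCookie(header, now);
    const persistent = lifetimeSec !== null && lifetimeSec > 0;
    const category = declared.get(name);
    if (category === undefined) findings.push(`${name}: undeclared`);
    else if (category !== 'necessary') findings.push(`${name}: set-before-consent`);
    else if (persistent) findings.push(`${name}: necessary-but-persistent`);
    if (persistent && lifetimeSec > MAX_DAYS * 86400) findings.push(`${name}: excessive-lifetime`);
  }
  return findings;
}

// Constructed pre-consent capture and declared cookie list.
const sampleHeaders = [
  'session_id=abc123; Path=/; HttpOnly; Secure',
  'cart_pref=1; Max-Age=31536000; Path=/',
  '_trk=xyz; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Path=/',
  'ab_test=B; Path=/',
];
const sampleDeclared = new Map([['session_id', 'necessary'], ['cart_pref', 'necessary'], ['_trk', 'marketing']]);
console.log(auditPreConsent(sampleHeaders, sampleDeclared));
```

A clean result on a pre-consent capture is an empty list; anything else maps back to one of the indicators above.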

Did you say yes to any of these? If so, you are not compliant. Contact us today.

Register for our upcoming webinar on the 18th of November with OneTrust about getting compliant, staying compliant and the future of digital marketing.

About the Author

Fergal McHugh

Fergal McHugh is Head of Strategy at Arekibo. He is responsible for overseeing Arekibo’s innovation and growth strategies.