If you have browsed the internet in recent years, you may have noticed that websites suddenly began showing banners that look like this:
These are cookie consent banners. I like to think of them as the modern Terms & Conditions – few people read them, and fewer understand how they work. But you know that they’re in your way.
Surveying the text of any consent banner, it’s clear they are supposed to empower you to make a well-informed decision about how websites use your data. That’s great and all, but unless you work in the field, how are you supposed to have literacy in this area?
Therein lies the problem – there’s little general education around this topic. I’ve put together this blog to help demystify these cookie banners in a simple and easy-to-understand manner. Let’s go.
Why did cookie consent banners suddenly appear?
It all started in 2018 when the GDPR (General Data Protection Regulation) came into effect in the European Union. The legislation is designed to protect the personal data of EU citizens and give them more control over how their data is collected and used by websites and online services.
From a data tracking perspective, the internet was the wild west prior to the GDPR. Cookies were widely abused to track and profile you, with your data sold to data brokers and in turn used to sell you targeted ads.
One of the key requirements of the GDPR is that websites must obtain “informed consent” from users before collecting their data, including through cookies and similar tracking technologies. This means that websites must clearly explain which cookies are being used and why, and give users the ability to accept or reject them.
Why are there different types of cookies? How do I choose?
Cookies are small pieces of data (short text entries) that websites write into your browser and read back on later visits. Cookies aren’t inherently good or bad; they are merely a technology.
Cookies have been demonised in the public sphere due to their widespread use by online tools to track your behaviour on a website, such as which pages you visit, how long you stay, and what actions you take. However, beyond this creepy tracking aspect, cookies are essential to keeping websites running smoothly.
“Necessary cookies”, for example, are critical to website functionality. They are used to persist login details and shopping cart contents. Imagine you went to an eCommerce store and added a product to your cart. You then navigated to another page, and suddenly the product was no longer in your cart! This is why necessary/essential cookies cannot be turned off in any consent banner.
However, the majority of cookies fall outside of this umbrella and can be turned off. Cookies typically fall into the following categories:
- Essential/necessary cookies – essential for websites to work properly, such as those that determine which language or currency the website should use based on your location. You must allow these cookies.
- Performance cookies – collect information about how you use a website, such as which pages you visit most often. These cookies cannot be used to record details such as your name or address. If you do not allow these cookies, the website owner will not know you visited the site.
- Functional cookies – enable websites to provide enhanced functionality and personalisation, such as enabling a chatbot or remembering users’ personal preferences or search filters. If you do not allow these cookies, it could make it more difficult for you to use the website effectively.
- Advertising/targeting cookies – used to track your browsing history and build a profile of you, in order to show you targeted ads based on your personal information and behaviour. They are also used to limit the number of times you see an advert, as well as to help measure the effectiveness of an advertising campaign. If you do not allow these cookies, you will see less relevant advertising. You will not see fewer ads.
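As an added illustration (not code from the original post), the following JavaScript models how a consent manager gates cookie writes by the four categories above: necessary cookies are always allowed, every other category is denied until the visitor opts in, and withdrawing consent deletes cookies already set in that category rather than merely blocking new ones. The Map-backed jar, the category names and the `cc_consent` record name are assumptions standing in for a real browser cookie store.

```javascript
// Constructed example: a consent-gated cookie jar. A Map replaces the
// browser's cookie store so this runs in Node without a DOM.
const CATEGORIES = ["necessary", "performance", "functional", "advertising"];

// Default consent: only necessary cookies, which a banner cannot switch off.
function defaultConsent() {
  return { necessary: true, performance: false, functional: false, advertising: false };
}

class ConsentJar {
  constructor() {
    this.cookies = new Map(); // name -> { value, category }
    this.consent = defaultConsent();
  }

  // Record the visitor's banner choice. "necessary" is forced on regardless
  // of input, and any existing cookie in a category that is no longer
  // consented is deleted, so declining later actually removes tracking
  // cookies that were set while consent was in place.
  applyConsent(choice) {
    const next = defaultConsent();
    for (const c of CATEGORIES) {
      if (c !== "necessary" && choice[c] === true) next[c] = true;
    }
    for (const [name, { category }] of [...this.cookies]) {
      if (!next[category]) this.cookies.delete(name);
    }
    this.consent = next;
    // The consent record itself is a necessary cookie (assumed name).
    this.cookies.set("cc_consent", { value: JSON.stringify(next), category: "necessary" });
  }

  // Gatekeeper for every script that wants to set a cookie: the category must
  // be known and currently consented, otherwise the write is refused.
  set(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.consent[category]) return false;
    this.cookies.set(name, { value, category });
    return true;
  }

  get(name) {
    const entry = this.cookies.get(name);
    return entry ? entry.value : undefined;
  }
}
```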
Some websites I visit don’t show cookie consent banners. Why not?
If you’re in a country where data privacy consent isn’t legislatively mandated – New Zealand, for example – websites do not have to ask for your consent. You can be tracked without your consent, so there is no obligation to show you a banner.
Cookie consent banners are advanced tools. They can look at your IP address to determine your geographical region. They could then determine you’re in New Zealand, recognise that they don’t need your consent, and choose not to show you the banner. This allows the website to collect as much data as possible, which from a marketing standpoint is better for them.
If you’re in a region like the EU and visit a website that doesn’t show you a consent banner, then that website is likely negligent and in breach of the GDPR.
To accept or decline?
I often find people asking me whether to accept or decline cookies. This is totally up to personal preference.
When to accept cookies
Some people are less concerned about their privacy, or they want hyper-targeted personalised ads.
If that’s you, accepting cookies will give ad platforms and data brokers more information about you, helping to develop a more accurate profile of you and serve you more relevant ads.
When to decline cookies
Cookies allow websites to track your browsing habits and profile you, which may make some people uncomfortable. If that’s you, declining cookies will help you escape said tracking.
It’s worth noting that you can browse the internet without having to constantly decline cookies on every single website. Browsers such as Firefox, Safari, and Brave have in-built tracking prevention mechanisms which automatically block a wide variety of tracking technologies.
I personally use Brave. It has the same look as Google Chrome, and being built on Chromium, I was able to migrate all my bookmarks over with ease. You also get to enjoy the same browser extensions as the Chrome Web Store.
Keep in mind that if you use these browsers, consent banners will still appear. However, even if you accept or decline cookies from that banner, tracking is blocked at the browser level. Therefore you don’t need to interact with the consent banners to reject cookies – tracking prevention is always active.
Website owners & marketers – what you need to know
The interesting thing about the GDPR is that it is extraterritorial. A user in Germany could visit a New Zealand website and the onus is technically on that New Zealand organisation to comply and ask for that user’s consent.
Ultimately, you fall under the scope of the GDPR if:
- You offer goods or services to people in the EU
- OR you monitor their online behaviour
It is highly likely your website uses analytics or advertising tracking technologies. If you have visitors that come from the EU – or other countries that have adopted data protection laws in line with GDPR principles – then you are responsible for gathering the consent of those users.
New Zealand legislation changes
Reflecting the trend of strengthening data protection laws globally, New Zealand updated the Privacy Act in 2020. At a high level, updates include:
- Informing users when their information is being collected
- Ensuring user information is used and shared appropriately
- Ensuring user information is kept safe and secure
- Ensuring users can access their information
While the two laws are not identical, the Privacy Act shares several principles which are similar in nature to the GDPR:
- Big penalties: New Zealand increased the maximum penalty for non-compliance from $10,000 (so light!) to $10 million. GDPR has a similar tiered scale of fines, which can be as much as 4% of an organisation’s global revenue or €20 million, whichever is greater.
- Mandatory breach notifications: New Zealand requires businesses to report serious privacy breaches to the Privacy Commissioner and affected individuals as soon as possible. The GDPR requirement for reporting data breaches to authorities is 72 hours.
- Privacy impact assessments: New Zealand requires businesses to conduct privacy impact assessments (PIAs) for new projects or initiatives that involve the handling of personal information. The GDPR requires Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
- Right to access and update personal information: New Zealand gives individuals the right to access and correct their personal information held by businesses. GDPR also outlines a right of access and right to rectification.
- Extraterritorial effect: The Privacy Act has extraterritorial effect, meaning it applies to businesses outside of New Zealand that collect, use, or share personal information of New Zealand citizens or residents. This reflects GDPR’s extraterritorial effect, which applies to any organisation processing personal data of EU residents, regardless of the organisation’s location.
Overseas legislation changes
Legislation continues to rapidly develop in various countries around the world. Beyond the GDPR, notable updates include:
- Japan – the Act on the Protection of Personal Information (APPI) was originally passed in 2003 and updated in 2020.
- South Korea – the Personal Information Protection Act (PIPA) was originally passed in 2011 and was updated in 2020.
- Brazil – the Brazilian General Data Protection Law (LGPD) came into effect in 2020.
- India – the Digital Personal Data Protection Bill was drafted in 2022 and is expected to come into effect in the near future.
- United States – California prominently introduced the CCPA (California Consumer Privacy Act) in 2018. Other states are also beginning to enact their own laws, with legislation coming into effect throughout 2023 from various states including Virginia, Colorado, Connecticut, and Utah.
The legislative landscape is evolving quickly while privacy concerns continue to bubble in the public awareness. If you’re not staying updated on a monthly basis, it’s easy to fall behind. It’s imperative to remain proactive.