There’s a lot happening regarding websites, cookies, and privacy law. If it’s all a bit unclear to you, then this blog is for you.
I’ve written this from a marketers point of view. I do not have any sort of legal background, nor do I claim to know exactly what’s up. This blog is written to share my knowledge of these topics as an experienced marketer to help you understand what it all means.
An intro
Cookies and cookiebanners have been around for a long time, but many websites didn’t use cookiebanners as they were supposed to be used. Often, the cookiebanner was just a front, displaying: "this website uses cookies".
However, according to the law, depending on the consent that is given in the cookiebar the website is allowed to change its behaviour of 1st- and 3rd party scripts that are allowed to be loaded.
Consent Mode V2
- After implementing Consent Mode V2 Google can understand what Consent a user has given and can 'automatically' change the behavior of its tools based on it.
- If you do not implement Consent Mode V2 this means that Google's tools will receive less data as these tools cannot understand what data the user wants to share.
GDPR (General Data Protection Regulation)
- Personal data cannot be shared unless somebody has given consent.
ePrivacy Directive
- Non-essential cookies cannot share any data unless somebody has given consent. This means both 1st party- and 3rd party cookies.
CMP (Cookie Management Platform)
- Cookie Management Platforms have functionality that make it easier to implement Consent Mode V2 and apply to both laws.
- However, it still needs implementation which might be a bit difficult to do yourself. Luckily, there are many videos around that help you implement a CMP.
- (Most) CMP’s have an automatic cookie blocking feature. Marketeers often setup the CMP using Google Tag Manager. This is perfect whenever you only load cookies through Tag Manager, but (especially to apply to the ePrivacy directive) some websites also load cookies in the website itself. To make sure these cookies can also be blocked until consent is given, you need to implement the automatic cookie blocking feature.
- CMP’s use crawlers to find out which cookies are used on your website. They even create an overview of all cookies that are found, which you can implement on your Cookie overview page by simply pasting code.
- CMP’s have multilingual options. The text in the consent banner can change based on the language somebody has in their browser.
- You need to pay for CMP’s. They often cost between €300-€1.000 per domain per year depending on the size of your website (amount of pages).
Free banner
- Last week I shared a video of a free consent banner that I’ve created with ChatGPT that works with Consent Mode V2. I’ve received lots of positive feedback about it and improved the functionality even further.
- Yet, it does not provide the same value as a CMP. It does not have an automatic cookie blocking feature, isnt’ multilingual, doesn’t automatically show what cookies are used on a website.
- Does that mean that you cannot approve to the *law? No it doesn’t, it just means that you need to perform checks manually.
(*law seen as checks from CookieBot)
Get the Free Cookie Banner
Want to get the free cookie banner and implement it on your website? You can find my YouTube video with full instructions here
By implementing the free cookie banner my website matches the GDPR checks. But it doesn’t match the ePrivacy directive check.
Consent Mode V2 is implemented by using the ‘smart setup’ for Google tags. Which means they always send data, but what data it sends depends on the value of the cookie consent. According to ePrivacy directive this is not allowed. For GDPR this is sufficient.
I’ve now setup everything in Google Tag Manager to only fire when consent is given. Even for the Google Tags:
However, we still don’t pass the ePrivacy directive test (we do see that the marketing tracker has disappeared):
As you can see there are still two ‘Preferences’ cookies loaded. These are from my WordPress plugin that set the language.
After Googling this cookie, a developer from the plugin has written the following:
They say that from a legal point of view this cookie does not need to be changed. From what I’ve read it seems that if it adds functionality to the website, it indeed does not need to change. But hey, I’m not an expert.
They also give the option to block the cookie entirely. But this can cause issues as the plugin might not remember the language setting when switching pages:
Hence, I’m leaving the plugin as is. I think this is essentially a functional cookie (necessary). Most other websites also place it under ‘functional’:
Website 1:
Website 2:
As you can see, it can become a hassle to figure out which cookies are allowed to be used. Especially because not all cookies will be perfectly updated.
If we look at the ePrivacy directive explanation from Cloudflare:
“There is an exception to the user consent requirement: any cookie that is necessary for a website or application to function properly. For example, the directive does not require user consent for a cookie that remembers a user's login. Without this cookie, users would not be able to log in and use the website.”
Our pll_language cookie is definitely part of core functionality. Hence, I’d expect this not to fall under the ePrivacy directive.
To conclude
Manually identifying cookies can be work. But if you don’t make major changes to your website too often, you probably won’t be loading different cookies often. This means you’d just need to make sure that everything is set up correctly once and then only after you make changes that involve cookies.
Do you think it is worth paying €300-€1.000 a year for a CMP or do you want to look at other options after reading this blog?