On May 25, 2018, the world marked another historical internet milestone as the European Union (EU) launched a sweeping set of data privacy laws known as the General Data Protection Regulation (GDPR). GDPR gives consumers protections and rights for how their personal data is collected and used, and it comes with serious penalties for businesses that violate those rights. GDPR is not limited to businesses operating within the EU. Any company that reaches customers in the EU is subject to these laws, which means almost all e-commerce businesses and services will need to be GDPR compliant now that the laws are in effect. In this post we will cover providing informed website consent, which is one of the most visible user experience aspects of GDPR.
A 30,000 Foot View of GDPR
At a very high level, GDPR governs how businesses handle personally identifiable information (PII). This is a very important GDPR distinction and there still is some uncertainty about what actually constitutes PII. Regardless of how PII is defined, consumers have specific rights for the data that is collected about them. Below are a few (but certainly not all) of the consumer rights afforded by GDPR:
- The Right to Breach Notification
Under the GDPR, a data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be reported to customers “without undue delay” within 72 hours of first having become aware of the breach.
- Right to Access
GDPR gives consumers “confirmation as to whether or not personal data concerning them is being processed” as well as “where and for what purpose” consumers’ personal data is being used. “Data controllers” are required to provide a copy of any personal data being collected, free of charge, in an electronic format upon request.
- Right to be Forgotten
Also called Data Erasure, consumers (also called “data subjects”) can request that data controllers erase their personal data and cease any further processing of their data.
Website Visitors’ Right to Consent
One of the primary (and perhaps the most visible) aspects of GDPR is the right to opt-in consent for website data collection. The right to consent has some very important components that User Experience Managers and Web Designers need to be aware of:
- Data collection consent must be “clear and distinguishable from other web features and components”.
- Consent must be provided to site visitors in an intelligible and easily accessible form, using clear and plain language.
- Consent must include opt-out selections that are “as easy to withdraw consent as they are to give”.
Website Consent User Experience
GDPR website consent compliance begins with the all-important cookie notification (commonly called a cookie banner). It is important to note that under GDPR, “cookies” is a broad term that covers any tracking pixel that is used on your site. Since GDPR requires that cookie banners be “clear and distinguishable from other web features and components”, most User Experience Managers and Web Designers choose to display their banner through a modal window at the top or the bottom of a site’s landing page. When deploying a cookie banner, be very mindful and deliberate with the delicate balance between being informative and raising undue suspicion. Below are some tips to keep in mind when designing your cookie banner:
- Make your banner fit naturally into your page.
Banners should feel like they are informative rather than a warning. Choose background colors and font faces that align with your current web pages. The key here is to provide consumers with the information they need without alarming them.
- Remember that less is more with your cookie banner.
- Align your consent with your company’s policies.
GDPR provides some guidelines around establishing cookie consent, but what constitutes acceptance (scrolling, changing pages, clicking a CTA, etc.) is another area that is being widely interpreted and debated. Be sure you are aligning your cookie banner acceptance with your company’s legal counsel.
Cookie Banner Consent Models
To effectively create a cookie banner, it is helpful to understand the five consent models a cookie banner can implement:
- Information Only
This model tells the user that cookies are in use, and their choices are to accept the fact or navigate away.
- Implied Consent
Summary: We are using and have set cookies, but you can switch them off.
- Soft Opt-In
Soft Opt-In can look a lot like Information Only; the crucial difference is that cookies are blocked on first arrival to the site (the landing page). Any further user interaction, such as clicking on a link to a second page, is then taken as consent, and cookies are then set normally on the second page.
- Explicit Consent
Summary: Please click to accept cookies on this site.
With this model you have to block cookies until users perform a specific action that signifies their acceptance of cookies. The action should only signify that acceptance. Essentially this means they have to tick a box or click a button or a link that says ‘I accept cookies’ or something very similar.
- Mixed Consent
Summary: We have set cookies already, and would like to set some more.
As the name suggests, this is really a hybrid approach where different models are applied to different types of cookies according to their purpose. An example would be relying on Implied Consent for web analytics and Soft Opt-in for third party advertising.
A Couple of Cookie Banner Examples
Nottingham Forest Football Club uses a simple and effective Information Only consent model. Tracking begins whether you accept cookies or not; there is a clear page explaining cookies, but there is no built-in way to turn cookies off. Users that do not wish to be tracked further must exit the site.
MailChimp uses a Mixed Consent model of Implied Consent and Soft Opt-In models. Some trackers are blocked on landing pages, and any of the individual trackers on this site can be turned off and back on again at a visitor’s discretion.
Consent Management Platforms
We mentioned earlier that GDPR requires every tracking mechanism on your site be “as easy to withdraw consent as they are to give”. Therefore, after creating a well-crafted cookie banner, make sure that users have a way to opt out of tracking that they do not wish to participate in. Many sites provide links that instruct users how to disable cookies in their browsers altogether, but the best way to ensure GDPR compliance is to use a service or a website plug-in that will manage the opt-in and opt-out process for visitors. Consent Management Platforms (CMPs) perform tasks such as scanning your site for cookies and creating dynamic opt-in and opt-out toggles for visitors.
Below are two free IAB certified CMPs. You may want to start with one of these solutions before moving to a paid one:
- One Trust
“OneTrust offers a free edition of our privacy management platform to help organizations operationalize their privacy program for GDPR compliance.”
- Ezoic
“Ezoic’s Consent Management Platform is a free application inside the Ezoic app store that gives publishers the ability to configure and setup privacy and cookie permissions for visitors to comply with GDPR regulations.”
You can also write your own CMP solution provided it covers all of your tracking pixels and cookies. AppNexus has a CMP GitHub project here.
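If you do write your own, the core of a CMP is a consent gate that every tracker consults before it sets a cookie or fires a pixel. The following is an added example, not code from this post, AppNexus or any CMP vendor: it implements the Implied, Soft Opt-In and Explicit models described above per tracker category (so a Mixed Consent setup is just a per-category policy map) and makes withdrawal a single call, as the Right to Consent requires. `ConsentGate` and the category names are illustrative assumptions.

```javascript
// Added example: a minimal per-category consent gate (not from the post).
// Models: "implied" (set now, can be switched off), "soft" (blocked on the
// landing page, granted on the second page), "explicit" (blocked until accept).
const MODELS = new Set(["implied", "soft", "explicit"]);

class ConsentGate {
  // policy example (constructed): { analytics: "implied", advertising: "soft" }
  constructor(policy) {
    this.policy = {};
    this.state = {};     // category -> true (granted), false (withdrawn), null (undecided)
    this.pageViews = 0;  // Soft Opt-In counts navigation past the landing page
    for (const [cat, model] of Object.entries(policy)) {
      if (!MODELS.has(model)) throw new Error(`unknown consent model: ${model}`);
      this.policy[cat] = model;
      // Only Implied Consent may set cookies before any user action.
      this.state[cat] = model === "implied" ? true : null;
    }
  }

  // Call on every page load. Under Soft Opt-In, reaching a second page is
  // taken as consent, but it never overrides an explicit withdrawal.
  recordPageView() {
    this.pageViews += 1;
    for (const [cat, model] of Object.entries(this.policy)) {
      if (model === "soft" && this.pageViews >= 2 && this.state[cat] === null) {
        this.state[cat] = true;
      }
    }
  }

  accept(cat) { this.check(cat); this.state[cat] = true; }
  // Withdrawal is one call, as easy as giving consent.
  withdraw(cat) { this.check(cat); this.state[cat] = false; }
  // Every tracker asks this before setting a cookie or firing a pixel.
  mayTrack(cat) { this.check(cat); return this.state[cat] === true; }
  check(cat) {
    if (!(cat in this.policy)) throw new Error(`unknown category: ${cat}`);
  }

  // loaders: category -> function that injects the tracker. Returns the
  // categories that actually fired so the caller can audit the result.
  loadTrackers(loaders) {
    const loaded = [];
    for (const [cat, load] of Object.entries(loaders)) {
      if (this.mayTrack(cat)) { load(); loaded.push(cat); }
    }
    return loaded;
  }
}
```

Persisting `state` (for example in a first-party cookie or localStorage) and rendering one toggle per category in the banner turns this gate into the opt-in/opt-out UI described above.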
My Own Legalese
This post is meant to be a design guide and not a legal guide for your GDPR compliance. Make sure to consult with your company’s legal counsel as you develop your cookie banner model, its messaging, and opt-out methods.
I am a veteran digital analytics evangelist and thought leader with over fifteen years of experience in information management and application development. I specialize in providing strategic and technical guidance for complex digital analytics implementations, and I love giving digital analytics talks and presentations. My contact info is here.