By now, everyone has experienced some version of this situation: you’re on your phone or computer trying to read an article, buy a product, or learn more about an upcoming event. The website you’re using displays a massive cookie banner demanding that you hit the (often all-caps) “ACCEPT” button, or that by visiting the site you’re consenting to infinite collection of your data. With no other choice, you click the button or scroll through the site, and the data collection spigot remains permanently turned on. If you’re a consumer, you may think you’re powerless, and you’d be wrong. If you’re a business thinking that this approach is compliant with data privacy laws in the US (like California’s CCPA) or Europe (like GDPR), you’d be wrong too. The difference is that in the case of the business, being wrong could cost you thousands of dollars in penalties for noncompliance.
A brief history of cookie consent
Cookie banners have proliferated on websites since GDPR began requiring them in 2018. In the EU, websites and apps are required to ask users to “opt-in” or provide “explicit consent” for cookies and similar technologies (e.g. web beacons, scripts, etc.) before the site starts to use them. For consent to be valid under GDPR it must constitute a real, meaningful indication of the individual’s wishes and meet conditions such as being informed and specific.
The cookie banner in the example above is what’s known as a “cookie wall”. The European Data Privacy Board, which is the regulatory body enforcing GDPR, has explicitly stated that cookie walls are a violation of GDPR and which can subject companies utilizing these cookie walls to lawsuits, investigations and enormous penalties. It’s pretty clear that if you’re subject to GDPR, you better not be using a cookie wall to manage consent. If you are already using a cookie wall, you should find another solution immediately.
But what about US laws like CCPA? You may have heard that CCPA is an “opt-out” or “implied consent” jurisdiction, so you can use a cookie wall, right? Nope. While it is true that in California you don’t need to obtain consent before utilizing cookies, you do need to provide a way for your website visitors to withdraw their consent and also empower to restrict your ability to sell their personal information (which you may be doing under CCPA even if you’re not a tech company). Forcing visitors to accept all data collection can result in penalties enforced by the California Attorney General of up to $7,500 per incident, and individual consumers can sue you for $750 per incident. Violating a data privacy regulation like CCPA results in massive legal and financial headaches.
So what’s wrong with my free cookie banner?
The first issue is that your free cookie banner is likely to be considered a cookie wall, which neither CCPA nor GDPR allow; if you’re using one then you’re at risk of paying huge penalty amounts to data privacy regulatory bodies. Additionally, you should consider that:
1) There are differences in data privacy regulations across jurisdictions, and your cookie wall isn’t flexible to differentiate between visitors from California, New York, or France. There just isn’t a one-size-fits-all approach to data privacy (even if your cookie wall thinks there is!);
2) Data privacy regulations require you to clearly outline what cookies you are utilizing on your website. Cookie walls don’t provide this type of clarity or transparency;
3) Data privacy regulations are constantly being updated and revised, and your cookie wall likely isn’t keeping up with the changes. Check yours out today, has it changed since January 1, 2020 when CCPA was implemented? Probably not;
4) Your cookie wall is kind of annoying to your customers, and why would you want to annoy them when (and here’s a pro tip for which your marketing team can thank us later) CCPA doesn’t even require a cookie banner (but it does require other updates to your website like “Do Not Sell” so please don’t stop reading); and finally
5) Cookie wall companies aren’t providing their product out of a sense of altruism, so keep in mind that if you’re not paying for the product, you ARE the product.
OK, so now I know that cookie walls are bad. What can I do?
I’m glad you asked. The cookie consent management platform that you use needs to:
1) Adapt to regulations based on a visitor’s geography or residency, so that a European visitor has a different experience than a visitor from California;
2) Provide a mechanism for a visitor to opt-in or opt-out of cookie collection;
3) Automate the process of turning on or off cookie collection;
4) Transparently tell visitors what cookies are set and what they do;
5) Generate audit-ready consent receipts each time a visitor updates their consent; and
6) Remember preferences the next time a visitor arrives at your website.
If your cookie consent management tool does not have these functionalities (and I can guarantee that cookie walls do not) then you’re using the wrong solution. Clym can help. Our cost-effective, scalable, audit ready platform can accommodate websites of any size built on any platform (Shopify, Magento, Wix, WordPress, etc.), and our team is ready to help when you’re ready. Please feel free to contact us today or book a demo to see how we can assist.