When GDPR came into effect in May 2018, it was supposed to put the user at the centre of the data and privacy conversation. It was intended to increase transparency and boost consumer trust, making consent an important part of every online experience and data exchange.
Except it hasn’t been completely successful. This is particularly true in the context of cookie tracking, one of the main things GDPR was supposed to improve. While it may have made many people more aware of this previously clandestine aspect of digital experiences - by forcing companies to gain user consent before tracking users - rather than leading to uniformity and simplicity, it has led to more confusion and more fragmentation. Far from increasing transparency and trust, it’s only entrenching cynicism further.
Recent research done here at AND Digital has indicated the extent of this fragmentation. It paints a confusing picture in which there are wildly diverse approaches to cookie opt-ins, with many organisations even employing dark patterns that manipulate user behaviour.
We’ll outline some of our findings shortly - but first let’s remind ourselves what a cookie is, and the different types we find when online today.
What is a cookie?
Cookies are small files used by websites and applications to store data that the site (or the owners of the site) view as important in helping them to deliver ‘the best possible user experience.’
Of course, this is where some of the problems with cookies begin. What ‘the best possible user experience’ is, exactly, is open to interpretation. At one end of the spectrum they can be used so you don’t have to re-enter a password; on the other, they underpin vast programmatic advertising networks which are able to target or retarget adverts based on your online behaviour.
This vast spectrum of uses is one of the causes of confusion and distrust. When we talk about cookie tracking we often talk in general terms, masking the specific ways in which cookies are used in different contexts.
First and third party cookies
Perhaps one of the most useful distinctions is between first party and third party cookies. First party cookies are simply used in interactions between you and a single website. They’re ‘owned’ by the website owner. Third party cookies, meanwhile, are used in interactions across multiple - sometimes thousands - of different websites. They’re created (and thus owned) by the external tools or platforms that track and share them.
It’s third party cookies that cause most concern, as you might expect. This is partly because of the lack of transparency about these third party providers and, moreover, because of the way they share data across different services.
The impact of GDPR on cookie consent
As mentioned at the start, one of the goals of GDPR was to improve transparency in how data is handled and shared. Its effect was, as you might remember, instantaneous and visible - just about every website you visit - if you’re in the EU - now has some kind of banner or pop up asking you to accept cookies.
Fundamental to GDPR is the notion of user consent. Users, in other words, need to opt-in to tracking (or data collection more broadly). That makes sense - except research has shown that it hasn’t really achieved this.
A study by Amazee Metrics done 30 days after GDPR legislation went live found that:
- 76% of all visitors ignore the cookie banner
- 11% click on “Accept all cookies” (a further 12% just close the banner)
- 0.5% open the cookie settings
And of that 0.5% that do open the cookie settings, 0.33% actively sought out and disabled cookies.
This underlines the point that cookie pop ups fail to really capture user consent. Sure, most users don’t alter or reject the terms, but they’re clearly not actively accepting them either. And this is a major challenge to any organisation that wants to be data-driven: a lack of an effective consent management process affects your ability to gather that opt-in, impacting your ability to push data into your analytics tools, in turn meaning you may struggle to create insights on how your users are browsing your site.
Although analytics tools are developing approaches to plugging these gaps (i.e. Google Analytics 4 is introducing Machine Learning concepts to “forecast” behaviour) the message here is clear - businesses need a considered approach to gathering user opt-in, in order to be granted permissions to create the most impactful customer insights.
AND Digital's Research on cookie popups
While the Amazee Metrics research provides a useful insight into user attitudes, we wanted to dig a bit deeper into the design of cookie consent banners and popup. If users aren’t actively consenting, surely this is due to the way information is conveyed and displayed?
We looked at the top 50 websites in the UK (as defined by their ranking on SimilarWeb). After removing adult sites from the list, we then dived into their cookie management experience for new users on both Safari (which uses integrated blocking tools) and Chrome to see how the biggest sites approached the whole process. What we found was interesting.
94% of the websites we profiled have some form of visible cookie management banner or pop up. Most of these were pervasive, which means if you ignore them, they persist from page to page. Others, meanwhile, were what we call ‘blockers,’ which the user must accept to access the site at all.
Only 74% of these cookie management platforms allow an easy and intuitive way to reject all cookies (for example, a clear “reject all” button, or some other obvious way to opt out). The remainder require varying levels of manual interaction in order to opt out of tracking. So, although the functionality is being relatively well adopted, there’s still a lack of consistency in functionality.
The key takeaway is that the user is not being put first. There are even some interesting instances of cookie dark patterns, where design is used to deliberately guide a user to take one course of action over another.
For those platforms that didn’t offer the option to “Reject All”, we often found that responsibility would be pushed back onto the user. This typically involved paragraphs of text suggesting that browser settings must be altered or extensions added in order to create a fully ‘private’ browsing experience.
(While this seems a considerate and democratic approach, it’s possibly a level of technical involvement that an average web user doesn’t want to embrace - again potentially leaning into accusations of dark patterning.)
The varied language of cookie consent
More interestingly, the language used to describe the nature of these cookies varies drastically. Even with this small sample of websites, we saw:
- Cookies that require User Consent vs Cookies that are of “Legitimate Interest” (with no plain language description of this term)
- Reject All vs Object All (sometimes used within the same platform, and with one switched on versus one toggled off)
- The initial choices presented to the user on the cookie banner can be any combination of:
- Accept (all)
- Cookie Settings
- Edit Settings
- Edit Preferences
- User Management
- Make Changes
- More Information
We even saw instances of “Assumed Confirmation”, where an “Allow All” button could be positioned next to a “Save and Exit” button, but selecting Allow All delivered the same outcome as Save and Exit - frustrating for any user looking to understand what they’re accepting and wanting to continue to review their options!
A huge range of Cookie categories were described as:
- Operational (non negotiable)
- “Strictly Necessary”
- Required Cookies / CCPA Opt-Out
- Advertising Cookies & Pixels
- Targeting & Advertising
- Social Media
Typically, you would find at least three of these terms categorising different cookie types - for example, Strictly Necessary (which cannot be rejected) Functional, and Performance.
This all demonstrates that while just about every company is complying with GDPR requirements, there are serious question marks about the way it’s being done. And, moreover, how effective it is.
Our research shows that cookie management today is massively fractured, delivering conflicting and confusing experiences to the user. This undermines trust, and will ultimately lead to more users opting out.
What can be done
Something needs to be done. GDPR is not working as intended, and many companies are not taking responsibility for ensuring users are fully informed. With so much talk about the value of trust in today’s highly competitive landscape, there’s clearly an opportunity for organisations to prove to users that they actually do care about their consent.
From our results, the team at AND formulated some basic recommendations:
- Make your cookie preference experience clear
- Make it simple
- Make sure the least technical audience is the target model
Following these principles will ensure the user is better informed, and, in the long run will build trust. This foundation is essential if organisations are to achieve those critical user opt-ins, and therefore leverage website data in the most effective and value adding way.
Adam Lee is Data & Digital Lead at AND Digital.
Talk to us about data strategy. Get in touch.