No more 'Click OK to continue'.
From 5 October onwards users must be able to give informed consent for cookies—and withdraw it just as easily.
The DPC's warning was clear: 'Ignore us and we're coming to get you'.
As the date approached, there was fear of a large scale rejection of cookies by users. This would severely impede the ability of many sites to track online activity, as well as deliver other features.
The result ... 3 tiers of rejection
Now the dust has settled, evidence suggests that our worst fears have not been realised.
Speaking to an analytics-specialist friend of mine, 3 tiers of rejection (or acceptance, if you prefer) have emerged.
Tier 1 – Low level rejection
The first tier has very low levels of rejection: approx 20% down.
This is an extremely good result and quite rare. Only the very best implementations achieve such a standard. Some key approaches (explained in detail below) for attaining Tier 1 include:
- Compelling users to make a cookie choice
- Not including a 'Reject All' option
- Reducing fear via good content and UX
- Offering something valuable in return
Tier 2 – Mid level rejection
The second tier has moderate-high levels rejection: 30% to 40% down.
This seems to be the average and typical for those deploying an out-of-the-box solution from OneTrust or Cookiebot, i.e. without any changes in default interaction or content.
Although problematic, lost ground can be recovered. An eventual shift to Tier 1 is possible.
Tier 3 – High level rejection
For those in Tier 3, the impact has been very severe. Losses of 70% to 80% have been mentioned. This is catastrophic in terms of tracking. What remains is essentially useless as a summary of activity.
The cause (as we will see below) is due to a series of bad implementation decisions.
Reasons behind the differences
Although many causes underlie the differences between Tier 1 and Tier 3, a few core reasons standout.
Some institutions are far too strict in their implementation. They have either misunderstood or misinterpreted the requirements of the DPC – though these were pretty clearly outlined in their April 2020 report (PDF).
Yes, the DPC set rules for what must and must not be done — but they also included a fair degree of latitude. You do not have to eradicate cookies. You just have to inform your users that you have them and then give them a choice to accept or decline.
Low risk appetite
Many organisations seem overly keen to avoid a run-in with the DPC. Their eagerness for compliance means users are practically encouraged to reject cookies.
Again, this is not a DPC requirement. Cookies are a normal part of business. There is no need virtue signal by treating them as a grubby little secret.
Perhaps the main reason for high levels of rejection is poor implementation.
In the very worst cases, users don't even have to make a cookie decision. The default design rejects them on their behalf. For instance, in many cases users can fully interact with a website without having to choose.
What a waste.
In this case, there is no point using cookies at all (except those that are 'strictly necessary').
Clawing it back - how to increase consent
Assuming you are not in Tier 1, the good news is that improvement is possible.
Indeed, I expect rejection to decrease over time, as industry becomes better at delivering consent as a normal site feature.
Some top tips to increase acceptance include the following:
1. Compel your users to make a choice
The #1 mistake on most websites is allowing users to browse without having to make a cookie decision. In this case, the law means you can only deploy strictly necessary cookies. For most, that means no analytics or other features
The solution is simple.
Implement a change in your consent platform to prevent browsing until after a user makes a cookie decision. As far as I am aware, the DPC has no rule against this.
My understanding is that you get to set the terms of business for your website. One of those terms can require visitors to make a choice about cookies before browsing content.
Sure, some will still reject cookies – but not as many as otherwise.
2. Do NOT include a 'Reject All' cookie option
On this point the DPC is explicit.
You do NOT have to include 'Reject All Cookies' in the default message that appears onload during a user's first visit.
You only need to present 'Accept All' and a mechanism that allows users to manage cookies further, e.g. 'Manage Settings'.
The caveat is that 'Manage Settings' must have the same visual weight as 'Accept All'. You must not bias users towards one decision or the other.
Admittedly not all websites adhere to this guideline. Many appear to give greater prominence to 'Accept All' by placing it within a button, whilst 'Manage Settings' is a plain hyperlink.
I'll leave to their lawyers to argue that point.
3. Reduce users' fear via good content and UX
I sympathise with users who reject cookies. As web owners, we are terrible at explaining what cookies are and what they do. We deserve our users' suspicion. (Sorry mum!)
Of the very few websites to solve this problem is Laya Healthcare.
Rather than bludgeoning visitors with technical mumbo-jumbo, Laya uses a step-by-step interaction and plain language to guide users through a decision process. Not only is the interaction smooth, the clarity of the content is excellent.
Lay's solution creates a sense that they are on the user's side. I have no doubt they have high levels of acceptance.
They deserve it.
4. Offer something valuable in return
As well as being terrible at explaining what cookies are, as web managers we also have a sense of entitlement about our users' data. Now that it is being taken away, we are affronted.
'But, it's me — I deserve to track you!'
Power is shifting to users. We need better justifications about why we deploy cookies than because I'm worth it. We must persuade — and perhaps trade with our users — by offering something valuable in return.
For example, you have probably seen things like ... 'To watch this video, you much change your cookie settings.'
This is a straightforward transaction: cookie consent for a content feature.
Of course, web managers hope that users will then leave cookies turned 'on' afterwards. But, perhaps they won't.
What's clear is that we have a new motivation to reduce users' fears and to work harder for their trust — and this will drive experimentation into 2021.