Until recently, cookie consent was an insider-term for digital marketers, but it has slowly gained importance over almost any other topic. This increasing relevance lays on the obligation to actively request users’ consent to use cookies every time they visit a website. How consent is and must be collected is furthermore the basis of controversial discussions.

Cookie consent management is critical for companies; unfortunately, it has often been dealt with partially. Cookie Consent Management lays the foundation to determine which marketing tools and data companies may use to improve the user experience. Best practices, recommendations, do’s and don’ts are highlighted in our two-part blog series.

What are cookies

We encounter cookies on every website and in countless mobile applications. Cookies are often imperceptible for users, but for martech and adtech operators, they are an essential element in their daily work. Cookies are used to store information on a user’s terminal device and make it retrievable; this ranges from storing settings on the Website to IDs for recognizing users. This capability makes standard applications such as web analysis, targeting, media buying, attribution, and user-centered communication possible in the first place. If I can’t recognize a user, I can’t communicate with them.

The use of IDs is a real concern for data protectionists and browser makers since this (and the user’s IP address) must be considered personal information. The motivation is not necessarily the same. While legislators and data protection officers want to cease data sharing practices that have gotten out of hand in the past – primarily through data economy, transparency, and required consent; browser developers see themselves in a race to be perceived as the “browser with the strongest data protection.” This race may create competitive advantages for their own “walled garden” advertising ecosystems and also cause a negative public perception. Either way, as website operators, we face the challenge of establishing a legally compliant user consent process while continuing to set up our ecosystem to ensure maximum impact from our digital presence.

We face the challenge of establishing a legally compliant user consent process while continuing
to set up our ecosystem to ensure maximum impact from our digital presence.

What are the different categories of cookies?

On the technical level: Cookies can be divided into categories based on several characteristics. This categorization is essential for further assessment and the design of cookie consent management.
The first level of classification is the domain for which cookies are set. Here, a distinction is made between first party-cookies (which are set on the site’s domain) and third-party cookies (which are written on the domain of a third-party).

The next relevant level of classification – driven by the legal framework – is the cookies’ purpose of use. These include, for example:

  • Necessary cookies for the operation of the website
  • Cookies for analysis purposes
  • Cookies for advertising purposes
  • Cookies for the integration of social media platforms
  • Cookies for personalization purposes
  • Cookies for website performance and operability

What is Cookie Consent Management?

Cookie Consent Management is an umbrella term covering technologies, processes, information, and (technical and organizational) roles to ensure the legally compliant and secure storage, interpretation and application of a user’s consent to the use of cookies within websites.

The design of cookie consent management is therefore inevitably related to the relevant local legislation. Nevertheless, there are numerous design options – for both the user experience and the organizational structuring of the backend processes, that could influence how effectively the website’s use of technology can ultimately be designed.

What are the different types of Cookie Consent?

Overall, three or four types of “cookie consent” have established themselves on the market, which can be found all over the Internet in various forms and sometimes in creative version:

    • The Waiver of any reference

This can be justified by the local legal framework, the renunciation of corresponding technologies, or the operator’s ignorance.

    • The standard cookie banner

The announcement “This site uses cookies” is intended to make it transparent to the user that information technology is used here. Clicking on a corresponding button hides the banner.

    • The Cookie OptOut

The user sees the warning “This page uses cookies” supplemented by an option to withdraw the use of cookies by clicking a button or a link to a target page.

    • The Cookie OptIn

The user receives the warning “This site wants to use cookies” supplemented with a request to approve its usage by clicking a button.

Within the framework of the OptOut and OptIn solutions established on the market, it is becoming more common to specify the consent or rejection, e.g., by cookie category or at the individual services/providers’ level.

Why is Cookie Consent Management needed?

Requirements GDPR for Cookie Consent Management

Due to the GDPR and decisions of the European Court of Justice (Gerichtshof der Europäischen Union EuGH), the unanimous agreement is that users within the scope of the GDPR must explicitly consent to the use of cookies (so-called opt-in solution). This was expressly stated by the “Planet49” ruling from October 2019. Since then, there has been much agitation around the topic of cookies and consent. The application of OptIn is not only predominantly demanded by responsible parties but also is now becoming the standard.

Moreover, in many cases, what should be standard after May 2018 with the introduction of the GDPR is still neglected: not only the request for a user’s consent is part of cookie management, but also the implementation of internal approval processes as well as the establishment of contractual agreements on data processing with the respective providers; this is because, from a purely legal perspective, personal data is passed on to a third party in the form of IP addresses, cookie IDs, etc.

Requirements CCPA for Cookie Consent Management

Like the GDPR, the CCPA (California Consumer Privacy Act) has extraterritorial validity, which means that companies outside of California must also comply with the resulting data protection requirements if they operate within California. This ruling makes it all the more difficult to apply the sometimes vague requirements of the CCPA to one’s own website presence.

In addition to the rights of access and deletion to which every user is entitled in various forms under the CCPA, the handling of cookies is particularly important for the proper website’s operation. In the case of the CCPA, the requirement here is to set up an opt-out option for the use of cookies; such is available to a user at any time (so-called opt-out solution).

What are the business potentials of Cookie Consent Management?

In addition to the universally discussed legal consequences of what can happen if Consent Management is not implemented or not implemented correctly, numerous opportunities and risks are less well known (see graphic).

Cookie Consent Managment Abb.: Business Impacts of Managing Cookie Consent correctly, Smart Digital 2020

In part 2 of this blog, we will explain what companies can do to implement Cookie Consent Management correctly and thus comply with the requirements outlined and at the same time leverage business potential.

Photo: Castorly Stock| Pexels