Recently our legal department is asking to add a cookie disclaimer thing to our marketing website. I hate those and want to put in the least intrusive version. How do people here deal with this? Thanks!!
The best thing one can do is not use cookies -> no need for a consent banner.
If that's not an option, the next best thing is to have an overlay that is as honest as possible and most importantly provides not only an "Accept all", but also a "Reject all" button.
Don't use dark patterns, basically. That is, use the same color, style and size for each of those buttons.
My experience is that most users are so used to these overlays by now, they just look for the button which gets rid of them most quickly. Marketing will typically push to tinker with the appearance of the buttons to increase the conversion rate in favor of the "Accept all" option.
Actually not true, the regulation (ePrivacy Directive / PECR in the UK) applies to all trackers including cookies, pixels, scripts, etc. If you can do with only “strictly necessary” across those then you're right.
Also consider visitors are used to these prompts, without one they may wonder: does this site follow the law?
Except this is not the question. Why is it so hard for people to understand cookies are absolutely needed even if you just want to calculate retention or number of unique visitors.
Cookie permissions and EU advertising options should absolutely be built into the browser, it makes no sense for the user to have permissions on each site individually like this with a different system on each one.
Then the user can centrally review what permissions they gave, revoke them etc.
So no sites should have these kind of approval banners.
Huh, I think I agree. Not only are the banners slow, obnoxious, have a tendency to being manipulative and are different for every website, a web developer can easily ignore the user's choice and track them anyway. Apple made a big leap with the “ask app not to track” and I think browsers should have this as well. If only to get rid of those infernal banners.
I think the closest we are going to get to that is the Consent-o-matic plugin, where you set your permissions centrally and it automatically fills in the forms for every web site it can.
And that leads through to another tip to make your consent request less obnoxious - make sure that plugins like Consent-o-matic do actually work correctly and invisibly with your site.
I don't like them, like any other tech person, but let's give credit where credit is due. Ads and SEO ruined it way more thoroughly than cookie prompts.
I would ask them what is the absolute minimum required by law and to provide citations and the penalties for not applying it correctly.
The last time I checked (a few years ago) most websites were doing a serious overkill with the banners, where the law didn't require it. Also, for certain companies the possible penalty for not having a banner was so low that it didn't make sense to have such banners at all.
You can see in this thread that 20 different HNers who are passionate about the subject and done implementation before have 20 different opinions on what the law actually does. So how can we expect random businesses to all be on the same page? And this is not years after GDPR started.
Apple.com does not ask consent to track you for marketing purposes.
GitHub used to not have cookies for tracking purposes either but it looks like some people couldn’t live without tracking users so it’s back after 2 years on some subdomains: https://github.blog/2020-12-17-no-cookie-for-you/
If you have a one-click "no to all" for people like me, and a one-click "yes to all" for people who just want to get on with their lives, and both buttons are the same shape/size/color and easily clickable, then you're already waaaaay ahead of the curve.
Make sure that it does work with extensions like I don't care about cookies. That one is usually easy but make sure it works with the uBlock script too.
Do not have the banner force any site reloads.
Analytics for example can be loaded into a page without reloading.
If that is done the ad blocker users will never notice the banner.
There should be a big "X"-shaped button for simply dismissing the banner, deferring the answer to a later time. After all, if someone is visiting your website for the first time, they likely don't know your site well enough to know whether they want to accept or reject.
Least intrusive: Make it take up so little space that you don’t even need to close it, make the accept button green and the deny button red, and let there be no consequence if neither is clicked. Don’t make anyone aware of the ambiguity that not clicking it is neither consent nor denial.
Pointing out this stuff forces you into the path of requiring that people click on it before being able to navigate the website, which is extremely intrusive, and makes all the marketing people insist that you apply dark patterns.
From user's POV: if you do have to ask for cookies, please make the "reject all" button object to all "legitimate interests", so I don't have to manually expand each "purpose" to object. I won't use the site unless I object to all. If it's too big of a hassle at that moment, I'll just leave and not come back.
The frustration part sets in when I start reading the page, and then a whole-page popup interrupts that experience and makes me disable cookies. Second frustration is when I have to go dig for the "no". At this point, I reevaluate whether I really want to read this page or not, and if it's not essential, I close the entire page at this point mouthing a silent "fy".
So, as others have already said, definitely a "reject all" and be done with it right in the beginning, without the need for any further clicks. Better yet if the banner is just a sliver on the side that doesn't interrupt my reading experience (clearly, as long as I didn't click "yes" on cookies, it can't set any; so it would be default-no, allows me to read, and if I want to click in the corner for something else, I can). Even better if it has an "X" to close that unintrusive side window, and of course the X gets treated as "reject all".
The GDPR law is quite clear - it is MANDATORY to have an equal way to reject consent as to grant it. So basically you must have equally designed button "accept" and "reject" on the same banner frame.
See, the problem is solved even before it appeared - if your company will comply with the law then the banner would not be obnoxious by design.
Make sure that if someone visits your web site with Javascript turned off, and that means that the cookies won't be used anyway, then they can still read the content without a non-functional cookie banner covering all the content up.
Make it as tiny as legaldepartmentally possible, it doesn't need to take the full width of the page, nor does it need to have any colored background. Also doesn't need several sentences of text.
I think the effort would be best spent avoiding cookies and trackers in the first place.
What do you plan on using cookies for? There might be some ways of doing similar things without cookies or trackers (server-side analytics for example) that are more respectful of users and also eliminate the need for any banners at all.
I know my company's website has a pointless cookie modal - the necessary cookies are just for session affinity on a gateway (which I don't believe you'd need a modal for anyway), and the unnecessary cookies are from one analytics integration that's been used just once since it was set up, and another that is used for the most basic reports that you could get from just the access logs.
> What do you plan on using cookies for? There might be some ways of doing similar things without cookies or trackers (server-side analytics for example) that are more respectful of users and also eliminate the need for any banners at all.
For EU things you must make sure what you're doing with this aligns with consent from the user / other justifications. Whether it's server side or cookies doesn't matter for GDPR, it's the collection & use of the data.
To OP, try not to collect data at all, and if you need to then make the consent banner not block the use of the website. Also don't animate it in, just have it there.
Personally ... I think the best option (if you have to have cookies (and there are plenty of reasons you may want/need them)) is to have screen-wide, contrasting-color, short-top-to-bottom bar with a single OK or Accept button for dismissal
Do not give people options about cookies - either they accept (and dismiss the notice), or they leave
When I am presented with cookie options, I start to wonder why there are "unnecessary" cookies present: why are you letting me accept "necessary" cookies or "all" cookies? Why would you have ones that are not needed? Seems hyper sketch ... and I'll go elsewhere (or reject all)
> When I am presented with cookie options, I start to wonder why there are "unnecessary" cookies present: why are you letting me accept "necessary" cookies or "all" cookies? Why would you have ones that are not needed? Seems hyper sketch ... and I'll go elsewhere (or reject all)
Because some are required for the functioning of the site. They can justify dealing with those without you approving it.
Some are there for advertising, that's not required for you to use the site but they'd definitely like to. So they need you to actively consent.
If you're adding a cookie banner for legal reasons, that means you're covering against GDPR, which says that you're -not- allowed to refuse service based on someone not wanting cookies that are not necessary for providing the service (e.g. all the analytics/tracking crap).
You're obligated to give them a way to opt out while continuing to use your service, and it should be as easy to decline as it is to accept[0]. The funny part, of course, is that countless services have put up banners that don't make it easy at all to reject, which means they're still not compliant, they just make the legal team feel warm and fuzzy.
That's why you see necessary vs all, because it's "can we track you or not". If you're just doing absolutely required cookies (e.g. session cookie), you don't even need a banner.
starbugs|2 years ago
bglazer|2 years ago
mrgreenfur|2 years ago
YetAnotherNick|2 years ago
foft|2 years ago
sigwinch28|2 years ago
giladvdn|2 years ago
mnw21cam|2 years ago
muzani|2 years ago
diffeomorphism|2 years ago
quickthrower2|2 years ago
7373737373|2 years ago
philwelch|2 years ago
rogerian|2 years ago
If you have to have one I'd suggest it have a Reject All button which makes the banner go away without any further clicks.
Nothing is more soul destroying than having to click several times to make the nonsense go away.
abcd_f|2 years ago
giladvdn|2 years ago
kolinko|2 years ago
cm2012|2 years ago
speedgoose|2 years ago
red_admiral|2 years ago
LordHeini|2 years ago
quickthrower2|2 years ago
aragonite|2 years ago
mrgreenfur|2 years ago
sshine|2 years ago
eviks|2 years ago
gljiva|2 years ago
bigger_inside|2 years ago
Yizahi|2 years ago
lapsis_beeftech|2 years ago
mnw21cam|2 years ago
btilly|2 years ago
eviks|2 years ago
reportgunner|2 years ago
jesuslop|2 years ago
sdflhasjd|2 years ago
IanCal|2 years ago
The ICO guidance in the UK is pretty good https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
Note that consent is not always the best justification for lawful processing.
jacobsimon|2 years ago
warrenm|2 years ago
mnw21cam|2 years ago
That's outright and explicitly illegal.
(I just thought I'd make that point in a quicker and simpler way than the otherwise great sister post.)
IanCal|2 years ago
pocketarc|2 years ago
[0]: https://gdpr-info.eu/issues/consent