On May 25th 2018, the European Union’s General Data Protection Regulation (GDPR) came into force. But even if your website isn’t hosted in the UK, or in the EU, the GDPR still applies.
For example, despite the GDPR being a European regulation, if a website is owned by an American and hosted in the United States, the GDPR will affect that site if it is visited by anyone in Europe.
As long as a person is physically located in the EU at the time they visit a website, the GDPR applies.
So, all websites, no matter where in the world they are run from, must adhere to GDPR rules if they are visited by people located in the EU. In other words they must:
- update their website privacy policies to GDPR standards, and
- adhere to all GDPR rules around any collected data.
The GDPR Is About Personal Data Privacy And Protection
While it sounds quite onerous, the GDPR isn’t all bad. It was born out of a good idea, but its implementation is clumsy.
The GDPR concerns the handling of all personal data held by companies, public bodies and authorities. It’s not just about personal data on websites. It seeks to bring more transparency to, and accountability for, personal data held by third parties.
So, for example, if you keep paper-based customer files in your office, the GDPR affects how you gather, process, store, remove, report on and take care of that private information. In essence it is a good thing.
But What About The GDPR And Our Websites?
The GDPR counts cookies as personal data because they are placed on a visitor’s computer and because they can track things that the computer user does.
Further, when it comes to website cookies, the GDPR expects no-one to be denied access to a website, just because the visitor disapproves of cookies.
But some cookies are essential to the running of a site, and other cookies help to make a site worth running. The ones that are essential to the running of a site are called essential cookies. The others are called non-essential cookies.
So-called “non-essential cookies” include cookies that website owners need in order to run a business online. Right now, for example, this website needs retargeting cookies, tracking cookies and personalised advertising cookies to transform this site from a loss-making hobby into a viable business.
Websites need cookies as they are key to monetization. After all, business websites can’t, by definition, run at a loss. It’s possible the GDPR will cause websites to lose income. If users are given a choice and choose en masse to avoid non-essential cookies, it will affect the site’s ability to earn.
How Are Some Websites Handling This Issue?
You may have noticed some US-based sites are simply blocking all EU-based visitors. They presumably care little for EU traffic as they make most of their money from US visitors.
For an example of this, see below. It’s a screenshot of what you see on the LA Times website when viewed from within the EU, at the time of writing this post. Hopefully by the time you visit the site, they’ll have figured something out.
In order to run a website – especially one like the LA Times – you have to be able to track user behaviour, repeat visitors and visitor interests. It also helps to run affiliate ads and track their clicks too. If you don’t, you won’t have the intelligence to grow your business. By intelligence I mean data … not IQ.
But the fines for non-compliance with the GDPR are potentially huge. Some of these large sites don’t want to install annoying, complicated-to-maintain pop-ups. However, without them they may be fined millions by the EU. So their response has been, somewhat understandably, to shut EU-based visitors out.
GDPR: Consent Must Be Freely Given
I have a problem with this, as do many other websites. When a visitor arrives at my site, I don’t mind saying:
But I draw a line at having to write code to specifically undo individual cookies as per the user’s specific requirements. I object for three reasons.
My Three Objections To GDPR Cookie Consent Policy
Providing On-Site, User Control Of Cookies Is Technically Difficult
It’s really difficult. It’s definitely beyond the abilities of 99.9% of website owners. The GDPR has been interpreted to mean that we must drop no non-essential cookies on the first visit and then ask the user if it is OK to switch them on.
That suggests all sites must run with no non-essential cookies until the user says it’s OK to switch them on.
The only way to record what the user wants is, ironically, to drop a cookie. Some of the larger sites are implementing cookie consent in this way, but they have the funds to build and maintain such complex processing.
Implementing user cookie control on our sites will take considerable coding skills. A lot of effort would be expended on a non-productive activity. Most small businesses can’t afford that.
Third Party Cookies Can Change
The problem is that, to implement cookie consent in the way the GDPR implies, you have to monitor all cookies on your site in real time. Why? Third-party cookies are called third party because they are not placed by you.
Third-party services (Google, Infusionsoft, Mailchimp, ActiveCampaign, HotJar, Amazon, Facebook etc.) used on a site can add new cookies or stop using existing ones at any time.
Further, if a new third party service or advertising feed is added to a site, new cookies will appear.
All these cookies would have to be regularly scanned so that the software is aware of the current list of cookies at any point in time.
There could be scores of cookies with strange, unpronounceable names that are meaningless to most. But still, the idea is that users should know about them, and be allowed to say which ones they like the look of, and which ones should, under no circumstances, be downloaded to their individual computers.
As I mentioned before, to capture this, an essential cookie must be placed on the user’s computer. This is so the website can remember this particular user doesn’t like certain other non-essential cookies.
Then, the next time the same user visits the site, the site will look for that cookie and use it to remember their preferences, thereby ensuring the cookies they didn’t like on their last visit aren’t used.
But what about the new cookies that have been added since their last visit?
I guess the user would have to be asked again.
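To make the procedure sketched above concrete, here is an added example (not code from this post, nor from WPMagiq or Insites): the visitor’s decision is recorded in a single first-party “essential” cookie, every non-essential category stays off until that decision exists, and the banner is shown again when the site’s cookie inventory changes or when cookies appear that the inventory never listed. The cookie names, categories and the inventory version number are constructed for the example. It is written as pure functions over a cookie string so it runs in Node; in a browser the same string comes from document.cookie.

```javascript
// Added example, not code from the original post or from WPMagiq/Insites.
// It models the procedure the post describes: record the visitor's choice in
// one first-party "essential" cookie, keep every non-essential category off
// until that choice exists, and re-prompt when cookies appear that the site's
// inventory does not know about. Written as pure functions over a cookie
// string so it runs in Node; in a browser the string would be document.cookie.

// Constructed inventory: the cookies this hypothetical site expects, by category.
const KNOWN_COOKIES = {
  session_id: 'essential',
  cookie_consent: 'essential',    // the one cookie that records the decision
  _ads_retarget: 'advertising',
  _analytics_visit: 'analytics',
};
const NON_ESSENTIAL = ['advertising', 'analytics'];
const INVENTORY_VERSION = 3;      // bump whenever KNOWN_COOKIES changes

// Parse "a=1; b=2" (the shape of document.cookie or a Cookie header) into a map.
function parseCookieString(str) {
  const out = {};
  for (const part of str.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// The decision is stored as JSON: { v: inventory version, allow: { category: bool } }.
// Anything unparsable is treated as "no decision", so a corrupted cookie
// cannot silently turn a category on.
function readConsent(cookies) {
  if (!('cookie_consent' in cookies)) return null;
  try { return JSON.parse(cookies.cookie_consent); } catch (_) { return null; }
}

// Serialise a decision as a Set-Cookie value. Scoped to this origin, sent only
// over HTTPS and not on cross-site requests, so it cannot itself become a tracker.
function buildConsentCookie(allow, version, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify({ v: version, allow }));
  return `cookie_consent=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Categories whose scripts may load now. No decision means nothing non-essential loads.
function allowedCategories(consent) {
  if (!consent || !consent.allow) return [];
  return NON_ESSENTIAL.filter((c) => consent.allow[c] === true);
}

// Cookies present in the browser but missing from the inventory: the case the
// post raises, where a third-party tag has started setting something new.
function unknownCookies(cookies) {
  return Object.keys(cookies).filter((name) => !(name in KNOWN_COOKIES));
}

// Decide whether to show the banner (again) and why.
function needsPrompt(cookies, version) {
  const consent = readConsent(cookies);
  if (!consent) return { prompt: true, reason: 'no-decision' };
  if (consent.v !== version) return { prompt: true, reason: 'inventory-changed' };
  const unknown = unknownCookies(cookies);
  if (unknown.length) return { prompt: true, reason: 'unknown-cookies', unknown };
  return { prompt: false, reason: 'ok' };
}

// Constructed walk-through of three visits by the same visitor.
function walkthrough() {
  const firstVisit = parseCookieString('session_id=abc123');
  // Visitor declines advertising but accepts analytics; only the name=value
  // pair of the Set-Cookie string comes back on later requests.
  const setCookie = buildConsentCookie({ advertising: false, analytics: true }, INVENTORY_VERSION);
  const pair = setCookie.split(';')[0];
  const returnVisit = parseCookieString(`session_id=abc123; ${pair}`);
  // Later a vendor tag has started dropping a cookie the inventory never listed.
  const laterVisit = parseCookieString(`${pair}; _new_vendor_tag=xyz`);
  return {
    first: needsPrompt(firstVisit, INVENTORY_VERSION),
    returnAllowed: allowedCategories(readConsent(returnVisit)),
    returnPrompt: needsPrompt(returnVisit, INVENTORY_VERSION),
    later: needsPrompt(laterVisit, INVENTORY_VERSION),
  };
}

console.log(JSON.stringify(walkthrough(), null, 2));
```

The inventory is the part that needs maintaining: whenever a third-party service is added or changes what it sets, KNOWN_COOKIES and INVENTORY_VERSION move together, which is what makes every existing decision stale and forces the question to be asked again, exactly as described above. The unknown-cookie check is the real-time safety net for the cases the inventory has not caught up with yet.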
Buying Cookie Control Software Is Expensive
If the coding skills are not available in-house, a solution can be bought. Companies offering GDPR-compliant cookie solutions are milking the situation and charging monthly fees per website. So, if you have 5 websites, you could end up paying £150 per month just to provide cookie management and notification.
Your Website Isn’t The Right Place To Control Cookies
Why should site owners add all this complexity to their websites, when the best and most sensible place to administer cookie control, at any granularity and of any type, is in the user’s browser?
The browser is a piece of software run by each individual, so it is the right place to implement individual choices.
Browsers are ALREADY equipped to do this, so if users want to turn cookies off, or remove existing cookies, they already can.
The EU Decision Makers Had Two Options
Consider the following two options which were open to the EU:
- force the update of half a billion individual websites, with half a billion variations of complex, error prone software, clogging the internet with popup after popup, or
- ask the 6 or 7 browser manufacturers to make their existing functionality even more user friendly than it already is, to solve the problem at source.
I can’t figure out why they chose the first option. Can you?
How I’m Doing Cookie Notification
I’m adding a cookie notification popup to all of my sites. If visitors don’t want cookies, they can click a link in my popup. This will take them to a page where they can find instructions on how to switch off and/or delete cookies in their own browsers.
Personally (you must decide for yourself), I think this method is minimally compliant with the GDPR.
Minimal Cookie Consent
Originally I got the code for my cookie notification popup from the people at Insites. You can go there and use their free wizard to create the code for the flavour of cookie consent you’d like to appear on your site.
For example you might want to integrate a much deeper, more complex, version than I have. Their wizard will help you on your way to doing that.
Truthfully, I did intend to do a full integration, but when I looked into it, I realised it would become a full-time job, so I couldn’t. I decided to implement a minimal solution instead.
By minimal, I mean that I direct the users to a page where cookies are explained, and links are provided to instructions for switching off cookies in their browsers.
I Used WPMagiq To Add The Code
If you believe that encouraging the user to control cookies in their own browser is adequate for the GDPR, you’ll now find the functionality to add a popup that can do that in the WPMagiq plugin.
I used WPMagiq on this site. I added the following wording to the pop-up, but of course, you can use your own wording.
“Cookies are used to make sure you get the best experience while on the site, to help us target our ads to suit your personal behaviours and preferences, and to help us understand how well we’re doing for our visitors.”
“No – I don’t want that”
Liz’s wording for Cookie Consent
Can I See A Demo?
You may have seen the popup box on this site already. But if you have previously agreed to cookies, it might not appear again.
If you’d like another chance to see the popup in action on this site, simply visit the site in an incognito window in your browser. If you do that, the popup will fire.