(Almost) everything you wanted to know about cookie management

What is cookie management made of? Why are visitors teased with cookie banners, and above all - why is the world of cookies so confusing? Read on to find out!

Contents

• How did cookie management come to be?
• A super short overview of cookies
• Is the Wild West of cookie management coming to an end?
• What makes a cookie banner good and lawful?
• What needs to be taken care of?

How did cookie management come to be?

When cookies are used on the site, the online service provider stores a piece of information in the user’s browser. This cookie can be something as simple as a user’s preference for using a light or dark theme, so that the service remembers the choice on the next visit.

There is a good idea behind cookies. When the visitor visits the website, cookies can be used to keep the visitor’s previous logins and shopping cart functions saved. This makes the user’s experience smoother and more effortless when they return to the service next time.

Cookies themselves are not a bad or unpleasant thing, but how they are used and where the tags that use cookies send the information they collect, may be.

The bigger operators started using cookies for tracking between different sites on an individual level. The EU responded to this with legislation concerning electronic communications and data protection (ePrivacy Directive and GDPR), aiming to protect individuals’ personal data by restricting this activity.

The problem has not been the aforementioned cookies that improve the service experience. The challenge has been that cookies can be harnessed to send data to another site, such as an analytics or advertising platform, resulting in the transfer of information between services.

This led to the EU-level decision that if information is to be stored on a user’s device, the user’s consent must be obtained for its storage.

If the user does not give consent, storing the piece of information is not possible. An exception to this consent requirement are cookies that are essential for the technical implementation of the site’s operation or the transmission of a message. For cookies used for other purposes (such as analytics and marketing), the need for managing cookies and cookie permissions arose. Below in this article, more details about first-party and third-party cookies are provided.

However, the law does not provide a clear guideline on how cookies can be precisely used. This has led to each website implementer making their own interpretations of the law – resulting in highly varied practices.

But have these protective measures really helped in protecting personal data and improving user experience?

The legislation introduced cookie banners, through which users can influence the storage of cookies.

Few users love cookie banners. Asking for cookie consent often burdens the browsing experience. Banners may also raise questions for many ordinary users, and for many, cookies and their purposes may not mean much.

To develop an online service, information about its performance is needed – and without cookies, this is yet challenging to achieve.

A super short overview of cookies

What are first-party cookies?

First-party cookies are set by the website that the user is currently visiting. They are typically used to enhance the user’s interaction with the website. They help maintain sessions and remember login details, preferences, and shopping cart items. They allow for the customization of content and advertisements based on browsing history and interests, and they collect analytics to improve the website. Some first-party cookies provide essential functions for the website.

What are third-party cookies?

Third-party cookies are created by domains other than the website the user is visiting. Third-party cookies can access your visitors’ browsers through external services embedded in your site. Examples of these include:

• An embedded YouTube video
• A social media widget
• An ad widget from an ad network

Third-party cookies are used for tracking across websites, ad retargeting, and showing targeted ads to users via ad platforms or social media. These cookies allow brands and vendors to collect a significant amount of personal data about the user, enabling the creation of detailed user profiles. They can also be used for malicious purposes, such as tracking users to steal their personal information or deliver malware.

On the other hand, third-party cookies enable websites to offer certain functionalities, like real-time chat services. However, the absence of third-party cookies typically does not affect the core features of the website.

Is the Wild West of cookie management coming to an end?

Cookie banners still vary widely. Some categorize cookies by their purpose (advertising, analytics, personalization, security, etc.) or according to the entities setting the cookies (which can number in the dozens in some lists).

Media houses’ cookie banners have become infamous for their “legitimate interest” approach and exhaustive lists of data collectors. But what exactly does this mean?

Ad-supported entities have many ad spaces, widgets, and trackers on their sites, which require tracking users’ activities through cookies. In these cases, media companies list all the entities, which are often numerous. Most organizations do not have such extensive cookie operations.

If it’s a municipal or average company’s online service or eCommerce site, they typically use some analytics tool, a few ad platforms, and perhaps a chat functionality. The most challenging cookies are those used by ad platforms (Meta, LinkedIn, Google Ads), as you also need to explain to the user what information these cookies are storing.

However, there is a desire to limit cookie use for large entities as well. This leads to third-party cookies becoming extinct. For example, Chrome is likely to start restricting third-party cookies by the end of next year. The question is, will this solve the problem?

This move is likely to disproportionately impact smaller players that haven’t yet established first-party cookies effectively. Larger companies, on the other hand, have had the resources to structure their websites in a way that makes adapting to this change less disruptive.

What makes a cookie banner good and lawful?

1. It’s clear and comprehensive

A good and lawful cookie banner should clearly display different cookie categories (essential, analytics, preferences, marketing, etc.), the number of cookies, and a list of the cookies. Tools like Cookiebot, Cookie Information, and OneTrust automatically list these. When clicking on details from the banner, you should be able to see all the cookies.

All cookies should have their purpose, duration, and provider/data processor indicated. Each entity is responsible for listing and naming the cookies. If a cookie is not identified, it is very difficult to explain what it is used for. An example of this is the “unclassified” group, which is often a miscellaneous collection of different cookies. Clearly and transparently explain why these features are on the site.

2. It’s user-friendly

The equality of the acceptance banner buttons is essential. Declining cookies should be as easy as accepting them; if cookies can be accepted with one click, declining should also be possible with one click.

Avoid leading the user in the design of the decline and accept buttons, and adhere to a visually ethical and consistent approach. For example, the accept button should not be green, and the decline button should not be red. This is not yet a requirement. The decline option should not be hidden.

The cookie banner must not have pre-checked boxes or “on” toggles for non-essential cookies. Non-essential cookies must not be enabled by default on the service or site; the user must explicitly accept them (opt-in).

According to Traficom, changing consent should be as easy as giving it initially. Practically, this is difficult to implement precisely, but it is one reason why you often see cookie icons floating on the edges of pages.

3. It respects the user’s level of cookie consent

The user’s level of cookie consent must be respected. If a user has not accepted, for example, marketing-related cookies, then cookies set by scripts from Facebook or LinkedIn should not be placed in their browser.

If you use a ready-made cookie banner from a provider like OneTrust, Cookiebot, or Cookie Information, blocking cookies can be done automatically or by categorizing the scripts set in the site’s code yourself. The execution of scripts can also be managed via Google Tag Manager.

What needs to be taken care of?

Implement a ready-made cookie banner solution  

If you haven’t already, now is the time to implement one of the common cookie banner solutions. This will make it easier to record cookie consents and allow you to demonstrate, if necessary, when each consent was given in accordance with Traficom’s requirements. So, if a user or another party requests clarification on consents, the user can see their own consent ID and send it to the website owner, who can then retrieve the user’s consent information from their database using that ID.

Ensure that your banner supports Consent Mode V2

Google Cookie Consent Mode V2 came into effect in March, so if you want to run Google ads, you need to have the new consent mode enabled. If you are using one of the big three providers, your banner supports the new consent mode. Otherwise, it’s worth checking Google’s listing to see if your banner is compliant with the new consent mode.

Monitor the acceptance rate of the banner

Tracking the cookie banner acceptance percentage is recommended. It typically ranges between 50-80% depending on the industry. If the acceptance rate is higher than this, the cookie banner likely does not comply with Traficom’s guidelines, and necessary adjustments should be made, preparing for a drop in figures.

Website visitors are now more aware and are less likely to grant permissions as easily as a few years ago. The more transparently and moderately you handle things, and the clearer you document the use of cookies, the more likely users are to grant permission for cookies.

Consider adding a cookie-less analytics solution

Due to the low acceptance rate of cookies, it’s also worth considering cookie-less analytics solutions as a complementary option, such as Plausible or Matomo. Many websites want to know the number of visitors, which cookie-less analytics provides.

Cookie-less analytics solutions may not be sufficient on their own since more detailed data is often desired. When advertising and tracking conversions, cookies are required to enable tracking and reporting.

There’s no shortage of tools on the analytics side. However, it’s important to remember that server-side analytics solutions also provide cookie-less data. Server-side analytics can accurately and reliably extract traffic volumes.

For example, Google Cloud Platform offers excellent logging tools, allowing metrics to be created using cloud platform tools. By monitoring logs and metrics in a cloud service environment, basic information can be obtained without external or cookie-dependent tracking.

If you would like to hear more, contact us!

Experts:

Panu Ervamaa, CTO, Hion
Niko Karppinen, Web Analytics Lead, Hion
Ville Vainio, Partner and Lawyer, Applex: As the head of Applex’s Technology & Data Protection practice, Ville assists domestic and international clients from SMEs to listed companies, particularly in data protection and technology law. Ville is a certified data protection expert (CIPP/E).