How to not completely suck at cookie consent

I’m not going to complain about the EU’s actual handling of this stuff (hello, cookie directive), but the way websites are handling it blows.

It was seen as an annoyance to website designers and developers when the EU decided in 2011 that we needed to design in an obvious message about how and why we store cookies on users’ devices. The general idea was somewhat admirable in how it put users and their privacy first, and aimed to give users visibility over their data.

The way it was implemented, however, leaves much to be desired. Many websites indeed flouted the rules, or didn’t implement it consistently or accurately. Not much happened with it until GDPR came along in 2018.

GDPR meant that we now had to be much more explicit with how we use personally-identifiable data. With the inconsistent way websites already “ask permission” to store cookies on end users’ devices, this was bound to turn into a bit of a shit show.

Not only are sites blocking users, popping up endless, slow-loading messages and dialogue modals, but security services started to capitalize on it, meaning ever more slow-loading pages. I don’t even blame website owners and developers for using third-party services simply because the ramifications of not adhering to the GDPR rules are severe and wide-ranging. However, it does seem that little thought has gone into designing these services so that they are usable, accessible and not a barrier to entry.


Some websites pop up a subtle message that’s usually fixed to the viewport and generally follows the same style as many sites’ implementation of the cookie directive.

But some sites don’t even allow access until you have accepted cookies (and the privacy implications that come with them). Not only does this cause problems with barriers to entry, but it also takes the control away from the website owner (these are usually third-party services), meaning that if it doesn’t work properly on this device or that browser, that affects users as they browse the web in general because the problem isn’t isolated to one site. This can be incredibly frustrating to users and can be counterintuitive because they’ll end up accepting all of the terms, even though they have the power to reject them and still get access to the content. Think of it like a smoke detector with a low battery: it chirps and chirps at you to change the battery, but the danger is that people will often just take it off the wall and pull the battery out to stop the nuisance beeping, leaving them without fire alarm coverage and potentially putting them in danger.

A screenshot of The Guardian showing a cookie message

The Guardian keeps it effective with a binary choice to accept or not, though the question is on another page

It really doesn’t need to be this difficult. Here are a few things to bear in mind when trying to play by the EU’s rules:

Review all the cookies you’re storing on your users’ devices

Ask yourself: do we really need this cookie? If you can cut down on what you’re asking to store on your users’ devices you may end up not needing to jump through as many regulatory hoops.

More importantly, the less you’re doing to add endless lines to your privacy policy and terms and conditions, the more trust your audience will have in you and your website.

Concisely inform users that they have the power to control things

When people visit websites these days, they’re becoming more and more blind to these cookie messages and other notices about how you’re using and manipulating their data, so it’s really important to be concise with what you tell them and what you ask for.

Consider using just one line to get across what you need to do. If the user doesn’t respond, you must accept that the user doesn’t want to accept the terms and should default to the basics of what is allowed without explicit consent.

Remember, the point of these directives and rules is to give more power to individuals over how companies use (and make money from) their data. Asking simple questions in plain English may make users more likely to accept your terms, anyway.

Test your implementation on as many devices as possible

Not everybody uses the same browser or device; indeed there are countless variations of the same browsers, never mind anything else. Some users will block JavaScript, some will block trackers and some have ad blockers. These things all affect how they interact with web pages, and if that causes problems with their ability to accept or reject your cookies and other terms, they’ll get frustrated, or they’ll think something is wrong and give up.

I’ve seen it myself on a multitude of websites. The page will load and then go dark. A loading symbol will appear but nothing else happens. Some third-party GDPR tool is trying to load but my browser is blocking it for whatever reason. I’m tech-savvy so I know how to isolate the problem, but the vast, vast majority of users won’t and they’ll simply go elsewhere.
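Two of the points above (default to the basics when the user gives no answer, and don’t let a blocked consent tool stall the page) sketched in JavaScript. This is an added example, not code from the original post; the cookie names, categories and stored-record format are constructed for illustration.

```javascript
// Constructed inventory: every cookie the site sets, tagged with its purpose.
const ESSENTIAL = "essential";
const COOKIE_INVENTORY = [
  { name: "session_id", category: "essential" },
  { name: "csrf_token", category: "essential" },
  { name: "analytics_uid", category: "analytics" },
  { name: "ad_profile", category: "advertising" },
];

// Turn whatever was stored (or nothing) into the set of permitted categories.
// Only an explicit, well-formed "accepted" record widens the set; a missing,
// rejected or corrupted value all fall back to essential-only.
function resolveConsent(storedValue) {
  const granted = new Set([ESSENTIAL]);
  if (typeof storedValue !== "string") return granted; // no answer given
  let record;
  try {
    record = JSON.parse(storedValue);
  } catch {
    return granted; // unreadable record is treated as no answer
  }
  if (!record || record.decision !== "accepted" || !Array.isArray(record.categories)) {
    return granted;
  }
  const known = new Set(COOKIE_INVENTORY.map((c) => c.category));
  for (const category of record.categories) {
    if (known.has(category)) granted.add(category); // ignore unknown categories
  }
  return granted;
}

// Names of the cookies the page may set for a given stored consent value.
function allowedCookies(storedValue) {
  const granted = resolveConsent(storedValue);
  return COOKIE_INVENTORY.filter((c) => granted.has(c.category)).map((c) => c.name);
}

// Page-load plan: content is never gated on the banner. If the banner script
// was blocked or failed to load, the page still renders, essential-only.
function planPageLoad({ storedValue, bannerLoaded }) {
  return {
    contentVisible: true,
    showBanner: bannerLoaded && storedValue == null, // ask only if no answer is stored
    cookies: allowedCookies(storedValue),
  };
}
```

Running the inventory through `allowedCookies` with no stored value is also a quick way to see exactly what a first-time visitor gets before they have answered anything.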

Don’t default to legal speak

It isn’t necessary to spout ten lines from your privacy policy up-front just to inform users about how you want to use their data. Use your brand guidelines and allow your messages to be informed by your house tone of voice, rather than by your lawyer’s.

As long as you’re giving users the power to dictate their own online destiny, in a simple and easy way, you’re doing just fine.