November 25, 2025

How To Check If Your Website Is Cookie Compliant

Got a cookie banner but worried it may be broken? Here's how to check and stay on the right side of the law

Key Takeaways

  • Tracking the ways visitors engage with your website is key to understanding how they use it, what they're interested in, and whether or not they take the actions that are most valuable to you (such as completing lead capture forms or making online purchases).
  • This kind of tracking is commonly performed using cookies or 'beacons' - tiny, unobtrusive lines of code added to websites which send signals back to analytics platforms such as Google Analytics and Crazy Egg, as well as advertising platforms such as Facebook, Instagram, LinkedIn, TikTok, X and more.
  • EU and UK data privacy laws insist that you obtain explicit consent from website users before you use tracking technologies. Failure to do so means you're breaking the law.
  • Obtaining consent is typically undertaken using a third-party Consent Management Platform or CMP, which displays a cookie banner on your website to all visitors when they first arrive, and which asks them to either accept, reject, or customise their cookie choices.
  • It is quite common for CMP cookie banners to be installed incorrectly. Even if this is by accident and not by design, it's still a breach of data privacy rules.
  • There are several ways in which you can test your website to identify compliance gaps, including with the developer tools built into Google's Chrome browser.

Cookies and The Law

Before we delve into the technicalities, it's worth quickly looking at the laws surrounding data privacy and how they're changing.

The legislation we're primarily concerned with is GDPR - the General Data Protection Regulation - which demands that websites must get a user's explicit consent before using non-essential cookies that collect personal data.

Key GDPR cookie requirements are:


Informed consent

Websites must clearly inform users about their use of cookies, the purpose of each cookie, and how they can withdraw consent.


Affirmative action

Consent must be given through a clear, positive action, such as clicking an "Accept" button. Pre-ticked boxes or assuming consent from continued browsing are not compliant.


Granular control

Users should be able to accept or reject different categories of cookies, such as those for analytics or advertising.


Easy withdrawal

It must be as easy for a user to withdraw their consent as it was to give it.


Essential cookies

Cookies strictly necessary for basic website functions, like a shopping cart, are exempt from consent, but users must still be informed about them.


Cookie policy

Websites must provide a detailed and accessible cookie policy that outlines the types of cookies used and their purposes.


Record keeping

Consent must be documented and stored as proof of compliance.

How To Check If Your Website Is Cookie Compliant

There are three things you need to look at:

Firstly, does your website even use cookies to begin with?

Secondly, does it display a cookie banner that gives users a choice over cookies?

Thirdly, is the cookie banner being implemented properly and effectively?

Let's look at these each in turn.

Does Your Website Use Cookies?

The easiest way to check is to open Google's Chrome Browser in Incognito mode, and then enter the URL of your website. We've used ours to walk you through the process. If your website displays a cookie banner, don't interact with it yet.

With your website loaded, look just to the left of your website's address:

Click on the icon to open this drop down menu. Look for 'cookies and site data' and click on it:

It will now open this panel. Look for 'manage on-device site data' and, if present, click on it:

It will now open this pane in which you'll see any cookies that are installed on your website, and their status (i.e. whether or not permitted).

Is A Cookie Banner Present That Gives People A Genuine Choice? 

You may have a cookie banner installed, but it may not be compliant depending on the choices it gives.

GDPR is clear: visitors must explicitly give informed consent, or be free to withhold it.

If your cookie banner works like this, it's not GDPR compliant:

"Our website uses cookies. By continuing to browse, you consent to these cookies."

Problem: The user is not given a choice; cookies are presented as a fait accompli.

"Our website uses cookies. Click here to Accept or here to Reject cookies."

Problem: The user is not informed about the cookies and/or their purpose.

"Our website uses a mixture of essential, functional, and marketing cookies. You can either Accept all, Reject All, or Customise your choices."

Problem: The user is still not fully informed about the purposes of the different cookies.

A GDPR compliant cookie banner will:

  • Contain a cookie statement that provides a brief overview of the cookies used and their purpose
  • Make it clear that users are free to choose their cookies
  • Give equal prominence to both Accept All and Reject All buttons
  • Let visitors know they can easily change their minds at any time
  • Provide a link to the website's cookie policy

Take a look at ours. Yes, admittedly, we try to steer visitors towards accepting cookies for all the reasons given (users enjoy a better experience, we are able to continually improve and grow) and, as a result, a whopping 76% of visitors do accept all our cookies, but it's a choice. We don't strong-arm people with 'consent or pay' tactics, or use trickery like making the Accept All button red and the Reject All button green (yes, we've seen that done), or making the Accept All button a solid color whilst giving the Reject All an almost invisible border and practically transparent text so it's easily missed.

Finally, The Technical Check: Is Your Cookie Banner Implemented Properly?

By default, unnecessary cookies should not 'fire' (i.e. start transmitting visitor data) unless and until users have consented to those cookies.

However, it's not uncommon for CMP cookie banners to be installed and configured incorrectly, either in error or on purpose.

When done with malicious intent, the code that provides the cookie banner functionality is installed in the <head> section of the website's code, but not until after all the cookie code. This means all those cookies fire before users have been presented with a banner to make their choices, rendering any subsequent selections totally null and void.

More often than not, it's done by mistake.

Most CMP cookie banners are injected into websites using software like Google Tag Manager. But when setting up the necessary Tags and Triggers, it's important to ensure that cookie consent defaults to a state where unnecessary cookies will not fire unless and until users update their consent preferences by interacting with the cookie banner. This is where we see most errors being made - the assumption appears to be that simply deploying the banner is enough and that everything will be taken care of automatically, but that's not correct.
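The default-state requirement described above can be checked against the order of commands a page pushes to its data layer. This is an added example, not code from this article or from any CMP vendor; it assumes the site signals consent with Google consent mode commands sent through gtag(), and the function name, sample arrays and the G-XXXXXXX ID are constructed for illustration.

```javascript
// Added example. Assumes Google consent mode commands pushed through gtag().
// Consent types that should start as 'denied' until the visitor opts in.
const NON_ESSENTIAL = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// dataLayer: list of gtag() argument lists, in the order they were pushed.
function checkConsentDefault(dataLayer) {
  const cmds = dataLayer.map((args) => Array.from(args));
  const defaultAt = cmds.findIndex((c) => c[0] === 'consent' && c[1] === 'default');
  const firstTagAt = cmds.findIndex((c) => c[0] === 'config' || c[0] === 'event');
  const issues = [];
  if (defaultAt === -1) {
    return ['no consent default set'];
  }
  // The failure described above: tracking is configured before the default exists.
  if (firstTagAt !== -1 && firstTagAt < defaultAt) {
    issues.push('tag configured before consent default');
  }
  const state = cmds[defaultAt][2] || {};
  for (const key of NON_ESSENTIAL) {
    if (state[key] !== 'denied') issues.push(`${key} is not denied by default`);
  }
  return issues;
}

// Constructed sample: banner deployed, but the default arrives late and is incomplete.
const brokenLayer = [
  ['js', new Date(0)],
  ['config', 'G-XXXXXXX'],
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'granted' }],
];

// Constructed sample: everything denied first, then updated after an Accept click.
const correctLayer = [
  ['consent', 'default', {
    ad_storage: 'denied', ad_user_data: 'denied',
    ad_personalization: 'denied', analytics_storage: 'denied',
  }],
  ['js', new Date(0)],
  ['config', 'G-XXXXXXX'],
  ['consent', 'update', { analytics_storage: 'granted' }],
];

console.log(checkConsentDefault(brokenLayer));
console.log(checkConsentDefault(correctLayer));
```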

Another common problem relates to things like widgets and plugins used on WordPress websites, which also need extra configuration that isn't performed properly.

So, how can you tell? 

Well, it's a bit more technically involved than you may be used to, but it's easy enough to do when you know what you're looking for and where to find it.

Open a Chrome Browser window in Incognito mode again, and type in your website URL. Don't interact with the website in any way, or make any selections on the cookie banner for now.

Right click anywhere and select 'Inspect' from the drop down menu:

This will open the developer tools. In the right hand pane, click on the Network tab:

Now, use the filter function to look for evidence of network requests from the end-points that your cookies will be transmitting user data to, such as Google Analytics or Facebook etc, using these common network request / script patterns that act as giveaways:

Google Analytics

Data Transmission: google-analytics.com/g/collect or google-analytics.com/collect

Script Load: googletagmanager.com/gtag/js

Cookie IDs: _ga, _ga_*, _gid, _gat_*, _gcl_au

Google Ads

Data Transmission: googleadservices.com/pagead/conversion_tracker

Script Load: googleadservices.com/pagead/conversion_async.js

Cookie IDs: _gcl_au, _gcl_aw, _gcl_ha

Meta (Facebook) Pixel

Data Transmission: facebook.com/tr?id=...

Script Load: connect.facebook.net/en_US/fbevents.js or fbevents.js

Cookie IDs: _fbp, fr

(Ask us for a full list of others if you need them).

In this example, where we look for our instance of the Meta Pixel by filtering on fbevents.js, you can see that it returns no results because cookies haven't been accepted via the banner:

To further validate cookie firing status, next go to the Application tab and filter based on cookie ID values.

Sticking with our own website, you can see here that the filter returns no results for _fbp:

These checks verify that our cookie banner is set up correctly: it is not allowing marketing cookies, for instance, without user consent.
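The same pre-consent check can be run over a HAR file exported from the Network tab instead of filtering by hand. This is an added example, not part of the original article: it matches the request patterns and cookie IDs listed above, and the function name, the example.test domain and the sample capture are constructed for illustration.

```javascript
// Added example: audit a HAR capture taken before interacting with the banner.
// URL patterns and cookie IDs are the ones listed in the article.
const TRACKERS = {
  'Google Analytics': {
    urls: [/google-analytics\.com\/(g\/)?collect/, /googletagmanager\.com\/gtag\/js/],
    cookies: [/^_ga$/, /^_ga_/, /^_gid$/, /^_gat_/, /^_gcl_au$/],
  },
  'Google Ads': {
    urls: [/googleadservices\.com\/pagead\/conversion_(tracker|async\.js)/],
    cookies: [/^_gcl_(au|aw|ha)$/],
  },
  'Meta Pixel': {
    urls: [/facebook\.com\/tr\/?\?id=/, /fbevents\.js/],
    cookies: [/^_fbp$/, /^fr$/],
  },
};

// Returns one finding per tracker request or tracker cookie seen in the HAR.
function auditHar(har) {
  const findings = [];
  for (const entry of har.log.entries) {
    const url = entry.request.url;
    // Cookies written by script via document.cookie never show up as Set-Cookie
    // headers, so check cookies sent on requests as well as those set by responses.
    const names = new Set([
      ...(entry.request.cookies || []).map((c) => c.name),
      ...(entry.response.cookies || []).map((c) => c.name),
    ]);
    for (const [vendor, sig] of Object.entries(TRACKERS)) {
      if (sig.urls.some((re) => re.test(url))) {
        findings.push({ vendor, kind: 'request', detail: url });
      }
      for (const name of names) {
        if (sig.cookies.some((re) => re.test(name))) {
          findings.push({ vendor, kind: 'cookie', detail: name });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: a pre-consent capture in which the Meta Pixel fired anyway.
const req = (url, cookies = []) => ({
  request: { url, cookies: cookies.map((name) => ({ name })) },
  response: { cookies: [] },
});
const leakyHar = { log: { entries: [
  req('https://example.test/'),
  req('https://connect.facebook.net/en_US/fbevents.js'),
  req('https://www.facebook.com/tr/?id=0000000000&ev=PageView'),
  req('https://example.test/main.css', ['_fbp', 'session']),
] } };
console.log(auditHar(leakyHar));
```

An empty result on a pre-consent capture matches what the manual filter shows for a correctly configured banner; a cookie is reported once for every request that carries it.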

Now, let's have a look at how it appears when we interact with the cookie banner and accept cookies so you can see the difference.

For this, it's important to refresh the browser window to create fresh network requests.

Here we are again in the Network tab, filtering on fbevents.js, the script that's necessary for the Meta Pixel to function and initiate data sharing:

And, to validate this, when filtering in the Application tab, we can see the _fbp cookie ID and a data transmission event recorded against it:

You can see, now that marketing cookies have been accepted, that our Meta Pixel is firing and has, in this case, recorded a PageView event that it has transmitted back to Meta.

The Wrap-Up: How To Check Your Website Is Cookie Compliant With GDPR

Cookies are essential to businesses and charities, providing crucial insights that can help with everything from advertising to website structure and content creation, like blogging. They are also helpful to website visitors, remembering prior content preferences for instance.

But they are subject to increasingly stringent data privacy rules, which have been strengthened in the EU and UK in the past couple of years.

Compliance is essential. Failure to implement proper cookie controls on your website that empower visitors to make informed choices about whether or not to accept unnecessary cookies brings with it the risk of sanctions and reputational harm. Not only that, but in response to tightened data privacy rules, platforms like Google Analytics and Meta-owned Facebook have introduced their own updated protocols which now mean that if their sophisticated machine learning systems detect the absence of website consent signals, or improper consent, they automatically apply their own restrictions - choking-off access to insights that aid your marketing planning, preventing you from building remarketing audiences, and making it difficult to optimise your ad campaigns.

To make sure your website handles cookies properly, you should:

  • First of all check that cookies are actually present (if not, you have nothing to worry about)
  • If cookies are used on your website, you should make sure that a cookie banner is presented to visitors when they first arrive and that it briefly explains your use of cookies and their purposes; makes it clear users have a choice; facilitates that choice; lets people know they can change their selections in the future if they wish; gives equal prominence to Accept All and Reject All buttons; and contains a link to your privacy policy
  • Then check to make sure that your cookie banner is implemented effectively so that no unnecessary cookies are set without user consent. You can do this in Incognito mode in Google's Chrome browser using the built-in developer tools (right-click anywhere on your website and select 'Inspect', press F12 on Windows, or use Command + Option + I (Cmd + Opt + I) on Mac). Check the Network tab for requests associated with common cookies, and then look in the Application tab for cookie IDs, first without accepting unnecessary cookies and then again after accepting them. By default, you should see no cookie script loads or data transmission calls unless and until you have accepted cookies via the banner

Found this useful (if perhaps a little technical if it's your first time)? Help us spread the word about the importance of cookie compliance by sharing it on your social media. Want some practical help reviewing your GDPR cookie compliance? Head to our contact page and start a conversation.
