What’s Happening With GDPR And ePR? Where Does CookiePro Fit In?

About The Author

Suzanne Scacca is a freelance writer who specializes in web design, WordPress, and SEO. In her free time, she builds new websites, experiments with popular … More about Suzanne ↬

Email Newsletter

Weekly tips on front-end & UX.
Trusted by 200,000+ folks.

Now that we have a year of GDPR under our belts, and the ePR is coming soon, there’s no better time than now to review your websites. Do you know what kinds of cookies collect information from your site? And have you provided visitors with information about an option to accept those cookies? If your site is currently not in compliance, or you’re not sure if it is, read this post and start using CookiePro’s cookie consent tool to get your sites moving in the right direction.

(This is a sponsored article.) Is privacy an issue on the web? According to this ConsumerMan piece from NBC News a few years back, it is:

The Internet has become a serious threat to our privacy.
— Jeff Chester of the Center for Digital Democracy
Your online profile is being sold on the web. It's kind of crazy and it's not harmless.
— Sharon Goott Nissim of the Electronic Privacy Information Center
There are no limits to what types of information can be collected, how long it can be retained, with whom it can be shared or how it can be used.
— Susan Grant of the Consumer Federation of America

While there’s been talk of introducing a “Do Not Track” program into U.S. legislation, the EU is the first one to actually take steps to make the Internet a safer place for consumers.

On May 25, 2018, the General Data Protection Regulation (GDPR) was enacted. Soon to follow will be the ePrivacy Regulation (ePR).

With these initiatives holding businesses accountable for the information they track and use online, web developers have to add another thing to their list of requirements when building a website:

The protection of user privacy.

In this post, we’re going to look at:

  • Where we currently stand with GDPR,
  • What changes we’ve seen on the web as a result,
  • What’s coming down the line with ePR,
  • And take a look CookiePro Cookie Consent tool that helps web developers make their websites compliant now.

GDPR: Where Are We Now?

With the one-year anniversary of GDPR upon us, now is a great time to talk about what the updated legislation has done for online privacy.

GDPR Recap

It’s not like the EU didn’t have privacy directives in place before. As Heather Burns explained in a Smashing Magazine article last year:

All of the existing principles from the original Directive stay with us under GDPR. What GDPR adds is new definitions and requirements to reflect changes in technology which simply did not exist in the dialup era. It also tightens up requirements for transparency, disclosure and, process: lessons learned from 23 years of experience.

One other key change that comes with moving from the previous privacy directive to this privacy regulation is that it’s now consistently implemented across all EU states. This makes it easier for businesses to implement digital privacy policies and for governing bodies to enforce them since there’s no longer any question of what one country has done with the implementation of the law. It’s the same for all.

What’s more, there are clearer guidelines for web developers that are responsible for implementing a privacy solution and notice on their clients’ websites.

Has GDPR Led to Any Changes in How Websites Handle Data?

It seems as though many companies are struggling to get compliant with GDPR, based on a test done by Talend in the summer of 2018. They sent data requests to over a hundred companies to see which ones would provide the requested information, per the new GDPR guidelines.

Here is what they found:

  • Only 35% of EU-based companies complied with the requests while 50% outside of the EU did.
  • Only 24% of retail companies responded (which is alarming considering the kind of data they collect from consumers).
  • Finance companies seemed to be the most compliant; still, only 50% responded.
  • 65% of companies took over 10 days to respond, with the average response time being 21 days.

What Talend suggests, then, is that digital services (e.g. SaaS, mobile apps, e-commerce) are more likely to fall in line with GDPR compliance. It’s the other companies — those that didn’t start as digital companies or who have older legacy systems — that are struggling to get onboard.

Regardless of what actions have been taken by businesses, they know they must do it.

A 2018 report published by McDermott Will & Emery and Ponemon Institute showed that, despite businesses’ inability to be compliant, they were scared of what would happen if they were found not to be:

GDPR report - failure to comply costs
Data on what businesses believed to be the greatest costs of failing to comply with GDPR. (Source: McDermott Will & Emery and Ponemon Institute) (Large preview)

Those that said they feared financial repercussions were right to do so. The GDPR assesses fines based on how severe the infringement is:

  • Lower level offenses result in fines of up to €10 million or 2% of the the revenue made in the prior fiscal year.
  • Upper level offenses result in fines of up to €20 million or 4%.

Some high-profile cases of fines have already popped up in the news, too.

Google received a €50 million penalty for committing a number of violations.

Mainly, the issue taken with Google is that it buries its privacy policies and consent so deep that most consumers never find it. What’s more, a lot of their privacy policies are ambiguous or unclear, which leads users to “Accept” without really understanding what they’re accepting.

Facebook is another company we shouldn’t be too surprised to see in GDPR’s crosshairs.

Their penalty was only for £500,000. That’s because the fine was assessed for grievances issued between 2007 and 2014 — before GDPR went into place. It’ll be interesting to see if Facebook changes its privacy policies in light of the much larger sum of money they’ll owe when another inevitable breach occurs.

It’s not just the monetary fine businesses should be nervous about when failing to comply with GDPR.

Stephen Eckersley of the UK Information Commissioner's Office said that, after the GDPR went into effect, the amount of data breach reports increased exponentially.

In June of 2018, there were 1,700 reports of companies in violation of GDPR. Now, the average is roughly 400 a month. Even so, Eckersley estimates that there will be double the amount of reports in 2019 than there were in previous years (36,000 vs. 18,000).

So, not only are the governing bodies willing to penalize businesses for failure to comply. It seems that consumers are fed up enough (and empowered!) to report more of these violations now.

Let’s Talk About ePR For A Second

The ePrivacy Regulation has not yet become law, but it’s expected to soon enough. That’s because both GDPR and ePR were drafted to work together to update the old Data Protection Directive.

ePR is an update to Article 7 in the EU Charter of Human Rights. GDPR is an update to Article 8.

EU Charter of Human Rights
The Freedoms laid out by the EU Charter of Human Rights. (Source: EU Charter of Human Rights) (Large preview)

Although they’re separately defined, it’s best to think of ePR as an enhancement of GDPR. So, not only do businesses have to take care with data collected from individuals, the ePR says that they have to be careful with protecting the identity of individuals, too.

As such, when the ePR rolls out, all digital communications between business and consumer will be protected. That includes:

  • Skype chats
  • Facebook messages
  • VoiP calls
  • Email marketing
  • Push notifications
  • And more.

If a consumer has not expressly given permission for a business to contact them, the ePR will prohibit them from doing so. In fact, the ePR will take it a step further and give more control to consumers when it comes to cookies management.

Rather than display a pop-up consent notice that asks “Is it okay if we use cookies to store your data?”, consumers will decide what happens through their browser settings.

However, we’re not at that point yet, which means it’s your job to get that notice up on your website and to make sure you’re being responsible with how their data is collected, stored and used.

What Web Developers Need To Do To Protect Visitor Privacy

Do a search for "How to Avoid Being Tracked Online":

A sample Google search
Search for “How to Avoid Being Tracked Online” on Google. (Source: Google) (Large preview)

There are over 57 million pages that appear in Google’s search results. Do similar keyword searches and you’ll also find endless pages and forum submissions where consumers express serious concerns over the information gathered about them online, wanting to know how to “stop cookies”.

Clearly, this is a matter that keeps consumers up at night.

The GDPR should be your motivation to go above and beyond in putting their minds at ease.

While you probably won’t have a hand in the actual data management or usage of data within the business, you can at least help your clients get their websites in order. And, if you already did this when GDPR initially was enacted, now would be a good time to revisit what you did and make sure their websites are still in compliance.

Just make sure that your client is safely handling visitor data and protecting their privacy before providing any sort of privacy consent statement. Those statements and their acceptance of them are worthless if the business isn’t actually fulfilling its promise.

Once that part of the compliance piece is in place, here’s what you need to do about cookies:

1. Understand How Cookies Work

Websites allow businesses to gather lots of data from visitors. Contact forms collect info on leads. eCommerce gateways accept methods of payment. And then there are cookies:

Cookies are pieces of data, normally stored in text files, that websites place on visitors' computers to store a range of information, usually specific to that visitor — or rather the device they are using to view the site — like the browser or mobile phone.

There are some that collect bare-bones details that are necessary to provide visitors with the best experience. Like preserving a logged-in session as visitors move from page to page. Or not displaying a pop-up after a visitor dismissed it on a recent visit.

There are other cookies, usually from third-party tracking services, that pry deeper. These are the ones that track and later target visitors for the purposes of marketing and advertising.

Regardless of where the cookies come from or what purpose they serve, the fact of the matter is, consumers are being tracked. And, until recently, websites didn’t have to inform them when that took place or how much of their data was stored.

2. Don’t Use Cookies That Are Irrelevant

There’s no getting around the usage of cookies. Without them, you wouldn’t have access to analytics that tell you who’s visiting your website, where they come from and what they’re doing while they’re there. You also wouldn’t be able to serve up personalized content or notifications to keep their experience with the site feeling fresh.

That said, do you even know what kinds of cookies your website uses right now?

Before you go implementing your own cookie consent notice for visitors, make sure you understand what exactly it is you’re collecting from them.

Go to the CookiePro website and run a free scan on your client’s site:

CookiePro website privacy scan
CookiePro offers a free website privacy scan. (Source: CookiePro) (Large preview)

After you enter your URL and start the scan, you’ll be asked to provide just a few details about yourself and the company. The scan will start and you’ll receive a notice that says you’ll receive your free report within 24 hours.

Just to give you an idea of what you might see, here are the report results I received:

CookiePro scan
CookiePro runs a scan on all data collection elements and trackers. (Source: Cookie Consent) (Large preview)

As you can see, CookiePro does more than just tell me how many or which cookies my website has. It also includes forms that are gathering data from visitors as well as tags.

Be sure to review your report carefully. If you’re tracking data that’s completely unnecessary and unjustified for a website of this nature to get ahold of, that needs to change ASAP. Why put your clients’ business at risk and compromise visitor trust if you’re gathering data that has no reason to be in their hands?

CookiePro scan results
CookiePro’s cookies report tells you what purpose they serve and where they come from. (Source: Cookie Consent) (Large preview)

Note: if you sign up for an account with CookiePro, you can run your own cookie audit from within the tool (which is part of the next step).

GDPR isn’t trying to discourage businesses from using cookies on their websites or other marketing channels. What it’s doing, instead, is encouraging them to be transparent about what’s happening with data and then be responsible with it once they have it.

So, once you know what sort of cookies you’re using and data you’re handling, it’s time to inform your visitors about this cookie usage.

Keep in mind that this shouldn’t just be served to EU-based visitors. While those are the only ones protected under the regulation, what could it hurt to let everyone know that their data and identity are protected when they’re on your website? The rest of the world will (hopefully) follow, so why not be proactive and get consent from everyone now?

To provide transparency, a simple entry notice is all you need to display to visitors.

For example, here is one from Debenhams:

Debenhams cookies notice
This is an example of a cookies notice found on the Debenhams website. (Source: Debenhams) (Large preview)

As you can see, it’s not as simple as asking visitors to “Accept” or “Reject” cookies. They’re also given the option to manage them.

To add your own cookies entry banner and advanced options, use CookiePro’s Cookie Consent tool.

Signup is easy — if you start with the free plan, it takes just a few seconds to sign up. Within an hour, you’ll receive your login credentials to get started.

Cookie Consent dashboard
A peek inside the CookiePro Cookie Consent Dashboard. (Source: Cookie Consent) (Large preview)

Before you can create your cookie consent banner, though, you must add your website to the tool and run a scan on it. (You may have already completed that in the prior step).

When the scan is complete, you can start creating your cookie banner:

Create banner with Cookie Consent
Creating a cookie banner within the Cookie Consent tool. (Source: Cookie Consent) (Large preview)

By publishing a cookie consent banner to your website, you’re taking the first big step to ensuring that visitors know that their data and identity is being protected.

Don’t stop at simply adding a cookie banner to your website. As Vitaly Friedman explained:

In our research, the vast majority of users willingly provide consent without reading the cookie notice at all. The reason is obvious and understandable: many customers expect that a website ‘probably wouldn’t work or the content wouldn’t be accessible otherwise.’ Of course, that’s not necessarily true, but users can’t know for sure unless they try it out. In reality, though, nobody wants to play ping-pong with the cookie consent prompt and so they click the consent away by choosing the most obvious option: ‘OK.’

While ePR will eventually rid of us of this issue, you can do something about it now — and that’s to design your cookie consent form to stand out.

A word of caution: be careful with using pop-ups on a mobile website. Although consent forms are one of the exceptions to Google’s penalty against entry pop-ups, you still don’t want to compromise the visitor experience all for the sake of being GDPR compliant.

As such, you might be better off using a cookie banner at the top or bottom of the site and then designing it really stand out.

What’s nice about CookiePro is that you can customize everything, so it really is yours to do with as you like. For example, here is one I designed:

Cookie Consent preview
A preview of a cookie consent banner built with Cookie Consent. (Source: Cookie Consent) (Large preview)

You can change:

  • Text color
  • Button color
  • Background color.

You can write your own copy for each element:

  • Header
  • Message
  • Cookie policy note
  • Cookie policy settings
  • Accept button.

And you get to decide how the banner will function if or when visitors engage with it.

5. Educate Visitors on Cookies

In addition to giving your cookie consent banner a unique look, use it as a tool to educate visitors on what cookies are and why you’re even using them. That’s what the Cookie Settings area is for.

With Cookie Consent, you can inform visitors about the different types of cookies that are used on the website. They then have the choice to toggle different ones on or off based on their comfort level.

That’s what’s so nice about CookiePro taking care of the cookie scan for you. That way, you know what kinds of cookies you actually have in place. All you have to do, then, is go to your Cookie List and choose which descriptions you want to display to visitors:

Cookie List feature in CookiePro
CookiePro lets you educate visitors about cookies used on the site. (Source: Cookie Consent) (Large preview)

Just make sure you explain the importance of the most basic of cookies (“strictly necessary” and “performance) and why you recommend they leave them on. The rest you can provide explanations for in the hopes that their response will be, “Okay, yeah, I’d definitely like a personalized experience on this site.” If not, the choice is theirs to toggle off/on which kinds of cookies they want to be shown. And the Cookie Consent tool can help.

In other words, a cookie consent bar is not some superficial attempt to get consent. You’re trying to help them understand what cookies do and give them the power to influence their on-site experience.

Wrapping Up

There’s a lot we have to be thankful for with the Internet. It closes geographic gaps. It presents new opportunities for doing business. It enables consumers to buy pretty much anything they want with just a few clicks.

But as the Internet matures, the ways in which we build and use websites become more complex. And not just complex, but risky too.

GDPR and ePR have been a long time coming. As websites gather more data on consumers that can then be used by third parties or to follow them to other websites, web developers need to take a more active role in abiding by the new regulations while also putting visitors’ minds at ease. Starting with a cookie consent banner.

Smashing Editorial (ms, yk, il)