Cookie banner yes or no?
Cookies are everywhere on the Internet. And in today's digital world, privacy is a more debated topic than ever.
Strict rules are imposed on Google, Bing and others, but things have not become any easier for you as a website owner in recent years either. After all, you are obliged to be open about the tracking on your website and the data you keep. But are you doing it the right way?
One of the most visible aspects of all the new regulations is the cookie banner. But what are cookies and how exactly do they work? And as a website owner, do I really need a cookie banner?
In this blog post, we take a closer look at these questions and try to give you a clear picture of what cookies are, how they work and why you (may) need a cookie banner on your website.
What exactly are cookies?
Cookies are small text files that are stored on a computer or mobile device when someone visits a Web site that uses cookies. They are created by the Web server and contain information about your online activities, such as the pages you visited, the time you spent on the site and your preferences.
Cookies can be very useful because they allow Web sites to personalize and improve your experience. But ... they are also increasingly under fire for privacy concerns.
What types of cookies are there?
Cookies can be classified in different ways: by origin, by duration or by purpose.
Cookies categorized by purpose
- Strictly necessary cookies or functional cookies: These cookies are essential for users to access your website and use its core functions (e.g. account login). While no consent is required to implement such cookies, you are required to explain what they do and why they are needed.
- Functional cookies: These are essential to the proper functioning of a Web site. For example, they remember your language preference or the contents of your shopping cart.
- Analytical/performance cookies: These help website owners gain insight into visitor behavior, such as which pages are most visited. This helps them optimize the website.
- Marketing cookies: These track your online behavior across different Web sites, often for advertising purposes. They are usually placed by third parties, such as ad networks.
A good cookie banner will offer the ability to accept or reject cookies based on their purpose, but more on this later.
Cookies classified by origin: First-party vs. third-party cookies
An important distinction is that between first-party and third-party cookies.
- First-party cookies: These are cookies placed directly by your website on users' devices.
- Third-party cookies: These are cookies placed on users' devices by an integrated third-party service (e.g., analytics or advertising platforms). Third-party cookies are often focused on tracking and advertising, and it is of course precisely these that are more at issue from a privacy perspective.
Cookies categorized by duration
- Session cookies: These are temporary cookies that expire as soon as a user's session ends or the browser is closed.
- Permanent cookies: As the name implies, this category of cookies remains on a user's device for an extended period of time, until they are manually deleted by the user or the expiration date has passed.
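The two classifications above (origin and duration) can be read straight from the Set-Cookie response headers a page triggers. The following is an added example, not part of the original post; the domains, cookie names and the reference date are constructed, and the site's registrable domain is assumed to be known.

```javascript
// Added example: classify cookies by origin and duration from Set-Cookie headers.
// Assumption: siteDomain is the site's registrable domain; a real scanner
// would derive it with the Public Suffix List. All sample data is constructed.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? "" : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds, or null for a session cookie (no Max-Age, no Expires).
function lifetimeSeconds(attrs, nowMs) {
  if ("max-age" in attrs) return parseInt(attrs["max-age"], 10); // wins over Expires
  if ("expires" in attrs) return Math.round((Date.parse(attrs.expires) - nowMs) / 1000);
  return null;
}

function classify(siteDomain, responseUrl, header, nowMs) {
  const host = new URL(responseUrl).hostname;
  const { name, attrs } = parseSetCookie(header);
  const life = lifetimeSeconds(attrs, nowMs);
  const firstParty = host === siteDomain || host.endsWith("." + siteDomain);
  return {
    name,
    origin: firstParty ? "first-party" : "third-party",
    // A lifetime of zero or less is a deletion, not a stored cookie.
    duration: life === null ? "session" : life > 0 ? "permanent" : "deleted",
    days: life === null ? null : Math.round(life / 86400),
  };
}

// Constructed sample: [URL of the response that set the cookie, Set-Cookie value].
const SAMPLE = [
  ["https://www.example.com/", "PHPSESSID=abc123; Path=/; HttpOnly"],
  ["https://www.example.com/", "lang=nl; Max-Age=31536000; Path=/"],
  ["https://ads.tracker.test/p.gif", "uid=42; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure"],
];
const NOW = Date.UTC(2030, 0, 1);

function scan(siteDomain, responses, nowMs) {
  return responses.map(([url, h]) => classify(siteDomain, url, h, nowMs));
}
console.log(scan("example.com", SAMPLE, NOW));
```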
Does my website use one or more cookies?
This is the first question you should ask yourself. If your website does not use cookies, then there is no reason to implement a cookie banner at all.
As a website owner, it is not only important whether or not cookies are used, but also which cookies are used on your site. However, you can assume that cookies will always be present. There are virtually no websites anymore where this is not the case.
How do you scan your website for cookies?
There are some tools available online, but we were not happy with most of them. Many give incomplete results or do not work at all. Also, they all claim to be free, but you end up with paid versions.
After evaluating many of the scanners, we at Fresh Blend decided to use the Cookie Scanner from CookieScript (https://cookie-script.com/cookie-scanner). It scans your website and provides a clear overview of all cookies present. This allows you to make more informed decisions about your cookie policy.
It is important that you run the scan before you have a cookie consent banner installed, otherwise (when everything is compliant) no cookies will be scanned. If you already have cookie consent installed anyway, you must temporarily deactivate it before scanning.
The scan is completely free, but Cookie Script of course tries to sell their own cookie consent banner/integration afterwards.
Why (should I) use a cookie banner?
Without a cookie banner, cookies would be a fairly silent way to track your users' activities online. After all, they are there without the user even realizing it.
Legislators in Europe, as well as elsewhere in the world, did not necessarily want to put an end to the use of cookies, but they did create a legal framework for this with obligations mainly for website owners and their partners (e.g. Google Analytics 4) to better inform users.
Cookies are regulated in two different "legal frameworks."
- The EU Cookie Directive (2002)
The EU Cookie Directive deals directly with cookies, but not only with cookies: it also covers similar technologies that store or retrieve information on users' devices. Common examples are pixel tags (e.g., from Meta or Facebook), ad IDs (e.g., as used by Google Ads), and so on.
Strictly speaking, the EU Cookie Directive has more say than the AVG when it comes to cookie compliance. This is because the directive addresses important aspects about the confidentiality of electronic communications and contains specific rules about cookies and similar technologies, hence the name "EU cookie directive."
The introduction of the directive also saw the widespread (mandatory) use of cookie consent pop-ups, allowing websites to get initial consent from users before placing cookies.
In addition, the Cookie Directive requires website owners to inform users about the type, use and purpose of the cookies they use. This applies to all websites targeting EU users, regardless of their location.
Although the EU Cookie Directive has been in place since 2002, the introduction of the AVG in 2018 has led to a renewed focus on cookie compliance. Websites targeting EU users must now comply with both the Cookie Directive and the AVG to avoid fines and penalties.
- GDPR, also known as AVG (2018)
The AVG (General Data Protection Regulation) is currently the most robust legal framework in the world and as such has managed to cover all the necessary bases to address the protection of personal data and digital privacy in today's world.
The regulation also has a broad scope, as it applies to companies and websites outside the EU as long as they collect personal data from or track users residing in the EU.
Although cookies are mentioned only once in the 99 articles and 173 recitals of the AVG, the implications are significant for websites that use them to observe users' browsing activity.
This is a literal translation into Dutch of the original text from the GDPR, in Article 30:
"Natural persons may be linked to online identifiers provided by their devices, applications, tools and protocols, such as IP addresses, cookie IDs or other identifiers such as RFID tags. This can create traces that, especially when combined with unique identifiers and other information received by the servers, can be used to build profiles of and recognize natural persons."
Essentially, the AVG states that cookies can be used to identify users, and therefore they fall under the definition of personal data. Consequently, websites that use cookies must comply with the principles and requirements of the AVG, including:
1. Obtaining valid consent from users before placing cookies (unless strictly necessary).
2. Providing clear and transparent information about the use of cookies.
3. Giving users the ability to withdraw their consent to cookies.
4. Implementing appropriate technical and organizational measures to protect personal data collected through cookies.
What must a cookie banner comply with?
If we want to respect the EU cookie directive and GDPR legislation, we could consider these as basic requirements for a compliant cookie banner:
- The notification (banner) must be shown before activating a cookie. (Except for necessary cookies)
- The banner should offer the option of choosing between "accept" and "reject" (aka "decline").
- The choice should not be "all or nothing." So a user has to be able to change or accept certain cookies. This is usually found under "preferences."
- The "accept" or "decline" options should be displayed in an equivalent manner. Both buttons should have the same dimensions, fonts, etc. so that there is no user influence.
- The user's choice should not be permanent. Users should be able to modify a choice after they have made it.
- The user's choice must be kept safe and must be renewed after 1 year at the latest.
- Link to a cookie and privacy policy
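One way to express these requirements in code is a consent record that every cookie-setting script is checked against. This is an added example, not part of the original post and not the code of any particular banner product; the purpose names and function names are illustrative assumptions.

```javascript
// Added example: consent record implementing the banner requirements above.
// Assumption: purpose names are illustrative; timestamps are passed in as ms.
const PURPOSES = ["functional", "analytics", "marketing"]; // need consent
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // renew after 1 year at the latest

// Store a decision. Anything not explicitly accepted is rejected.
function recordConsent(choices, nowMs) {
  const granted = {};
  for (const p of PURPOSES) granted[p] = choices[p] === true;
  return { granted, decidedAt: nowMs };
}

function isCurrent(record, nowMs) {
  return Boolean(record) && nowMs >= record.decidedAt &&
    nowMs - record.decidedAt < MAX_AGE_MS;
}

// Show the banner when there is no decision yet or it is older than a year.
function bannerRequired(record, nowMs) {
  return !isCurrent(record, nowMs);
}

// Gate every cookie-setting script or tag on this check.
function mayActivate(purpose, record, nowMs) {
  if (purpose === "necessary") return true; // no consent needed
  if (!PURPOSES.includes(purpose)) return false; // unknown purpose stays blocked
  return isCurrent(record, nowMs) && record.granted[purpose];
}

// The choice is not permanent: a later change replaces the stored decision.
// Assumption: a change counts as a new decision and restarts the 1-year period.
function updateConsent(record, changes, nowMs) {
  const previous = isCurrent(record, nowMs) ? record.granted : {};
  return recordConsent({ ...previous, ...changes }, nowMs);
}
```

Rejecting is the default here: a purpose is only activated when the stored record explicitly grants it and the record is less than a year old.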
Tips for an effective cookie banner
1. Be transparent: Clearly explain which cookies you use and why.
2. Give users control: Allow visitors to reject certain cookies without drastically affecting their experience on your site.
3. Don't make it too distracting: Make sure the banner does not disrupt the user experience, for example, by not making it too big or blocking the entire page.
4. Keep it simple: Use clear, understandable language and avoid legal jargon.
Conclusion: A cookie banner for your website? Yes.
Cookies are (still) an important and usually mandatory part of the modern Web, but also bring responsibilities for you as a Web site owner.
By being transparent about your use of cookies, including the distinction between first-party and third-party cookies, and giving your visitors control over their data, you can gain their trust and provide a better user experience.
Scanning your website for cookies and implementing a well-designed cookie banner are essential steps here.