Lots of blogs have been showing cookie consent notices since the GDPR. But, is it actually a legal requirement?
You might have noticed that a lot of websites are throwing up annoying notices about browser cookies.
Something that has been normal since pretty much forever - browser cookies - and now suddenly we're forced to get popups to confirm we're OK with it.
Stuff like this...
They come in many forms. But, they're all equally annoying. Take all the annoyances of old-school pop-up opt-in forms and now you're doing it because of legal requirements!
Is this really a legal requirement?
Are we supposed to put these kinds of legal notices on our sites now, even if it worsens the user experience?
Let's take a look. I promise, it is relatively painless. 😉
It Started With GDPR
Let's be real...
The internet has been pretty much a "wild wild west" when it comes to user privacy. Almost anything goes. And the European Union set out to do something about it. Their answer was the General Data Protection Regulation, or GDPR.
There was a lot of noise - and confusion - surrounding GDPR. You may remember it.
The funny thing is that the cookie law out of the EU pre-dated GDPR. In fact, it started as an EU directive in 2011. But, people were sort of ignoring it (willingly or out of ignorance) until the introduction of the GDPR in 2018 sort of scared everybody.
The ironic thing, too, is that GDPR really didn't have anything to do with cookies. It just sort of scared everybody.
To make matters even murkier, the so-called "Cookie Law" in the EU isn't even really a law. An EU Directive is more like a "mandatory suggestion". It still leaves room for interpretation of how to enforce it to the various member states.
But, regardless of the legal confusion about cookies, the hype surrounding GDPR scared people and suddenly cookie consent notices were springing up everywhere.
And then it snowballs...
You have other sites doing it just because they see other sites doing it. They're just assuming that the other guys know something they don't, so just play it safe and throw up a cookie notice. It becomes a big case of the blind leading the blind.
So, let's get down to specifics...
What Does The Cookie Law Say?
In short, if your site targets EU customers, or if the person is located in the EU, you're subject to the Cookie Law. This says that you:
- Explain what data is tracked using cookies.
But, that issue of being an EU-based directive introduces confusion (like a lot of things EU, to be frank). Namely...
If You're Not Based In The EU, Do You Need A Cookie Notice?
What sent everybody crazy about the GDPR was that it applies to any website that targets customers in the EU. And it came with a threat of stiff penalties. Suddenly, websites here in the United States were freaked out. Since they had visitors from Europe, they thought they better comply with GDPR or else face fines.
Well, it isn't that simple.
The EU Cookie Law was mandated on the member states in the EU - and then the member states in turn set up some variation of it for themselves. Enforcement of the law would vary depending on what country you live in.
If you live outside the EU, your website is hosted outside of the EU, and you are targeting visitors anywhere other than the EU, then you don't need a cookie notice.
Yes, that means that if you run a standard blog here in the United States (or anywhere in the world outside of the EU), your site is not hosted in Europe, and you're not going out of your way to specifically target European customers, you can safely skip the cookie notices on your blog. An EU member state just doesn't have legal jurisdiction in the United States, and there is no legal precedent yet here in the US on whether a US court would enforce an EU fine or ruling like this.
On the other hand, if you are running a site that IS based in the EU and you work with EU customers, you need to serve a cookie notice.
One thing to bear in mind, though...
Obviously, if your site serves no browser cookies, you don't need to worry about it at all. Thing is...
Almost all sites do.
Do you run any advertising? Do you have social media sharing buttons? Do you have a site where people log in? Then, your site is setting cookies. This is normal.
Now, there is one little caveat here...
Even if you're in the EU and determined you're subject to the EU cookie law, there are two different kinds of cookies in question here:
- Session cookies. These are cookies specific to the functionality of the website they're on. They are used for site functionality such as search, shopping carts, user authentication, etc.
- Persistent cookies. These are the cookies which stay in place even after the visitor has left the site and are used to track user behavior. Any cookies by an ad network, by analytics tracking software... these are persistent.
You only need the cookie notice if you're setting persistent cookies. If your site only sets cookies for internal purposes, you don't need the cookie notice.
But, keep in mind, in most cases, you're probably setting persistent cookies whether you know it or not. Do you have any of the following on your site?
- Analytics scripts like Google Analytics?
- Single sign-on (like being able to log in using Google or Facebook)?
- Any ads from any third-party network?
Most likely, you are using persistent cookies.
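To check rather than guess, you can look at the `Set-Cookie` headers your pages return: a cookie with a future `Expires` or a positive `Max-Age` outlives the browser session, and one with neither is dropped when the session ends. The Node.js script below is an added example, not part of the original post; the function names are hypothetical and the sample headers are constructed.

```javascript
// Constructed sample Set-Cookie values, not captured from a real site.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/; HttpOnly",
  "_ga=GA1.2.111.222; Path=/; Max-Age=63072000",
  "cart=item42; Path=/; Secure",
  "ad_id=xyz; Domain=.ads.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
  "old_pref=; Path=/; Max-Age=0",
];

// Parse one Set-Cookie value into { name, attrs }; attribute names are lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const nameEnd = pair.indexOf("=");
  const name = nameEnd === -1 ? "" : pair.slice(0, nameEnd);
  const attrs = {};
  for (const part of rest) {
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1);
  }
  return { name, attrs };
}

// Returns "session", "persistent" or "deleted" for one header, judged at `now`.
// Max-Age takes precedence over Expires when both are present.
function classifyCookie(header, now = new Date()) {
  const { attrs } = parseSetCookie(header);
  if (typeof attrs["max-age"] === "string" && /^-?\d+$/.test(attrs["max-age"])) {
    return Number(attrs["max-age"]) > 0 ? "persistent" : "deleted";
  }
  if (typeof attrs.expires === "string") {
    const when = new Date(attrs.expires);
    if (!Number.isNaN(when.getTime())) {
      return when > now ? "persistent" : "deleted";
    }
  }
  return "session"; // no valid lifetime attribute: gone when the browser session ends
}

// Names of the cookies that would outlive the browser session.
function persistentCookies(headers, now = new Date()) {
  return headers
    .filter((h) => classifyCookie(h, now) === "persistent")
    .map((h) => parseSetCookie(h).name);
}

console.log(persistentCookies(SAMPLE_HEADERS, new Date("2024-01-01T00:00:00Z")));
```

Cookies set by embedded third-party scripts arrive on responses from those third-party domains, so feed in the headers from every request the page makes, not just the first HTML response.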
Even If I Am Subject To Cookie Law, What Happens If I Just Ignore It?
Honestly, probably nothing.
Technically, you could get in trouble. However, it isn't as if the EU is out there checking out every little website or blog. Chances are, you'll never be noticed. And most end users don't really care all that much.
Unless your site is really popular, is abusing user data, or inspires somebody to complain and make a big deal out of it, there's a really good chance nothing will ever happen.
It is also pretty easy to comply, so this is one of those things where you might as well just comply and avoid the hassle.
How Do I Set Up A Cookie Notice?
Compliance is actually really easy. Especially if you are using WordPress.
The most popular seems to be the GDPR Cookie Consent plugin.
The weird thing is... a lot of the cookie notices you see out there are a bunch of BS. Some sites set cookies anyway, not waiting for consent first. Others just hammer the end user with cookie notices, leading to "consent fatigue" where people are just blindly smacking the "Accept" button without actually looking at anything.
Word is there's even a redo of the EU Cookie Law in the works because everybody knows most people don't even read those cookie notices.
But, hey, that's what happens when governments and lawyers get in on things. When's the last time you actually read the terms of service before smacking that "Agree" button? 😉
So, If I'm Not Based In The EU, I Can Forget This?
Pretty much, yes.
Now, keep in mind, there's also just the element of being upfront and, well... cool. 😉
I have seen cookie notices on sites that I'm fairly sure are under no legal requirement to do so. Now, it could be they are just following others blindly. It could be just an effort to "play it safe". But, let's not forget...
There is nothing wrong with being overtly proactive in respecting the privacy of your site visitors. In fact, that's just a good thing to do.
If you want to just be sure, but annoy as few people as possible, you could always geo-target your cookie notices by showing them only to visitors who are residing in the EU while ignoring visitors who are not in the EU.
Keep in mind, however...
GDPR and the EU Directive are likely precursors. Here in the US, elections do matter. Given the right political conditions, I wouldn't be surprised one bit to see a GDPR-style law passed here in the United States eventually.
So, once again, you could just get out ahead of it. It may very well become a legal requirement at some point anyway. You never know. California already has a law with many similarities to GDPR in the form of the California Consumer Privacy Act (CCPA). Don't be surprised if something like this becomes national law in the United States at some point.
In The End, Here's The Summary...
If you and your website are based in the EU, it's a good idea to install a free plugin for WordPress and start displaying cookie consent notices (if you're not already).
If you're not based in the EU and don't specifically go out of your way to attract EU citizens, you can skip the cookie notices and nothing will happen. It will be a good idea to keep an eye out for any legal precedent on this that would apply specifically to the US, however. Things could change.
That doesn't mean, however, that you might not choose to show cookie notices anyway just for the sake of being upfront and honest with your visitors.
In the end, there is a growing hoopla over user privacy on the Internet. And rightly so, I might add. And there's nothing wrong with respecting that even if not legally required. It goes to the values you portray as a site owner and business.
It is a fine line, though, before you make the user experience suffer. So, something to keep in mind if you're not based in the EU.