Website Cookies and Tracking: A Cautionary Tale

From junior marketers to CIOs and general counsels, anyone with even the smallest responsibility for web content is bound to be aware of the General Data Protection Regulation, or GDPR.

For some people, those four letters conjure images of arcane rules to be meticulously followed on pain of unimaginable fines. For others the regulations can seem like pointless bureaucracy; something to pay lip service to while largely ignoring. The reality, for most of the brands we work with, is somewhere in the middle. They are usually very conscious of the importance of complying with GDPR, are keen to obey the rules, and in a lot of cases honestly believe they already do comply. So they are often surprised to learn that, despite their best efforts, they are actually non-compliant in significant ways. 

The issue is that GDPR prevents you from processing any personal data without a lawful reason. That covers information contained in cookies, as well as the individually-identifying data sent to a server in response to a tracking pixel. To be blunt, if the cookies or pixel requests didn’t contain information relating to an identifiable individual, there would be little point in using them. But, because they do, they’re covered by GDPR and have to be used with care. 

The regulation provides six possible lawful reasons for processing this information, but few of these apply to private companies processing data for marketing or user-tracking purposes. Instead, the lawful reason relied on in most cases is where the subject has given their consent to data processing. This is why providing meaningful opportunities to give properly-informed consent, and acting properly when consent is withdrawn or not given, is essential if you want to be GDPR-compliant. 

It’s worth bearing in mind that businesses in the US, where specific opt-ins are generally less often mandated, are still required to comply with GDPR when supplying services to users based in the EU. That means that brands need to either apply the most stringent rules universally, to all customers, or else identify users accessing their site from the EU and present them with properly working consents. Whichever route brands choose, we can help to properly implement it, check it is working and compliant, and apply ongoing governance methods. 


GDPR Demystified

To begin with, it’s helpful to understand what GDPR really means, and what it says. It’s often confused in people’s minds with the so-called ‘cookie law’ or ‘cookie consent’ regulations that came into force in the UK in 2011. There is some overlap — GDPR definitely impacts how you use cookies — but GDPR came into force later, in 2018, and has more far-reaching provisions. 

GDPR applies to anyone who controls, collects or processes personal data – meaning ‘information that relates to an identified or identifiable individual’. This covers everything from patient data held by the NHS to a single shop with a CCTV camera recording people’s faces. However, where many brands we speak to run into trouble is with cookies, tracking pixels, web beacons and other tools that collect personal data, usually in the service of a marketing or site customisation goal.  


Compliance fundamentals

In other words, there’s more to GDPR compliance than simply having a cookie policy, privacy policy or terms and conditions on your site. And catch-all statements that, by using your service, users accept whatever data capture and processing you’re doing are rarely sufficient unless the data capture is genuinely the absolute minimum needed to deliver the service. 

Instead, brands need to give users information about all the different ways their data is being processed when they use your site and, crucially, give them the opportunity to opt out of each one individually before it is processed. In most cases, that means users must opt-in to having personal information collected, including via cookies, and can’t be blocked from using a service if they don’t opt in.

It also, to state an obvious point that nevertheless catches many brands out, means that when users choose to decline some or all cookies, that choice must be reflected in reality and no cookies placed on their device. 

Many brands have complex web real estate that includes multiple websites, microsites and applications, each populated by dozens of cookies and pixels from different advertisers, third parties, and embedded apps. That means it can be a full-time job to maintain meaningful data processing opt-ins that are properly connected to the scripts and pixels they relate to, and truly control whether they are triggered or not. 


Failing is easier than you think

GDPR is a huge topic and unfortunately there are a number of different areas where brands can fall foul of the regulations. One of the biggest reasons you could run into problems is through treating compliance as a one-off job, and not an ongoing effort. That means you may well have been compliant at the time you launched a website or rolled out a new piece of cookie-management software, but over time your website has changed, been updated and fallen out of compliance.  

A lot of organisations, for example, use tag management tools such as CookiePro to implement scripts and marketing trackers for campaigns. And large websites often have multiple teams working on them in relative isolation, each with privileged access granted through a content management system. As a result, it’s not uncommon for us to discover that a well-intentioned marketing or content team has used its CMS access to add scripts, trackers or beacons directly to the website, bypassing the tag manager altogether. 

The consequences of that seemingly innocuous action can be serious: not only are the resulting scripts not tracked and managed in the official tool, but the opt-in toggles generated by the tool are also unlikely to control scripts placed directly into the site. So users who have clearly chosen not to be tracked are in fact being tracked without their knowledge; a serious breach of their trust, and of GDPR.


Compliance. Who cares?  

It’s all fine 

Perhaps the most obvious answer is that GDPR provides states with the ability to levy very large fines on people who breach the regulations. The maximum fines are the greater of €20 million, or 4% of the company’s annual worldwide turnover from the previous year. While few offenders receive fines of that size in practice, and many are simply issued advice or warnings, some enormous fines have been dished out.

Amazon, for example, was fined €746 million in 2021. The reasons are not public, but are believed to be to do with failing to get proper cookie consent from users - precisely the kind of problem experienced by many of the brands we talk to. 

In the UK, household name brands like British Airways and Marriott Hotels have been fined by the Information Commissioner’s Office (ICO) for data breaches in circumstances where they were held to be partly at fault for failing to prevent or detect the breach.  


Your customers really care 

Fines are certainly a major incentive, but increasingly we also find that consumers are very aware of what GDPR permits and does not permit, and very quick to form judgements about brands based on how transparent and trustworthy they are. The last few years have seen high-profile campaigns and viral messaging about poorly-implemented cookie banners, so-called ‘dark patterns’ in sign-ups and check-outs, and data breaches by small and medium companies. Users may not immediately realise whether you have placed cookies on their device without permission, but they’re very sensitive to that sort of breach of trust and, if they do become aware, it can have a disastrous impact on how they perceive you. 

Above all, customers like to think that brands want to do the right thing in protecting their users’ privacy and respecting their rights. It may not always be the most convenient option, and it certainly hampers the ability of marketers and advertisers, but long-term it builds trust in your organisation and makes customers far more likely to voluntarily hand over limited amounts of their data in order to buy or receive messaging from you.  


A 3-stage process for peace of mind  

We work with brands to review websites they believe to be compliant, and help them identify and remedy these hidden issues.  

We follow a three-stage process. First, we audit the website. This is done by our in-house data scientists and analysts to make sure we have identified all the possible compliance problems, small and large. We then move to remediation, working with you to prioritise the issues and tackle them. As a full-service digital agency, we have staff on hand to deal with whatever remedial steps are needed, whether it’s web development, re-designing forms and opt-ins, or re-implementing tracking tools.  

Of course, fixing problems isn’t a one-off, so our final step is governance, where we ensure we’ve left you with the tools you need to maintain compliance long-term. We’ve developed continuous controls monitoring (CCM) tools and processes to help ensure that issues don’t creep back in over time.  
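The failure mode described above (scripts added directly through the CMS that the tag manager’s opt-in toggles never control, so cookies still land after a user rejects tracking) is exactly what a continuous control should catch. The following is an added illustration, not code from the article or from any tag-management product. It assumes a convention, chosen here for the example, in which the consent manager defers a script by giving it type="text/plain" plus a data-consent-category attribute and only activates it after opt-in; any third-party script without that gating is reported. The HTML, host names and cookie names are constructed sample data.

```python
"""Two consent-control checks: ungated third-party scripts in page HTML,
and cookies still present after the user has rejected tracking.

Assumptions (not from the article): gated scripts carry type="text/plain"
and a data-consent-category attribute; the lists below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Cookies the site's own policy treats as strictly necessary (assumed names).
STRICTLY_NECESSARY = {"session_id", "csrf_token", "consent_prefs"}

# Hosts the brand serves its own assets from (constructed).
FIRST_PARTY_HOSTS = {"www.example-brand.test"}


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def find_ungated_third_party_scripts(html):
    """Return the src of each third-party script that executes unconditionally.

    A script is considered consent-gated only if the consent manager has
    neutralised it (type="text/plain") and tagged it with a category.
    """
    parser = ScriptCollector()
    parser.feed(html)
    ungated = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline scripts need a separate content review
        host = urlparse(src).hostname or ""  # handles https:// and // forms
        if host in FIRST_PARTY_HOSTS:
            continue
        gated = (attrs.get("type", "").lower() == "text/plain"
                 and "data-consent-category" in attrs)
        if not gated:
            ungated.append(src)
    return ungated


def cookies_set_despite_rejection(observed_cookie_names):
    """Given cookie names observed after 'reject all' was clicked, return
    those that are not strictly necessary, i.e. consent violations."""
    return sorted(c for c in observed_cookie_names if c not in STRICTLY_NECESSARY)


# Constructed page: one first-party script, one properly gated analytics
# script, and one tracker pasted in through the CMS with no gating at all.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-brand.test/static/app.js"></script>
<script type="text/plain" data-consent-category="analytics"
        src="https://analytics.vendor.test/collect.js"></script>
<!-- added directly via the CMS, never registered in the tag manager -->
<script src="//cdn.adtracker.test/pixel.js"></script>
</head><body></body></html>
"""

# Constructed cookie jar captured after clicking 'reject all' in a browser.
SAMPLE_COOKIES_AFTER_REJECT = ["session_id", "_adtrk_uid", "consent_prefs"]


def run_audit(html=SAMPLE_HTML, cookies=SAMPLE_COOKIES_AFTER_REJECT):
    """Run both checks and return a small findings report."""
    return {
        "ungated_scripts": find_ungated_third_party_scripts(html),
        "cookies_after_reject": cookies_set_despite_rejection(cookies),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        status = "FAIL" if findings else "ok"
        print(f"{check}: {status} {findings}")
```

Run on a schedule against each production page, with the cookie list taken from a headless browser session that has clicked "reject all", this gives an early warning when a script or cookie appears that the consent tool does not govern. The static scan catches the CMS-pasted tracker before it sets anything; the cookie check catches the cases the static scan cannot see, such as trackers loaded by other trackers.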

Nick Williams

Demand Generation Director

Nick heads up the award winning demand division of 7DOTS, which offers a full range of SEO and demand marketing services.