Solved

Cookies banner - not compliant with ePrivacy and GDPR?


Hi,

When I compare our current cookie banner which holds the options “Accept” and “Cookie Settings”, it looks like we are missing the “easy way for your user to decline cookies” option that is required. I’ve read through the “Custom Cookie” article by @Julian but I am not able to find a solution that can put our current community website in compliance with ePrivacy and GDPR. What are other customers doing, and can anyone help? Much appreciated, thanks in advance

Best answer by Blastoise186 15 July 2021, 20:30


10 replies


Howdy!

As far as I’m aware, the default one that inSided offers should be pretty compliant right out of the box, without needing custom third-party tools. While it might not be totally one-click per se, it’s more or less in line with what 95% of the internet does in that it’s fairly easy to decline. Admittedly, with inSided it’s three clicks rather than one click, but at least it’s extremely clear and doesn’t try to be sneaky.

In my personal view, as long as you don’t make the user go to excessive lengths to accept or decline, it should be good enough. :)

Don’t forget you can always customise the text on the default one too, if you feel that might help with compliance.

Hi @Blastoise186 

I’m told by our legal team that it is not compliant. Here is an example of a compliant cookie option:

As is seen, it is completely clear and easy for visitors to select the lowest cookie level required. With Insided, as you also state, they must go through several clicks to even find the option.

Hmm… Tricky one…

If your legal team is correct, then that would effectively interpret that tons of major websites are non-compliant including ones as big as the BBC, Microsoft and even Google! I’m fairly confident that websites belonging to such huge organisations would have (hopefully!!!) read the rules and implemented compliant solutions… Right?

I forgot to clarify that with inSided, it’s three clicks in total to disable all non-critical cookies. First click is to bring up the options, second click is to choose a level and third click is to save. Apologies if there’s any confusion.

Let me see if I can ask @daniel.boon and @Julian for some help on this one. It’s definitely in-scope for an Idea post as it is possible for the default consent tool to be tweaked if needed. Feel free to suggest this as an idea for enhancement if you’d like to.

Thanks @Blastoise186 

It would be great to hear from Insided about this topic.

Hi @perinbox

I’m bringing this up internally and will be in touch soon. 

I’ve discussed the concerns with our security team, and we reviewed the following considerations:

The cookie banner is compliant because it has direct navigation available to disable the cookies when they are not desired. For convenience, it would be great to have the cookie settings all in the same screen, but that will also affect the complexity of our cookie banner. Though the users are linked to another popup, one option is not more compliant than the other.

Non-compliant to InSided would mean anything not guided by the UI. For example: 

- Not having a link available to disable cookies
- Suggesting that the user manually manage their cookies
- Etc

We understand that customers may want to use a different cookie banner than what inSided offers as the default. Our platform does have the capability for customers to create their own custom cookie banner. For more information about custom cookie banners, please review this inSpired article.

Hi Jeanie,

According to a 2019 verdict by the EJC, “consent obtained through pre-ticked cookie checkboxes is invalid”: https://www.technologylawdispatch.com/2019/10/cookies-tracking-online-behavioral-advertising/compliant-use-of-cookies-in-the-eu-is-still-a-secret-recipe-ecj-decides-on-planet49-but-does-not-provide-clarity/

I don’t see how I can fix this through the article linked in your post above?


There might actually be a slightly less complicated solution than you think. I don’t know much about the really deep legal side of things, but I can always ask @Jeanie Lee to ping the legal team again for more help there if needed.

To me, the most viable solution I can think of would be to change the default option when you select Cookie Settings from Level 3 to Level 1 - which seems to have become the most recent trend in several places to help with compliance. Alternatively, you could have it so the radio buttons are initially cleared until the user picks one of the options, but that kinda breaks the concept of minimising clicks a bit.

That’s the best I can think of to try and develop a best of both worlds approach which hopefully makes everyone happy.

In theory, a custom Cookie Banner might help, but I prefer to find a solution that fixes the default tools rather than simply ignoring them and using something else, since that wouldn’t fix the real problem that may or may not exist in the built-in tools.

Following that ruling to the letter is technically close to impossible to be honest. That would technically mean me asking my visitors to give consent to set temporary session cookies that get destroyed when you quit the browser, because I use LiteSpeed Web Server on my web server and the cookies are required for basic functionality like caching to work as intended but do not track you at all. If you were to block them, my sites will still work, but your experience would genuinely degrade because the server would be unable to use the server-side caching properly.

Again, here is the example of a compliant cookie banner also mentioned earlier (from this website https://kromannreumert.com/en):

The options are clearly visible without further interaction needed, browsing without consent is possible, and it only requires one click to opt-in on the minimum requirement.

Seeing that other webpages/CMS can provide this option, I don’t see why Insided’s community solution shouldn’t be able to? Either way, our legal team is very clear the current setup is not compliant, and something must be done.


I have seen quite a few other cookie banner options out there. I personally prefer the default inSided one over all of the others, because I find it less intrusive to the UI/UX, it feels more integrated as if it's meant to be there and it’s extremely easy to understand. inSided have made it possible to use a 3rd-party tool though if you wish - but you ultimately need to consider which option is the lesser of two evils.

To give you some more context, here’s a great video from Tom Scott where he talked about this subject for his series The Basics. https://www.youtube.com/watch?v=OFRjZtYs3wY It was published in 2020, so it would have been after all the rulings were made. It’s also worth noting that tons of websites don’t use that exact one-click style in your screenshot - in fact even some of the cookie banner vendors would appear to be non-compliant based on that metric. But I could also argue that by clicking Customise Settings on inSided, you are technically declining consent and therefore inSided is asking you for your consent to set an alternative level that you would be more comfortable with.

And in actual fact, most of the regular Website CMS options such as WordPress (the wordpress.org one), Joomla! and Drupal do NOT have built-in cookie banners out of the box, mainly because they don’t really set any cookies by default for anonymous users unless you install additional plugins, extensions or modules. Between those three combined, you’re looking at roughly half the internet.

The main points to consider here are between the options available. I’m only a volunteer, but I will try to make this comparison as fair, unbiased and reasonable as I can.

Default inSided Cookie Banner

Pros

  • Built-in - so absolutely zero-maintenance on your part and you never have to touch it to get it working. It’s right there from the very first day your instance is provisioned and pretty much guaranteed to be configured correctly
  • Price - inSided provide this banner completely free of charge on a complimentary basis as part of the package on all plans. You don’t have to pay specifically for the banner
  • Hands-off - inSided will take responsibility for development, maintenance and general upkeep as needed. So if web standards or regulations changed, inSided would make sure the default cookie banner keeps up with the pace
  • User Experience - as a built-in feature, the default cookie banner is designed to fit in with everything else
  • Expandable - inSided will also happily accept Ideas to help improve the Cookie Banner right here on inSpired.

Cons

  • No further control - you cannot control the behaviour of the default banner, other than changing the text and also tweaking the colour scheme
  • Policy - use of the default banner requires acceptance of the methods inSided chooses to go with
  • Requires three clicks to fully opt-out - some people may not like this
  • Limited customisation - the design is fixed for the most part
  • Exclusive to inSided - you cannot use the default inSided banner elsewhere

3rd-party cookie banners

Pros

  • Flexible - you can choose one of multiple options that exist to suit your wishes
  • Compatibility - inSided has made commitments to try and make the platform as compatible as possible with as many 3rd-party cookie banners as possible within reason
  • Control - you have more power over how your selected tool behaves
  • User Experience - you can force the user to make a choice before continuing at all if you wish (albeit at the expense of a degraded User Experience)
  • Choice - you can choose the features you want for your own cookie banner

Cons

  • Cost - most of these tools are not free and they’re not exactly cheap either…
  • Implementation - you’ll have to work with inSided Support to get the backend mappings configured, but you will also have to do most of the heavy lifting yourself
  • Responsibility - as a 3rd-party tool, you will not be able to get help from inSided if the 3rd-party tool breaks, unless the issue is something that only inSided can fix for you. If it breaks, you’ll have to fix it yourself
  • User Experience - some 3rd-party tools are really annoying and disruptive to the user, which makes for a poor UI/UX, especially when compared to the inSided platform in general
  • Reliability - inSided cannot guarantee that 3rd-party tools will work properly and there’s nothing inSided can do to fix bugs if they break or fail to manage cookies properly.

The best I can do is offer tips and advice that can help, and I’m more than happy to submit Ideas that might help if you’d prefer not to submit them yourself. But it is ideal if you do, because you can then be credited for them. I have asked Jeanie to see if she can help any further, but I’m not sure there’s much else that can be said beyond what’s already here.
