You may have noticed a new addition to some of your favorite sites: the little box at the bottom stating “this site uses cookies” and prompting you to accept or decline. 

What are cookies? Exploring Website Cookies, Cookie Privacy and Cookie Consent - Google's Cookies Message: "Google uses cookies to deliver its services, to personalize ads, and to analyze traffic. You can adjust your privacy controls anytime in your Google settings."

If you don’t know about cookies, this box can feel a little scary. You might feel that by accepting cookies, you’re putting yourself at risk. Most modern websites use cookies, they’re just not telling you. If a site uses cookies, they are viewable through your browser at any time — so they’re not really a secret, just not obvious.  When you see a cookie notification, you’re probably on a responsible site, because clearly that site feels obligated to let you know. 

Let’s snack on some cookie info and clear up some of the stigma associated with them by explaining what they are and how they’re used. Then you can make more of an educated decision about whether to accept or decline the cookie and choose how to handle them on your own website.

So, what are cookies?

No, unfortunately I’m not talking about little sugary nuggets of baked goodness. The cookies in question are internet or web cookies. They are a type of message that’s given to a web browser by a web server allowing websites to store information on your machine.  They were developed in 1994 by Netscape to make shopping carts for e-commerce stores possible.

Persistent vs. Session Cookies

There are different types of cookies.  You could have a bottomless basket of cookies for example, those would be persistent cookies.  These types stay valid until they reach an expiration date, like asking a site to remember your login information.  There are also session cookies, these go away at the end of your session, or visit, on a website.

First and Third Party Cookies

There are first party cookies and third party cookies.  First party is for things like ecommerce allowing people do to things like buy multiple items at once (without cookies you’d be forced to buy each item separately)…Third party cookies are mainly used by advertisers to target advertising, like when you shop for rainboots on a website and then suddenly you see those boots on every site you visit, those are cookies in action.

Why do they even exist?

Cookies are used for three main reasons — to: 

1. Create a more convenient user experience.

Some cookies bring joy. In this way web cookies are a kin to their baked namesakes. They make websites better for users.  They can customize a web page to your preferences by adjusting layouts, regional information and more. Cookies enable ecommerce, allowing you to add and keep items in your shopping cart even if you leave a site.  Using cookies, you can save your login information on a specific computer so you don’t have to re-enter it every time you go to login to a frequently-visited site.

2. Track user behavior.

A website doesn’t necessarily need cookies to track what you’re doing on the site, but cookies make tracking easier and more accurate for sites that use them. Tracking user behavior through platforms like Google Analytics allows the website owner to better understand how people use their website.  Using this information, they learn how to improve the website for users and gauge the success of their marketing endeavors. These are usually session cookies, meaning they’re only active while you’re on the site.

3. Target marketing audiences.

Those third party cookies, generally also persistent, stick around for a while and allow marketers to serve ads on other websites based on your interests.  For example, you could show an ad to people on Facebook because they visited your website. This style of targeting varies based on the ad platform you use, it’s usually called remarketing or retargeting.  It can be a pretty effective way to drive traffic back to your site because you’re talking to people who already found you on their own. It can be annoying, though, if the advertiser has their campaign set up aggressively. Some people object to the way ad platforms are utilizing the information gathered by this type of cookie, which I’ll discuss in just a bit.

Are they safe?

Cookies are pretty safe. They don’t run code or deliver a virus.  The nature of a cookie isn’t to access your personal information. They are limited to one website and one machine so they’re not available for consumption by others.  For example, if you add things to your shopping cart on Old Navy, those items don’t show up in your Amazon cart. And if you save your login on Facebook on your laptop, you’re not automatically logged in on your desktop computer or mobile device.  

Again, cookies don’t share your personal information with a website, you make that decision.  Facebook knows who you are because you gave that information when you signed up. The same goes for other sites you frequent.  That information isn’t stored in a cookie. It’s stored in a database attached to the website.  

So what’s the big deal?

This is not the first time cookies have been under scrutiny.  When they first came about, all browsers used them, without the ability to disable them.  A debate sprung in 1996 that resulted in the Internet Engineering Task Force (IETF) creating requirements for users to opt-in to cookies.  Unfortunately, not everyone followed those specifications, which is likely why it’s still being sorted through today.

As I’m writing this in January 2020, there are three initiatives pushing for opt-in cookie compliance (among other things). The EU, General Data Protection Regulation (GDPR), and E Privacy Regulation, as well as the California Consumer Privacy Act (CCPA) based in the state of California. All three classify web cookies as unique identifiers considered to be personal information. While a cookie doesn’t share your actual personal information, it does track how you use a website, which helps marketers and business owners place users into groups and identify common behavior patterns.

What are cookies? Exploring Website Cookies, Cookie Privacy and Cookie Consent - HTTP cookies

While most cookies are only site-specific, major ad platforms like DoubleClick, Google Search Network, and Facebook Audience Network have cookies on lots of websites.  And because they serve ads all over the web they can track users behaviors across many sites. As they combine those user patterns they can develop very rich user profiles about visitors. Some folks are creeped out about this. I believe this could be a big push behind the recent privacy initiatives.

While these companies may be asking or even requiring websites using their services to disclose cookie use, they are not holding people accountable.  According to CNBC, Google is planning an update in February that will require websites to label use of third-party cookies (ones that can be used on other sites).  How they’ll track that, I’m not altogether sure. Heck, I run retargeting ads for my clients, and every website we build uses Google Analytics. I knew the systems used cookies and felt I needed to start talking with my clients about how to keep their sites compliant, but I didn’t know disclosing the use of cookies is also REQUIRED based on the Analytics Terms of Service until I started researching how we should start implementing notifications. I guess what I’m trying to point out is, if someone like me who sleeps and breathes websites doesn’t know, how will the business owner who just has ONE website be informed and held accountable?

Before we completely freak out about the injustice of all this, I think we need to take a moment to put it in perspective. Advertisers have been doing this in one form or another for pretty much forever. When you place an ad in a magazine or newspaper they’re giving you access to their users. When you buy a mailing list, where do you think that information comes from?  You guessed it, other businesses who are willing to sell the information. And let me tell you, if you donate to a non-profit who uses a telemarketing service, you will never shake those folks. Those telemarketers will relentlessly call you on behalf of other non-profits who subscribe to the same service. They call me like 4 times a day because I donated $20 over a year ago.  (OMG, is this a scam? Someone tell me how to make it stop!!!)

Some of these traditional examples feel OK, just like some cookies feel OK, others are disruptive and downright stalkerish.  And that’s the gray area we’re working with here. Do we know the terms of service for all those directory websites our businesses are listed in?  What are they doing with the information they collect?  

How do you manage your cookies?

Cookie consent — some websites allow you to choose to opt-out of cookies — that’s one obvious way to manage it.  But that doesn’t really solve the whole problem, because not everyone has adopted this technology on their own sites. And to be clear, many people are just telling you, “This site uses cookies.” They’re not really giving you an option to opt-out; it’s just a mandate, not a choice.  Well, I guess you do have a choice… After all, you can just leave the site. 

Good thing you have a second option — your choice of browser. 

A cookie is a conversation between your browser and a server, right?  Unfortunately, you don’t have any control over where the websites you visit are hosted (the server), but you can choose your own browser.  Whichever you choose, make sure it’s up to date; older versions don’t offer the same cookie control!

  • Apple Safari includes a tool called Intelligent Tracking Prevention (ITP) to reduce cross-site tracking and narrows the tracking window for first party cookies to 24 hours.   
  • Mozilla Firefox is feeling pretty serious about privacy these days.  It blocks third party cookies by default as of September 2019. It claims to even block Facebook trackers.
  • Microsoft Edge (Gag me with a spoon… This would actually sound awesome if I wasn’t so scarred from developing sites through the 90s for Internet Explorer, may it rest in peace.) boasts more privacy starting with its January 2020 release.  You can adjust your settings to control how you’re tracked on the web.  
  • Chrome, to my eternal dismay (but not surprise), is really the least progressive. It enables users to clear all cookies, while not affecting single domain cookies, which preserve things like logins and settings. But the browser announced in January 2020 they don’t plan to block third party cookies by default, and they’re waiting on other major advertisers in the industry to come to an agreement on how things should change before making any major changes. You can block them in the browser settings, or you may just have to make peace with the spammy ads to keep your beloved Chrome.

What happens when you block cookies?

  • You lose some of the goodness, personalization and convenience we talked about earlier.  
  • On some websites, stuff just won’t work right.
  • You stop some of the spammy-feeling ads.
  • You do not allow website owners to track your browsing data on their sites.
  • You limit ad revenue and opportunity for businesses advertising through third party cookies.

Do you need a cookie notification on your site?

How do you know if your site uses cookies?

Here are some tell-tale signs your site uses cookies. 

If…

  • You have a WordPress site, which is like 35% of the web if your website was professionally built in the last 10 years, it’s likely on WordPress.  Not sure? Go to BuiltWith.com — it’ll tell you.  
  • You use Google Analytics to track visitor behavior. 
  • You do remarketing and have a Google Ads or Facebook racking pixel installed.
  • You display ads on your website from Google Ads, Facebook Audience Network, or another display advertiser.
  • You allow users to save their login information.
  • You have a shopping cart on your website.
  • You allow people to adjust the layout of your pages, for example, from a grid to a list-style layout.

Still not sure how if your site uses cookies?  Run a test.

Do a manual check using your browser.  

It’s way easier than I thought it would be. Open an incognito window in Chrome (Ctrl + Shift + N for your shortcut lovers out there) and go to your website.

You’ll need to open up the developer tools (DevTools).  Just hit Ctrl + Shift + I, press your F12 key, or navigate to the right and locate “More Tools” and then “Developer tools” in your browser menu. 

Once developer tools are open, click on the Applications tab.  Then, click the cookies link on the left — it will list the cookies used on your website. 

What are cookies? Exploring Website Cookies, Cookie Privacy and Cookie Consent - Access Developer Tools by going to your browser menu in Chrome, hovering over "More tools" and selecting "Developer tools". You can also press Control + Shift + I.
What are cookies? Exploring Website Cookies, Cookie Privacy and Cookie Consent - List of cookies used on our website

The cookies with the domain listed as your own, in my example “.mayecreate.com”, are first party cookies.  Those listed with other domains, such as “.doubleclick.net”, are third party cookies.

Use and online test like CookieMetrix.com.

This is the one I found that didn’t require me to sign up for a free trial or give my email to get the results.  It confirms the same cookies displayed on my browser developers tab but has a less techy and more user-friendly interface.

Okay.  So your site uses cookies.  Now what?

Do you need to comply?

Any site receiving traffic from Europe or California is supposed to follow their rules. Which believe it or not, even though I’m nestled in the good ol’ Midwest US of A, every website I monitor has traffic from those locations.  EVERY SITE. Don’t kid yourself by thinking because you’re located in Iowa, you’re all good. The World Wide Web really is world-wide, and people from all over find websites for the darndest reasons.

Currently, you still have options.  

You could do nothing.  Not sure how long that would fly, but for now, you can do nothing.  It’s not going to comply with the GDPR, E privacy regulation, or CCPA, or Google.  But maybe you just don’t care. Also, who knows how long it will be before search engines start penalizing people for not doing so? They could be doing it right now, and we just don’t know it… or it could be years.

You could disregard cookie notifications and just block traffic from Europe and California, ‘cause you don’t care about those folks anyway.

Or, just an idea, maybe a good place to start is by telling people.  And when you’re explaining the cookies, do it in a way that anyone can understand, techno-babble is scary. Not the musical kind of techno. Not sure if that kind of techno-babble is scary…

You can tell people about your cookie usage and post your privacy policy.  While it feels like this would cover all your bases, just telling people doesn’t make you 100% compliant.  The key is people get to CHOOSE if you track their information. So just telling people, “Hey, we’re tracking you, and if you’re on our site, you agree to let us do it,” doesn’t feel like much of a choice.  It’s not like, “Eat your veggies and you’ll get ice cream.” It’s like, “Eat your veggies or don’t eat.”

What are cookies - Exploring Website Cookies, Cookie Privacy and Cookie Consent - Cookie Notification Example: Title: "Update to privacy poly and how we use cookies" Text: "Per our updated privacy policy, we use cookies to track your browsing behavior on our site and provide you with ads or other offers that may be relevant to you. To view our privacy policy in full, click here. By using our site, you agree to these terms." Button: "Accept"
What are cookies - Exploring Website Cookies, Cookie Privacy and Cookie Consent - Cookie Notification Example: "This website uses 'cookies' to give you the best, most relevant experience. Using this website means you're agree with us. Find out more about 'cookies' in our Privacy Policy.

Maybe use correct grammar on your notification, though… 😏

To truly comply, you have to give people a choice.

That’s why it’s described as “OPT-IN”, because people have an OPTION.  You notify visitors of cookie usage, post your privacy policy, and delay cookie implementation until visitors opt-in.  And if they choose to use your site after opting out, they use your site without cookies, flaws and all.

Gaining visitor agreement is all in the formatting.  And there are sooo many ways to format. Here’s one way I think would result in less opt outs, because visitors have to click and go to another page to control their settings:

What are cookies - Exploring Website Cookies, Cookie Privacy and Cookie Consent - Cookie Notification Example: "We use cookies on our website to give you the best possible experience. By continuing to browse this site, you agree to accept them. Learn more or opt out here."

Here’s a robust example giving people an option right away:

What are cookies - Exploring Website Cookies, Cookie Privacy and Cookie Consent - Cookie Notification Example: Title: "This website uses cookies" Text: "We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you've provided to them or that they've collected from your use of their services." Button Options: 1. "Allow selection" 2. "Allow all cookies" Checkbox Options: 1. "Necessary" 2. "Preferences" 3. "Statistics" 4. "Marketing" Dropdown Menu: "Show details"

This is a prime example of great user experience, but what about self preservation?  I’m very torn on what’s ethical as far as how these notifications should be formatted.  Fortunately, the decision isn’t up to me! It’s up to you. I’m just here to give you ideas with which you can make an educated decision that’s right for you.

There are businesses you can pay who’ll take care of this stuff for you.

Even if you choose an all-in-one solution service, you’ll still need to implement it.  You don’t just sign up and have it magically appear on your site. Your site and the service have to talk to one another, and someone has to make that happen.  The services are billed monthly or annually. I haven’t used any — I am a total DIY lady unless I can’t find a way to handle it myself, but I did come across these quite a few times in my searches:

You can do it yourself.

DIY is always tricky at first, and you’ll need to make sure to set up and test each of these options diligently to make sure you meet compliance (EZIGDPR and CookieMetrix offer free scans).  We use WordPress to power all of our websites, so we’ll handle the functionality through a plugin.  The plugins we’re in the process of testing in particular order are:

So there you have it.

Cookies are secure ways for browsers and servers to talk back and forth. They are used to adjust your user experience, track user behaviors, and target ads. Like any other baked treat, a little bit of cookie is super tasty, but too many cookies can make your tummy hurt. 

You don’t have to be scared of the cookie pop-up anymore. The choice is in your hand, quite literally, with the click of a mouse.  You can choose to accept cookies and go about business as you always have, or you can choose to decline them and use sites anonymously without the benefits (or shortcomings) cookies can offer. So grab a plate of chocolate chippers and enjoy. 

Other great resources to research the topic yourself:

More about the Author

Alternative Text

Monica Pitts

Monica is the creative force and founder of MayeCreate. She has a Bachelor of Science in Agriculture with an emphasis in Economics, Education and Plant Science from the University of Missouri. Monica possesses a rare combination of design savvy and technological know-how. Her clients know this quite well. Her passion for making friends and helping businesses grow gives her the skills she needs to make sure that each client, or friend, gets the attention and service he or she deserves.

© MayeCreate Design 2020 | 573-447-1836 | [email protected] | 700 Cherry St. Suite C, Columbia, MO 65201