Does your website cookie consent deliver what it promises?

July 2022

#cookies

#privacy

There are few additions to a website so begrudgingly added as a cookie consent popup. Given the impact they have on experience, aesthetic and conversions this is hardly surprising, but they are a necessity for any publisher monetizing traffic from regions such as Europe. Considering how unloved these nagging notices are, it is perhaps surprising how many publishers add them to their websites in ways that bring all the drawbacks but don’t actually do what they promise.

How consent pop-ups are supposed to work

Many international laws, such as GDPR in Europe, set down the requirement that private information cannot be stored without consent from the user. This includes setting cookies for any purpose that isn’t strictly “necessary”. 

A simplified version of the logic for this would be something like this:

  1. Check whether user preference is already saved
  2. If not, ask for consent 
  3. If no consent, save no cookies
  4. Set cookies that we have consent for

Simple, right? Apparently not: many websites have implemented methods that break this logic.

How many websites go wrong

We see two common bad implementations where publishers get this wrong. The first we’ll call the “Premature action”. It looks like this:

  1. Set cookies
  2. Check whether user preference is already saved
  3. If not, ask for consent

With this set-up the website has already saved the cookie before consent is even checked for. Whatever answer the end-user provides for the consent request has no impact, as the action has already been taken.

The other common bad implementation we see is what we’ll call the “Do it anyway approach”:

  1. Check whether user preference is already saved
  2. If not, ask for consent
  3. Set cookies

With this set-up the website is running the steps in the right order, but the outcome of the consent request has no impact on the action the website then takes.

Why these mistakes happen

Modern websites will have numerous different scripts that have the potential to set and update cookies on the end-user’s system. For any consent flow to work properly, every one of those scripts (outside of what is defined as “necessary”) needs to run based on whether or not consent has been provided for the relevant use. 

Even when a website has been set up correctly at launch, new scripts are often added later. If multiple people have access to either the CMS or tag management system, it can be difficult to keep track of what scripts are running and what cookies are being used. This can lead to website owners unwittingly breaking serious privacy laws in many territories.

How can I check my cookie flow?

Chrome users can install an extension such as Check My Cookies to see what cookies are being set when any website loads. The best way to use this is to change the extension settings to allow it to run when Chrome is in incognito mode. Using incognito mode allows you to view what cookies are being set for a first-time visitor. 

With the extension installed, open a new incognito tab and open your website. When the cookie consent pops up, don’t click it. Instead, click the icon to run the Check My Cookies extension. What you will see is a list of cookies that have been set already. If all is well, these should only be strictly functional cookies, not anything to do with marketing, personal information, advertising or similar.

You can also repeat the test by declining non-essential cookies and see which are fired in that situation. 

Non-Chrome users needn’t feel left out either. Similar extensions are available for most browsers, although the names may differ. More technical readers can also achieve the same in the browser console.
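
For the browser-console route, the snippet below is an added example (not from the original article) that lists every cookie visible to the page that is not on an allowlist of necessary cookies. The allowlist names and the sample cookie string are constructed for illustration; replace the allowlist with your own site's strictly necessary cookies.

```javascript
// Constructed allowlist of strictly necessary cookie names (assumption).
const NECESSARY = new Set(["session_id", "csrf_token", "consent_pref"]);

// Parse a document.cookie-style string ("a=1; b=2") into a list of names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      // A pair without "=" is treated as a bare name.
      return eq === -1 ? pair : pair.slice(0, eq);
    });
}

// Return the cookies that are present but not on the allowlist.
function unexpectedCookies(cookieString, allowlist = NECESSARY) {
  return cookieNames(cookieString).filter((name) => !allowlist.has(name));
}

// Constructed sample of what a first visit might show before any click.
const SAMPLE =
  "session_id=abc123; _ga=GA1.2.111.222; consent_pref=; _fbp=fb.1.1.1";

if (typeof document !== "undefined") {
  // In the browser console: audit the live page.
  console.table(unexpectedCookies(document.cookie));
} else {
  // Outside a browser: run against the constructed sample.
  console.log(unexpectedCookies(SAMPLE));
}
```

Run it in an incognito window before touching the consent popup, then again after declining. `document.cookie` does not include cookies marked HttpOnly, so cross-check against the cookie list in the browser's developer tools.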

How to fix the problem

These problems aren’t usually too difficult to fix, but do almost always require developer involvement. 

Identify the purpose of each cookie

The first step to resolving any issues is to identify what cookies are being used and what each one does. The test above is good for testing a particular page, but it can be worth using a service that crawls the website looking for cookie use if the site is complex. Services like Cookiebot.com and Cookieyes.com can help both with crawling the site and identifying the purpose of common cookies. 

Map each cookie to the consent choices you offer

The choices of consent options offered vary between consent solutions. The simplest offer just a choice of “Essential” and “Optional” whereas others go to more granular details (advertising, analytics, personalization etc). List each cookie used and which category it belongs to.

Have your developer tie the cookie to the consent option

Armed with an understanding of what each cookie does, and how the solutions should work (you can share this article with them for that), your website developers should be able to delay non-essential cookies from being set until appropriate consent has been obtained.
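
A minimal sketch of the correct four-step flow from the start of this article, combined with the cookie-to-category mapping described in the steps above. It is an added example, not code from any consent product; the cookie inventory, the category names and the `jar` object standing in for the browser's cookie store are assumptions.

```javascript
// Hypothetical inventory (constructed): cookie name -> consent category.
const COOKIE_CATEGORY = {
  session_id: "necessary",
  _ga: "analytics",
  _fbp: "advertising",
};

// Each setter stands in for a script that would write one cookie.
// `jar` is a plain object used here in place of the browser cookie store.
const SETTERS = {
  session_id: (jar) => { jar.session_id = "abc123"; },
  _ga: (jar) => { jar._ga = "GA1.2.111.222"; },
  _fbp: (jar) => { jar._fbp = "fb.1.1.1"; },
  // A script added later that nobody mapped to a category.
  new_widget: (jar) => { jar.new_widget = "1"; },
};

// Steps 1-2: reuse a saved preference, otherwise ask the visitor.
// `ask` returns the accepted categories, or [] on decline or dismiss.
function resolveConsent(savedPreference, ask) {
  const accepted = savedPreference !== null ? savedPreference : ask();
  return new Set(["necessary", ...accepted]);
}

// Steps 3-4: run only the setters whose category has consent.
function applyConsent(granted, setters = SETTERS) {
  const jar = {};
  for (const [name, setCookie] of Object.entries(setters)) {
    const category = COOKIE_CATEGORY[name];
    // Unmapped cookies have no category, so they are blocked by default.
    if (category !== undefined && granted.has(category)) setCookie(jar);
  }
  return Object.keys(jar).sort();
}

function runFlow(savedPreference, ask) {
  return applyConsent(resolveConsent(savedPreference, ask));
}

console.log(runFlow(null, () => []));            // visitor declines
console.log(runFlow(null, () => ["analytics"])); // visitor accepts analytics only
```

Because the setters only run inside `applyConsent`, neither the “Premature action” nor the “Do it anyway” ordering can occur, and a script added later without a category mapping sets nothing until someone classifies it.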

Isn’t there just a plugin for this?

Site owners often expect to be able to resolve issues like this with a CMS plugin, but that is unlikely for modern, extendible CMSs. Take WordPress for example: most WordPress sites have been extended with their own unique mix of themes, plugins and customizations. There is no common set of cookies in use, and they can differ significantly from site to site. This makes it impossible for a plugin to automatically map functionality to consent purpose and delay cookie setting accordingly.

Unfortunately, this does mean that on most websites it will usually take a developer to resolve the problem.
