What to consider when implementing a consent banner

  • Daniel Bensason

Consent banners are everywhere nowadays and I am here to highlight what is important to consider when implementing yours.


You might implement a consent banner on your website for a variety of reasons: perhaps you need to adhere to legal restrictions, or you are collecting sensitive data, or both! No matter the reason, here are a couple of important things to keep in mind when implementing such a banner.

Opt-out or Opt-in

There are two basic principles when it comes to acquiring consent from users on your website.

Opt-out means that when a user comes to your website, data is collected by default, and the collection stops only if the user actively denies the collection of cookies. This method of acquiring consent is a good way of collecting as much user data as possible while still giving the user the opportunity to deny the collection of cookies. You could argue that the user is informed - and as many of these banners will state: “by continuing to browse the website - you agree to the collection of cookies”.

Opt-out consent banners are not compliant with GDPR privacy law and that is why many organizations will use an Opt-in mechanism. Opt-in means that the user needs to actively accept the collection of cookies. Banners following an opt-in strategy will offer the user the opportunity to deny or accept the cookies and even if designers make it trivial to deny, these banners are legal under GDPR law. Although you will suffer from less cookie acceptance, our recommendation is to make it easy to decline all tracking - users will appreciate this and it makes the user experience more enjoyable.

A true Opt-in strategy will definitely not collect data when the user has denied the cookies but, most importantly, will also not collect it if the user ignores or closes the banner. It is important to stay true to your strategy and be honest with your users - I see banners all the time that request consent for collecting cookies but if you take a closer look, they are already collecting them anyway.

GDPR law states: "Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place" and many websites miss this detail entirely. My suggestion is to add a button in your privacy policy to re-open the consent banner.

Third-party consent management platforms (CMPs) or built-in consent

There are many CMPs on the market that promise easy-to-implement and configure banners for your website. Some benefits of using a CMP for your website can include:

  • Allow users to deny certain types of cookies - and inform them what those cookies are
  • Be able to remove data collected easily if they request the deletion of their data
  • Share consent decision across domains - meaning if a user accepts the consent banner on one of your domains, this can be carried over to other domains and allows for a more streamlined user journey

CMPs however can be expensive and are not always easy to integrate with your analytics tracking. Although CMPs might nudge you to be compliant with local data privacy regulations, it is still up to you how it is implemented and your method might very well be illegal.

Another option when it comes to producing banners is to use an analytics tool with a built-in consent banner. A good example of one is offered by Piwik PRO. The banner can be easily designed and controlled from within the tool and you can configure analytics tags to only fire when a specific type of consent is given.

It is also worth mentioning that Google Analytics 4 and Google Tag Manager do have a consent mechanism, although as of writing this, it is still in the beta version and we have not been able to test and use it extensively.

Banner design

Unfortunately, even if your consent banner looks really good, I am afraid it will not get more users to accept the collection of cookies. But when I talk about design I am referring to two different placements of the consent banner. One is the classic banner at the bottom or top of your window and this is unobtrusive in design allowing users to ignore the banner entirely and get on with visiting your website uninterrupted. The downside of this design is that many users might never respond to the request and in an opt-in strategy, much of the user data will not be collected. The amount of traffic data you can expect to lose as a result of an opt-in banner can vary between 50 and 70%. This can be quite devastating to your data collection.

Another design used by some websites goes in a more obtrusive direction. These banners will not allow you to surf the website without making a decision on the cookies collected and honestly, I do not have a strong opinion against these designs. Yes, it kind of taints the user journey from the start but it does inform the user about cookies very clearly and makes the process quick and painless.
Both have different implications for your users and will impact the amount of traffic data you can collect, and both can be compliant with GDPR law.

Consent preferences

In the most basic installations, consent banners allow users to either accept the collection of cookies or deny them. If your website however is collecting cookies for different purposes, say one to send to Meta for retargeting campaigns and one for A/B testing - you might find it beneficial to allow users to decide on which cookies they accept. Moreover, your users will be completely informed on which cookies are being collected and for which purpose - this is a great step towards gaining your users' trust but also in terms of compliance towards data privacy laws. GDPR highlights four different cookie classifications that can make it easier for your users to understand what they are consenting to: strictly necessary cookies, preference cookies, statistics cookies, and marketing cookies. Find the list here: https://gdpr.eu/cookies/

Honestly, I do not think this is easy for users to understand because many websites either do not follow the guidelines at all or do, but categorize their cookies incorrectly. This creates a lot of confusion, and website builders might take advantage of users by making it so complicated to deselect cookies that they just select all so that they can actually use the website.

My tip here is to be descriptive and call it like it is. If you collect third-party cookies and send them to Google Ads - I would say that is not essential. So call it marketing or retargeting or whatever - but just be clear about which tools fall under that category and perhaps the type of cookie you are collecting.
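As an added illustration (not code from this post or from any CMP), here is a minimal opt-in gate covering the points above: tags are held back until an explicit per-category decision, closing the banner grants nothing, and withdrawal is a single call. `ConsentGate`, its method names and the tag names are hypothetical, and a `Map` stands in for the cookie or localStorage entry that would hold the decision.

```javascript
// Added example; ConsentGate and its method names are hypothetical.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

class ConsentGate {
  constructor(storage = new Map()) {
    this.storage = storage; // stand-in for a first-party cookie or localStorage
    this.pending = [];      // tags waiting for a decision
    this.fired = [];        // names of tags that actually ran
  }
  // Opt-in: with no stored decision, only "necessary" is allowed.
  allowed(category) {
    if (category === "necessary") return true;
    const decision = this.storage.get("consent");
    return Boolean(decision && decision[category] === true);
  }
  // Run the tag now if its category is allowed, otherwise hold it back.
  register(name, category, run) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.allowed(category)) { this.pending.push({ name, category, run }); return; }
    run();
    this.fired.push(name);
  }
  // Banner "save" button: only categories explicitly set to true are granted.
  decide(choices) {
    const decision = Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true]));
    this.storage.set("consent", decision);
    const waiting = this.pending.splice(0);
    for (const tag of waiting) this.register(tag.name, tag.category, tag.run);
  }
  // Closing or ignoring the banner stores nothing, so held tags stay held.
  dismiss() {}
  // Withdrawal is one call, e.g. from a button in the privacy policy.
  withdraw() { this.storage.delete("consent"); }
}

// Constructed walk-through: returns the tags fired after each step.
function demo() {
  const gate = new ConsentGate();
  gate.register("session", "necessary", () => {});
  gate.register("analytics", "statistics", () => {});
  gate.register("retargeting", "marketing", () => {});
  gate.dismiss();
  const afterDismiss = [...gate.fired];
  gate.decide({ statistics: true });
  const afterDecide = [...gate.fired];
  gate.withdraw();
  gate.register("ab-test", "statistics", () => {});
  return { afterDismiss, afterDecide, pending: gate.pending.map((t) => t.name) };
}
```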

I hope this blog post helps you when you start implementing your new consent banner or perhaps if you are thinking of adapting your existing banner. We have gathered a lot of experience over the years implementing different banners and would be happy to help you get yours up and running!

Bonus section

Below is one of my favourite banners I have stumbled upon recently:

Link: Graubünden Tourism

I really like it because it is very unique, catches your attention, and even links to some of their advertisement campaigns. It is important to note however that this banner is not compliant with privacy laws such as GDPR or CNIL.
