The short of it is yes. Ever since 2011, privacy concerns over the archives of browsing data that third-party tracking cookies were able to collect from unsuspecting visitors prompted EU and US lawmakers to scramble for a way out. It may have taken them a while, but as of May 25, 2018, the EU has introduced the General Data Protection Regulation (GDPR), which requires websites to ask users for consent before using non-essential cookies to track their data.
Initially, cookies were designed so that websites could store stateful information and improve the user experience: remembering items in an eCommerce shopping cart, a language preference, user input (username, password, payment card numbers), and browsing activity, so that pages could load more quickly and efficiently. These useful cookies are called first-party cookies.
As you can see, cookies were meant to improve the efficacy and ease of browsing for users. Authentication cookies, for instance, which contain our login information, allow us to visit websites at different times without needing to re-enter login details every time we visit that site.
However, there’s also something called third-party tracking cookies which come from a domain different from the one of the visited website. These cookies follow a user’s browsing activities even after they leave the website, compiling archives of their browsing histories. For what purpose, you may ask. It’s always the most obvious answer – advertising. Third-party tracking cookies follow you around to target ads based on your previous search and purchase history. Keep in mind that there are also tracking cookies directly used by websites you visit – like Facebook.
While advertisers can claim all they want that “targeted ads improve user experience,” they also make you spend more on things you don’t need and definitely make you feel like your privacy has been violated – because frankly, it has. Thankfully the authorities have picked up on this, along with additional concerns over the implications of a company holding in its claws archives of unsuspecting users’ browsing histories, and introduced laws that require websites to ask for informed consent by website visitors before storing any non-essential cookies.
Which brings us to the GDPR cookie compliance.
The General Data Protection Regulation (GDPR) requires websites to obtain user consent before setting non-essential cookies. The aim of the GDPR is to protect user privacy and allow users to opt out of behavioral advertising (targeted ads). At the same time, it’s meant to hold companies accountable for how they collect, archive, and use visitor data by fining websites that don’t comply.
In other words, the GDPR stops visited websites and third parties from tracking internet users’ browsing activities without asking for consent first. That’s why there’s that increasing number of popups asking you to decide which cookies you want to accept when visiting websites, so take advantage of this regulation and give it a moment of thought before clicking “accept all.”
Some people do approve of behavioral marketing, i.e. targeted ads. Some people like seeing ads only for things they’re likely to purchase. These people always have the option of allowing websites and third-party domains to track their off-site activity with cookies. Of course, it’s still scary imagining that companies are gathering and storing your data. After all, we can’t really know who ends up buying that data.
The GDPR doesn’t cover cookies that remember what items users have placed in shopping carts, but it does target all cookies that can identify a user based on their device. This includes analytics, advertising, and functional services cookies.
The GDPR has shaped the way that websites, and third-party domains acting through those websites, can gather visitor cookies. For websites to be GDPR-compliant, they need to either stop setting the cookies targeted by the GDPR, or ask for legal and explicit user consent before gathering that data.
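To make the two points above concrete (the first-party versus third-party distinction, and the rule that only essential cookies may be set before the visitor grants a category), here is an added example that is not part of the original post or of any plugin it mentions. It models a consent gate: cookie names, domains, and the category labels are constructed for illustration, and the third-party check is a simplification that ignores public-suffix rules.

```javascript
// Added example, not from the original post: a consent gate that models the
// GDPR rule described above. Every cookie a page wants to set carries a
// category; only "essential" cookies may be set before the visitor has
// granted the matching category. Names and domains below are constructed.

const ESSENTIAL = "essential";
// Non-essential categories named in the post; all are off until granted.
const OPT_IN_CATEGORIES = ["analytics", "advertising", "functional"];

// Hypothetical cookies a shop page would like to set, with the domain that
// sets each one and its category.
const COOKIE_REQUESTS = [
  { name: "cart_id",    domain: "shop.example",        category: ESSENTIAL },
  { name: "session",    domain: "shop.example",        category: ESSENTIAL },
  { name: "_ga",        domain: "shop.example",        category: "analytics" },
  { name: "lang",       domain: "shop.example",        category: "functional" },
  { name: "ad_profile", domain: "ads.tracker.example", category: "advertising" },
];

// Build the consent record from the banner's choices. Anything the visitor
// did not actively tick stays false: silence or a closed banner is not consent.
function consentFrom(choices) {
  const consent = {};
  for (const cat of OPT_IN_CATEGORIES) consent[cat] = choices[cat] === true;
  return consent;
}

// A cookie is third-party when the setting domain is neither the visited host
// nor a parent/subdomain of it (simplified: no public-suffix list handling).
function isThirdParty(cookieDomain, siteHost) {
  const sameSite = cookieDomain === siteHost ||
    siteHost.endsWith("." + cookieDomain) || cookieDomain.endsWith("." + siteHost);
  return !sameSite;
}

// Split the requested cookies into those allowed under the current consent
// and those that must be blocked, tagging each with its first/third-party status.
function applyConsent(requests, consent, siteHost) {
  const allowed = [], blocked = [];
  for (const c of requests) {
    const granted = c.category === ESSENTIAL || consent[c.category] === true;
    const tagged = { ...c, thirdParty: isThirdParty(c.domain, siteHost) };
    (granted ? allowed : blocked).push(tagged);
  }
  return { allowed, blocked };
}

// Before any choice only the two essential cookies survive; after ticking
// "analytics" the _ga cookie is released, while the advertising cookie from
// ads.tracker.example stays blocked.
console.log(applyConsent(COOKIE_REQUESTS, consentFrom({}), "www.shop.example").allowed.map(c => c.name));
console.log(applyConsent(COOKIE_REQUESTS, consentFrom({ analytics: true }), "www.shop.example").blocked.map(c => c.name));
```

A real banner would persist the consent record (itself an essential cookie) and re-run the gate on every page load, so that a visitor's earlier refusal is honoured rather than re-asked.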
Here are some old cookie practices that companies can no longer get away with using:
Instead, websites will need to:
You might be thinking that since the GDPR was an EU initiative, it wouldn’t apply to you – if you’re based in the US or any country outside EU borders. However, the internet doesn’t exactly ask people for passports in order to access websites. Most online content is globally available to anyone, from anywhere. This means that the moment an EU-based visitor appears on your website (and that won’t take long), the rules – and the fines – apply to your website and hold you accountable. That’s why every website needs to be GDPR-compliant, including yours.
Next, you’ll need to adjust the appropriate widgets to activate the functionality of cookie consent forms for when users visit your website.
What was that saying: if you can think of it, there’s probably a WordPress plugin for it?
Naturally, there’s a great GDPR Cookie Compliance plugin by the Moove Agency which is completely free and also covers CCPA and PIPEDA, two other laws with cookie consent requirements.
The plugin is easy to use, highly customizable, mobile-responsive, and SEO-friendly.
User data is being stored, bought, and sold every day by websites, ISPs, and marketing agencies. Cookie compliance laws such as GDPR are an important step forward in protecting user privacy and emphasizing the importance of user consent when it comes to storing personal information.
In the end, whether someone likes to be the subject of targeted ads or opts to stay out of the marketing game, it should certainly be up to them… even though HTTP cookies are a lot easier to resist than the oatmeal and raisin kind.