Does My Site Need a Cookie Consent Banner?

Development / Drew Hagni

TL;DR: Yep.

Sure, there’s an outside chance that your site doesn’t collect anything. Maybe it’s pretty bare-bones or you’ve been diligent in using very privacy-conscious tools when building. Chances are, though, your site is collecting user data even if you’re not aware of it or didn’t intentionally set it up that way.

Let’s cover some misconceptions first

You might assume that because your company’s website is simple, and not a full-blown social media platform, it isn’t doing anything nefarious with your users’ data.

Maybe you assumed that these laws only apply to sites that utilize retargeting cookies or similar cookie-heavy marketing methods.

Or maybe because you knew that many of these privacy regulations originate from the EU (or at least California), you assumed your site, based elsewhere, is not a concern.

All valid assumptions, but unfortunately each is a misconception.

Even a simple site based in the US using Google Fonts could find itself in legal trouble and could be subject to fines. Yikes!

Okay, so what are these privacy regulations anyhow?

There are a few. The Data Protection Directive (1995) was one of the first in the EU and was expanded on by the ePrivacy Directive (2002). There’s also the California Consumer Privacy Act (2018), which gives California residents more control over how businesses collect, use, and share their personal information.

But the poster-child is certainly the General Data Protection Regulation (2018), otherwise known as GDPR. Most policy changes in the web world are a direct result of GDPR provisions.

In their own words, the GDPR is “the toughest privacy and security law in the world” and its purpose is to preserve “your right to be forgotten”. Much of its focus as it relates to website developers and owners is how users’ data is handled.

Your info

A key term in all of this is personally identifiable information (PII). This includes expected stuff like your name, email address, mailing address, and phone number. But according to GDPR, PII also encompasses your precise location, IP addresses and cookie identifiers.

The long and short of it is: you may not collect, store or send any PII of users without the user’s express consent. Users have the right to know how their data is being used and have the right to opt-out at any time. Additionally, if given consent to gather any of this information, it must be handled securely and must be deleted upon the user’s request.

If you’re still wondering if you’re beholden to these regulations even if your company resides outside of the EU (or California), the answer is likely still yes. If a user who resides in a region in which these regulations are in effect visits your website, and their data is mishandled, you are liable and may be subject to fines.

IP Addresses and cookies

Even if you haven’t included anything on your site with the specific purpose of collecting user data, it is likely still collecting and storing/sending the IP addresses of your users and setting cookies on their devices.

Simply put, if you’re using an external font library, hosting maps, or are gathering any analytics information, then your site is almost certainly non-compliant with GDPR.
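To see which outside hosts a page would hand a visitor’s IP address to, you can list the third-party resources in its HTML. The sketch below is an added example, not code from this article; the tag and `rel` lists, the `example.com` origin and the sample markup are assumptions made for illustration.

```javascript
// Added example: which third-party hosts does a page contact on load?
// Tag list, rel list and SAMPLE_HTML are constructed for illustration.
const FETCHED_RELS = ['stylesheet', 'preload', 'preconnect', 'prefetch', 'icon'];
const RESOURCE_TAG = /<(script|link|img|iframe)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi;
const CSS_IMPORT = /@import\s+(?:url\()?\s*["']?([^"')\s;]+)/gi;

function thirdPartyHosts(html, siteOrigin) {
  const site = new URL(siteOrigin);
  const found = new Map(); // host -> Set of places that reference it

  const record = (where, rawUrl) => {
    let url;
    try {
      url = new URL(rawUrl, site); // resolves relative and //host/path URLs
    } catch {
      return; // unparsable value, nothing is fetched
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return;
    if (url.host === site.host) return; // first-party request
    if (!found.has(url.host)) found.set(url.host, new Set());
    found.get(url.host).add(where);
  };

  for (const [tagText, tagName, rawUrl] of html.matchAll(RESOURCE_TAG)) {
    const tag = tagName.toLowerCase();
    if (tag === 'link') {
      // <link rel="canonical"> and similar are metadata, not fetched.
      const rel = (/\srel\s*=\s*["']([^"']+)["']/i.exec(tagText) || [])[1] || '';
      const rels = rel.toLowerCase().split(/\s+/);
      if (!rels.some((r) => FETCHED_RELS.includes(r))) continue;
    }
    record(tag, rawUrl);
  }
  for (const [, rawUrl] of html.matchAll(CSS_IMPORT)) record('css @import', rawUrl);

  return [...found]
    .map(([host, places]) => ({ host, places: [...places].sort() }))
    .sort((a, b) => (a.host < b.host ? -1 : 1));
}

const SAMPLE_HTML = `
<link rel="alternate" hreflang="de" href="https://example.de/">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/css/site.css">
<script src="//www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<iframe src="https://www.google.com/maps/embed?pb=PLACEHOLDER"></iframe>
<style>@import url("https://fonts.googleapis.com/css?family=Lato");</style>
`;
```

A static scan like this misses requests that scripts make at runtime, so check the browser’s network panel as well.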

Why gather this data?

Well, depending on the service, the provider may require an IP address for different things. In the case of fonts, it needs the user’s IP address to send the font to their machine to be cached. Analytics services use IP addresses and cookies to identify unique users and track their progress through a site, etc.

The most popular solution for many of these commonplace web services, as you may know, is Google. They’re the leading platform for web fonts, analytics, and maps.

Are there methods to make your super-convenient Google services more privacy-focused?

Sure. You can read all about making Google Analytics more compliant in CookieYes’ helpful article: Is Google Analytics GDPR Compliant?

To my knowledge, though, it isn’t possible to anonymize or prevent IP addresses from being sent to Google when using their font services. You’ll have to self-host your fonts in that case.

And finally, Google Maps is a gray area that depends on a myriad of factors based on which tools and APIs you’re leveraging.

I don’t know about you, but that’s enough warning flags for me to find a “better safe than sorry” solution, which of course is where a consent banner (and a few other things) come into play.

Covering your bases

So, first things first – make sure you’ve got a privacy policy page and a cookie policy page in place. There are plenty of tools and templates out there that can help you get started. Your goal here is to cover what data is being collected, how it’s used, and what rights users have regarding their data. In this case, it’s best to consult a lawyer to make sure you’ve got everything in order.

Next, you should include a consent banner. This usually takes the form of a fixed footer that appears at the bottom of the screen until dismissed. Here you can give a brief description of your privacy and cookie policies (with links to each) in short form for users to opt-in or out of cookies.

This could be simple ‘Yes’ and ‘No’ buttons, or you could include checkboxes for various types of cookies. If using checkboxes, it’s important that any PII-collecting cookies are not checked by default. Additionally, closing the banner should be equivalent to opting out entirely.
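The banner rules above (nothing optional pre-checked, closing counts as opting out) come down to a small piece of state logic. This is an added example rather than code from the article; the category names, the cookie value format and the resource list are assumptions.

```javascript
// Added example: consent decisions for the banner described above.
// Category names, cookie format and RESOURCES are assumptions.
const CATEGORIES = ['necessary', 'analytics', 'embeds'];

// Nothing optional is pre-selected; only strictly necessary cookies are on.
function defaultConsent() {
  return { necessary: true, analytics: false, embeds: false };
}

// action: 'accept-all' | 'reject-all' | 'save' (with checkbox state) | 'close'
function decide(action, checked = {}) {
  const consent = defaultConsent();
  if (action === 'accept-all') {
    for (const c of CATEGORIES) consent[c] = true;
  } else if (action === 'save') {
    for (const c of CATEGORIES) {
      if (c !== 'necessary') consent[c] = checked[c] === true;
    }
  }
  // 'reject-all', 'close' and any unknown action keep the opt-out default.
  return consent;
}

// Value stored in the consent cookie, e.g. "necessary.analytics".
function serialize(consent) {
  return CATEGORIES.filter((c) => consent[c]).join('.');
}

// Fail closed: a missing, malformed or tampered value means no consent.
function parse(value) {
  if (typeof value !== 'string' || value === '') return defaultConsent();
  const parts = value.split('.');
  if (!parts.every((p) => CATEGORIES.includes(p))) return defaultConsent();
  const consent = defaultConsent();
  for (const p of parts) consent[p] = true;
  return consent;
}

// Constructed list of optional third-party resources, one category each.
const RESOURCES = [
  { url: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX', category: 'analytics' },
  { url: 'https://www.google.com/maps/embed?pb=PLACEHOLDER', category: 'embeds' },
];

// Only these URLs may be injected into the page for the given consent.
function resourcesToLoad(consent) {
  return RESOURCES.filter((r) => consent[r.category] === true).map((r) => r.url);
}
```

On page load, call `resourcesToLoad(parse(cookieValue))` and inject only the returned URLs, so that no optional request leaves the browser before the visitor has chosen.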

Consult a lawyer

It likely goes without saying, but we’re developers and designers, not lawyers. We’re here to provide insight and resources as we understand them to hopefully help you get started, but it shouldn’t be taken as authoritative. We recommend talking to a lawyer to get everything sorted properly. And once you do, we can of course help you get the consent banner and appropriate privacy policy and cookie policy pages added to your site.
