Author: Michael Patten
Data is an increasingly valuable and powerful asset for online businesses—most particularly, the data captured from user behaviors when they interact with your product or service.
However, data privacy regulations (along with the significant penalties that come with violating them) present a huge challenge for most digital marketers, analysts, and website owners. Without possessing a perfect mix of legal qualifications, technical abilities, and extensive platform knowledge, running the most basic tracking on your website can feel like a confusing and stressful order.
After guiding hundreds of businesses over the years to become ‘cookie compliant,’ I have condensed my key learnings below to help you strike the balance between abiding by the regulations whilst also maintaining a healthy volume of actionable business data.
Table of contents:
How privacy regulation impacts your user data
Advanced analytics are no longer solely reserved for the Unilevers and the HSBCs of the world. Now that machine learning is woven into the core functions of most popular analytics and digital ads platforms, data literacy is also the key to intelligent business decisions for family-run bakeries, hand car washes, and online caricature artists alike.
On that note, it’s easy to forget that data is no longer reserved for us humans. Feeding accurate, consistent data to ad platforms not only aids the return on your advertising investment (via smart bidding solutions), but also helps you reach the right prospective customers (through predictive audiences). There isn’t a single, successful growth strategy that I’ve led in the past five years that doesn’t reflect this at its core.
However, you can no longer track everyone who visits and everything they do on your website by simply slapping a code snippet on every page. Increasing privacy regulation around the world emphasizes the rights of the end user over:
The information that can be stored on their device
The types of communications that can be sent to them
How their personal information is stored on company databases
Ignoring these regulations (and user preferences) can lead to platform suspensions, legal action, and rather hefty financial penalties—whether you’re an enterprise or ‘just a small business.’
More and more digital marketers feel that there is an aspect of ethics to consider as well. If a user declares they do not want you to track them, then you should honor their preference regardless of how strict the regulations govern this. After all, behind every businessperson leveraging user data is a person with personal data to protect as well.
Not everything is GDPR, but a lot of it is
If you operate from (or for) a European territory, you are likely aware of GDPR: the General Data Protection Regulation. If you are in a state or country that has alternative privacy regulations, chances are that GDPR was a reference point for its foundations.
‘GDPR’ has become shorthand, like Jacuzzi to hot tubs, Kleenex to tissues, or Google to search engines. And, there are a variety of different, significant privacy regulations within the European territories as well (i.e., the ePrivacy Directive, the Digital Services Act, and Digital Markets Act). Admittedly, ‘GDPR’ is a lot faster to say, so it gets used quite loosely.
These laws and guidelines cover more than just tracking pixels and browser cookies—these are far-reaching requirements that span many areas of your business as well as the information in your customer base.
To give a very top-level (perhaps even oversimplified) view, I’ve summed up the distinctions between these regulations that pertain to website tracking:
GDPR — The General Data Protection Regulation, enforced since 2018.
Articles 4, 7, and 21:
Defines what ‘consent’ is in exact terms
The demonstration that valid consent has been obtained from the user
Clear presentation of the purposes and means of processing user data
Providing the right to object and withdraw consent
ePD — The ePrivacy Directive, enforced as ‘the cookie law’ since 2020.
Article 5(3):
Consent must be obtained to store information in a user’s device.
Data processing purposes must be clearly defined and presented.
Classification should be given between essential and non-essential functions.
In addition to cookies, this also covers other types of information storage (such as local or session storage).
DSA — The Digital Services Act, enforced since 2024.
A focus on platforms and large online organizations to provide specific levels of transparency and online safety
The outlawing of ‘dark patterns,’ visual trickery employed to manipulate a user’s choice over their own data
DMA — The Digital Markets Act, enforced since 2024.
Introduces the concept of ‘gatekeepers,’ significantly large online entities that process substantial amounts of user data, such as Alphabet (Google), Microsoft, Meta, Amazon, etc.
Gatekeepers are required to uphold stricter standards around privacy protection and user control.
Whereas the GDPR and ePD are geared more towards us marketers, analysts, and website owners in our own practices, the DSA and DMA affect us in an entirely different way—the requirements needed from the ads and analytics platforms we utilize and, by extension, the way they track.
Perhaps the most famous example of this is the requirement for anyone serving Google Ads tracking to users within the European Economic Area (EEA) in the release of Google Consent Mode v2. Whereas v1 provided the option to simply track opted-out users on a cookieless basis, v2 requires that you declare that the user data you send to Google’s servers was collected in a compliant manner. These declarations are processed on every hit sent via various parameters. Failure to integrate this feature can lead to various tracking restrictions, particularly when it comes to re-engaging previous site visitors.
Why non-EU businesses should care about user consent
All too often I hear, ‘We don’t need to care about the cookie law because we’re not in the EU,’ or similarly, ‘We don’t need to worry because we are a small business—only corporations are at risk of fines.’
For the most part, it’s not about where your business operates, but the location of the users that can access your site (and therefore be tracked by it). By competing globally online, you are also responsible for catering to your global audience’s privacy preferences.
And while the majority of cases making headlines are about large multinational companies, smaller businesses are not invisible to the eye of the authorities. And, bear in mind that companies, such as Google, are obliged to restrict, suspend, and outright remove the tracking and accounts of any website detected to be in breach of privacy regulations—which, in my experience, is a more likely and frequent outcome.
How to ensure your cookie banner is GDPR compliant
Fortunately, when it comes to user tracking and the methods in which this is handled, there are many observable similarities between regulations. Below, I’ve grouped the main tenets for consideration:
User control over what they consent to
Categorize cookies by essential and non-essential functions, but also by purpose: analytics, marketing, optional site functionality, etc.
Provide separate levers to opt-in and opt-out of these categories.
The definition of ‘giving consent,’ at least under GDPR, is when it is given freely, is specific, informed and unambiguous in relation to the user’s wishes, and given via clear, affirmative action.
Consent can no longer be assumed; cookie banners that state ‘by browsing this site, you automatically agree to have cookies set,’ no longer comply.
For territories with stricter regulations (e.g., the EU), non-essential cookies cannot be set on landing for a new user until they have accepted them (referred to as an ‘opt-in’ model).
Users should also be able to change their preferences whenever they desire, typically via a link or button that re-summons the cookie banner.
This concept extends further than just cookies; for instance, a user should be able to explicitly express whether they would like to be included in marketing communications.
Information clarity
Cookies set within a user’s browser, both essential and non-essential, should be listed on your cookie policy page (or failing that, your privacy policy page) with details around their purpose, lifespan, domain, etc.
Details should be clearly viewable before a user has given consent (typically provided as a link to the privacy and/or cookie policy via the cookie banner itself).
Take accessibility into account when presenting information, as per the rest of your website. E.g., even if your company brand colors are a mix of neon green-on-lime green, when presenting matters of user data privacy, you need to ensure that everyone (including those with vision impairments) are able to receive this information.
Trickery and manipulation
The language you use to outline any and all aspects of your user privacy policy should be clear, plain, and easy to understand.
Avoid ‘dark patterns’ (tactics that mask or disguise unintentional actions) when you design your site. For example, covering the ‘opt-out’ button with a site popup or coloring the button to obscure it in the background is unacceptable. Likewise, adding tens of unnecessary options that make the user feel that opting-out of non-essential cookies is too much hard work is also unacceptable.
Do not force users to opt-in to non-essential functions in order to perform core functions. For example, not allowing a user to buy a product unless they agree to be tracked via marketing cookies that have no bearing on the site’s checkout process itself.
However, using a banner overlay that interrupts the user from interacting with the website until they have expressed their levels of consent generally appears to be acceptable.
It is simply not enough to appear as if you are performing these aspects. The onus is on you to ensure that, if indeed you are presenting the user with a comprehensive and compliant cookie banner, that the controls given do exactly that—control.
Too many past clients that I onboarded arrived with a cookie management platform (CMP) that appeared to be compliant, but failed immediately in core functionality.
To put it metaphorically, the clients were under the impression that they had a fully fledged house alarm system, only to discover that what they were sold was a small box on the side of their home with a blinking LED light inside it.
Whilst I was able to help some clients before their non-compliance was detected, others suffered a more challenging process. For the latter, Google issued them a non-compliance notice that declared they must improve before a very short and strict deadline.
Even those that quickly mobilized their developers and overhauled their tracking logic were not guaranteed to carry on as normal, as Google often did not detect the consent-focused changes before the deadline came. The result was not only that their ads tracking was suspended (leading to no conversion visibility or ability to remarket), but a manual review process with Google’s GDPR team followed, and that spanned many weeks. This proved to be the only way to get tracking reinstated, all the while conversion volumes dwindled and cost-per-acquisition rose to an unsustainable level.
Cookie banners on Wix
For Wix site owners, once you add a cookie banner to your site, non-essential cookies and scripts are automatically disabled until your visitor consents, helping to ensure that you stay on the right side of compliance.
Within your Wix cookie consent banner, you can also add a link to your privacy policy so visitors understand all the ways your site collects, uses, discloses, and manages their data.
Alternatively, you can also manage your cookies and privacy settings with an app like Cookiebot for Wix.
Work around what you can’t track and understand what you could never track anyway
Giving users control over how their interactions with your site get tracked means that you’re unable to obtain a ‘full picture’ of user activity. When the ‘cookie law’ was getting implemented, many digital marketers needed to learn how to navigate the sudden and significant loss of reported traffic as soon as cookie management was activated. This was completely understandable, but there are some important factors to consider with regards to the ‘missing’ data:
User type | Description | Impact on your reporting |
Segment one | The proportion of users who opt-in to tracking in the traditional way. | These are the users generating the reporting data that you still have access to. |
Segment two | The proportion of users that land on the site only to leave without interacting with the cookie banner. | These users will no longer show in reports, which, frankly, is no great loss. While this will make overall traffic seem smaller, these users do not bring value to your data (or your ability to make smart decisions from that data). |
Segment three | The proportion of users that explicitly and consciously opt-out of non-essential tracking on your site. | These users also no longer show in reports, which is perhaps more concerning up-front. These users may be interacting with your site in a meaningful way, although according to Google, at a much lower rate than those who opt-in. |
If you receive reports on the proportion of users who purposefully opt-out (which some consent management platforms offer), you can use this figure to model the ‘lost’ activity against users who opted-in, or against the number of sales/leads received in your CRM vs. the reported totals. This presents an inconvenience, but not a catastrophe.
You may also track users via newer, cookieless methods. Marketers who subscribe to the ‘no means no’ mentality deem cookieless tracking to also be unethical, perhaps even in technical contradiction to existing laws and regulations. Nevertheless, solutions such as the advanced flavor of Google Consent Mode, server-side tracking, and various per-platform conversion APIs (cAPIs) are available to help you ‘regain’ this reporting visibility, either via machine learning-assisted activity estimations or by sending information about on-site activity to a separate, dedicated data processing server. It’s worth noting that such solutions require advanced expertise to set up, and many come with an additional running cost.
Segment four | The proportion of users who, even before user privacy regulations, were not trackable. | Whilst privacy-centric browsers such as Brave have become more common in recent years, blocking cookie-serving tracking scripts is not a new concept, with many browser extensions serving that purpose for years. Even before then, with knowledge, a user could disable scripts through the browser’s developer console. |
This fourth and final segment is an important reminder for those with rose-tinted glasses:
Even in the days gone by, reporting never represented 100% of user activity. Whilst we’re so used to obsessing over quantity (be it number of sessions, users, and pageviews), the most important questions are answered by those providing the highest quality of actionable data—the users that actively opt in and meaningfully interact with your product or service.
Cookie banner and CMP implementation mistakes to avoid
There will always be a level of ‘managed’ or ‘known’ data discrepancies to accommodate when first becoming cookie compliant, because (as mentioned before) those who immediately bounce or opt-out of tracking will be missing from the reports you typically see them in.
However, imagine the distress of loading up your analytics platform only to find that, not only has traffic dropped overnight, but now everything is completely misattributed to ‘direct.’ Imagine weeks later learning that your remarketing audiences no longer perform, as the list stopped populating with new users from the date your CMP was activated. Perhaps, the other end of the scale is true: sessions and users have skyrocketed but reported conversion rate severely dropped as a result.
Unfortunately, this is far too common and signals a rushed or incomplete CMP integration. Symptoms of this include:
Cookies set for the user upon landing, only to be hastily deleted as the CMP loads on the page, only to reset the cookies again once they are accepted. This is a typical cause of user and session inflation, as two user and session IDs are assigned during the same page load sequence.
Cookies accepted by the user, but do not set until the second page view in their journey. Not only is attribution information now lost at the point that your analytics platform springs to life, but those who only view one page in their session are not recorded. This is a typical cause of user and session suppression, along with attribution issues.
Autoblocking functions (which are a common feature offered by many CMP providers) operating at an overzealous level and blocking website features unrelated to non-essential cookies. This is a common cause of a whole host of website issues that can potentially disrupt the entire user journey to conversion.
It’s an uneasy situation to find yourself in, particularly if you invested significant time and/or money in getting your website compliant, only to then need expert help in order to get your data back in balance.
What you can do to ensure cookie compliance—even if you’re not a developer
Whether you have yet to begin your journey to cookie compliance or already have a fully fledged CMP in place, there are some simple checks you can perform and some handy free-to-use tools available to make it easy—even if you have no experience with front-end web development or tracking code.
Data is an increasingly valuable and powerful asset, after all, so ensuring you can use it to its fullest may well be the difference between business success and failure.
Get familiar with your browser’s developer tools console. Here you can not only see the cookies set by the website, but also the hits that are sent from your website to third-party providers.
Clear your browser cookies or open a new ‘guest’ window (this is not the same as an ‘incognito’ window that can still reference previous browser storage). Go to your website and observe the cookies that are set before you interact with anything by opening up your browser’s development tools window. Does anything surprise you? Some common, non-essential cookie names to keep an eye out for include:
Cookies starting with ga almost always relate to GA4, along with those that start with gcl typically relating to Google Conversion Linking functions for Google Ads.
Cookies that begin with _hj likely belong to user experience tool Hotjar, used for visualizing how users interact with your site via engagement tracking.
fbp is a cookie that relates to Facebook Ads/Meta, whilst those starting with tt relate to TikTok Ads. These are used for tracking the success of marketing activity and audience list generation.
Similarly, those starting with _pin likely relate to Pinterest Ads.
There are some cookies that aren’t so easy to spot in relation to the name of the platform that set them. You can use Cookiepedia to find more information on some of the lesser-known platforms that are integrated with your website. Though this resource isn’t the most complete or up-to-date record of cookie information, at the very least it will point you to other websites that have been detected as also serving that type of cookie. The more reputable sites on the list should provide more info via their own comprehensive cookie policy pages.
Familiarize yourself with how to view the network hits going from your site to third-party servers. To make this process a lot easier (especially for Chrome users), I recommend an extension such as David Vallejo’s Analytics Debugger as well as Omnibug by omnibug.io.
Using the tools mentioned above, you can view all the information getting sent off-site much more easily. Many analytics and ads platforms will assign a user a unique session or user ID. Can you spot any of these IDs changing between your first and second page view on your site? To break this particular process down, let’s use GA4 as an example:
Google’s support pages for GA4 state that the ga cookie is used to distinguish users, and the ga_<container-id> cookie is used for identifying sessions.
Either using a browser extension or by viewing the cookie values within the developer console, both the Session ID (used to tie interactions to a single browsing session) and Client ID (used as an effective user ID to tie interactions to a single device) are viewable.
Start browsing your site from a fresh ‘guest’ window. Observe the IDs immediately after accepting analytics cookies, and then again after clicking an internal link to another page.
If the IDs change between any of these steps, this may indicate that non-essential cookies are able to set for a split-second when they have not been permitted to do so. It is likely that your CMP is not correctly set up and your analytics data will be skewed.
These tools can also show whether consent declaration parameters, such as those required via Google Consent Mode v2, are applying correctly and in accordance to user preferences.
Use a VPN that allows you to spoof your location to view your site through the lens of a new user in different territories around the world. Does your cookie banner still hold up?
In addition to auditing active technical issues, ensure that you follow best practices on how to present consent controls and related information on your website:
Ensure your cookie banner meets current standards. Referencing the main principles contained in this article, ensure that your cookie banner is active, functional, and gives the user the correct level of choice and control over their consent preferences.
Do not use trickery and manipulation to artificially influence a user’s choice over their data.
Present detailed information about the cookies you use, their purpose, and their attributes on your privacy policy or cookie policy page.
Provide the user with information about what they can do to amend or revoke their consent choices at any time during their visit. Ideally, provide a way to re-summon your cookie controls.
Consumer privacy is here to stay
Moving forwards, privacy laws are not going to disappear—in fact, they are almost certain to continue to grow and evolve (and quite rightly so). Growing and evolving your own skill sets in parallel is not just a requirement, but also presents a fantastic opportunity to expand your capabilities in your role. And, if you’re already ‘wearing too many hats,’ rest assured that there are a range of data privacy experts out there to lend a hand.
Michael is a multi-disciplinary data expert with over ten years of agency-side experience in paid media and analytics. He has a passion for problem solving and skill for demystifying data, which he uses to help businesses of all shapes and sizes create enhanced, actionable insights. Linkedin