Cookie consent banner for the SMB

There’s been quite some cookie talk lately on this blog and one reason why is that I have as CEO of my little startup been looking for a cookie consent banner which costs nothing for my website.

So why only now. Well, I did only have essential cookies on my website until recently which didn’t require cookie consent. I had inserted a banner and notice. However, I started adding YouTube videos and Chat, which came packaged with an analytics engine, Zoho SalesIQ.

So when one of my Linkedin Connections was kind enough to point this out, I responded without thinking, that only essential cookies are used…… I was feeling just a bit little stupid when I realised that I’d been so deep in getting my business out to market, that I’d actually missed the privacy thing, which is not good, after all my business is about GDPR compliance!

So I was on a mission, install a cookie consent banner with a preference centre on my website, catch was that I had not budget for this. I am after all a small business, and all these small costs add up to something more. And not all small business have funding for extra overheads. I wanted to find something which I could recommend to my customers/partners, many are SMBs, so they have (1) a free option, and (2) paying option.

Criteria for SMB as I see it is:

  1. There must be a free option
  2. It must work on all websites, e.g. even OneSpace, Wix,
  3. It must be easy to setup without too much technical know-how.

Most cookie banner solutions cost money, and you can expect to pay circa €9 per month. However, there are some free ones out there, with restrictions such as a single domain. But this is good enough for most of my customers.

On a technical level it needs to work on all types of websites, e.g. mine is hosted on, and some which I came across and tested didn’t work because they required that I install code in the Header html, and I don’t have access to this. I can only insert code within the page/footer).

Ease of setup, was not great. I spent 2 days looking/testing suitable cookie consent banner. Of those I found, I tested 8, and became extremely frustrated because IMHO this should be EASY, but it was most certainly not. I am not technophobia, and do have a decent level of competence to make this work. But it required javascript, and of all I tested only 2 came close, and only one met the technical criteria for the SMB and the cost criteria. That was Termly.

Now, I still say there is no excuse for how the Guardian’s banner was configured, they have money to pay techie to do this work, but for a small business, setting up a cookie consent banner is not reasonable. If 2 days work is required to find/test and install one. That is why I have written this blogpost. If you’re an SMB you don’t need to waste time looking. Carry on reading for an alternative to Termly later on….

It doesn’t stop here. I then checked this blog to look at cookies. This blog was originally setup by myself in 2007, and cookies weren’t a big thing then. Even since, I haven’t given a thought to my musings on this blog, and that a cookie consent banner is necessary, because I wanted to believe that Article 2 applied, household exception. However, now we are many Authors, and unfortunately WordPress downloads over 80 cookies! Even though this is a personal blog, now for many, we needed to fix this -now that I’m on a cookie kill drive, and starting to hate these little blighters!

Now if your business website is using WordPress you must upgrade to Business to get the Plugin for free, and this should be easy to install, although I haven’t tried yet, because this is a personal blog, and I don’t intend to upgrade at a monthly subscription of €35 just to get my hands on a cookie consent banner. I checked some other cookie banner options. I received a tip on Metomic from a privacy Connection, and I liked it, wish I’d found before. But when it scanned this virtualshadows blog it reported there were no cookies, which is a lie. It could be that it is a not on its own domain. But Metomic looks easy to use, is free, and could be worth testing as an alternative to Termly. I may even replace Termly with Metomic, but it does require some code in the website Header, not sure if this is required or optional.

As it looks now, unless I find a free cookie banner, this blog will be migrated to another platform. Criteria, it must be free of cost, and free of cookies.

My takeaway from the last 3 days…. is that the cookie consent banner has pulled me -a single-man resource in my business- from product development and from revenue generating activities. GDPR has in practice blocked innovation and growth. I became angry and frustrated, not only by the activity, but at the thought that every small business out there which requires a cookie consent banner will find it just too difficult to fix, and they don’t have budget to pay someone else to do this as the larger organisations have.

Let’s get creative with cookie banners! I’m sure it’s fine?

I am seeing more and more the new type cookie banner, which basically informs you of non-essential cookies, i.e. it is not required for the essential ones which is great, however…. there is some creative engineering active which is not compliant with GDPR. I am accepting non-essential cookies, for whatever the reason on my side, but this is because on the cookie side, opt-out is not set as a default. Let’s take a single example.

I was visiting the Guardian newspaper this morning and it got me thinking again about cookies. Privacy by design as a default is about ensuring that the user needs to do nothing to protect his/her privacy, data protection by default in the GDPR is based on this concept. However, what I found on the Guardian website, was most definitely not opt-in, it was opt-out, and the Guardian newspaper is British, still part of the EU?

What I observed was a very interesting technique to discourage the visitor to opt-out. When I first arrived on the Guardian newspaper website the following notice pops up on the Cookie Banner, which looks good.

We and our partners use your information – collected through cookies and similar technologies – to improve your experience on our site, analyse how you use it and show you personalised advertising.

But then it continues with the following. The default I’m OK with that is not what I would expect unless by default all cookies are in opt-out mode. But at this stage I really have no idea. My expectation as a privacy guy is that opt-out is the default setting.

However, when clicking on Options, the following message is displayed, and it still is not clear if cookies are loaded onto the visitors device as a default or not, the Off booleans are not selected, nothing is.

I went to the cookie notice and found that in fact the default was that cookies are downloaded as a default, and it is necessary to go through to another site to configure.

And this is what got me thinking. Non essential cookies as a default should be switched off, i.e. opt-out. And it should not be more difficult to opt-out than to opt-in.

What is a ‘cookie wall’?

Given the recent Post by Konstantin I thought it made sense to write a brief Post on what a cookie wall actually is… after all it really is not obvious, or is it?

Just in case it is not here we go. A cookie wall makes it impossible for visitors to browse a website without agreeing to all cookies irrespective of whether they are absolutely necessary for functioning of the website. An example are cookies used to track visitor browsing habits.

In order to be compliant with GDPR, the visitor does not need to consent to essential cookies (i.e. the website will not function correctly without them), but they should have the choice to consent to non-essential cookies.

What’s more is that cookies, whether essential or not should have an expiry date on them unless they are something called session cookies. Session cookies are the best because they are automatically deleted following termination of a browsing session. Cookies which are not session cookies should have an expiry date which is aligned to a specific purpose and a legal basis.

An interesting twist in the ‘cookie walls’ saga.

France’s Council of State has ordered the CNIL (French data protection watchdog) to cancel parts of its guidelines on cookies as the ban on cookies walls was not valid. The court explained that the CNIL exceeded its specific mandate under an act called “flexible law” which refers to instruments, such as regulatory authorities’ guidelines, which do not create a legal right or obligation.

Although a recent update of the EDPB Guidelines on consent invalidated ‘cookie walls’, our patient may still be very much alive. There potentially might be similar court decisions in some other Member States.

Recently, the BfDI (German watchdog) said that “cookie-walls are permitted if a comparable service is also offered without tracking, for example, as a paid service”. This happened right after the update of the EDPB Guidelines on consent came out.

Original text of the decision is in French:

Cookie walls are not GDPR compliant

This clarification on the use of consent came out last week, and provides no surprises for those working daily with GDPR compliance. What is noteworthy though is the mention on the use of “cookie walls”.

What is a cookie wall then?

One of the principle factors that one should keep returning to when thinking about compliance with GDPR is a single word CHOICE. Those who have attended any training I’ve delivered will hear my voice in their head now… CHOICE IS A HUMAN RIGHT. Now if there is no choice, then it is not compliant with GDPR, and the use of cookie walls is a good example.

A cookie wall is whereby it is impossible to use a website without accepting ALL cookies. In fact the website will not work unless all cookies are downloaded. There must be a choice. Take a look at UK’s .ICO website for an example, and here you can even find the toolkit to make this possible on your website!

opt-in > opt-out discussions continue….

I just love this quote from Kimon Zorbas, the vice president of the Interactive Advertising Bureau Europe “most Europeans were not troubled by behavioural advertising” and “Customer profiling is a basic to any business, not just online business” then in response to the opt-in clause in the EU cookie directive “if that were to happen, I am afraid it would kill a significant part of the industry.” Read more at The New York Times.

Is it not more to do with re-thinking how they do this? Come-on these advertisers have been creative in coming up with the cookie thing, and not even given the consumer a choice, they eat cookies whether they like it or not. Zorbas also said that those that didn’t want cookies “could simply block them through the industry’s Web site”.

Sure, and then we come to those zombie cookies, they are pretty creative. They never go away. I write a post on this not long ago.

I have nothing against cookies, after all they are very convenient. What I am against is that I get them without being asked, that I need to opt-out. Opting out is not always so straightforward. There are some websites where I definately do not want cookies from. There should be a button on the main page, right in from of you that states in big letters OPT-IN. And when you have done that it changes to OPT-OUT. Then you feel that you have some control. You, the customer can choose who is tracking everything that you do online.

Zoombie cookies

David S. Misell asked me to share the privacy issues of html5, and I thought that no better place to do this than by creating a post.

Html5 is really about these zoombie cookies, cookies that keep coming back from the dead, even after you’ve deleted them…. scarey or what?

According to Wikipedia “Zombie cookies were first documented at UC Berkeley, where it was noticed that cookies kept coming back after they were deleted over and over again. This was cited as a serious privacy breach. If you delete a cookie, it should remain deleted. Since most users are barely aware of these storage methods, it’s unlikely that users will ever delete all of them. From the Berkeley report, “few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe.

Ringleader Digital made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases (RLDGUID). The only way to opt out of the tracking was to use the company’s opt-out link which gives no confirmation.”

To read more techie stuff on how this annoying cookie is working go here where ars technia has written an insightful article on this.

Ringleader Digital claim on its privacy page that it only collects “non-personally identifiable information, such as browser identifiers, session information, device type, carrier provider, IP addresses, unique device ID, carrier user ID and web sites visited. Now the question is what happens when you link this information together?

Now according to the UK for example an IP address in isolation is not personal data under the Data Protection Act, according to the Information Commissioner. But an IP address can become personal data when combined with other information or when used to build a profile of an individual, even if that individual’s name is unknown.

And there is significant discussion on this around the world. In Seattle a Federal judge ruled that IP address is not personal information, however in the EU it is understood how easily an IP address can become an element of PII.

As to my personal opinion, it’s simple… I want visibility, i.e. if I delete a cookie on my PC or mobile device, I want it deleted. I don’t want a zoombie. It could be that I like the convenience of having a cookie there, but I want the choice to delete, and when deleted I don’t want any zoombies rooming around on my devices… my devices, yes, they are linked to my very person, and have become a part of my DNA..

Don’t miss the cookie deadline :-P

The deadline for EU member states to implement the new cookie law is today! And not many member states are ready to eat their cookies yet! To date, Denmark and Estonia are the only states to have implemented the amended EU Privacy and Communications Directive, which gives Internet users more control of their data and requires any company with EU customers to comply. This requirement is a provision in an amendment to the E.U.’s Privacy and Electronic Communications Directive, which was adopted in 2009.

One claimed reason for the sluggish implementation of the directive is confusion around its intended purpose, as well as how best to implement it without destroying the businesses that rely on cookie placement to generate revenue, such as online advertising networks. The most visible change is the introduction of an “explicit consent” requirement. Read more at ClickZ.

So how can this be implemented? On a technical level it’s messy because it needs to be added on. It is not a built in privacy functionality so this will result in significant inconvenience for web-users as websites seek explicit consent for cookie placement through pop-ups and other awkward mechanisms. If the privacy function for cookies…. or maybe not cookies…. were an integral function of our PC and of any web-app we happen to be interacting with, perhaps it would be more of a loyalty card function (maybe even shaking hands, representing mutual consent)…used in the physical world for relationship marketing. The customer presents a card each time the approach the checkout. Hence in exchange for sharing personal information the customer should receive certain benefits, and clearly transparency in what is being collected…

Me just brainstorming to myself a little here 🙂

Yes please I would like a cookie :-P

I’ve been posting about this before, the thing on “cookie consent” in the new EU privacy law. Well now there have been some guidelines published by the Information Commissioner’s Office.

Simply advice is as follows:

We advise you to now take the following steps:
1. Check what type of cookies and similar technologies you use
and how you use them.
2. Assess how intrusive your use of cookies is.
3. Decide what solution to obtain consent will be best in your

The main difference in behaviour is often those using cookies to collect your behaviour data used to by default give you the option to opt-out, however now you must consent, i.e. opt-in. This is now aligned to the general collection of personal data in the EU.