Why should online retailers care about cookie consent?
This article takes a deep dive into cookies and Cookie Consent: how it works and why it is important for ecommerce businesses to always be compliant with the GDPR and ePR.
What are cookies?
A cookie is a small file stored on the user’s device (computer, smartphone, tablet, etc.) with information about their navigation on the Internet that may be needed later. It is a text file with small pieces of data that are used to identify the user’s computer as they use a computer network.
Data stored in a cookie is created by the server once the user connects. This data is labeled with an ID unique to every person, session and device. When the cookie is exchanged between the browser and the network server, the server reads the ID and knows what information to specifically serve the user.
Cookies are essential to the workings of the Internet: they enable several interactive services and make websites easier to navigate and use. In general, they allow websites to offer better navigation and a better online experience to their customers based on their data.
What is Cookie Consent?
Now let’s look at it from the shopper’s perspective. Simply put, Cookie Consent is the way websites ensure legal processing of personal data from their users. Through cookies, the website owner shares information about users’ navigation on its site with social media, advertising and analytics partners, who may combine it with other information that was provided to them or that was collected from the use of their services.
Sometimes we encounter the misconception that GDPR only applies to the European territory or European companies, when in fact, it protects EU citizens’ data regardless of where they are in the world.
Why do we need these cookies?
As a necessary part of web browsing, HTTP cookies help web developers give users more personal, convenient website visits. Cookies let websites remember visitors, their website logins, shopping carts, and more. Under no condition can cookies cause any harm to users’ devices or to their data. For example, VTEX uses two types of cookies: proprietary cookies, which are sent to the user’s browser from our own servers, from which we provide our service; and third-party cookies, which are sent to users’ browsers from servers that are not managed by VTEX, but by partners of ours.
Third-party cookies are small lines of text code that are saved in users’ browsers for different purposes, including remembering a page that has already been visited or an item that has been added to the shopping cart. Third-party cookies are used so that this information is shared, with certain limits, to understand the previous navigation performed by the user on different websites.
How does it help shoppers navigate ecommerce websites?
Let’s assume two people somewhere in Europe are navigating the same website at the exact same time. When the GDPR banner appears, one person accepts while the other declines. The person who accepted cookies will have a better user experience, while the one who declined could encounter some data gaps that may potentially interfere with the use of the website.
In ecommerce, for example, cookies enable the website to keep track of all of the items that shoppers have placed in the cart while they continue to browse. If a buyer disabled cookies in the browser while shopping online, the items in the shopping cart would disappear with every click on a new link.
This would make online shopping virtually impossible and browsing the website completely impractical. This is one example of cookies being a necessity on certain sites. Some users like accepting cookies for the sole purpose of saving the username and password logins for certain websites.
How do GDPR laws affect a business?
For website owners, the two primary aspects to be aware of are: how to manage and store personal data, and the cookies and tracking in use on the website. To meet the requirements, make sure to have a thorough and compliant setup for getting and securely storing the consents to the cookies on the website. It’s recommended to complete an overview of how the business currently stores and collects data, focusing on the consent given. This is especially important if the company uses marketing methods abroad.
Make sure to configure and present the cookie banner from a shopper’s perspective, with a simplified message that is easy to read and understand. The good thing about GDPR is that it gives maximum importance to consumer consent. Companies are required to get explicit consent about the type of data that they will collect as well as how they will process it.
What is the connection between Cookie Consent, GDPR and ecommerce?
From an ecommerce perspective, there are different levels of control websites can give the shopper, and based on that, it can impact the business both positively and negatively. Whenever that window pops up asking about Cookies, users can choose to accept all, none, or manually pick them. The logic behind that is: there’s a minimum needed for the site to function properly, but the company would like to do more with their permission, which will allow the personalization of the experience.
In some cases, if the pop-up is not well configured, it might cause customers to not go further than the first page of the website, resulting in a higher bounce rate. No ecommerce business wants that, so make sure that you, as a website owner, get your cookie consent through a straight yes or no answer, avoiding pre-checked boxes and neutral x buttons.
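One way to implement the choices described above (accept all, none, or pick manually, with nothing pre-checked) together with a stored record of the consent. This is an added example, not VTEX's code; the category names, the `consent` cookie name and the 180-day lifetime are assumptions.

```javascript
// Added example: consent-gated cookie writes. Category names are assumptions.
const CATEGORIES = ["necessary", "analytics", "advertising"];

// Default state: only the minimum the site needs is on; nothing else is pre-checked.
function defaultConsent() {
  return { necessary: true, analytics: false, advertising: false };
}

// Build a consent record from the shopper's explicit choice.
// choice: "accept_all" | "reject_all" | { analytics?: boolean, advertising?: boolean }
function recordConsent(choice, now = new Date()) {
  const granted = defaultConsent();
  if (choice === "accept_all") {
    for (const c of CATEGORIES) granted[c] = true;
  } else if (choice !== "reject_all") {
    if (choice === null || typeof choice !== "object") {
      throw new TypeError("choice must be accept_all, reject_all or an object");
    }
    for (const c of CATEGORIES) {
      // Only a literal `true` is an opt-in; missing or merely truthy values are not.
      if (c !== "necessary") granted[c] = choice[c] === true;
    }
  }
  // Timestamp and version let the site show later what was agreed to, and when.
  return { granted, timestamp: now.toISOString(), version: 1 };
}

// Serialize the record as a first-party cookie so the choice survives page loads.
function consentCookie(record, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `consent=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Gate: return a Set-Cookie string only if the cookie's category was granted.
// No record yet (banner ignored or closed) is treated as necessary-only.
function setCookieIfAllowed(record, category, name, value) {
  if (!CATEGORIES.includes(category)) throw new RangeError(`unknown category: ${category}`);
  const allowed = record != null && record.granted[category] === true;
  if (!allowed && category !== "necessary") return null;
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
}
```

Here the shopping cart cookie falls under `necessary`, so the cart keeps working for a shopper who declines everything else.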
Do those rules differ by region?
In short, yes, they do, as every region has its own legislation. However, in real life, there’s a bit more to it. For example, a US-based company that has customers from the EU still has to comply with the GDPR. That is so because GDPR applies not to a specific region, but to its citizens, regardless of where they are.
If a company is from outside the EU and it doesn’t have any rules in place regarding data privacy, it should get its cookies in order pretty soon or a fat fine might be around the corner; if the country or state does have well-defined rules for data privacy, they are the ones that must be followed.
Besides the GDPR and cookies, which are specific to the EU, there is also the California Consumer Privacy Act (CCPA), which is California’s newest privacy law aimed at enhancing consumer privacy rights for residents of California, United States. The two differ in many ways, but the most important difference is that GDPR protects data subjects, defined as “an identified or identifiable natural person,” whereas the CCPA gives certain rights to consumers, defined as “a natural person who is a California resident.”
Therefore, if the company is aiming for a global set of customers, it should consider accounting for all of them. Make sure the research is vast and accurate.