What to do about the ICO cookie ruling

Here at Numiko cookies get us through the day. We find the sugar hit around 3pm helps perk us right up after several hours of building websites! But that’s not the kind of cookies you’re interested in.

Web cookies are small blocks of data created by a web server that are placed on the user's device via their browser. They exist to pass packages of information back from browsers to servers.

Cookies can be divided into first-party and third-party cookies. First-party cookies are stored on the user’s web browser and are used for a wide range of roles, such as language preferences, remembering login details, enabling persistent shopping baskets, and analytics. They are useful for the user and usually don’t represent a privacy threat.

Third-party cookies are used for marketing and remarketing. These are the cookies that help advertisers personalise the ads you see across the websites you visit, leading to that probably all-too-familiar scenario of clicking on an ad once and then seeing that product follow you around the web for the next couple of weeks. Third-party cookies can infringe on users’ privacy and are therefore being phased out by browsers. Unfortunately, the legislation affects all cookies, not just the problematic ones. So even though your cookies might not threaten anyone’s privacy, you’ll still need to let users reject them.

The ICO has required websites to get their users’ consent to use cookies for several years, which is why you see pop-ups when visiting a new website asking you to accept cookies. Many websites designed this pop-up banner to try to get most users to accept cookies, as they need the cookies for their analytics. A typical approach was to have a prominent ‘accept all’ button, and an additional step to manage cookie permissions. This made accepting all cookies the fastest way to dismiss the banner, whereas rejecting cookies would take several clicks.

In response to this, the ICO has recently issued new guidance that requires publishers to display a ‘reject all cookies’ button that is as easy to select as the ‘accept all’ option. The ICO wrote to the top 100 websites in the UK to inform them of this change and warned them of significant fines if they refused to comply. See below an example of a non-compliant cookie banner, from page 32 of the ICO's guideance on the use of cookies.

Complying with the ICO’s updated guidance is straightforward - you just need your cookie banner to offer a ‘reject all’ cookies button that’s given equal prominence to the ‘accept all’ button. So far, the ICO has only been enforcing this on the largest websites, but you don’t want to risk a fine. Fines for the worst offenders can be up to £17.5 million or 4% of total worldwide turnover. That’s a worst-case scenario but it shows how seriously the ICO take the issue.

The issue with this change is that many consumers don’t really know what cookies do. They might have heard they compromise your privacy, so they want to be able to easily reject them. We find around 50-60% of users will reject all cookies when presented with the option. Cookies are what analytics tools use to track users on your site, so if you don’t put in steps to mitigate this loss of data, you’ll find your analytics showing your website’s traffic decline by half or more, as suddenly most of your users aren’t being tracked. It will also impact conversion tracking for platforms like Meta Ads or Google Ads, potentially reducing the impact of your PPC campaigns.

This leaves website managers stuck between a rock and a hard place. On the one hand, you’ve got to comply with the regulator, there’s no getting around that. On the other, losing the ability to measure and understand over half your website’s users is a big problem, especially if you use your website traffic data to show your organisation’s impact. But there are steps you can take to mitigate this and get a considerable amount of this data back.

You need data to know how users are interacting with your site. So, what can you do to get this data without cookies?

Google is on the case. They’ve created ‘consent mode’ which is a way for websites to inform Google about their users’ choices regarding cookies or app permissions. It’s effectively a standardised way of reporting permission levels back to Google, so they can see if a user has opted to allow analytics cookies, but not allow advertising cookies for example.

This unlocks a new analytics option Google calls ‘advanced consent mode’, where Google Analytics can access these anonymous pings from the server to establish how many users are coming to your website. You won’t get exactly the same information, for example, geolocation data will be absent or less accurate. But it does let you fill in the picture of what users are doing on your site. Google uses machine learning to stitch together the user journeys of these anonymous users by building statistical models based on the behaviour of users who have allowed cookies. Because no identifying personal data of the users is being shared and cookies are not being used, it does not pose any kind of privacy issue for the users.

We’ve been implementing advanced consent mode for many of our clients to help them reclaim much of the analytics data lost to users declining all cookies. The exact rates will vary from site to site, but on average we find we’re able to restore around 50% of the lost data.

You won’t see your missing data come flooding back straight away. For the first week, you’ll likely see little to no improvement as the data model is being trained and configured. After about 30 days, you’ll see the data return. We’ve implemented this solution for many of our clients, including the University of London and the Science Museum Group. Although the exact percentage of lost traffic recovered varies, we’re always able to drastically increase the accuracy of their analytics without impacting the privacy of users.

If you want to reclaim a large chunk of your lost analytics data, our performance analyst Harry is on hand to help to review your cookies banner and analytics set-up to see how we can help you.