If you use Google products (e.g. Google Analytics or Adwords) then it’s likely that you’ve received an email from them about Google Consent Mode (v2) instructing you to implement it.
I work with websites every day and to be honest, I’m still confused about what it is that website owners actually need to do, and what the GDPR guidelines are. And more to the point – how far should we bend to meet the new rules if no one else is likely to bother?
TL;DR
Google’s Consent Mode system is a mechanism for your website visitors to actively give their consent for the website to use certain cookies to track their activity. This is, I think, in response to the GDPR best practice requirements, which are that users should opt in to providing their consent, rather than being asked to opt out, or not being given a choice at all. You should be mindful of what the new Consent Mode requirements are, but I wouldn’t necessarily be in a rush to implement them just yet.
What are cookies?
As per the ICO website: ‘A cookie is a small file of letters and numbers that is downloaded on to your computer when you visit a website. Cookies are used by many websites and can do a number of things, eg remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website.’
In the case of a WordPress site, you’d have WordPress cookies set to remember that you are logged in to the site, to remember whether the site has displayed a modal window, to keep track of items in your WooCommerce basket. You’ll also likely have Google Analytics cookies installed as well.
How do I know which cookies my site uses?
That’s the million-dollar question because it most likely uses a lot of them and it’s very hard to know what they all are and what they do. Most are benign ones that are vital to your site’s functionality, but the cookies can vary page-to-page across your site and they constantly change as you add new WordPress plugins or add features to your site like virtual chat systems.
If you embed a YouTube video into one of your web pages for example, then that will come with a whole bunch of cookies: some for vital functionality, some for advertising. There is a ‘privacy enhanced mode’ option when you embed YouTube videos, but it’s not the default option when you use the standard WordPress YouTube block – which is what 99% of website editors are likely to use.
In order for users to give consent to allowing or disallowing certain cookies, you have to do some kind of audit of every page on your site so you know what those cookies are in the first place; then it’s up to you to decide how to split them up in terms of what’s strictly necessary vs nice-to-have marketing ones. This isn’t an easy or straightforward task, despite what the Google Certified Consent Mode Partners will tell you before they take your money!
As an example, here are just some of the cookies that the Cancer Research site uses. They’re probably using Facebook, LinkedIn, TikTok and Google Adwords and want a way of measuring the conversion rates of the ads. But as you can see, it’s virtually impossible to tell what a cookie is and what it does just by looking at its name.
On the other end of the scale, if your website doesn’t use third-party trackers but just Google Analytics then your job is a lot simpler.
What’s happening from March 2024 onwards?
This is what Google’s site says: If you are using Analytics data with a Google service, such as Google Ads, Play, Display & Video 360 or others, and you take no action, only end users outside the EEA will be included in audiences used by your linked advertising products starting early March, 2024.
(Source: https://support.google.com/analytics/answer/14275483?hl=en&utm_id=ad)
I assume this means that unless you have proved that your users have consented to the use of the remarketing cookies, the data from users in the EEA and UK will be stripped out when it comes to your Adwords reports. So it will make your Adwords (i.e. Google Grant) stats a lot less reliable. It won’t stop them working though.
Cookie consent – the two approaches up until now.
The most common setup is a kind of implied consent situation where you maybe have something in your privacy policy or a little pop-up banner which basically says ‘This site uses cookies, so you can like it or lump it’. Or often in more polite terms ‘This site uses cookies, by continuing to use the site you agree to our Privacy policy…’ These are the least intrusive and easiest to implement, but they are not giving users the chance to consent or not.
At the other end of the spectrum is the fully GDPR compliant but annoying, expensive and confusing setup whereby as soon as the user lands on your site they are presented with a pop-up box asking them to approve the use of cookies. They may give the user some granular options about whether they want to accept ‘all’, ‘site-functionality’ or ‘customise’. You know those pop-ups – they’re so pervasive on shopping and blogging sites that you subconsciously just click any button to clear them so you can get on with reading the web page.
Visit the ICO site to see an example of a fully compliant cookie consent setup. With all these systems, you can’t interact with the website at all until you have clicked to give/deny/customise your consent. Imagine if you have to do that for every single website you ever visit – that would get really annoying and ruin people’s experience of using the world wide web. That’s why I’m sure that there will be another solution or a clearer guideline coming not too far in the future.
How do I audit which cookies my site uses?
Google has some accredited Consent Mode partners that will help you do that. These are third-party companies who you pay to regularly scan your site and discover all the cookies they use. They will be first to tell you that you need to do this otherwise you are breaking the GDPR rules – but they have a vested interest in taking your money, so I wouldn’t be too perturbed by their warnings.
Google became the most powerful company on the internet by having a really clean and simple website and they have the world’s most talented software engineers working for them – yet they manage to make this whole Consent Mode thing really complicated and confusing. As we’ll see later, I think that’s because they’ve been told by the EU to tell you to implement it, but at heart they don’t really want you to!
How much does it cost?
About £100 – £150 a year for a license from somewhere like Cookiebot or CookieYes, plus costs for someone to help implement all of this and likely manage it for you on an ongoing basis. That could easily cost hundreds of pounds a year.
What’s involved?
Unfortunately this isn’t a ‘set it and forget it’ thing that you can just purchase and switch on. These third-party services will periodically remotely scan every page of your website to find out which cookies are on each one. But beyond the popular ones like Google Analytics, Facebook etc – they won’t necessarily know what each cookie is or does. So it’s still up to you to find out what they are and to classify them as to whether they are vital functionality, analytics or whatever categories you have set up.
We’ve had experience of using Cookiebot on a client site, and wouldn’t really recommend it. Plus it messed up their Google Analytics reports by sending a massive spike of visits once a year (and once Google Analytics records visits, you annoyingly can’t delete or dismiss them – they’re stuck in your stats forever more).
I use Google Analytics, doesn’t that comply with Google Consent Mode?
Yes and no. Officially these days you are not supposed to load Google Analytics tracking cookies until the user has actively given their consent. This isn’t how 99% of sites work at the moment – they just automatically load the Google Analytics tracking when the page loads. If you’re using Google’s official WordPress plugin (called Site Kit) then this is how it works – it adds the tracking on page load. Just to reinforce that point – Google’s own official Analytics WordPress plugin does not wait for the user’s consent before loading the Google Analytics tracking cookies.
Why would Google’s own Analytics plugin not be compliant with its own Consent Mode system out of the box?
Google Analytics is used on tens of millions of websites, and it is one of Google’s most popular tools. As we’ve seen, properly implementing Consent Mode is quite tricky and usually involves an additional expense. Whilst many high traffic sites have the resources to do all this properly, 99% of Google Analytics users won’t. And bear in mind that it’s kind of cutting off its nose to spite its face.
Giving users the chance to not load Google Analytics massively reduces the accuracy and usefulness of the stats that Analytics collects. So Google’s consent mode actually undermines the efficacy of its other services like Analytics and Adwords. As soon as you implement it and give people the chance to withhold their consent, your Google Analytics reports will show a marked decrease in traffic because it will only be counting the people who actively opted-in.
What’s the GDPR connection?
In terms of the GDPR enforcement and what the ICO and EU care about, it’s really the massive data harvesters like Google, Facebook and Amazon that they’re likely to go after. Not blogs, mom and pop stores and small charity websites. So I think the EU is saying to Google that they need to implement the GDPR rules more robustly and then Google is (reluctantly) saying to its customers ‘hey guys we have to do it like this now’.
But it’s just lip service because it’s a massive pain to do all this Consent Mode stuff properly and it is positively bad for their business. That’s why they tell you to do it and send you some incoherent instructions rather than just change the way that Analytics works so that these millions of site users don’t have to jump through all these hoops.
This is a long blog post and you still haven’t told me what I need to do / should do…
In an ideal world
You should cough up and jump through all these hoops and annoy your visitors with one of those pop-ups (even though you very rarely see them on charity websites).
In the real world
My personal take on it is that if you’re just using Google Analytics then you should just carry on as you are. It’s breaking the rules in the same way that sharing your brother’s Netflix account is – it is technically wrong but it’s hardly the crime of the century and everyone just turns a blind eye.
If my small charity website is breaking the rules, will the ICO fine me?
They have bigger fish to fry, and tens of millions of potentially violating websites to investigate – most of which do worse things with people’s data than you do. This is a situation where I think it’s better to abide by the spirit of the GDPR regulations rather than the exact letter of them. If you’re not doing anything nefarious with people’s data and you aren’t tracking their usage of your site so that you or other advertisers can target them once they’ve left your site – then just carry on as you were.
Without being too tinfoil-hat-brigade about it, Google’s Analytics tracking is well anonymised and is fairly benign. It’s very different from the ‘remarketing’ trackers that follow you around the internet (Like when you visit an online shoe shop just once and then wherever you go for the next week you keep seeing banner or Facebook ads for that shop). I think it’s far more reasonable to expect that you should give your users the choice to opt-in to those kind of cookies rather than implement them by default.
Bear in mind though that users also have the power to decide whether to be tracked like this, and there are tools available to them (I use the popular Adguard software for example). I think it’s not entirely clear to what extent the onus is on the website owner or the user when it comes to restricting the use of tracking cookies.
What if I’m using Facebook Pixel or Adwords/Instagram/LinkedIn tags in order to help measure the effectiveness of my Facebook/adwords etc advertising?
I think this is more of a grey area.
If you’re using Adwords (as a Google Grant for example) and your Analytics account is connected to your Adwords one in order to help with the tracking/conversion measurements – then again I would just sit tight and do nothing. Wait and see what happens to that data if/when some of it is turned off – and assess the downside of that versus the cost and hassle of implementing Consent Mode properly.
The Facebook pixel is a bit different. Facebook has an ignoble history of harvesting personal data about people via its Facebook pixel tracking mechanism. Don’t be fooled into thinking it’s just there to help you measure your advertising click-throughs better. They say it de-personalises the data but there have already been plenty of examples of that not being the case.
You could either set up the Consent Mode and jump through all those hoops, or (and this is what I would do) just take out the pixel.
Facebook pixel warning
If your charity site is in any way health related then I would not install the Facebook pixel, despite your Facebook ads account instructing you to do so. Imagine if your site offers advice to people considering terminating a pregnancy or who are looking into the symptoms of HIV – and then suddenly next time those people are on Facebook they see promoted pages or adverts from anti-abortion campaigns or health insurance companies. That’s a very dystopian possibility and Facebook shouldn’t allow it to happen… but their track record in these matters is far from spotless and at the end of the day they make their money by selling your users’ data to advertisers.
Do as I say, or do as I do?
Personally, I’m sticking with the current setup here on the Charity and Biscuits site. It does use Google Analytics but doesn’t do any remarketing or Facebook tracking. Until I see the vast majority of websites implement Consent Mode, or until Google makes it a mandatory part of implementing Analytics, I’m just going to do what 10 million other websites will do – which is nothing.
Is Google gaslighting all of us?
The web should be privacy by default. That’s what the EU is pushing for, it’s what we should all push for. When it was first envisioned, it was never the plan that a few monolithic companies and tech billionaires would own and monetise the internet at our expense. It’s up to Google, Facebook, Twitter etc to switch to a privacy by default system, it shouldn’t be the job of the 100 million websites and the billions of users to try to circumvent the current system.
Ultimately of course, the privacy by default ethos is an existential threat to the likes of Google and Facebook whose entire business model revolves around harvesting our data and selling it to their advertisers. So although they could and should change their systems, they invariably won’t until someone like the EU forces them to. They aren’t going to be the turkeys voting for Christmas.
They are gaslighting us all – making out like all this consent/privacy issue is a problem that we need to fix. But they built the modern internet, so the problem is theirs to fix.