Are Cookies Really Dead? How Cookie Consent Affects Your Marketing

Arno Schmittel

These days, browsing the internet feels a lot like wading through quicksand. Almost all web applications first ask users to consent to an unmanageable number of usage scenarios.

The reason behind this is the honorable intention of global politics, and the European Union in particular, to return data sovereignty to users after decades of unnoticed data collection by countless service providers.

In 2018, the European Union enacted new legislation to protect its citizens’ personal data, potentially affecting every consumer brand worldwide: the General Data Protection Regulation (GDPR). Unlike its predecessor, Directive 95/46/EG, which had to be transposed into national law by EU member states, the GDPR has been directly applicable in all EU member states since May 25, 2018.


Why does the GDPR implicate cookie policies?

The GDPR was created to enshrine Article 8 of the European Charter of Human Rights, which aims to regulate personal data stored or used by a business. The GDPR applies to all matters of personal data and is not limited to the internet and electronic communication.

Although cookies are only mentioned once in the GDPR, cookie consent is a cornerstone of a website's compliance for EU users, as cookies are among the most common methods of collecting and sharing data online.

Cookies are text files that contain small amounts of information. They are downloaded to a user’s device while visiting a website/app. Cookies are then sent back to the data endpoint of the original website/app or to another website that recognizes that cookie on each subsequent visit.

Cookies are useful because they allow a website or app to easily recognize a user’s device. They do lots of different jobs, like letting users navigate between pages efficiently, remembering their preferences, and generally improving the user experience. Cookies also help with advertisement personalization.

A brief history of cookie consent  

The approach of protecting online privacy by educating consumers on data collection and offering an opt-out is nothing new. It started as an EU directive in 2002 that was adopted by all EU countries in 2011. With a changing digital landscape and emerging data-driven technologies, the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) was in strong need of an update.

The first draft of the new E-Privacy Regulation was presented in January 2017 by the European Commission with the expectation that it would pass quickly and would apply as direct law from May 25, 2018 – together with the GDPR. However, more than three years after the original proposal was published, EU Member States have not yet been able to agree to the E-Privacy Regulation.

Despite the E-Privacy Regulation still being incomplete, we saw the Court of Justice of the European Union ruling in the Planet49 case on October 1st 2019, followed by the Guidelines of the European Data Protection Board (EDPB) in May 2020. Meanwhile, more and more countries have adapted their data protection rules according to the E-Privacy Regulation.

All businesses serving websites and apps are now required to implement cookie consent functionalities on their websites/apps. Disregarding the regulation means facing painful fines and penalties from data protection authorities!

By now, other countries have started to push the privacy policy topic. The state of California enacted the California Consumer Privacy Act (CCPA), which affects all companies that process personal data of Californian consumers. Their approach is quite similar to the European Data Protection Board (EDPB) guidelines.


GDPR-Compliant Cookie Policy
What you need for valid cookie consent:
The definition of personal data

The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”


What to avoid

Having to ask for permission for your cookie policy before you may measure your visitors’ interactions clearly has an impact on your business practices. Trying to strictly comply with the legal requirements for GDPR-compliant cookie consent without fully understanding the legal background is a common problem.

Bad impact on SEO traffic?

Placements in SERPs (Search Engine Result Pages) depend indirectly on factors that are influenced by cookie consent. Among others, these are:

The math is quite simple here: poorer rankings = less traffic = fewer new customers = less revenue. Here you can see clearly how legal requirements and court rulings have a direct impact on conversion.

More data protection – less traffic?

Declining search engine rankings will cause a drop in visitors. But that’s not the only cause. Cookie banners increase the abandonment rate. This also applies to visitors who access your applications via social networks, partner sites, or direct entries.

Many companies then place significantly more ads to compensate for the losses. It is becoming increasingly apparent that small companies need to spend more on data protection than larger companies. This is the flip side of improved consumer rights.

Online marketing in blind flight!

Studies have shown that in some cases, only a small fraction of users agree to all cookies if the associated banner has been implemented 100% according to the consent rules.

Marketing teams know less and less about:

With a legal and clever consent management implementation, the worst drop can possibly be avoided!


Want to learn how to best implement Cookie Consent Management?
Check out my blog post: Cookie Consent Done Right. 


Author: Arno Schmittel, Sr. Strategic Data Consultant at Mapp