It started very simple
In the beginning… All you needed was to inform the users that they would be subjected to “cookies”, just by using your website. That sounds nice… Who doesn’t like cookies? Very simple, and nobody got any wiser.
First of all, most people have no idea what cookies are about or what they are used for, so many websites also informed their users about this technology the same way they informed about the privacy policy, by providing a link to a page on the website dedicated to explaining what cookies are about.
We expect that most people completely ignored it and went on their way: they clicked the “accept” button and continued using the website.
A simple banner with simple mechanics
Most websites quickly adopted the idea of having a cookie banner displayed on their website, most of them consisting of a headline, a small paragraph, and a call-to-action button to make the annoying thing go away. Over time, users also got used to having these banners pop up and quickly closing them down, like a whack-a-mole game.
Under the hood, the technical requirement also wasn’t that high. A few lines of JavaScript to set a cookie in the browser so the banner wouldn’t be displayed again after closing it down.
The EU said, let there be GDPR
Along came GDPR and, soon to follow, its much nerdier cousin, ePrivacy.
Over the past couple of years, the informational requirements of the banner, including the technical functionalities, have become much more advanced. Going from one singular button to multiple buttons, toggles, or checkboxes, and instead of minimal text to now having a legal essay explaining how the website comes in peace and does not wish to harm anyone, but would be very glad to get a like and a thumbs up to the use of cookies… Please do not decline… Pretty please!
Besides just explaining to the users that the website is setting cookies on their device, you actually need to inform them of exactly which cookies are set AND what their purpose is. This task can either be a walk in the park for a very simple website or a continuous pain in the… You get the point.
The problem is that each external service you’ve ever implemented on your website most likely sets one or more cookies. For example, Google Analytics sets over 3 different types of cookies. The same goes for Facebook Pixel.
You could, of course, manually go through all of the pages of your website, one by one, look in the developer console, write down each cookie and its associated data, research which service it belongs to, and finally present a nice table of your findings to your users. Until the next time you make a major change to your website, when you have to do it all over again… BREATHE… Sounds about as much fun as waiting in line at the airport, just to have your flight canceled at the gate.
Nobody wants to be the first mover
To be honest, becoming completely compliant is not a game that anyone is standing in line to sign up for. It’s a game where everyone is looking at the other guy to see if they move, wondering whether they should move along too, until local legislation forces everybody to JUMP!
Each time a legal case comes up somewhere in Europe, the consent popup gets molded just a little bit more to include more and do more, and each time the website needs to keep up with these legal “trends”. Oh! And did I mention the checkboxes? No, they can NOT be ticked by default. Case closed!
Old & illegal
New & legal