Why website privacy is bigger than cookie banners

In terms of website privacy, cookies have somewhat stolen the limelight. Maybe it’s because they’ve got a cute name*, who knows? The thing people worry about if they own a website is "do we need a cookie banner?" And when visiting websites, the wretched banners are in your face every five minutes, asking you to select exactly how many tracking scripts you’d like to be subject to.

However, in the bigger picture of internet privacy, cookies are almost a red herring. In a way, they’re just harmless little text files. What we’re actually concerned about here is the unauthorised movement of personal information (strictly speaking: Personally Identifiable Data, or PII). And cookies are just one of the ways that PII gets moved around.

The headline of internet privacy and GDPR is not “thou shalt not set cookies”. It’s “thou shalt not process PII without a lawful basis”. And that includes every feature and form and script on your website, not just ones that set cookies.

In order to cover this intelligently in sites that we build, and hopefully make good recommendations to customers, we have settled upon the following defaults.

  • If a website processes PII sitewide or immediately on arrival (for example, if Google Analytics is in use, and therefore a cookie containing PII is immediately set), a privacy banner is required to request consent. Opting out must be as easy as opting in.
  • Until consent is given, features requiring PII will not work, or compliant fallbacks will be used.
  • If PII processing is only localised to certain features (for example video embeds, where data is typically passed to a third-party video platform such as YouTube), consent should be requested when that interaction is triggered.
  • All websites we build have data management implemented to enable regular and permanent deletion of PII which is stored (for example contact form responses).
  • We avoid reliance on third-party services where possible – for example self-hosting fonts rather than using third-party font libraries.
  • We check that, at the point of launch, websites have an up-to-date privacy notice that accurately reflects use of PII in the site.
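
The consent defaults above can be sketched in code. This is an added example, not code from the original article or the agency's sites: the ConsentStore class, the category names, the resource registry and the analytics.example URL are all assumptions made for illustration.

```javascript
// Added example: names, categories and markup below are assumptions.
class ConsentStore {
  constructor() { this.granted = new Set(); }            // nothing is granted by default
  grant(category) { this.granted.add(category); return this; }
  revoke(category) { this.granted.delete(category); return this; } // opting out is one call, like opting in
  has(category) { return this.granted.has(category); }
}

// Hypothetical registry: the consent category each third-party resource needs,
// and whether it loads sitewide or only when a feature is used.
const RESOURCES = [
  { name: "analytics", category: "analytics", scope: "sitewide",
    src: "https://analytics.example/script.js" },        // placeholder URL
  { name: "video", category: "video", scope: "on-interaction" },
];

// Sitewide scripts to inject on page load: only those already consented to.
function sitewideScripts(consent) {
  return RESOURCES
    .filter((r) => r.scope === "sitewide" && consent.has(r.category))
    .map((r) => r.src);
}

// Markup for a video slot. Without consent no third-party URL is emitted,
// so the browser makes no request to the video platform.
function renderVideo(videoId, consent) {
  // Conservative allow-list for the id (assumed format) so it cannot break out of the attribute.
  if (!/^[A-Za-z0-9_-]{1,32}$/.test(videoId)) throw new Error("unexpected video id");
  if (consent.has("video")) {
    return `<iframe src="https://www.youtube.com/embed/${videoId}" title="Video" allowfullscreen></iframe>`;
  }
  return `<button type="button" data-consent="video" data-video-id="${videoId}">` +
         `Play video (this will share data with YouTube)</button>`;
}

// Logic for the placeholder's click handler: record consent, then re-render the slot.
function onVideoConsent(videoId, consent) {
  return renderVideo(videoId, consent.grant("video"));
}
```

Consent for one category never unlocks another: agreeing to a video embed leaves the analytics script unloaded until that category is granted separately.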

*Footnote: why are cookies called cookies?   

There are a few theories around this. One is that it evolved from “magic cookies” in the UNIX OS, which were named after fortune cookies, the connection being the message contained inside. An alternative option is that it’s a reference to Hansel and Gretel dropping cookie crumbs to see where they’d been. Although I’m sure when I was small Hansel and Gretel dropped breadcrumbs: weren’t they poor carpenter’s children? There’s even a somewhat more far-fetched (but not totally implausible) story about a programmer who - just for fun! - came up with a way of creating a pop-up window on people’s screens saying “Give me a cookie”, which no-one could get rid of, short of typing the word “cookie” every time it showed up.
