Cookies bar and web implementation
Introduction
In recent years, cookie bars have become a standard feature of websites around the world. Not only do they inform users about the use of cookies on the site, but they also ensure compliance with data protection legislation.
In this article, we'll look at what cookies actually are, who needs to have a cookie bar and why, what categories of cookies exist, and how you can implement a cookie bar using open source solution.
What are cookies 🍪
Cookies are small text files that websites store in your browser when you visit them. These files contain information that can then be used for a variety of purposes, such as tracking user activity, storing preferences or authenticating the user. Cookies can be temporary (session cookies), which are deleted when you close your browser, or persistent (persistent cookies), which remain stored for a longer period of time.
Technical window
Let's take a look at the basic communication between the browser and the server when cookies are used.
- HTTP GET request: The browser visits a website (e.g. the
/home.phppage). - HTTP response +
Set-Cookies: The server returns a response along with aSet-Cookiesheader that contains information about the cookies to be stored in the browser. For example,SessionID. - Next HTTP GET request with Cookie: The next time you browse the web (e.g.
/cart.php), the browser will automatically add the stored cookies to the request header so the server can associate the browser with its actions on the web. - HTTP response: The server uses the received cookies (e.g. for personalization or user tracking) and returns a response.
Web extension
To read cookies in the browser, I recommend the Cookie editor browser add-on.
Who needs to have a cookie bar on the web and why
The European Union, through the ePrivacy Directive and the General Data Protection Regulation (GDPR), has set strict requirements for the use of cookies. These regulations require websites to inform users about the use of cookies and obtain their consent before cookies are stored on their device. This measure applies to all websites that target users in the EU, regardless of where the website itself is located.
A cookie bar is therefore necessary to comply with this legislation. Not only does it protect users' privacy, but it also ensures that websites are compliant with the legislation, avoiding potential fines.
Do I need to have a cookie bar even if I am not tracking the user?
No, and I will use a quote from the Data Protection Authority website to answer:
If you only use technical cookies, you may not have a cookie bar. However, if personal data is processed in the context of technical cookies, the information obligation must be fulfilled in another appropriate way, accessible on the website where such processing takes place.
What are the cookie categories
Cookies can be divided into several categories, each of which serves a different purpose:
Necessary cookies
These cookies are essential for basic site functions such as user login or shopping cart. Without these cookies, the website would not function properly. We do not need user consent for this category.
Preference cookies
Allow a site to remember information that changes the look or behavior of the site, such as preferred language or region.
Statistical cookies
Help site owners understand how visitors interact with the site by collecting and reporting information anonymously.
Marketing cookies
These are used to track visitors to the website. Their aim is to serve ads that are relevant and interesting to the individual user, and thus more valuable to publishers and third-party advertisers.
The most common mistakes when implementing cookies
1️⃣ Making it harder to reject cookies than to accept them
Another common mistake is making it harder to reject cookies versus accepting them. Often banners only offer the option "accept all cookies " or a hidden option "set more detailed ", which forces users to put more effort into rejecting cookies. Under GDPR, it should be as easy to reject cookies as it is to accept them. This means that if there is an "accept all " button on the banner, there should also be a "reject all " button next to it, both easily accessible and visible, so that users can quickly and easily express their choice.
Example of a flawed cookie bar implementation:
2️⃣ Insufficient consent
Some sites resort to practices such as pre-ticking a box or informing the user that by continuing to use the site they automatically consent to cookies. However, these methods are in breach of the GDPR, which requires active, specific and informed consent from the user.
Consent must be given after clear information has been provided about the purposes of the cookies and must be the user's free choice. Passive or unconscious consent is not acceptable and website operators should ensure that the process of obtaining consent is transparent and user-friendly.
3️⃣ Processing cookies without consent
Many websites automatically store cookies on a user's device without their informed consent, which is in breach of the GDPR and ePrivacy Directive. This approach, known as "opt-out", has been illegal since 1 January 2022 when the "opt-in " regime was introduced. This means that website operators must first identify non-technical cookies and obtain the user's prior consent to use them. Ignoring the user's choice, where cookies are stored despite not having permission, is a serious breach of the law and can lead to hefty fines.
4️⃣ Bad categorization of cookies
One of the common mistakes is not categorising cookies according to their purpose. Some sites still only offer the option to "accept all cookies " or "reject all cookies", which does not take into account the different consent needs for different types of cookies. The ideal solution involves dividing cookies into categories such as strictly necessary, analytical and advertising cookies, allowing the user to choose which purposes they consent to. This ensures that users' rights are respected while complying with legal requirements.
5️⃣ Inability to withdraw consent once given
Another common error is not allowing users to withdraw consent once given. Consent must be revocable at any time to be considered free. Website operators often forget to offer an easy way for the user to change their preferences regarding cookies. The optimal solution is to place a link to change cookie settings in the footer of the site or use a graphical icon that is always visible and allows users quick access to modify their preferences. This ensures that consent is fully GDPR compliant and users are in control of their personal data.
6️⃣ Lack of user awareness
The last common mistake when implementing a cookie bar is not informing users enough about what cookies are used and for what purpose. Many websites only provide basic information that is not detailed enough for users to make an informed decision. Under the GDPR, users must be clearly and understandably informed about the types of cookies a site uses, the purpose of their processing, and who will have access to that data. In addition, users should be given the opportunity to obtain more information by following links to a detailed cookie policy or privacy policy.
Easy to implement cookie bar on the web
I've prepared two open-source solutions that will make working with the cookie bar much easier. Both tools are free, easily configurable, and compliant with GDPR (if you properly contextualize and link them to your cookies policy).
📦 Solution #1 - OrestBida/cookieconsent
A proven, functional and visually great cookie bar that also meets legal requirements. Before you start implementing it, you can see a sample from the author.
Where you can try to easily modify and customize it, at the same time you can generate a configuration json on this page which you can use later during installation.
Step 1 Embed CSS and Javascript into the site.
<script type="module" src="cookieconsent-config.js"></script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/orestbida/cookieconsent@3.0.1/dist/cookieconsent.css">
Step 2 Mark javascript blocks on the page with categories and switch their type to text/plain
<script
type="text/plain"
data-category="analytics"
data-service="Google Analytics"
>
<!-- Google analytics code -->
<!-- ... -->
</script>
Step 3 Download and insert cookieconsent-config.js from playground and edit the text
Step 4 Paste the change cookie settings link into the footer
<button type="button" data-cc="show-preferencesModal">View Preferences Modal</button>
Pro Tip: More experienced developers will use install using NPM, or the ability to integrate with many frameworks like vue js, react, angular and so on.
📦 Solution #2 - Osano/cookieconsent
- First, embed the CookieConsent library into your site. You can find it on GitHubu or use the CDN.
<script src="
https://cdn.jsdelivr.net/npm/cookieconsent@3.1.1/build/cookieconsent.min.js
"></script>
<link href="
https://cdn.jsdelivr.net/npm/cookieconsent@3.1.1/build/cookieconsent.min.css
" rel="stylesheet">
- Customize the look and feel
window.addEventListener("load", function() {
window.cookieconsent.initialise({
palette: {
popup: { background: "#000" },
button: { background: "#f1d600" }
},
theme: "classic",
content: {
message: "This website uses cookies to ensure you get the best experience.",
dismiss: "I understand!",
link: "Find out more",
href: "/privacy-policy"
}
});
});
window.addEventListener("load", function() {
window.cookieconsent.initialise({
palette: {
popup: {
background: "#edeff5",
text: "#838391"
},
button: {
background: "#4b81e8"
}
},
theme: "edgeless",
type: "opt-in",
content: {
message: 'This website uses cookies to give you the best experience',
allow: "Allow cookies",
deny: "Disable",
link: "Learn more",
href: "/privacy-policy"
},
onInitialise: function (status) {
var type = this.options.type;
var didConsent = this.hasConsented();
if (type == 'opt-in' && didConsent) {
// enable cookies
}
if (type == 'opt-out' && !didConsent) {
// disable cookies
}
},
onStatusChange: function(status, chosenBefore) {
var type = this.options.type;
var didConsent = this.hasConsented();
if (type == 'opt-in' && didConsent) {
// enable cookies
}
if (type == 'opt-out' && !didConsent) {
// disable cookies
}
},
onRevokeChoice: function() {
var type = this.options.type;
if (type == 'opt-in') {
// disable cookies
}
if (type == 'opt-out') {
// enable cookies
}
}
});
});
Checklist for cookie bar implementation
I've put together a simple checklist to help you ensure that your cookie bar complies with legal requirements:
Checklist
- ⏹️ User consent is obtained before non-technical cookies are stored.
- ⏹️ The cookie bar allows easy access to the cookie policy or privacy policy.
- ⏹️ The "Accept All " and "Reject All " buttons are equally easily accessible.
- ⏹️ Users have the possibility to set their cookie preferences in detail (e.g. by category).
- ⏹️ The cookie bar does not interfere with site navigation, but is also easily visible.
- ⏹️ An icon or link for changing the cookie settings is always accessible (e.g. in the footer of the website).
- ⏹️ The cookie bar is fully functional on mobile devices and different browsers.
- ⏹️ Categories of cookies are rightly marked and separated according to purpose (necessary, preferential, statistical, marketing).
- ⏹️ Users are able to revoke their consent or change their preferences at any time.
- ⏹️ When withdrawing consent, cookies are rightfully removed or deactivated.
- ⏹️ Users are not manipulated by preset options (e.g. pre-ticked boxes).
- ⏹️ Users are not forced to accept cookies to access basic site features.
- ⏹️ A detailed description of all cookies used is part of the cookie policy.
Conclusion
The cookie bar is an important element of a website that ensures compliance with data protection legislation. Implementing a cookie bar requires careful planning and adherence to the principles of transparency, information and respect for user privacy. Thanks to open source solutions, you can easily and efficiently implement a cookie bar on your website to ensure that you are compliant with the legislation and protect yourself from potential fines and legal issues.