Cookies are a great tool for improving user experience and managing online advertising. But they can sometimes be a privacy nightmare and cause headaches for users, advertisers, and publishers alike. That's why we've compiled this list of best practices for cookie management strategies that deliver the protection you need.
1. Use a dedicated cookie consent banner
A dedicated cookie consent banner is one of the best practices you can follow to ensure that your users get a clear explanation of how cookies work and an easy way to accept or reject them.
The banner must be easy to find, on both mobile devices and desktops, and clear in its messaging. You don't want people to think it's just another ad!
2. Make sure your cookies are GDPR-compliant
If you're going to collect personal data, make sure you are GDPR-compliant.
Under the GDPR, you can only use cookies if they meet certain criteria. Your cookie policy must include instructions on how people can withdraw consent for cookies to be placed on their device (for example, by setting an expiry date).
You also need to tell people what data you're collecting through cookies and why it's important for them (for example: "We use this information so we can show you relevant ads").
3. Include a link to a cookie overview page
When it comes to cookie management, one of the most important things you can do is give your users a clear and transparent view of what cookies are, why you are asking them for consent, and what they are consenting to.
If you're asking for consent, there should be a link on your homepage (or another prominent location) that takes users directly to an overview page where they can see all the cookies currently being used on your site.
This will help them understand why and how cookies work, hopefully leading them down the path of granting consent in the first place. And once they've done so, well, then you can start using those beautiful, sweet morsels of information!
4. Offer an option to opt out of non-essential cookies
Cookies are a touchy subject. While some people may be fine with receiving all cookies, others don't want to see a single one on the web. Therefore, you must offer an option for users who wish to opt out of non-essential cookies.
It is also best practice to offer an option that allows users to opt in, not just out, of essential cookies (e.g., those used by your shopping cart). This way, if someone changes their mind later on and decides they want particular tracking types, they won't have trouble doing so.
In addition, make sure that these options are easy for the user to understand. A link that says "Manage Cookies" or "Privacy Policy" should take them directly to where they need information about how you will use their data. The text should clearly explain what each setting does, e.g., "Allow third parties" vs. "Allow first parties only."
5. Offer a choice between Accept All Cookies and Customize Cookies
Now that you've got a solid cookie management strategy, it's time to look at the finer details. One of the most important nuances is offering users a choice between two options: Accept All Cookies and Customize Cookies.
Customizing cookies means choosing which cookies are allowed through your site and which aren't. This is often the preferred option for users who want more control over their privacy online.
6. Offer granular controls for users who want to customize their preferences
Finally, you can offer your users a few options to customize their cookie preferences. You could give them the ability to accept or reject all cookies or enable them to specify which types of cookies they'd like to accept or reject.
You can also give them the power to decide how long they want the browser's cookie cache to last.
For instance, if a user wants only essential cookies (such as those needed for logins), they could set their browser's cache duration limit to "one day."
Alternatively, if someone wants more control over what data is stored on their device by third parties, they may choose "never" for their browser's cache duration limit.
7. Allow users to hide the cookie banner after they opt in or out
Some websites hide the cookie banner after a user has opted in or out. This can be a smart move from a usability standpoint, but it's not such a great idea from an opt-in perspective.
It's better to leave the banner visible for users who are still deciding if they want to agree with your cookie policy—it's much easier for them to change their minds than it is for them to go back through all that privacy information again.
After all, once you've clicked "No," there's no going back without deleting cookies or switching browsers entirely!
On the other hand, if you decide that hiding the cookie banner is right for your website, ensure you don't hide it after every single user has opted out of tracking. Otherwise, people might get confused about whether they've opted out (or they may give up and stop using your site altogether).
8. Find reliable cookie management software
Once you have a cookie management policy, it's time to find a reliable cookie management platform to help you manage your strategy.
To comply with GDPR, the cookie management software must be able to track the cookies set by third parties and their domains and remove them if necessary. It should also be easy for users to use and understand. And finally, it needs to do what it says on the tin: be secure and reliable!
9. Integrate with your back-end systems and keep track of user preferences
To be able to keep track of user preferences, you need to integrate with your back-end systems and keep them up to date. You can do this by using a cookie manager to store user preferences in a central database.
A cookie manager is also useful for generating consent banners. The banner should have all the necessary information about why the site needs cookies, what kinds of cookies it sets, and what it does with them.
10. Don't track users without consent
Did you know that some websites on the internet track your activity, even if you don't want them to?
I'm sure you did! Because it's obvious that tracking a user without their consent is wrong. And yet some people do it anyway.
Suppose a website like this were to ask for permission before it started tracking users. If a visitor clicked "No thanks" on this prompt, would they still be considered a person who has opted in? Probably not.
And yet most browsers still allow third-party cookies by default—meaning any site can track any visitor who hasn't specifically opted out of tracking (if they have cookies enabled).
The biggest takeaway from our list of best practices is that you have to ask for consent. You need to ask the user's permission before you start tracking them, and you can't just assume that they want to be tracked.
In addition, we've also seen some bad practices around cookies: don't use pre-ticked checkboxes or make users opt out instead of opt in for something like this.
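One way to implement the preference tracking from items 4 to 6 and 9 together with the opt-in rule from item 10, as an added example that is not code from the original page. The category names, record layout, 180-day lifetime and tag names are assumptions, and essential cookies are treated as always on.

```javascript
// Added example: consent records with deny-by-default semantics.
// Category names, record layout and lifetime are assumptions.
const CATEGORIES = ["essential", "preferences", "analytics", "advertising"];
const MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;

// Build a record from the user's explicit choices. Anything not set to
// exactly `true` is stored as false, so nothing is ever pre-ticked.
function buildConsent(choices, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) {
    granted[c] = c === "essential" || choices[c] === true;
  }
  return { v: 1, ts: now, granted };
}

// "Accept All Cookies" is the same record with every category ticked.
function acceptAll(now = Date.now()) {
  return buildConsent(Object.fromEntries(CATEGORIES.map((c) => [c, true])), now);
}

// Parse a stored record (cookie value or back-end row). Missing, malformed,
// future-dated or expired records fall back to essential-only and
// `decided: false`, which tells the page to show the banner again.
function loadConsent(raw, now = Date.now()) {
  const fallback = { decided: false, granted: buildConsent({}, now).granted };
  let rec;
  try { rec = JSON.parse(raw); } catch { return fallback; }
  const wellFormed = rec && rec.v === 1 && typeof rec.ts === "number" &&
    rec.granted !== null && typeof rec.granted === "object";
  if (!wellFormed) return fallback;
  if (rec.ts > now || now - rec.ts > MAX_AGE_MS) return fallback;
  // Re-normalise so a tampered value such as "yes" is not read as consent.
  return { decided: true, granted: buildConsent(rec.granted, rec.ts).granted };
}

// Gate: a tag may load only if its category was explicitly granted.
// Tags with an unknown category are never loaded.
function allowedTags(tags, consent) {
  return tags.filter((t) => consent.granted[t.category] === true).map((t) => t.name);
}

// Constructed sample tag inventory for illustration.
const TAGS = [
  { name: "session", category: "essential" },
  { name: "stats.js", category: "analytics" },
  { name: "ads.js", category: "advertising" },
];
```

The same `loadConsent` check belongs on the server side before any tracking data is written, so the decision does not depend on the browser alone.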