• Share via Twitter (opens in a new tab)
• Share via LinkedIn (opens in a new tab)
• Share via Facebook (opens in a new tab)
• Share via Email (opens in a new tab)

We decided to get rid of our cookie consent banner and third-party tracking cookies from our website. It was easier than we thought.

Over the last decade, online privacy has been eroded. Advertising companies track your every move online through cookies – pieces of code that let websites and third parties see your browsing activity.

The privacy laws changed in the EU a long while back, and we wrote a comprehensive guide about it. It’s still our most viewed blog post, mainly from people asking Google why cookie popups are even a thing given how terrible they made the Internet.

The reason for cookie consent banners is the vast majority of websites install third-party tracking cookies for marketing purposes. EU law specifically states “You can’t set tracking cookies unless the user explicitly consents to it”. These tracking cookies send data to Big Tech and track you online.

This is fine for most people, they just click “I accept” without considering the consequences. But given the state of what Facebook, as an example, is up to at the moment in terms of circumventing the restrictions placed on it by Apple and the EU, perhaps they’d not be so keen to do so. More on that later.

The most common trackers are:

• Google Analytics (so organizations can understand who’s visiting their site, where they came from, and what they did)
• Twitter (so companies can show targeted ads on Twitter to recent website visitors
• Facebook (so Mark Zuckerberg can take over the entire Internet, see everything you’re doing, and give businesses a terrible and crappy ads interface. Oh, AND track visitors and advertise to them, not just on your website but across ALL websites)

So, what’s wrong with that, I hear you ask. Businesses need to get data on their customers and advertise to them. What’s the big deal? Plus, aren’t you in charge of marketing?

I hear you. But look, Silktide is all about helping people make the web better. We’ve been talking about the crappiness of cookie consent popup banners for about ten years now (we even built one and gave it away for free in an exercise in extreme irony).

But cookie consent banners are merely a band-aid over the real problem – the invasion of user privacy online.

If big tech companies weren’t tracking your every move, we wouldn’t need them.

How did we remove our cookie consent banner?

So, the first thing we needed to do was look at which cookies were being set on silktide.com. Silktide’s web governance platform actually does this already, so that was quite straightforward. Here’s the list:

• Google Tag Manager
• Google Analytics
• Twitter pixel
• Facebook pixel
• Intercom (live chat)

Obviously, setting cookies before consent is a massive no, so we use Google Tag Manager to load everything in, but only once the user explicitly accepts cookies in our cookie consent banner (GTM itself is also only loaded once the user accepts cookies).

That’s the correct way to do it, but you’d be surprised by the number of websites that set cookies automatically before asking permission (and you can read about that in an upcoming post).

The marketers in the room are probably thinking “Wait, what about my ads and analytics”.

We don’t retarget on Google, Twitter, or Facebook. In fact, we barely do any paid advertising, save for a few select keywords in Google Ads, and some recruitment ads on Facebook and LinkedIn. But those don’t require any tracking pixels to be set.

So really, for us, there’s no need to have Facebook and Twitter pixels on our site at all. That’s why I took them off a few months ago.

That just leaves Google Analytics and Google Tag Manager.

We use Tag Manager to handle various functionality, like sending conversion events into Google Analytics and some basic funnels for people clicking on our “Request Demo” button to see if they convert and where they came from.

So turning that off presented some problems for me because it would basically break conversion tracking.

That said, given that we’ve removed Google Analytics anyway, it’s a moot point.

Removing Google Analytics

We no longer use Google Analytics on our website. This is, of course, madness from a marketing perspective, because how is a global SaaS company expected to track user activity and report on marketing metrics? Why is the head of marketing suggesting this is even a Good Thing?

Fret not. We simply built our own cookie-free analytics and heatmapping solution. We got a bit tired of the way Google Analytics works, so built something which still allows user behavior tracking without invading privacy.

It doesn’t need a cookie consent banner, because there are no cookies. Nor is any personal data sent outside the EU, and nor is any personally identifiable user data collected or stored.

Removing Facebook and Twitter

I mentioned earlier that we’d removed Facebook’s pixel. Even if we retargeted users on Facebook, its effectiveness would have dropped significantly since Apple blocked Facebook’s ability to track iOS users.

Also, Google Chrome is blocking third-party cookies by default in 2023, which means Facebook and Twitter advertising will become even less effective in the future. Google, of course, owns Chrome and so that probably helps it track logged-in users even without cookies.

Given that most advertising data is now in aggregate the future seems clear – closed ecosystems with little transparency. Examples include Facebook’s Conversions API – the most insidious counter to EU law you can imagine.

Unfortunately, even without cookies, it’s still going to be possible for Facebook to track you. In fact, with the Conversion API, they’ll get even more personally identifiable data than before. We wrote a blog about that which you can read here.

What about Intercom?

We use Live Chat on our websites and in our app so our customers can talk to us. There are no Live Chat apps that don’t require data transfer, so the only choice here is to remove Intercom from our main silktide.com website.

We are, however, still using it on our support websites and so we kept a cookie consent banner on there to give people the choice. Intercom won’t load at all until you accept cookies.

It’s a compromise. You can still email us if you’d prefer not to use Intercom.

Putting the cookie consent choice back into users’ hands

Users need a choice on privacy at a time that makes sense to them. They should also not be bombarded with cookie consent banners immediately upon visiting every new website.

It’s possible to have comprehensive analytics that also respects user privacy. You can still monitor conversions, you can still see traffic sources, and you can still report on advertising using standard URL tracking templates.

The difference is that no personally-identifiable user data is collected so you don’t need a cookie consent popup to use it. It’s also fully compliant with privacy laws.

The effectiveness of retargeting on Facebook is massively reduced now anyway, especially since Apple blocked third-party cookies on iOS. When Chrome blocks cookies next year, the problem will get even worse.

To find out more about cookie-free, privacy-focused analytics, click here.

• Share via Twitter (opens in a new tab)
• Share via LinkedIn (opens in a new tab)
• Share via Facebook (opens in a new tab)
• Share via Email (opens in a new tab)

From a certain point of view, Facebook’s solution to having all their advertising cookies blocked is quite elegant. Some would say it’s pure evil. More on the specifics later, but first, some background.

Remember when Apple and Facebook had a bit of a tiff after Apple decided to block third-party tracking cookies in Safari and in iOS 14+?

Well, next year Google will be doing the same, by default, in Chrome. Chrome does of course already have an option to block third-party cookies, but I bet you haven’t switched it on.

By cutting down Facebook’s access to cookie data across the web, their advertising becomes less effective. No longer can they rely on automatic shared data from websites sent via cookies. Instead, they now ‘guesstimate’ retargeting audiences, using a range of anonymized data that groups people with similar interests. They then allow their customers to show ads to these audiences.

The downside, for Facebook, is that they no longer have access to data from specific users either on iOS devices or on browsers where third-party cookies are blocked. This means the retargeting becomes less effective (unless the iOS user has specifically opted into getting personalized ads – which is now off by default since iOS 14).

Facebook wasn’t very happy when Apple did this, even taking out full-page adverts in national newspapers and writing a blog post asking small business owners to speak up against Apple.

“Apple controls an entire ecosystem from device to app store and apps, and uses this power to harm developers and consumers, as well as large platforms like Facebook.”

I mean, there is some level of irony here given that Facebook’s tracking pixel is on most of the websites you visit.

I don’t want to be tracked, so blocking Facebook’s advertising is a good thing, right?

In principle, yes. It won’t be possible to individually target you if you’re using iOS or have third-party cookies blocked elsewhere.

You’ll still get targeted ads, but these might be less effective. Business owners won’t get as much data in their Facebook ads account, as it will use Aggregated Event Measurement (in the case of app install campaigns) to essentially guess what’s happening.

The privacy-conscious among you might welcome this turn of events because now the problem is solved, right? Well, actually, no it’s not.

Things just got a lot worse.

Facebook counters with the Conversions API

When Facebook lost a lot of tracking data through cookies, it came up with a way to still get your customer data to build audiences from. If you’ve spent any time in the Facebook Ads platform recently, you might have come across the Conversions API. 

If you haven’t heard of it, brace yourself.

In the EU, the GDPR law prevents personal data from being transferred without consent, to either the website owner or third parties connected to the website or any technology a business uses.

This is why cookie popup banners exist. We have an extensive post telling you all about how the ‘cookie law’ works.

In a nutshell, if you set a cookie on your website without permission, in the EU, you broke the law. 

You also need to list all the places you send personally identifiable information (PID) in your cookie and privacy policies.

In practical terms, the GDPR/cookie law is actually very enforceable right now, because you can easily scan a website and find out what cookies it uses and, just as importantly, when they were set.

Now, the Conversions API bypasses the need for third-party cookies entirely and collects far more PID than cookies ever could. And Facebook encourages you to use it.

How does Facebook’s Conversions API collect more PID than cookies?

When you fill in a form on a website or buy something through a checkout, you’re giving your data over to the website owner. That’s fair because without it the website couldn’t process your transaction or inquiry, submit your comment, or whatever.

Third parties don’t get access to this personal information (I’m talking about names, email addresses, form values, etc.). It’s not transferred in cookies.

What Facebook is doing is encouraging business owners to give them this data at the point of transaction, so they can use it to match to a Facebook user.

Their dashboard lists what they consider to be “best practices”, with suggestions as to what data you should collect:

• Phone number
• Email address
• IP address

Yes, you heard that correctly. They’re advocating that the “best practice” when using the Conversion API is to transfer your customer’s email address, IP address, and mobile phone number, at a minimum.

Many more options are available in the API, including gender, country, date of birth, and postcode/ZIP.

They say “Customer information is used to match your events to Facebook account ID so you can use them to attribute your ad performance and show ads to people who are most likely to convert.”

Here’s a link to Facebook’s help article listing the customer information parameters that Facebook accepts.

The best thing about this from Facebook’s point of view, of course, is that the business owner is entirely responsible for where and to whom this data is sent.

The Conversions API page, and elsewhere in the Facebook dashboard, states (emphasis mine):

“Note: Ensure that you have obtained the proper lawful permissions and any necessary consent before you share any information with a third party. We provide general information and links to helpful industry resources in our Consent guide, but ultimately you’ll need to work with your own legal counsel to develop your data sharing compliance plan.”

Thereby absolving themselves from any legal liability for receiving the data you give them. That’s right, the business owner is the one getting sued if they don’t include all this information, along with purposes for its use, in their privacy policy.

The worst part about this from a GDPR enforcement perspective is that all this information transfer is “dark”. Cookies can be detected easily, but this transfer of PID is done on the company server.

Only with access to that server code can anyone see what’s actually going on. The data itself is invisible.

So, even though this behavior is subject to GDPR and other privacy laws around the planet, nobody can know unless the web owner tells you. This means the law will be much harder to enforce.

Secondly, and this is even more concerning to privacy advocates, is that there’s no way to block it. No Adblock, no cookie blocking, nothing.

As a consumer, you should assume that Facebook is getting your data whether you’re on iOS or whether you blocked cookies in your favorite browser, as soon as you buy something from an online store that also has a Facebook ad account.

In fact, you’re MORE dependent now on the company being nice and NOT sending all your data.

It gets worse. Businesses can connect their CRM to Facebook and it can receive all the data in all of your form submissions, without even implementing any code.

Oh, and that’s enabled by default.

A clever design

The clever bit is that the design of this ‘solution’ to cookie blocking will ever so subtly influence the business owner to enable all the options.

Which website owners, especially in eCommerce, wouldn’t want to send all this information across especially given that without proper tracking Facebook ads have reduced ROAS by up to 30%.

Remember the wording in the Facebook ad account from earlier?

“Best practices – Selecting the right parameters can help improve your event match quality score and event deduplication, which can lead to better ad performance,” and “make sure you’ve configured the best parameter setup.”

Everything is written to encourage you to hand over as much information as possible.

So, what do we think about all this?

Making the web a better place is in our DNA. But what Facebook is doing here is making it much, much worse, especially in terms of privacy.

You have to hand it to them for coming up with a solution that:

• Enables them to solve the problem of blocked cookies for advertising effectiveness
• Allows them to collect even more data than before
• Removes all liability under GDPR and places it on the website owner

Morally, though, we’d have to disagree with this approach. Internet privacy is a fundamental right, and changes like this threaten it.

The truth is, nobody reads privacy policies, and probably the average consumer doesn’t even care. They’re sharing all their data with Facebook directly anyway, so what’s the big problem?

The problem is that, for the consumer, there is no choice. No way to block or opt out of this behavior, and no way to know it’s happening (without reading through the privacy policy of every website and assuming that businesses disclose all this information transfer as they should do).

We’re taking a stand.

A couple of months ago I removed Facebook and Twitter’s tracking pixels from the Silktide website, along with others.

Our long-term goal is to remove all third-party tracking from Silktide.com in the EU, including Google Analytics.

The result of this is that finally, we’ll be able to get rid of our cookie banner – the bane of the existence of everyone who’s ever visited a website.

Given that I’m a marketing professional, you’re probably asking yourself “Why is the head of marketing at a global tech company removing their web analytics,” and the answer is simple.

We’ve built our own cookie-free analytics solution that’s privacy-focused and works effectively without tracking or storing individual user data.

A problem with most analytics providers, like Google, is that for them to work a cookie must be set. I mentioned before that under GDPR, a business is not allowed to set any cookies until the visitor explicitly clicks “I Accept” in the cookie banner.

This means that anyone who doesn’t accept cookies simply won’t be tracked in your analytics, because Google cannot know about them unless that cookie is accepted.

Silktide Analytics is entirely GDPR compliant and suits organizations in any regulated industry that must adhere to local cookie and privacy laws. Because of that, it can give you analytics data for every visitor, as there’s no need to opt in to cookies (there are none).

Who knows, it might even be the beginning of the end of the cookie banner.

Footnote: Hey fellow Star Wars fans! Yes, we know, this headline isn’t quite canon. But would you rather have Facebook portrayed by Obi-Wan?

• Share via Twitter (opens in a new tab)
• Share via LinkedIn (opens in a new tab)
• Share via Facebook (opens in a new tab)
• Share via Email (opens in a new tab)

Not that long ago some well-meaning-but-dumb laws required that websites ask for permission to set cookies.

Since then we have all grown used to a crappier Internet, where users routinely dismiss popups without reading them. The result has been wasted time, smaller screens, and precisely zero improvements to privacy.

Now the UK body responsible for policing these laws has published new guidelines on how we must comply. In short: we’ve been doing it all wrong.

What’s new?

It’s all about things that you can’t do:

1. No non-essential cookies until you ask first

This means no Google Analytics, no Facebook buttons, no comment boxes, no social plugins, and no tracking pixels unless the user has explicitly chosen to enable them first. To give you a compliant example, the ICO uses this cookie sidebar:

Note how their option for analytics is turned off by default, which is also a requirement:

In practical terms, this makes analytics worthless in the UK, as almost no-one is going to opt in, and you won’t know what percentage of your visitors did.

2. No emphasizing “Accept” over “Reject”

Nearly every cookie solution ever emphasizes accepting over denying cookies. The ICO explicitly says this is not allowed: “A consent mechanism that emphasizes ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ represents a non-compliant approach”.

3. No denying access just because you don’t accept cookies

Many websites block access until a user accepts their cookies. Under the new guidance, this is expressly forbidden. You must provide access to your service without cookies, unless the cookies are technically required for it to function (e.g. for login, or a checkout).

Together these changes should help privacy, but they’re going to be an absolute nightmare for website owners, and we’re sceptical how they’ll work in real life.

The way that you make websites, and the way you ask for cookies will have to change completely. Let’s break it down.

How everyone used to comply and why that won’t work

The big change here is you absolutely cannot set non-essential cookies when a user loads a page. This is pretty much what everyone on the Internet does now, and changing this is a serious challenge.

Previously most websites ‘solved’ the cookie law by adding some standard JavaScript that displays a banner or popup when a page is first loaded. Typically they say something like “By continuing to use our website you accept our use of cookies”.

Secretly though the website itself was never changed. It still used cookies. Adding a banner or popup is relatively cheap and easy, but modifying your website to not use non-essential cookies without consent is much harder.

The problem is down to the way webpages work. There’s no copy-and-paste plugin someone can add to their website which blocks cookies. In most cases, you’ll need code on your server, which means your website and your CMS will need to be modified by a programmer.

Programmers cost a lot more than copying-and-pasting a plugin.

Say your website uses Google Analytics and Facebook Share buttons. Because they are non-essential, these plugins will need to be removed until the user has chosen to enable them. This means parts of your pages will need to work with and without these features, and will need new interfaces to enable those features.

Because Google Analytics and Facebook exist for separate reasons, the user is now required to choose to enable one and not the other. This means users will need to see a list of these providers and approve them individually. Options can’t be pre-checked, and must be freely given, so your current “Accept recommended cookies” splash screen won’t cut it.

Asking your users to check a lot of separate, optional settings upfront is never going to work. We can see a better way, although it probably won’t happen.

How this could work, in an unlikely but delightful utopia

Websites could copy how our phones work.

If you use a mobile app, and it needs permission to do something, it asks you once, like this:

Your choice is remembered and you can review it later if you like. You’re given total control and crucially this request is made only when consent is needed, not up front.

Of course an app could ask you for permission up front, but most apps aren’t that stupid: they know if they harass users without good reason, the user will say no.

Websites could do the same. If I want to leave a comment on a blog post, it could ask me for permission to use cookies to do just this. I understand my choice, and the website creates a clear rationale for why I should consent based on my action.

In time, if this approach became commonplace, we could see browsers implement it as a standard, and give users controls to accept and review their privacy across all of their websites. This would save web developers time and enforce privacy for everyone on a technical level.

Yeah, we probably won’t be this lucky.

How cruel, cold reality will probably work

At first, nothing happens. This is a nerdy clarification of an existing law, how many people will even notice? It’ll likely take heavy fines before people will care to go through the whole process of “cookie-lawing” and “GDPR-ing” their websites again.

However detecting people who don’t comply will be very easy. Do you use Google Analytics when we load your page? You’re breaking the law. Expect a whole tonne of automatic spam email along these lines.

When the fines do arrive, organizations will scramble to patch technology that doesn’t currently allow them to comply. You think your website is old? Your bank’s website is running on Windows 1892 Coal-Powered-Edition.

The quickest, dirtiest solution will be to direct users to a static splash page where they must accept all cookies to continue. This isn’t really compliant, but it will pass automated checks and is technically feasible for mass distribution, which in reality is what usually wins.

The result will be anyone requesting a webpage will likely get a splash screen. They’ll be asked to either leave or accept all cookies because “It is not technically feasible for us to offer more granular controls at this time”. These screens will be slow, expensive, inhibit sales, and make many technical actions more complex (e.g. crawling, SEO, sharing links). Cookie banners apparently cost the EU €2 billion a year; these will cost many times more.

Facebook, Google are so essential to so many people that they’ll be able to persuade their users to accept anything. New companies, looking to compete with them, will not.

Meanwhile the average user still doesn’t know what a cookie is, and blindly clicks on the Accept button.

Conclusion

The ICO has just handed out two fines for £99m and £183m. Those are stand-up-and-take-notice figures which show they’re prepared to enforce GDPR seriously. Their head of technology policy just said “Cookie compliance will be an increasing regulatory priority for the ICO in the future”.

The intent of the law was to protect privacy, which is a Good Thing. In an era where Mark’s Zuckerberg’s nanobots are hiding in your bathroom mirror [citation needed] we could all use more control over our privacy.

Let’s just hope they figure out a practical solution that works this time. So far we fear the only people benefitting from this law are those being paid to implement it.

Footnote

Silktide is helping large organizations build a better, more accessible, web. Click here to see how it works in our online demo.