Did you notice the lack of a consent popup on this website? That’s because there are no cookies here, because this site doesn’t need them. Conventional wisdom is that you always need tracking and analytics, but if you never use the data, do you really need it? Are you making an informed choice when you interact with the consent popup, or simply clicking it to make it go away?

GDPR was a hot topic in 2017-18, and while we’ve gotten a lot of tools to manage the cookie part it’s still an area where a lot of questions come up. Even when I created my old site, I avoided cookies like the plague. Quite frankly, I didn’t want to have to deal with it. Between then and now, I’ve had a lot of projects, and some time to consider GDPR.

Disclaimer: This is not a “pros and cons of GDPR” post. On the whole, I consider GDPR a step in the right direction despite having some concerns. This is a post about why I decided to build a site using no cookies, and my arguments and thoughts on doing so.

Should I collect?

The regulation, among other things, mandates we keep track of all data we collect. This means a lot of companies were suddenly faced with the question, “What do we collect?” and for some “Why do we collect this?”. When building my new site I was almost certain I still didn’t want any cookies on the site, until I realized I would be writing and sharing posts. The question of analytics and tracking came up, and conventional wisdom is that we always want to add these things, so we can get feedback and find issues. I had several discussions with various people in my network, and I’ve collected some of my takeaways in this post.

Your visitors pay the price

If you collect your data correctly, with as much meta information you can get, your data can become very actionable. While researching this post, I came across many arguments for using analytics. Some of them were:

  • You can see how people find your website.
  • You can track what people do when they’re on your website.
  • It helps you track conversions.
  • It’s free and easy.

All of these are valid arguments, except the free part. Your visitors are paying when they visit your site. You might say “oh, but they can just say no to cookies”, and you’d be entirely right. The question is not if they have the option, but if they understand the options given to them. How often do you say no to cookies? Do you even think about it when you say yes, or just click the annoying thing to make it go away?

Not an informed decision

Making an “informed decision” or providing an “informed choice” is trickier than you might think. It requires knowledge, understanding, and an actual alternative. You also need to be informed in a non-biased way, and when you think about it all websites providing a cookie policy and popup, are biased when informing you. They want to collect as much information as possible, for many more reasons than provided above. Sales and marketing, engagement with the audience, UX improvements, and performance optimization are just some of the reasons I’ve personally been presented with.

People don’t read

Finding out exactly how your data is being used requires extensive reading that most people don’t do. It’s well known that most people don’t even read terms and conditions. Some reports on the subject even state it’s less than 1% who do. So why would anyone think people have read their company’s privacy policy?

Lack of understanding

Grasping the concepts of how cookies work, what data is being collected and how a particular company uses that data is mindbogglingly hard. Especially when you consider that in most cases AI is being applied to the data, and these are proprietary and at best described in broad non-technical terms which do not cover the full extent of the functionality. Pattern recognition is a concept most people understand the basics of, but how does this apply to Shadow Profiles and their use? I’ve worked with IT long enough to know, in this field I understand nothing.

A real alternative

Before GDPR, we were given no choice. A notification about the site using cookies was all the cookie law of 2011 (EU) gave us. Today, we can choose to not accept the cookies, and most websites will continue to operate. However, this doesn’t mean you can browse the internet tracking-free. As mentioned Shadow Profiles are a thing, and the only thing we disable when saying no is profiling, which is used for targeted ads. However, disabling profiling on a single website is not enough, it needs to be done on every major tracking platform to be effective.

I always say No

I like to think I always say no to everything but required cookies, but sometimes it slips, and sometimes I just don’t care enough. When I want to do my best at avoiding tracking, I use incognito mode in my browser and say no to all cookies. You can also block all cookies in your browser, but this also blocks off your ability to log into applications. I keep a version of Firefox with cookies disabled, but I honestly don’t use it much since it’s quite a hassle to switch all the time.

So why do I make the effort to say no most of the time? I simply don’t like the idea of saying yes to something I don’t feel like I understand the implications of. If you think you do, I encourage you to visit the New York Times cookie policy and review all the trackers they use there. Or read the wiki page on Shadow Profiles and the references attached to it.

New York Times cookies example

Sometime in the future, I hope the legislation changes to mandate people have to take an active step to opt-in, rather than to opt-out. The recent addition of a button for opting out of all was a nice improvement, but I feel like this should be an opt-in to all instead. Nobody clicking “accept all” is making an informed decision today, and most people are simply trying to make the annoying thing go away so they can read the content they came for.

Is the site in compliance?

Having reviewed a lot of frameworks, and had a think about what I wanted to achieve with this website, I eventually decided to build a site without cookies. If for no other reason, then to challenge the accepted norm that cookies are mandatory. It doesn’t mean I don’t need a privacy policy, but it does mean I don’t need to implement a consent form for you to be annoyed at.

I honestly don’t think many people will notice, and if they do they will likely ask questions. Is the site in compliance even though it doesn’t have a cookie consent? I think it is, although I have yet to find actual information saying that in cases where no information is collected no consent is needed. I have found multiple guides saying that almost all websites need it, which is why I am writing this post. I don’t think all websites need cookies, and thus they don’t need a consent form. However, I accept there are valid reasons for wanting to make use of these tools.

If you are using tracking cookies on your website, but never actually use them for anything actionable, I would argue you either don’t need them and should eliminate them immediately, or you’re using the tools wrong and should consider getting in touch with an expert, like Ditte Dindorp at BeyondTheCode.