TL;DR: No, you don't need a cookie popup on your site. Yes, you do need to comply with the GDPR and the ePrivacy Directive.
A frequent question for people starting a website these days is: "Don't I need a cookie popup?"
With cookie consent notifications seemingly everywhere, it's a reasonable question. But just because other websites use cookie popups doesn't mean yours has to.
When I was building PodQueue, I wanted to be extremely sensitive to user privacy. I even wrote up a post about how to use Rails without setting session cookies. As it turns out though, as long as you're willing to exclusively use certain kinds of first-party cookies, you do not need a cookie popup.
Don't just take my word for it, though. Look at the regulations, the explanations, and the ongoing enforcement of cookie consent policies. GDPR.eu has a very good explainer article here, and the most important point for you if you want to avoid using a cookie popup is this:
"Receive users’ consent before you use any cookies except strictly necessary cookies."
If you're only using strictly necessary cookies, you don't need a cookie popup. So, what are "strictly necessary cookies"?
"Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies."
The linked article then goes on to contrast these with other types of cookies (preferences, statistics, and marketing), but the important takeaway is that as long as you only use first-party session cookies, you don't need a cookie popup.
Yes, this means you need to read up on the other kinds of cookies and ensure you're not using them. Yes, this may have technical implications for how you design your website. But the payoffs—respecting your users' privacy and avoiding annoying popups—are well worth the investment.
This post is also posted here on the PodQueue Blog.
Disclaimer: I am not a lawyer, and nothing in this post should be taken as legal advice.
Amen! https://www.updog.marketing doesn't have any cookie popups and never will. In fact, I don't think I'm ever going to include one in any of my future projects.
Such a quality of life improvement to be free from these horrid popups.
Thanks for pointing this out. It's really annoying! I have been in web development for 17 years, I have been using cookies all of that time, and this whole privacy hype is ridiculous now. Bureaucrats simply invented some bitter rules (for the benefit of large corporations) but they littered the entire internet.
Cookie popups literally broke down the internet and took creators' freedom away. What's the point of the Internet if there's no more liberty in there? In some cases those popups don't even work or they are not optimised for mobile and turn the visitors away.
And I'm also concerned about what this "I consent" button is doing to the human psyche... Imagine if you click on "I consent" 20 times a day, every day. What kind of effect does it have on your thinking patterns in real life? Isn't this programming to be a slave by developing a habit of agreeing to everything?
Okay, rant over. You will probably think I'm mad :) No, I'm not. It's just sad to see how the new "normal" broke the internet.
So, basically, if you are planning on running ads on any kind of social media, you probably should have it, right?
There has to be a way to make those more UX friendly, I can't think of any way right now, but it could be a great thing if anyone figures it out.
Well, it depends. There's nothing preventing you from running ads on various social media platforms. Where you would need a cookie consent popup is if you want to use cookies, especially third-party cookies, for ad attribution. Though whether that's something that's worthwhile is debatable itself.
So, essentially, you do need them if you want to gather actual data from the ad campaigns to see if something is working...😅 Unless you track everything locally; do you know of any wp that might be good to track user behaviour within the page?
It's also worth noting that US users don't need to accept a cookie agreement at all. GDPR only applies to EU users. Not to encourage third-party cookies, but the cookie acceptance popups are basically spam that people usually agree to regardless of the terms.
I've always thought it would be funny to bury crazy things in the terms of service, like, your first born child must be named Jeff. Lawyers say that's a bad idea though. They're no fun : (
But what about CCPA?
I built my first site the year before GDPR/CCPA was introduced (https://sewellstephens.com)
CCPA doesn't require opt-in for any kind of cookies. It just requires that you disclose what data is collected and how it's used. That can be put in an informational page rather than needing affirmative user consent.
Ok, I see.