Is a free cookie banner enough?

A free cookie banner can be a useful technical building block, but it is rarely enough as a complete consent solution.

Many free solutions and open-source libraries can help show a dialog, store the visitor’s choice in the browser and give developers ways to make the loading of certain scripts conditional on consent. That can be useful.

But if consent is used, the website owner also needs to be able to show that consent has been given. This is where many simpler solutions become limited.

Storing a choice locally in the visitor’s browser is not always the same thing as being able to show which consent was given, when it was given and which information applied at the time.

What a free cookie banner can often help with

A free cookie banner can often handle the visible part of the consent flow.

This can include, for example:

  • showing a cookie dialog
  • dividing cookies into categories
  • allowing the visitor to accept or reject
  • storing the choice in the browser
  • giving developers events or callbacks
  • conditioning the loading of certain scripts based on the visitor’s choice

This can be a good foundation for the technical implementation. But it does not mean that the full consent process is solved.

Provable consent is essential

When consent is used, the website owner needs to be able to show that consent has been given.

This means that the solution should support documentation of consent. This may include which choice was made, when the choice was made, which categories the consent covered and which information applied at the time.

If consent is only stored in a cookie, localStorage or another form of local storage in the visitor’s browser, it can be difficult to show the consent later.

That is not necessarily a problem for remembering the visitor’s choice on the website. But it is a weakness if the website owner needs to show that consent has actually been given.
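The difference between remembering a choice and being able to show it later can be made concrete. The following is an added example, not code from this page or from any particular banner product: a small consent log held by the website owner that answers which consent applied at a given time and under which version of the information. The category names, `consentId`, `noticeVersion` and all function names are assumptions, and the in-memory array stands in for an append-only server-side store.

```javascript
// Added example with hypothetical names. Categories that require consent on
// this imaginary site; "necessary" is not listed because it is not a choice.
const CATEGORIES = ["functional", "statistics", "marketing"];

function createConsentLog() {
  const entries = []; // appended to on every choice, never edited or deleted

  return {
    // Record one choice: which visitor (pseudonymous id), which categories,
    // when, and which version of the banner information applied.
    record(consentId, granted, noticeVersion, at = new Date()) {
      const unknown = granted.filter((c) => !CATEGORIES.includes(c));
      if (unknown.length > 0) {
        throw new Error("unknown category: " + unknown.join(", "));
      }
      const entry = Object.freeze({
        consentId,
        granted: Object.freeze([...new Set(granted)].sort()),
        noticeVersion,
        at: at.toISOString(),
      });
      entries.push(entry);
      return entry;
    },

    // The entry that applied at a given moment: the latest one at or before it.
    // ISO 8601 UTC strings from toISOString() compare correctly as text.
    stateAt(consentId, when) {
      const t = when.toISOString();
      let found = null;
      for (const e of entries) {
        if (e.consentId !== consentId || e.at > t) continue;
        if (found === null || e.at >= found.at) found = e;
      }
      return found;
    },

    // Was this purpose covered by consent at that time? No entry means no consent.
    wasGranted(consentId, category, when) {
      const e = this.stateAt(consentId, when);
      return e !== null && e.granted.includes(category);
    },
  };
}
```

A value kept only in a cookie or localStorage holds the latest choice and disappears with the browser profile; the log keeps every change, so a withdrawal does not erase the evidence of the earlier consent.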

The categories need to be considered carefully

A cookie banner does not always need to have many choices. But if the website uses cookies for different purposes, the visitor needs to be able to understand and take a position on those purposes.

That is why it is rarely enough to only have one general choice for all cookies, such as “Accept” or “OK”. Cookies used for necessary purposes, functional cookies, statistics or marketing must not be treated as if they were the same thing. Not everything that is useful for the website owner is necessary for the visitor.

The website owner needs to decide which categories should be used, which cookies belong in each category and which consent is required for different scripts.

It is also important that the categories do not only exist in the banner. They need to be connected to the technical implementation. A script used for marketing should be conditioned on the right consent category, not only described under the right category in the text.

Scripts need to be conditioned correctly

A cookie banner is not very useful if scripts that require consent still run immediately.

Scripts used for statistics, analytics, marketing or other tracking need to be conditioned on the right consent category. This means that the script should not be loaded until the visitor has given consent that covers the relevant purpose.

This applies, for example, to analytics tools, advertising pixels, heatmaps, chat tools and other third-party services that use cookies or other browser storage for purposes that require consent.

Free solutions can often provide technical ways to condition scripts. But the website owner still needs to make sure that the implementation is correct across the whole website.

This also applies to scripts that are added later through the CMS, Google Tag Manager, plugins, campaigns or external providers.
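One way to enforce this in code, as an added example that is not taken from this page or from any specific banner library: a gate that every consent-requiring script must register with, including scripts added later. The function names, category names and URLs are assumptions; `inject` is whatever actually loads the script, for example a function that appends a `<script>` element to `document.head`.

```javascript
// Added example with hypothetical names.
function createScriptGate(inject) {
  const registered = [];   // { src, category, loaded }
  let granted = new Set(); // nothing is granted until the visitor chooses

  function flush() {
    for (const s of registered) {
      if (!s.loaded && granted.has(s.category)) {
        s.loaded = true; // load each script at most once
        inject(s.src);
      }
    }
  }

  return {
    // Every script must name its category; there is no default category,
    // so a script added later cannot slip through uncategorised.
    register(src, category) {
      if (!category) throw new Error("script registered without a category: " + src);
      registered.push({ src, category, loaded: false });
      flush(); // loads immediately only if existing consent already covers it
    },

    // Call from the banner's callback on accept, reject, change or withdrawal.
    // Returns scripts that are already running but no longer covered, so the
    // page can stop them or reload; a loaded script cannot be unloaded.
    setConsent(categories) {
      granted = new Set(categories);
      flush();
      return registered
        .filter((s) => s.loaded && !granted.has(s.category))
        .map((s) => s.src);
    },

    // Scripts still waiting for consent, useful when auditing the site.
    pending() {
      return registered.filter((s) => !s.loaded).map((s) => s.src);
    },
  };
}
```

The gate only controls scripts that go through it; a tag pasted directly into a template or fired by a tag manager outside the gate still runs immediately, which is why the implementation has to be checked across the whole website.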

The cookie list needs to be followed up

A cookie list needs to reflect the cookies the website actually uses.

It is not enough to inventory cookies once and then assume that the information will continue to be correct. New cookies can appear when the website changes, for example through new forms, embedded services, marketing tools, analytics tools or third-party scripts.

Automatic scanning can help detect cookies, but it does not replace the website owner’s responsibility to review and complete the information.

The website may also use other forms of browser storage, such as localStorage, sessionStorage or IndexedDB. Such storage needs to be handled through technical review, script control and clear routines.

If a free cookie banner does not help with inventory, follow-up or documentation, the website owner needs to have another routine for that.

Withdrawal needs to work in practice

The visitor must be able to change or withdraw consent.

This means that it must be possible to open the cookie dialog again, for example through a link in the footer. When the visitor changes their choice, the website also needs to adapt to the new choice.

In practice, this mainly means stopping future scripts and processing that require consent. Cookies that the website can delete should be deleted where technically possible.

Third-party cookies and some other forms of storage cannot always be deleted by the website. The visitor therefore needs clear information about how such cookies can be removed in the browser.

When can a free cookie banner be a reasonable building block?

A free cookie banner can be a reasonable building block if you have technical competence, few third-party services and clear routines for everything the solution does not handle itself.

This means that you need to be able to make sure that:

  • consent can be documented and shown later
  • the solution supports categories where needed
  • the categories are considered carefully and described correctly
  • cookies are placed in the right category
  • scripts that require consent are conditioned on the right consent category
  • the visitor can reject, change and withdraw consent
  • the cookie list is followed up and completed when needed
  • new scripts and third-party services are reviewed over time
  • other forms of browser storage are handled in a controlled way

Without these parts, it is usually only the banner part that is solved.

Free is not wrong, but the responsibility remains

There is nothing wrong with using a free tool or an open-source library. For the right organization, it can be a good technical component.

But it is important to see the tool for what it is. It often helps with the dialog and parts of script control. It does not automatically replace a complete process for consent management.

The website owner still needs to make sure that consent can be documented, that the categories are considered carefully, that the information is correct and that the website’s scripts follow the visitor’s choice.

Summary

A free cookie banner can be a good building block, but it is rarely enough as a complete consent solution.

It can help show a dialog, store choices in the browser and provide technical ways to condition the loading of scripts. But if consent is used, the website owner also needs to be able to show that consent has been given.

The key question is therefore not only whether the banner is shown.

The question is whether the solution helps you:

  • document consent
  • show consent later
  • decide on the right categories
  • describe the categories clearly
  • condition scripts on the right consent category
  • handle changed choices
  • keep cookie information up to date
  • follow up new scripts and third-party services
  • handle other forms of browser storage in a controlled way

Free cookie banners can often solve the dialog. They do not automatically solve the burden of proof or the full work around consent.

Do you need help reviewing your cookie banner?

CookieTractor helps you handle the cookie dialog, consent, cookie list, documentation and follow-up.

If you are unsure whether your current solution is enough for the requirements you need to consider in the EU or EEA, we can help you review how cookies, consent and scripts work on your website.

Feel free to contact us at info@cookietractor.com.