

With the introduction of GDPR, it is important to correctly apply the basic principles of user consent to existing and new websites and webshops. In principle, a Belgian webshop should have a cookie policy that is fully compliant with the latest (stricter) European rules.
Do you want help setting up a cookie policy and cookie banner for Magento in compliance with GDPR rules? Feel free to read on!
What are cookies?
Before we dive into cookies, we need to define exactly what a cookie is. Cookies are small text files that a website places on your computer, tablet, cell phone or virtually any device with a browser. These files store information about your session, for example. This saves you from having to log in every time you refresh the page. Or, cookies can be used to track user behavior and clicks, for analytical or marketing purposes.
You see, there are different types of cookies. You will find different classifications and categories on many websites. We classify them as follows:
Functional cookies
These are necessary to ensure a pleasant experience of the website or the web shop. Think of remembering a session after logging in, or linking a shopping cart to your session. Without this type of cookie, a website or e-commerce platform can be difficult to use or may not work correctly.
Analytical cookies
The operators of websites and web shops also like to know how people interact with their website. They can do this using analytical tools such as Google Analytics or Hotjar. These tools place cookies to track a session and send data correctly to their servers. With that data, a webmaster or digital marketer can see in an anonymous way how the website is being used and formulate adjustments or improvements.
Marketing cookies
Why is it that after visiting a product on a web shop, you suddenly see this product appear on Facebook or your favorite news website? Because of marketing cookies, among other things. They keep data about your surfing behavior and share it with marketing tools like Google Ads. With that data, those tools try to show you highly personalized advertising. For example, you get to see shoes everywhere after you just visited an e-commerce platform with sneakers.
Note: Not all cookies have the same purpose. And so with the introduction of GDPR and stricter rules around privacy, it's important to separate them out and ask permission from the user - meaning you - whether they can be placed or not.
Consent required: for which cookies in Magento 2?
The non-functional cookies, analytical and marketing cookies, are not necessary for web shops on Magento to work properly. They are redundant in that respect and they are often used to collect data about the user. And that is why it is required that the website administrator ask permission to place them. The idea here is also that the visitor is more aware of the information being collected from him or her.
You only have to give the consent once, basically. Unless you delete the functional cookie that stores consent. This cookie usually has an extended lifespan indicated in the cookie policy.
Just like the functional cookie for your consent, the administrator of the website or webshop must also indicate what he/she will do with that data. There are also strict rules around this and the user must be informed of the consequences of accepting the cookies.
MAGENTO AND COOKIES. BASIC SETUP, ROOM FOR OPTIMIZATIONS.
We have a lot of experience with Magento and we find that the way Magento handles cookies meets the requirements of GDPR. However, there is still a lot of room for optimizations: for example, it is not easy to tell which group each cookie or tool belongs to. At PHPro we have set up solutions to make your webshop immediately compliant. Together we look at the tools you want to use and what type they are, and we draw up a cookie policy and privacy policy in Magento that are fully compliant with the guidelines.
So we make sure your cookies and how they work are clearly displayed to users. We give them the ability to review cookies, give or withdraw permissions and find more explanations about the cookies.
EXPLAIN WHAT YOU DO AND WILL DO
You provide this explanation in the cookie policy. This is a comprehensive document that indicates who is collecting data, what will be done with the data, how it will be done and so on. The goal is to give you as a user the most complete, clear and unambiguous picture of the consent you are or are not giving.
- Identity of the organization
  - Name of the organization (company name)
  - Full, physical address of the organization
  - VAT number
  - Other contact information such as an email address and/or phone number
- What cookies do you place?
  - What type of cookie is involved?
  - Why do you place these cookies? (purposes)
  - Who places the cookie? Yourself or a third party? (And refer to that third party's cookie policy as well)
  - What is the lifetime of each cookie?
You have to gather a lot of information, and this is a tough exercise the first time. Get proper guidance, from our experts for example. Once you have the list, you only need to update it as you make changes.
ASKING PERMISSION. HOW TO DO IT?
There are several ways to ask for permission to use cookies. Which one is best for your website or web shop is up to you. Below we give some good examples for you to consider.
COOKIE WALL
The cookie wall is an overlay that is visible immediately upon loading a website and requires you to make a choice around cookies before you can continue browsing the website. Although this may seem like an “invasive” way of obtaining the necessary permissions, it is certainly not a bad one. It ensures that users immediately know that you are working with cookies and it immediately points them in the right direction for more information.
It is less user-friendly, though, because it stops the user from seeing the content he or she wants to view. It is usually used when a website depends on ad revenue and proper permissions are needed. Some websites even go so far as to prevent further use of the website if you use only functional cookies. Our advice? Test well and, above all, think “user experience first.”
COOKIE BAR WITH CLEAR CALL-TO-ACTION
The cookie bar or cookie banner is a more subtle way to ask for cookie permissions. It is often found at the bottom or top of the page, large enough to be visible, but certainly not in the user's way like a cookie wall. The text should be clear and unambiguous, just like the buttons you offer: one to accept and one to decline or set preferences.
With this way of doing things, it may happen that the user makes no choice at all, which means you are only allowed to set functional cookies. As a result, you may lose analytical and marketing data. Our advice? It is the most commonly used form and users know what to do by now.
POP-UPS AND SMALL WINDOWS
This third version is a variant of the cookie bar. If the cookie banner and cookie wall don't fit the design, you can also opt for a pop-up or a small window in the corner of the screen. Similar to the cookie banner, it is not disruptive, but clearly visible next to or over part of the content.
Furthermore, we advise the same here as with the cookie banner: make sure you have unambiguous texts and buttons, and make sure you give users the option to set their preferences themselves.
SCROLLING IS CONSENTING? THAT'S NOT HOW YOU DO IT.
We just covered how to ask for consent. Frankly, that's not that difficult; only the consequences can be unpleasant for marketers and operators of web shops. Namely, they lose a lot of data and fear that their data will not be sufficiently representative.
Many Magento webshops, especially older ones, do not ask for permission in any form. Some websites, however, deliberately apply “implied consent.” That is, without clicking anywhere, just by using the website, the user is taken to agree to all cookies. They often display text at the top or bottom of the page, but it disappears as soon as you scroll or have been on the website for a certain amount of time.
This is not allowed, so don't do it. With one exception: if you set only functional cookies.
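The rule above (no explicit choice means functional cookies only, and the choice itself lives in a functional cookie with a stated lifespan) can be enforced in code before any analytics or marketing tool is loaded. The sketch below is an added example, not code from PHPro or Magento; the cookie name `cookie_consent`, its JSON value format and the tool-to-category registry are assumptions made for illustration.

```javascript
// Added example. Cookie name, value format and tool registry are assumptions.
const CONSENT_COOKIE = "cookie_consent"; // hypothetical name
const TOOL_CATEGORY = { "session": "functional", "google-analytics": "analytical",
                        "hotjar": "analytical", "google-ads": "marketing" };

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Categories the visitor has agreed to. Functional is always allowed;
// anything else needs an explicit `true` stored by a click on the banner.
function allowedCategories(cookieString) {
  const allowed = new Set(["functional"]);
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return allowed; // no choice made yet: functional only
  let choice;
  try {
    choice = JSON.parse(decodeURIComponent(raw));
  } catch (e) { return allowed; } // unreadable value counts as no consent
  if (choice === null || typeof choice !== "object") return allowed;
  for (const cat of ["analytical", "marketing"]) {
    if (choice[cat] === true) allowed.add(cat);
  }
  return allowed;
}

// Tools without an assigned category are denied until someone classifies them.
function mayLoad(tool, cookieString) {
  const cat = TOOL_CATEGORY[tool];
  return cat !== undefined && allowedCategories(cookieString).has(cat);
}

// Cookie to set when the visitor clicks a banner button (never on scroll or timeout).
function buildConsentCookie(choice, maxAgeDays) {
  const value = encodeURIComponent(JSON.stringify({
    analytical: choice.analytical === true,
    marketing: choice.marketing === true,
  }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}
```

In a browser, a tag loader would call `mayLoad(tool, document.cookie)` before injecting each script, and the `maxAgeDays` value should match the lifetime stated in the cookie policy.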
Since the introduction of GDPR, cookies and privacy are a hot topic for all our clients. We advise them to be sure to follow the legislation and we help with drafting good texts, clear buttons and pleasant designs in order not to scare off users and - on the contrary - convince them to allow cookies. We also know from experience that data loss is a legitimate fear for (digital) marketers and e-commerce managers, but with the right elements and designs you can convince the majority of users to allow analytical and marketing-related cookies anyway.
Want to know more about GDPR on your webshop?
Want to know more about GDPR and which cookie settings to use on your Magento webshop? Or are you looking for the best way to deal with it on your website or e-commerce platform? We are happy to share our experiences with you.