Picture of a privacy icon and cookie on a purple computer screen

Tracking with consent: what you need to know about cookie pop-ups

Cookie consent pop-ups are fast becoming ubiquitous – even for sites that aren’t technically obliged to carry them. But how do you respect users' right to privacy while still collecting valuable data to improve the customer experience?

Sarah Crooke.Headshot

By Sarah Crooke, 4 February 20246 minute read

Since the passing of the EU ePrivacy Directive – otherwise known as ‘the Cookie Law’ – in 2002, cookie consent pop-ups (also known as consent pop-ups) have proliferated throughout the web. The purpose of the ePrivacy Directive, which supplements the GDPR, was to protect website users' privacy by requiring websites to obtain consent to use cookies. Many other jurisdictions have since followed suit and enacted their own legislation to regulate the use of cookies, for example, the California Consumer Privacy Act (CCPA). 

Do Australian sites need cookie consent pop-ups?

Australian data protection laws do not require organisations to obtain express consent to use cookies, unless the website collects sensitive personal information such as data related to health, race, criminal record, or sexual orientation, or to use or disclose personal information for a purpose other than the purpose it was collected for. (Read more on the Australian Privacy Principles.) 

This means that for sites of Australian-based companies with no overseas presence and that don’t sell to or deal with people in other jurisdictions, it isn't usually necessary to get explicit consent from visitors to use cookies. 

For now.

However, all of this could be about to change. In response to a spate of high-profile data breaches, late last year, it was announced that Australia’s Privacy Act – focusing particularly on the way organisations handle personal information – is likely to be subject to review in the near future.

If your company operates in the EU, you must legally provide cookie consent management to your end users. Failure to do so can result in a fine of up to 20 million Euros or, in the case of an undertaking, up to four percent of your total global turnover of the preceding fiscal year, whichever is higher.

Also, remember that the cookie consent pop-up is only one small part of complying with GDPR or other countries' privacy laws. You should always check with your legal team on your requirements.

The benefits of implementing cookie consent pop-ups

While consent pop-ups are vital for compliance with data privacy laws like GDPR and CCPA, informing users about collected data and offering them control over their personal information can also have other advantages. By clearly outlining the use of cookies for analytics and offering opt-in or opt-out choices, websites can maintain transparency and build trust with their audience. This approach meets legal requirements and enhances user engagement by respecting privacy preferences, making cookie pop-ups a key element in a privacy-focused analytics set-up. Setting up cookie consent management early also means that you will be on the front foot in the likely event that the law in Australia changes to require them.

Best practices in setting up cookie consent pop-ups

It is not enough to simply display a cookie consent pop-up. If you show a pop-up and are not implementing it correctly, this can present a legal risk for your organisation.

Conversely, it is not the best implementation to stop all tracking until cookies are accepted. There are ways to collect non-personal information without cookies being accepted. 

Our recommended approach is:

  • Use a third-party tool such as OneTrust or GDPR Compliance and ePrivacy CMP Solution – Cookiebot
  • Have a trusted developer implement the third-party tool 
  • Utilise Google Tag Manager to get the details from the third-party tool on what is allowed and not allowed and use Consent Mode to determine which tags can fire
  • Regularly audit the website for cookies that may be stored
  • Have your legal team review your privacy policy, ensuring that it states which cookies are used and why
  • Ensure clear documentation on what tags are allowed under what permissions.

If you require further restrictions, it may be necessary to implement server-side tracking, which can mask users' IP and other details from third parties.

Why use a third-party tool?

Third parties make privacy their business, so if there is an update in different countries, they are likely to know about it. This takes the legal risk off you to stay updated with the latest information on data privacy changes. They also have the data to know what pop-up styles work best and allow for all the different consent types that may be added. When a new consent type is added, a third party tool will automatically add it into the back end, saving you the trouble of adding it manually.

Why use Google Tag Manager Consent Mode?

GTM Consent Mode provides a way to balance data privacy with data-driven insights on your website. Consent Mode receives your users' consent choices from your cookie banner or widget and dynamically adapts the behaviour of Analytics, Ads, and third-party tags that create or read cookies. When visitors deny consent, instead of storing cookies, tags send pings to Google.

What is the benefit of going through Google Tag Manager if tags are not being sent anyway? GTM Consent Mode means some information can still be sent, especially to Google Analytics. However, not all data is collected, and you should not expect the same level of data as without Consent Mode.

How is Consent Mode data different?

  1. Data granularity: With Consent Mode, the granularity of the data can be reduced when users opt out of certain types of tracking. For example, if a user does not consent to the use of performance cookies, GA4 may not collect detailed page timing or specific user interaction data. This results in a more aggregated and less detailed view of user behaviour.
  2. Data availability: Certain types of data, especially those related to user identification and tracking across sessions (e.g. User ID, cross-site tracking data), are significantly impacted. Without consent, these identifiers are not collected, leading to less precise user journey and cross-device analysis.
  3. Conversion tracking: Conversion data may also be affected. While GA4 uses modelling to estimate conversions without full tracking, the direct attribution of conversions to specific marketing channels or campaigns might be less accurate without full user consent. This affects how you assess the effectiveness of your campaigns.
  4. Audience data: The composition and size of remarketing audiences and other audience lists in GA4 may change under Consent Mode. Since some users might not consent to advertising cookies, the data used to build these audiences is limited, potentially making them smaller or less targeted.
  5. Event data: The specifics of event tracking data can change. Events dependent on full tracking or specific cookie consent may not be recorded or might be recorded differently. This could affect the tracking of specific user interactions, such as video views or downloads, depending on how the site has configured consent requirements.
  6. Session data: The way sessions are counted and attributed might also vary. Without certain types of cookies, linking multiple interactions to a single user session might be more challenging, potentially affecting session-based metrics like session duration and bounce rate.
  7. Geolocation and demographic data: The accuracy and availability of geolocation and demographic information might be reduced. Since these often rely on specific types of cookies or identifiers that require consent, the absence of such consent can lead to less detailed demographic and location data.

How long will it take to implement GTM Consent Mode?

Depending on privacy requirements, it would usually take a developer one to several days' worth of effort to migrate, test, and document consent tracking in Google Tag Manager (web version). If you are looking at implementing server side tracking, the scope of the work will depend on your particular requirements and we recommend that you seek a quote from a trusted digital advisor.

Want to tap into the expertise of an agency that’s been in operation since 1999?

Get in touch

Keep Reading

Want more? Here are some other blog posts you might be interested in.