Solving the GDPR Cookie Paradox

With the imminent implementation of GDPR regulations, marketers are bracing for what could be a bumpy transition. As we learn more about the consequences of GDPR rules—and marketers’ interpretations of those rules—we might have to scramble around a bit to ensure that the impact on the customer experience is as minimal as possible.

One thing I’ve long believed could be a puzzle for marketers under GDPR is what I call the cookie paradox. As you may know, certain web cookies use personal information—such as IP addresses, email addresses, and browsing histories—to help marketers track website visitors across channels and touchpoints, keep users logged in, personalize landing pages, and otherwise enhance the web experience.

Until now, most marketers have used web cookies with impunity, perhaps mentioning their use but not requiring any specific user action. Under GDPR, marketers must present a way for visitors to “opt in” to be tracked with a “cookie”. This is most often done with a pop-up. The following sample jQuery code shows how to check and update the value of a client-side cookie to control whether the cookie disclaimer is shown.

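// $.cookie comes from the jquery.cookie plugin; it returns undefined when the cookie is not set.
var agreed_to_terms = $.cookie('agreed_to_terms');
if (agreed_to_terms !== '1') {
  // No opt-in recorded yet (cookie missing or '0'): store consent when the visitor clicks.
  $('#cookie-consent').click(function (e) {
    $.cookie('agreed_to_terms', '1', {
      path: '/',
      expires: 999999 // a number here is a lifetime in days
    });
  });
}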

If a consumer doesn’t opt in for cookies, then cookies can’t be used for that individual out of respect for their privacy. This cookie rejection, however, will likely diminish the user experience, up to and including repeat pop-ups every time a visitor returns to your site. If someone chooses not to be tracked, then the very act of tracking that they can’t be tracked is in fact tracking—and that could be a violation. Thus, the cookie paradox under GDPR:

How can marketers optimize the web experience in a world where personal information is restricted?

The Way the Cookie Crumbles

If you can convince your site visitors to accept cookies, then you are in the clear. Once a consumer opts in, you’re not required to ask them each time they visit your site. However, you do have to make an opt-out mechanism available if they change their minds.

At Treasure Data, we’re looking at different models for how to manage the cookie opt-in process. Here are a few of the things we’re thinking about, to make accepting cookies as easy as possible for our own site visitors:

  • Keep It Simple: Our site uses cookies from a few different tools (Marketo and Google). Rather than overwhelming site visitors with all the different types of cookies we’re using, we’ll ask users to accept all cookies.
  • Message the Value of Cookies in a Straightforward Manner: Our opt-in messaging will explain that the overall site experience will be better if consumers accept cookies. However, we won’t guilt or trick customers into accepting the opt-in.
  • Make Browsing the Opt-Out Default: Our cookie pop-up will include a prominent check box for opting in, giving consumers a clear, affirmative action. We’ll also tell users that if they continue browsing without clicking on an “Accept all cookies” button, they are refusing cookies.

So what about the people who don’t accept cookies? How do you know if they want to opt out FOREVER, or if they’re just in a hurry on a given day? Here’s how we’re hoping to convert some of those early opt-outs to ultimate opt-ins:

  • Optimize Timeframes: Because we won’t know why users reject cookies, we’ll want to ask them more than once, without being annoying. We plan to experiment with different time frames, perhaps showing the opt-in window after a few minutes to people lingering on the site, or the next day if they come back to see us.
  • Amp Up the Urgency: When we do present repeat opt-in messaging, we might change the content to acknowledge the previous rejection. This could work especially well for those lingering site visitors. For example, we might say, “Since you’re going to stick around for a while, improve your site experience by accepting cookies.”
  • Create Workarounds for Cross Channel Consumers: The cookie paradox is even more prevalent when users interact with the same website from different devices. For example, you should be able to take a “forget me” request from a mobile device and then push that request to any other system where the company holds PII on that user. It is very valuable to be able to recognize cross channel activity while maintaining people’s right to privacy.
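
The opt-in, refusal, re-prompt and opt-out handling described above can be reduced to one decision function that runs before any tracking tag is loaded. This is an added example, not Treasure Data's code: only the agreed_to_terms cookie name comes from the article's snippet, while the re-prompt delay, consent lifetime, storage key and function names are assumptions.

```javascript
// Added example. Only the cookie name comes from the article; everything else is assumed.
const CONSENT_COOKIE = 'agreed_to_terms';
const DECLINE_KEY = 'consent_declined_at';   // hypothetical session-storage key
const REPROMPT_AFTER_MS = 5 * 60 * 1000;     // assumed "few minutes" re-prompt delay
const MAX_AGE_S = 180 * 24 * 60 * 60;        // assumed consent lifetime, in seconds

// True only when the cookie string carries an explicit opt-in ("1").
function hasConsent(cookieString) {
  return cookieString.split(';')
    .map((pair) => pair.trim().split('='))
    .some(([name, value]) => name === CONSENT_COOKIE && value === '1');
}

// Decide what the page does on load: 'load-tags', 'prompt' or 'wait'.
// A refusal is kept in session storage only, so a visitor who has not
// opted in gets no persistent cookie, and tracking tags stay unloaded.
function consentAction(cookieString, session, now) {
  if (hasConsent(cookieString)) return 'load-tags';
  const declinedAt = Number(session.getItem(DECLINE_KEY));
  if (declinedAt && now - declinedAt < REPROMPT_AFTER_MS) return 'wait';
  return 'prompt';
}

// Called when the visitor dismisses the pop-up or keeps browsing without accepting.
function recordDecline(session, now) {
  session.setItem(DECLINE_KEY, String(now));
}

// Value to assign to document.cookie after a click on "Accept all cookies".
function acceptCookie() {
  return `${CONSENT_COOKIE}=1; Path=/; Max-Age=${MAX_AGE_S}; Secure; SameSite=Lax`;
}

// Opt-out mechanism: expire the consent cookie so the next load prompts again.
function withdrawCookie() {
  return `${CONSENT_COOKIE}=; Path=/; Max-Age=0; Secure; SameSite=Lax`;
}

// Constructed stand-in for window.sessionStorage so the example runs outside a browser.
function fakeSession() {
  const items = new Map();
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
  };
}
```

In a browser, pass document.cookie, window.sessionStorage and Date.now(), and inject the Marketo and Google tags only when the result is 'load-tags'.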

The best advice I can give you is to test and tweak your opt-in tactics for continuous improvement. You’re not alone in this, and the cookie paradox is just the tip of the iceberg. Much more will come to light when GDPR rules actually go into effect and we have real experiences to learn from. For more information on how Treasure Data can help you continue to unify your customer data in a GDPR world, download The GDPR Marketer’s Guide.

Get more info on GDPR in this on-demand webinar “GDPR: A Practical Guide for Marketers”.

Disclaimer: This article is not meant to provide legal advice. Consult with your own legal team and security officer for specific guidance on GDPR compliance.

Erik Archer Smith
Erik Archer Smith was a data-driven marketing and sales professional at Treasure Data with 10+ years experience helping companies scale during phases of hyper-growth. Erik got involved with tech early and built the first social media site in Japan using open source technology in the early 2000s. When not working, he enjoys spending time at the beach with his wife and dog, and obsessing over character-build stats in whatever RPG currently has him hooked.