Cookie consent in museums and theatres: 5 things we’ve learned
Using a cookie consent manager is no longer a matter of choice. As we explained in our intro to cookie consent it’s a legislative must (see PECR and GDPR), Google requires it in their T&Cs, and it’s how you do right by your website visitors.
If you’re completely new to cookies you should check out our Cookies 101: What cultural organisations need to know article.
Over the past couple of years, we’ve worked with organisations like the British Museum, National Portrait Gallery, Tate and the Victoria & Albert Museum on their cookie consent setups. We’ve learned a lot about how to go about it the right way.
Here are five of the lessons we’ve learned.
1. It’s a lot easier with Google Tag Manager
Google Tag Manager (GTM) makes it easier to manage the various bits of code that analytics and advertising tools want you to add to your website. It’s long since become a standard part of the digital marketing toolkit and, thankfully, most of the clients that we work with are using it on their websites.
It also makes it easier to work with cookie consent tools.
GTM does two useful things:
The cookie consent banner itself can be deployed via GTM (although if you find it appears too slowly then it might be better to add it to the page directly), and
GTM can check whether a user has opted into tracking before firing any analytics or advertising tags.
If you’re not using GTM and instead have tags and pixels (for Google Analytics, Meta, Google Ads, TikTok, and so on) embedded directly on your site, then proper handling of cookie consent can be complicated.
So if you’re using more than one or two analytics/advertising tools and you aren’t using GTM yet, then it’s worth getting started.
2. Don’t cut corners if you’re serious about digital marketing and user experience
The simplest way to go about cookie consent is to use a tool that will either load or block an entire GTM container (and therefore all tags inside it) depending on whether people opt to accept or reject cookies.
We don’t recommend this approach.
Firstly, by offering a stark choice between opting in or out, you’ll inevitably end up with a lot less data than you would if you offered a more granular choice. You’ll have a harder time knowing what’s working and what’s not. If you’re spending a lot of money on website development and digital ads then that’s not going to be great.
GDPR also stipulates that you should give people granular control over the data they’re providing. If your cookie consent tool is only able to allow or block all analytics and advertising tools then it’s not delivering full compliance. Although, to be fair, you’re unlikely to get any complaints about that.
Also, at some point you might want to use GTM to deploy tools that don’t involve cookies or tracking, such as pop-up surveys or notification banners. If you’re using a blanket ‘GTM on or off’ method then that won’t be possible.
Finally, not all advertising and analytics tags will live within Google Tag Manager (see point 5 below). We’ve seen some instances of people thinking that this quick fix is a complete solution when it’s not.
You’re unlikely to get into trouble with such a blunt approach, but we certainly don’t recommend it.
3. The design of the cookie consent pop-up matters
The cookie consent pop-up is the first thing that people will interact with when they come to your site. You should make that first impression count.
As a creative organisation, you could inject some personality into your cookie banner to make it more consistent with your brand, as long as the essential messaging remains clear.
Here’s an example of how you don’t want your banner to look…
Were you even able to see where you’d need to click on that thing?
Here’s a more creative example from Ecologi, whose messaging and design are clear and on-brand:
Contrary to what you might think, a cookie consent notification absolutely should not be subtle. Making it optional to engage with runs the risk of visitors ignoring it entirely, especially if it’s small and unobtrusive. This can have two knock-on effects:
Visitors might interact with the site without ever making a choice about cookies. This means they won’t be recorded at all.
if visitors only opt-in after visiting several pages, it’ll be too late to record their traffic source. This will result in a chunk of engaged traffic showing up in GA as ‘direct’ - which is equivalent to a big shrug.
The old mantra of “don’t make me think!” doesn’t apply to cookie consent. You have to stop people in their tracks and get them to make a decision, ideally upon first arrival.
Timing also matters when it comes to compliance. GTM tags should be set to fire only after someone sets their cookie preferences, not on initial page load. Some cookie consent managers force a reload of the page after a user sets their preferences, which will again result in traffic being unnecessarily attributed as ‘direct’.
4. Auto-block features should be handled with care
Some cookie consent tools come with smart ‘auto-block’ functionality. The idea is to make the cookie consent process easier for you by scanning and categorising your tags, before mapping them to your visitor’s preferences.
Although it sounds like an attractive option, in our experience auto-block isn’t 100% reliable and can have unintended consequences, requiring repeated testing to make sure it’s remaining compliant. This can take just as long as configuring the tags manually.
Given a choice between the two options, we recommend managing your tags manually so you know exactly what’s going on on your site.
5. Don’t forget cookies dropped by third-party embedded services
It’s not just the tags in Google Tag Manager that are dropping cookies. If you’re embedding any third-party media from YouTube, Soundcloud or Vimeo you could be overlooking another source of cookie-setting analytics and advertising tools.
Each of these will also use cookies (or similar) and will track users’ interactions with those embeds (counting views, listens, and so on). The complication is that you are still the responsible party because the visitor is primarily on your website, not YouTube’s.
Some services might have a privacy-enhanced mode, but don’t assume these solve the issue. YouTube’s privacy-enhanced ‘nocookie’ mode technically complies with regulations but it still stores data via other means, which might be against your visitors’ wishes.
How best, then, to serve up third-party media on your site? Your developers can make sure that multimedia content complies with your cookie consent approach. For example, by only loading embeds after cookie consent has been provided, either site-wide or on specific embeds. If the user opts out of all cookies on your site, then embeds should also be hidden and replaced with a holding image (and perhaps the option to opt-in to tracking).
How One Further can help
We’ve worked on cookie consent projects for some leading cultural organisations. We have lots of experience with Google Tag Manager and know the ins and outs of trusted cookie consent tools.
If you’d like a hand with this and would like to speak to our analytics and marketing experts, please do get in touch.