Cookie Consent Webinar

Learn what’s changing with cookie consent and how to stay compliant without sacrificing user experience or site performance.

• Internet Privacy History
• How Compliance Works
• Risks for Business and Organizations

00:00:00

Andrew Husted: I just wanted to welcome everybody. This is a really interesting topic today. Everybody talks about it. A lot of people don’t know what it means.

00:00:09

Andrew Husted: A lot of people don’t know where it came from. And so the whole idea of cookie privacy and what is required of us as we have content on the internet and we’re leveraging websites, we’re also leveraging data and we make decisions based on that. How to advertise, when to advertise. Are our results improving? are they declining? And how do we pivot? And so that data is a huge topic of conversation. We have people in the audience who are sophisticated from IT firms and will know a lot of this already. We have people who are from nonprofits and are just kind of looking to learn more about it. So I will try and speak to all of the different types of experiences we have today so that everybody can get something I think meaningful to take away. So I’m going to get us going. So today’s agenda we’re going to talk about really four main topics.

00:01:10

Andrew Husted: The first one is just a little bit of a history on internet privacy, where it came from, how it’s evolved, what the future may look like and things like that. And that sets the groundwork for this whole notion of tracking cookies. I’m sure many of us have heard of cookies. If you’re not a technology type person, you probably don’t know what a cookie actually is. So, we’ll kind of go into the background of what cookies are, different types of cookies, and how they work. And then now knowing then what cookies actually do for the internet, we’ll talk about how to actually be compliant with those cookies that we use on the websites that we all provide to our users. And then finally, just a little bit of like well if we don’t ever seriously consider cookie privacy and what that means for us, what really is on the table? What’s at risk? How does it affect our organization? and what do we have to be aware of?

00:02:08

Andrew Husted: So, on this call, hello, I’m Andrew Husted, owner and president CEO of FSM and I’ve been in the agency world a really long time. If I don’t know you, I’d love to connect. And many of you I see in the crowd I do know already. So, that’s great. But run an agency here, FSM, 25 people in downtown Akron. We provide marketing services to help our business and organizational partners grow. That’s what we do. You’ll also see on the call Amy. Go ahead, Amy. Amy Husted: Hey there, I’m Amy Husted. Andrew and I do happen to be married, but we own and operate FSM here together. And my experience is heavy in entrepreneurship. So, I make sure that FSM is running on all cylinders and that we are not just growing ourselves, but that we’re helping all of our clients grow and that we’re doing excellent work for them. Andrew Husted: All right, thanks Amy. So this meeting as a webinar format and I do encourage questions.

00:03:08

Andrew Husted: So as we go, if there’s like something that isn’t super clear or you have more questions, you want to dive deeper on a topic, here’s how you can do that in Google Meets. In the bottom right corner, you’ll see those like nine dots, kind of indicating settings. If you click on that, you’ll see an option for Q&A. And then if you kind of click into that Q&A option, you can ask a question, you can leave your name, you can leave it anonymous, whatever you’d like to do. That’ll feed it through to us and then we can kind of respond to those as they come in. So that’s how you can interact with us. Encourage you to use that as we go. But let’s get going. I’m going to try and keep it brief. The history of internet privacy. But it’s an interesting topic and it’s something that we really ought to know more about if we’re ever going to understand the landscape we’re dealing with today.

00:03:57

Andrew Husted: And so something that, you may or may not know about me, I like to when I’m giving presentations have AI assist with fun graphics. You’ll see those throughout. Here’s an example. But this is just kind of illustrating there have been a number of eras of cookie consent, internet privacy, what that means, and how it’s evolved. And so, we’ll talk through each of these eras really beginning with the 1980s kind of into the ’90s. Generally known as the wild west of data. Really nobody knew what data was going to be collected on the internet. The internet was so new that the use cases were still getting ironed out. Nobody knew any of the dangers or complexities that would come along with collecting massive amounts of user data, who is visiting websites, what order they’re visiting them in, what content they’re seeing, and all that type of stuff. It had many implications that we just weren’t aware of. But in 1995, the European Union kind of took a look at this and was like, we need to get ahead of it.

00:04:58

Andrew Husted: We need to start thinking about the implications of having all of this data out there with no control mechanisms in place that anybody could use any way they see fit. And there should be some constraints on that. So what they did was in 1995 established a directive, the EU data protective directive. Key word there is directive. At this point it wasn’t a law. It was just a guideline. But it made some kind of just general best practices for how to handle data such as principles for how to request consent, how to minimize data, like don’t collect stuff you don’t need, make sure it has a purpose, just those kinds of general things. But yeah, it wasn’t a law. It was a directive. So a lot of people looked at it and said okay that’s fine but I’m not going to implement that. But then as the internet grew up really we started to kind of create this world known as big data which wasn’t a thing before but now suddenly becomes possible because of businesses like Google, Facebook, Amazon all of the sudden across many different devices are collecting massive amounts of behavioral data that just kind of as the world evolves went way beyond what the 1995 directive could have even predicted.

00:06:17

Andrew Husted: And so the really the rise of advertising, kind of relying on what’s called third-party cookies. Get more into those in a little bit. It’s just it kind of built this world based on just having these these third-party organizations knowing about where you went, even if you didn’t interact with their content in any way. So, that’s kind of just became this weird thing . all of a sudden all of these other businesses have insight into what we’ve done even though we’ve never interacted with them in a meaningful way. So, it’s becoming difficult now and kind of a real situation that needs to be addressed. So, European Union had their 1995 directive and they said, “Okay, we need to actually step back, evolve this thing and actually really start to ratchet out what compliance with privacy laws really mean and what privacy even should be.” And so they spent about four years this European Commission devoted to building these privacy rules spent four years and finally adopted it in April 2016. The whole thing was meant to replace that 1995 directive.

00:07:29

Andrew Husted: They wanted to give individuals the capability to decide what data was and was not shared with other people on the internet. They wanted to make consistent through the whole European Union nations just make consistent these rules. So there’s not that you don’t get into this like well it applies here it doesn’t apply there it doesn’t apply there. They just kind of wanted to unify it to the best that they could control being Europe and all the countries that are a part of that. And so that came into play and started being enforced May 25th 2018. That’s really when everything changed. I remember we were on a trip in Italy at the time and as soon as I started pulling up websites on my phone, every single website had this thing that I had to read through and then accept at the bottom. From the simplest websites from a little bistro or a coffee shop to business websites, everything was suddenly requiring this weird notification of privacy stuff that really never seen before.

00:08:34

Andrew Husted: So that’s where this came from. I’m sure you’ve all experienced it. That popup that says we collect cookies. Here’s information about what we collect. Do I want to continue or not? Was part of what was required for this new law which was known as GDPR for short. GDPR may be a phrase you’re familiar with. But that’s really what came out of this. One of the things that came along with it really that popup letting people choose the access to different points of data that people could collect. We could choose through that decide for ourselves but also some other things that are really helpful too like if there’s a data breach required by law to notify those people within 72 hours. And that’s just an example of the dangers of collecting big data. If somebody gets a hold of that data who shouldn’t have it, it’s important that people know that. It could be everything from behavioral data to credit card data, things like that.

00:09:34

Andrew Husted: And then it also implemented huge potential fines up to 4% of the business’s global annual revenue, which could be a very high figure. So that went into place and then everybody else in the world started to pay attention. It didn’t just change Europe, it started to change the rest of the world as well. It inspired new laws, CCPA, which was released in California, LGPD, Brazil, PIPEDA, Canada, and others. A lot of folks were like, okay, this is becoming a thing. Europe’s keeping this really hard and fast. That’s where everything’s trending. We should follow along. And so it’s been slowly released to different countries. They all have their own laws that kind of define all of this and they are all nearly a copy and paste of what GDPR put together from the European Union. They were not really inventing anything new. They’re just following along with what was put in place by the EU. Here’s just a quick example that kind of shows how everything started in the EU and it’s very quickly branching out to all areas of the internet.

00:10:42

Andrew Husted: Seeing it everywhere from Australian and New Zealand and China and South Africa Brazil like it’s being rolled out everywhere. Then something I want to point out as the world follows behind skip through this because not everybody cares about the history in this level of detail. But pertains mostly to us since 2023 Oregon, Texas, Delaware, Montana, Tennessee, Florida, and Iowa have all adopted their own rules around cookie privacy compliance. It’s not just something that’s happening out there in the rest of the world. Something that’s very applicable to what’s happening in the United States as well. All right. Something that we want to think about is it’s branching out really quickly. Is there any projections out there for when maybe everywhere may be affected by this? Many of us on this call are based in Ohio. Ohio was not on that list. So what does that mean for us?

00:11:45

Andrew Husted: Projections are showing that right now while obviously most of the internet a large portion of the internet requires this already but it’s really projecting by really the end of 2027 for serious businesses who have a serious online presence it will be functionally unavoidable. You’ll basically have to have this. We’ll get into what functionally unavoidable means from a marketing and analytics perspective that those businesses would rely on. And then it’s anticipated to by the latest 2030 to be affected pretty much globally that it’ll have been adopted by enough places that you just have to participate in privacy compliance. All right, that’s the history. That’s how we got to where we are. I want to talk a little bit about tracking cookies because really cookies is what this is all about. A lot of us don’t know what those are but cookies can track things but what is tracked? What kind of different flavors do these cookies come in? AI kind of put together this little description for us here.

00:12:50

Andrew Husted: You can see that there are different purposes here. We have a session cookie. Looks like it showed up for a party. So it’s there to hang out. We have a tracking cookie there with a Sherlock Holmes hat on and trying to uncover some kind of mystery that’s going on and follow the lead. And then advertising, they’re shouting out their message. They’re trying to get everybody to notice them. There are different types of cookies. They have different purposes, but technically, what are cookies? Cookies are a small text file. It’s as simple as that. It’s stored on your own internet browser when you view a website. Websites when you load them, part of what you’re downloading amongst images and the website code and things like that are cookie files that are required by that website for interactivity from you. It’s really just a text file. They get stored up on your browser.

00:13:44

Andrew Husted: They can be cleared out and removed. There are ways to do that. But within those cookies, they contain bits of data. They might contain login info. They might contain preferences that you’ve selected. They might contain various different tracking IDs that the websites you’re visiting and others will use to remember you and your activity. Okay. The cookie privacy laws have established a number of different types of cookies. We’ll walk through these briefly. Number one, strictly necessary cookies. These are cookies you have to have. Number two, functional cookies. They are useful for getting things done on a website. Number three, performance and analytics. Kind of what’s happening on our website and how are we watching that? And then finally, marketing. How are we using this data to advertise our product or our services etc to others throughout the internet? And this list continues to grow.

00:14:46

Andrew Husted: It seems like every several years there’s more and more refinement that goes into this and a large part of becoming compliant which we’ll get to is cataloging the cookies that we use assigning them to the appropriate category and putting them into our preference window. Just a little bit about strictly necessary, this is really core website functionality. So, if you log into a website, you need a cookie to remember that you’ve actually authenticated with that website and that you’re allowed to see logged in content. So, a cookie is what helps you do that. It’s necessary. You’re not able to use the website if you can’t log into it. So, that would be considered strictly necessary. Sometimes there are cookies for security, network management, accessibility, things like that. Some of the IT folks on the call that may ring more true to them, but like cookies are required for just making sure that you’re a legit browser. You’re not some kind of bot.

00:15:48

Andrew Husted: You don’t have ill intent. You’re not trying to collect certain things. So it’s actually validating you and keeping the website secure. Anyway, those are strictly necessary cookies. Basically you don’t need to ask for consent for those. That’s like table stakes. Like if you want to use the website, this is like basic functionality that makes that possible. And so you don’t as a user get to choose whether or not you accept those, but there’s nothing dangerous about that because that’s not collecting any information about you. Next up, we start to get into the optional types of cookies. The first one being functional cookies. Sometimes they’re called preference cookies. Preference makes it easier to remember because really it’s things you’ve selected on the website that you want the website to remember about you. So it could be multi-language websites. I’ve selected a particular language and when I come back to it the next time I wanted to use that language first.

00:16:42

Andrew Husted: It could be a region you’ve come from. So, maybe you’re doing some online shopping and your targets are showing up nearby and you go to the Target website and it’s like, “Oh, let’s get your location”. So, we can give you the information for the nearest target. That’s an example of a preference cookie is that user location option. And so what’s required for these, consent is required. Basically, it’s not essential for core functionality. So we do have to say provide consent in those areas where it applies, those geographic areas where the laws apply. And so that one starts to get into the realm of we’re watching what you do and keeping track of what you’re doing. Next up, performance and analytics cookies. Sometimes called statistics cookies. This is collecting data, anonymous data but still data that helps people who manage kind of the marketing efforts behind a website understand what pages are people going to how long do they spend on a page?

00:17:47

Andrew Husted: What are the trends and navigation? Are people going where I want them to go on my website? So some examples of those types of things, Google Analytics, Microsoft Clarity would be one . kind of tracks not just data but like a visual representation of somebody’s scrolling through a website what they click on. Adobe Analytics as kind of a more enterprise level Google Analytics requires a lot of additional configuration but a lot more insight into certain things and feeds directly as Google and Adobe might indicate feeds directly into their own marketing platforms then which feeds marketing cookies. Of course, analytics cookies, we need to require consent. These targeting and advertising marketing cookies are probably the ones that everyone’s most concerned about. Because what this does is tracks not just anonymous user behavior, but it tracks users across different websites in order to deliver targeted ads and measure campaign effectiveness. So, we’re watching maybe they come to our website and then we’re going to watch where they go from there.

00:18:53

Andrew Husted: And that’s a little bit concerning. This requires explicit opt-in. Like you have to opt in, not just like, oh, I accept all cookies, but no. Like I opt in and I want to have these cookies. That’s what the GDPR law states. For these ones in particular. Some examples might be Facebook tracking pixel. So Facebook ads use that. And it uses kind of a collection of all of the internet’s placements of Facebook pixels so that Facebook can understand you really well. And you may have never gone to Facebook before. But yet Facebook’s going to know a lot about you and can advertise to you because of its tracking pixels. LinkedIn similarly, and then Google ads as well. That’s one of the most well-known ones. I’ve talked a little bit about cookies that are kind of essential to a single website, but then cookies that are broadly applicable to many websites.

00:19:54

Andrew Husted: The first group’s called first party. So those are basically just think of those as friendly helper cookies. They’re created by the site you’re visiting. So when you go to fsm. FSM. may create a cookie that only exists on that website . it doesn’t affect anything else that’s a browsing pattern of view and may remember certain things about that site experience. The ones we’re concerned about are the third-party cookies. Think of those as the nosy visitors. So, you may go to a website and there’s a ad network. You’re being tracked on some social media thing. There’s all kinds of different analytics businesses that are grabbing your data and adding it to their data sets. Businesses you’ve never even heard of and then they’re taking that information and they’re using that to advertise to you. And so that’s really what the European Union was trying to focus on. Keeping that in check. So just some details here.

00:20:53

Andrew Husted: First party cookies main differentiator it’s set by the website you’re visiting on. Third party cookies you go to a website but a cookie is given to you by somebody else that you’ve never visited or experienced. And so that’s kind of what third-party cookies are. So that’s what cookies are. Let’s talk a little bit about cookie privacy compliance and how that works. We have a nice infographic here that is way over complicated. So don’t get too lost in this. We’ll go through step by step kind of what all of these things mean. But the whole process to implement cookie privacy looks like this . you have to have the ability to have consent rules. So that would be that popup when you visit the website and then how do I want to provide consent? Do I need to check boxes? What options do I have? Do I accept all? Do I have to choose which types of cookies and then accept those?

00:21:52

Andrew Husted: Like all of that gets configured in that window. Secondly, we’ll talk about in more detail, but there’s this thing called Google consent mode. Essentially when people are opting out of accepting your cookies, if done incorrectly, you lose all of that data as a marketer, which, if it’s anonymous, harmless data to an individual user, you want to avoid because you want to be able to have that. That way, you can make smart decisions about your website. Google consent mode helps fill in those gaps. So if people opt out, Google can then help still get an insight into traffic patterns happening on your website without invading anybody’s privacy, which is nice. Third, got to have a privacy policy. So this is like a terms and conditions or etc. It’s a policy on your website. It’s legal language and it has to describe how you as an organization have provided these different cookies, what cookies are available, what your rules are around those cookies.

00:22:59

Andrew Husted: And then that way people know what to expect. And there’s kind of rules set in place that you follow and how you treat cookies on your website. We have to do a data map or a cookie inventory. So we have to see all the cookies going on in the website . we have to categorize those to all those different types that we just talked about. Make sure they’re all in their proper home. That way the cookie privacy window and Google consent mode know what those cookies are and what they’re used for. And then you have to protect and minimize data. And there are certain things that have to be followed to make sure you’re not collecting more data than you need to. You want to collect just the right amount of data that’s helpful to what your goals are. But also not keep data longer than is necessary as well. Okay.

00:24:02

Andrew Husted: The first part of this to go in a little bit more detail this is that popup we call these our cookie consent rules or something that you should be familiar with is the term CMP or consent management platform. There are a lot of different services out there that provide this kind of interactivity as a service that gets installed into your website, manages all those different settings that people can select when they’re just deciding how they want to interact with privacy and their own information on your website. And it gives you just a lot of options, granular choices. There’s a lot you can do. We’ve chosen this platform called Cookie Yes. So if you want to look that up on your own time, feel free to go to cookieyes.com. It’s one of the top performers in the space. It’s one of the easiest to work with. You have the most control over it. You can make it fit the experience you’re really going for without making it too much or too little. It’s just really flexible. Not only that, it works really well with WordPress.

00:25:03

Andrew Husted: Make some of those things really, really easy. It’ll automatically scan and detect and do some categorization of cookies that are found on your website . it unfortunately doesn’t know all of the cookies because there are millions and millions of different types of cookies out there, but it knows a lot of them and it can identify those and do a lot of the initial categorization for those. It’s fully customizable. You can make it look like your brand, so it’s not going to look like this random thing stuck on your website. Gives you a lot of granular consent. It pre-blocks certain things before it loads up, which is really useful to stay compliant. It’ll also make a cookie policy. So, because it has an understanding for the different cookies and how they’ve been categorized, it builds that into a privacy policy and keeps track of that dynamically. So as cookies are added, as this Cookie Yes is maintained, the policy adapts to the cookies being used, which is really useful, a huge timesaver.

00:26:05

Andrew Husted: Takes the cookie inventory, like we said. It also has consent logs and proof of compliance. This is useful if there’s ever a litigation going on or there’s some kind of legal risk happening with your business. You can actually go back and say was consent given or not in certain situations. So that’s like well, you know, we have logs of this consent and we can prove that we’re doing what’s required and accepting the consent in certain ways for our visitors. That’s really helpful legally, but also proof of compliance. So it can be relied on to say hey no we are compliant, we have this thing in place it’s showing compliant so therefore we’re compliant and then the final benefit of this is that it has multi-region law coverage built into it. So as we saw all those different areas have their own laws in place and some have none and so for us in Ohio, we don’t have those strict requirements.

00:27:10

Andrew Husted: So, we may not want to have a huge banner with all of these granular options to let people choose what kind of privacy they want or don’t want. Maybe we just want to notify them. We use cookies and they can just close the box. That’s really all we’re required to do. So, it’ll detect where we’re coming from, what laws apply to us as a user based on where we live and then apply the appropriate level of preferences and interface that’s required by the laws in that person’s territory, which is a very complicated structure, but it makes it very simple for us to leverage. So there’s a lot that goes into that. Just a little bit of a preview of what that can look like. Here’s just an example of Cookie Yes. It’s very clean. It’s very direct. It tries to not be overbearing. So some of these tools we’ve been looking at are just really ugly. They aren’t customizable. They look kind of offensive on your website.

00:28:13

Andrew Husted: Fortunately, this isn’t one of them. Mentioned too about the requirement to protect and minimize data. So, I just want to talk about that aspect of this a little bit more. So there’s if you’re storing any personal data there are rules around how that needs to be handled. For the majority of us that’s going to be in terms of really just form submissions. There may be a lot of others if you have more sophisticated websites that have more that’s required of your customers or logged in portals and things like that. There may be a lot more personal data that you need to worry about. For the most of us with just a simple brochure or marketing website, really the data you’re collecting is going to be a form submission. So, somebody wants to do business with you, they fill out their name, company, their phone number, maybe an address or zip code, and then why they want to, you know, why they’re reaching out. That gets entered into a form.

00:29:10

Andrew Husted: It gets saved in a database on your website. And basically the privacy rules are saying, well, once you’ve followed up with them, you really don’t need that anymore. Like you’ve maybe they went into a CRM. You don’t need to hold on to all of that history of people who have filled forms out on your website. It’s not relevant anymore. So fortunately in a situation like that, the tool we use, Gravity Forms for many of the websites we work with, lets you kind of set rules within it for how long you want to keep that information. So, that needs to be configured to make sure that gets cleaned out on a regular basis to stay compliant so that we’re not holding on to data longer than is necessary. Wanted to talk about Google consent mode in more detail as well because this part’s really really key to kind of preserving privacy while at the same time not hamstringing any marketing efforts. So, Google’s been working really hard on this problem because obviously it can dramatically affect its ability to provide advertisements and generate revenue the way it’s been doing that for the last 20 years.

00:30:19

Andrew Husted: So it developed this thing called Google consent mode. Essentially it’s Google’s framework that allows websites to respect user privacy choices while still enabling measurement and ad optimization even if users decline cookies. It uses different methods to do that that are not tracking user data that is not anonymized. So consent mode really says we’re going to use this to enforce privacy expectations. So when you go through this kind of method to get to privacy it’s an additional level layer of enforcement. And so it’s also going to preserve the ecosystem of performance. What I mean by that is you have this kind of history of data that you’re probably used to looking at on your website. You’ve used to looking at it in a certain way. Previously, when cookie policy was enabled, half your data goes away because studies show 40-ish% of people decline cookies when they come to your website. So suddenly you’re looking at a smaller portion of the data.

00:31:31

Andrew Husted: This helps keep that data more full. And it leverages advertising spend. So if you’re doing Google ads, if you’re doing meta ads and things like that, Google will then actually say, “Oh, you’re respecting people’s privacy. I’m going to make sure that your ads are served more efficiently”. So there’s actually a benefit on the ads side to using Google consent mode. All of this in an effort to kind of twist the arm of the internet and force us all to think more about privacy. So, there’s bonuses in there from Google. If you do that effectively using their Google consent mode, you actually get a little bit more of a lift on some of your efforts. So, here’s an infographic. You can look at this on your own time. We’ll send this over afterwards. But really the thing to take away here is whether a user gives you access to their cookies or deny access to your cookies it will still kind of feed the data through to the various platforms like analytics, Google ads and so on.

00:32:37

Andrew Husted: Because it uses a modeling method and that’s the key differentiator. So, if they decline the cookies on your website for tracking purposes, what Google does then is says, “Okay, I recognize they declined. I’m going to use this in a more of an algorithmic model as opposed to directly watching that person”. So, it looks for trends and it looks for tendencies and it starts to see where things go and then it uses the algorithms and AI to represent where all of those things ended up. And so the data looks very similar because it can model it very accurately on what it would have tracked had you tracked users individually. So that’s in a nutshell kind of how it works. Without getting too far into the weeds. So I wanted to remind us all we’re talking about data data privacy and it’s very complicated. There’s all these steps involved and there’s all these laws etc etc. But I want to remind everybody that data privacy is actually a good thing.

00:33:40

Andrew Husted: It’s good that Google’s kind of forcing us twisting arm a little bit to kind of fall in line and do this. It’s good that states in the United States are slowly adopting much more quickly now adopting the GDPR rules for themselves. Because the internet’s evolving very quickly, particularly now with AI and so we just want to make sure that we have proper governance on how that data is handled for now but also into the future. And really we want people to trust us as well. It’s important for people to feel like we are respectful of the information that is kind of like could be out there on the internet and be transparent about how we interact with them. So data privacy is a good thing. It can be used when not back in the wild west could be used for some nefarious purposes. So it’s it’s really good that we have these rules kind of coming along to help prevent a lot of that from happening.

00:34:39

Andrew Husted: All right. Risks of non-compliance. Four things there’s actually there you can imagine there are many different risks involved in this. I’m trying to boil it down to just a few simple takeaways. If you don’t do compliance correctly, you can have digital marketing platform degradation. So if you’re doing advertising out there, it can actually decline in performance. You risk jurisdiction creep from non-geographic users. Little more on that a little bit later, but essentially the law requires that wherever you live, that is the law that applies, not the website you’re viewing. So if we’re in Ohio, and the laws don’t apply here in Ohio, they don’t apply to us when we view websites in California, but applies to Californians when they view websites in Ohio. There are litigation risks. Talked about that, but that’s a trend that’s growing as we’ll see. And then there’s failure to future proof. And I’ll let you know what I mean by that in a little bit.

00:35:41

Andrew Husted: I mentioned just a few minutes ago that about 40% of users decline cookies when they are given the option. If you’re implementing this incorrectly, if you’re not using Cookie Yes, that works in tandem with Google consent mode, you’ll lose 40% of all of your data. And configuring those two things is very, very important to make sure that that data is maintained. So, if you just kind of like install cookies on your own and you hit, you know, run compliance, just kind of installing and running that by itself isn’t going to get you there. And it’s also going to leave these huge gaps on the data collection side where you’re not being able to see everything, all the the impact that your marketing efforts are having on website traffic like you could before. And so there’s a lot that goes into that. But that’s kind of an important one. And I think that one’s pretty obvious. A little bit more about jurisdiction creep. When it comes to the regulation of that, kind of like I said, it’s all about where you are coming from and the rules that apply to you where you live in the location you’re coming from.

00:36:51

Andrew Husted: So, you don’t have to have a local office in California to have to comply with California CCPA rules. You just have to be a Californian or accessing the internet from California. You don’t have to have servers in that area. You don’t have to have data physically stored in that location. You don’t even have to advertise there. It could be an area you don’t even do business with. But if those people start coming to your website just to check out content you have, suddenly you have to comply with what’s required in their location. So, that’s something to consider. On the litigation side, here are some quick graphs that I grabbed from enforcementtracker.com. The one on the left is showing the rise from really when GDPR went in place in 2018 through January 2026, the increase in litigation costs in billions of euros.

00:37:55

Andrew Husted: So a lot of lawyers are taking note of this. They’re seeing a lot of exposure and a lot of people aren’t taking the right steps to mitigate this because they don’t understand it. And so they’re able to take advantage of that by having class action lawsuits and those are amounting to billions of euros right now. But as we can imagine globally much more than that. Then on the right hand side we have the total number of cases and this is specific just to the EU right now. But I just wanted to illustrate that that is sharply increasing as time goes on from the 2018 all the way through now. So definitely something to keep note of. We actually have some clients who have had kind of issues with this and things are showing up and suddenly their legal team has to get involved and it’s definitely easier to avoid it and comply than to have to kind of backpedal, deal with that situation then at the same time become compliant.

00:38:56

Andrew Husted: And then there’s the final piece here, failure to futureproof. I mentioned AI before. AI is changing everything . it’s changing everything about how people interact with the internet. It’s changing everything about information on the internet and how that’s handled which is particularly important for this topic because AI is now this unfettered understanding of pretty much all data on the internet. And there’s very very little regulation in place right now. But we know that regulation will come in the future. And so what Google consent mode does by getting kind of onto their platform, we can kind of then rely on this future proofing being implemented into Google consent mode on our behalf. So as rules come out with AI and limitations are placed on how AI’s data can be used, can it be used for model training? Can it be used for decision-making? Can it be reused beyond how it was intended? Once those things get figured out, Google consent mode will adopt that.

00:39:50

Andrew Husted: And if we’re already using Google consent mode, we’re adopting it, too. And so it helps us in the future as these laws change, evolve, adapt, remain compliant, even though those are changing. So, what’s the recipe for baking better cookies? How can we handle cookies better on our websites? Happy little image here . people are so excited to have the proper cookies on the devices they’re viewing the internet from. Just wanted to talk a little bit about really our services here because FSM can help come alongside you and implement cookie consent and make sure you’re compliant with all of these different rules. We’ve put together a service that really helps you achieve that. The first part of this service is a setup phase. And so basically we have to get it all installed. We have to purchase Cookie Yes as a software implement that on your website. We have to run an initial audit that identifies all the locations of cookies, which cookies are used, what issues are there right now with data such as do we have those form fill data components?

00:41:10

Andrew Husted: Is that being cleared out regular basis? We have to look at all of that, see what we’re dealing with. Then we have to implement Google consent mode. That’s that key piece to keep us future proof that integrates with cookie. Those two things we configure to work together. Through doing that we’ll have categorized your cookie inventory. So the websites we’ve been working on so far have anywhere from 10 to 150 cookies . it can become very very complex. But you have to go through identify what those cookies are used for and categorize them properly. Because that has to influence then the privacy policy page. We have to know what cookies are available in order to inform the public about what we’re doing with those cookies and why we have them. And then configure the geographic rules. That part’s really important. That way we’re adjusting the experience in the best way possible.

00:42:11

Andrew Husted: If we’re in Ohio and they’re come traffic’s coming from Ohio, very little disruption in their experience related to privacy. If somebody’s coming from Europe to our website, it’ll change the experience dynamically and make sure that all of the components are required from Europeans expectations. And then there’s an ongoing service component to this as well. So our web team will actually take a look at the cookie setup on a monthly basis, rerun an audit and ensure proof of compliance on a monthly basis. So if you happen to be like a high-risk business, this will be like really useful to you, especially if you’re a global business. We want to mitigate that risk as much as possible on the litigation side. So, our team will be in there rerunning that audit and automatically just on a monthly basis resolving any issues that may be cropping up. And so maybe there’s a new tracking code that went in place. There’s a new plug-in that was installed. There’s something that was added to the website that suddenly all these new cookies are in place that we were blind to before. We’ll resolve all of those on a monthly basis pretty much up to one hour of work or less just automatically.

00:43:14

Andrew Husted: Sometimes there might be a situation where there’s like a huge new piece of functionality released that has like all kinds of cookies that need to be then recategorized and an analyzed. And so there might be a little bit more to it. So if there is more to it, we’ll definitely work with you on kind of what that looks like to bring along that and get it compliant as well. And so I want to show you what the pricing looks like. A lot of this is based on cookie. They have their own various sizes of platforms and that it comes in the form of basic pro and ultimate and it’s based on your site size. Generally speaking, smaller sites, there’s less going on. There are fewer cookies to worry about. There’s less from an audit perspective that has to be considered. Medium-sized websites on the pro plan, there’s probably a bit more . you’re probably leveraging your website at that level to provide really useful information to your audience.

00:44:11

Andrew Husted: So, it’s an active website. You’re publishing content. Perhaps it’s an e-commerce store and you’re placing orders and there’s a lot going on. It’s not just like a hey, get some info and learn about us and maybe reach out. It’s like no, this is like a tool people use. Then ultimate is probably for those bigger websites that are more for I would say global companies or at a minimum national companies that perhaps have multiple like departments within their organization that have multiple goals they’re trying to meet. There might be different stakeholders that are using different tools within the website and they each have their own tracking because they want to find out what’s going on in their various areas of the website. And so those ones are much much more complicated because unpacking what all those cookies are, what departments using it, why do they need it, what are the marketing efforts that they’re running from that is much more time consuming. So you can kind of see there’s a bit of a scale here in the fees just for that initial setup.

00:45:11

Andrew Husted: Basic it’s much more straightforward for smaller websites . the fee is a little bit lower and then that increases depending on the number of pages and therefore the implied complexity of the problem that we’re working with and what’s at stake as well. Bigger companies have a lot more at risk because if you remember up to 4% of their global annual revenue could be on the line if this isn’t. So there’s just a lot more risk associated with that. And then the monthly fee, what this does is that pays for the the regular updates and audits to make sure you stay compliant, but also pays for the cookies software as well, which scales in price according to how many pages your website has. So that starts at $50. I’ll note for basic websites, we’re only going to take a look quarterly. So once every three months because generally they’re not as active of websites. There’s not a lot going on. The risk is much lower. So quarterly monitoring is much more applicable there.

00:46:10

Andrew Husted: Pro and ultimate we’d be taking a look every single month. The difference between those two of course is how much there is to look at for each of us. Ultimate will have a lot more. So really encourage you to take advantage of these whether you’re required to because you do business and you have a lot of traffic coming from Europe or from California or various states outside of Ohio . definitely something you want to think about taking advantage of and I can tell you that this is where everything is going. Like we saw by 2030 it’s going to be the expectation that all websites kind of follow along in this. And so I just kind of want to land with I’m not really like a risk guy like I’m not going to try and scare tactic anybody. I don’t want to say you’re just going to get fined tomorrow so sign up for this now. I don’t think that’s true.

00:47:16

Andrew Husted: I do think the chances are increasing as time goes on. But I think the real reason to do this is because truthfully, the internet assumes you already have it. The expectations have been set. Google is expecting these things to be in place. Remember, they’re twisting our arm a little bit to get us to follow suit. And it’s going to want us more and more to comply with data privacy. And of course being the powerhouse that Google is, so many marketing efforts flow through its channels. It gets to run the show . since it’s assuming that we’re already following along, we should probably catch up and actually get there. Because our website will be a lot better for it and our users will actually have a really secure experience when they interact with us. So, that’s all I had. I know that was a ton of information . beginning with the history through technical things like cookies and security and all kinds of things. Amy, did we get any questions as I went through? Is there anything I can answer or does anybody have some now that they might want to ask?

Amy Husted: We haven’t had any questions come through at this point.

Andrew Husted: Yeah.

Amy Husted: But we can linger and stay on here a bit if anybody does have those questions.

Andrew Husted: I’ll give it 30 seconds to a minute and see if any questions come in. But if you’re not going to wait around for the questions I thanks for joining us today. It’s really important topic. I hope you had something that is a significant takeaway for you. And if you have any questions, feel free to reach out to FSM. We’d love to talk through that and see how we can help kind of get you into a state of compliance. But thanks again. Really enjoyed having this conversation and again hope it was valuable.