We’ve all seen The Matrix, right? Is it even legal to build websites without first watching The Matrix?
If you haven’t, shame on you. But to catch you up: there’s this seemingly sweet old lady inside the Matrix known as the Oracle. She knows everything about everyone. What they’ve been doing, what they’re currently doing. What they will do. Their patterns, habits, choices, and whether anyone left something in their online shopping cart (probably). She is also always making cookies and making people eat them.
Sure, she always asks it with a question mark at the end, but how can you say no to that sweet smile and a tray forced into your face? There’s no real choice there.
As a kid, I thought the Oracle was just a nice grandmotherly figure. I never really knew how she knew so much… until I got a job in privacy.
Now I see the scene like this:
So THAT’S how she knows so much!
Spoiler: her behavior didn’t go unnoticed by the men in suits:
There are a lot of Oracle Agencies out there… they just don’t realize it
We are lucky enough to have over 10,000 web agencies sign up for our partner program. Agencies are truly the lifeblood that makes Termageddon possible. You all are great!
That being said, we see a bunch of web designers wanting to set “functional” and “marketing” cookies to “accepted by default.” And they don’t tend to like it when we respond with “no.” Every. Single. Time.
This blog is not legal advice, btw.
We hear questions like these all the time:
“But marketing cookies are essential for the business to grow and expand.”
“Functional cookies make the site more convenient to use.”
“If video embeds break without them, doesn’t that make them essential?”
“Everyone expects analytics. Isn’t that implied consent?”
From a design or business perspective, those arguments feel logical. From a legal perspective, they are completely irrelevant (kind of like that weird Frenchman from The Matrix Reloaded… still not sure what that arc was all about).
Speaking of language. We’ve found that a lot of the confusion comes from the word “essential.”
“Essential” does not mean “Useful”
In the privacy law world, the word “essential” is pretty specific across most laws. From an agency’s point of view, it may be helpful to first talk about what it is not.
It does not mean:
- Helpful
- Best practice
- Industry standard
- Expected by marketing people (we’re the worst)
- Important for conversions
- Makes the dashboard look nicer
- Makes the logo the right amount of big
“Essential” means one thing and one thing only: The website cannot function without it for the user. Not the business. Not the agency.
The user.
We always talk about how privacy laws are for protecting people, not businesses, to explain why a California law applies to a person in Tennessee or Canada – but we always forget to use this same explanation when explaining seemingly random cookie rules.
But don’t just take our word for it. There are currently five different privacy laws that specifically say marketing and functional cookies are not essential (and should not be accepted by default):
- GDPR
- UK DPA
- CIPA
- PIPEDA
- Quebec Law 25
So let’s look at marketing cookies and functional cookies separately and explain in more detail why they should be off by default.
Why marketing cookies should not be accepted by default
Marketing or advertising cookies exist to track users across sites, build profiles, retarget ads, and measure campaigns.
They are very valuable for businesses making certain business decisions, but they are also not essential for a website to run smoothly for the user.
A user can read a blog, fill out a form, buy a product, or book a service without being tracked for advertising purposes. Because of that, every major privacy law requires explicit, affirmative consent before marketing cookies are set.
That means:
- No pre-checked boxes
- No “already on” toggles
- No firing before the user clicks “accept”
This one makes sense for most agencies. We’ve all been hounded by creepy sidebar ads because we looked at furniture once. It’s the functional cookies that throw people off.
Why functional cookies should not be accepted by default
We’re back to the language thing again. Functional cookies sound essential. They improve the experience. They remember user preferences. They make things more convenient.
BUT they still aren’t necessary. For example, functional cookies are commonly used to:
- Remember language preferences
- Enable embedded tools (videos or maps)
- Power chat widgets
- Save UI choices
While a user may want to accept these cookies for the sake of convenience, they still aren’t essential for that user to navigate and use the website. Therefore, consent is still required before any functional cookies are fired.
Why “Accepted by Default” Breaks Consent
This is the point of the conversation where agencies will sometimes say something like:
But users have the option to turn these cookies off whenever they want. See the toggle right there? By not clicking that toggle, they are giving their consent… right?
That is an Oracle mindset for sure. Because, yes, the green-hued guests of the Matrix can always say no to receiving the cookie. However, the Oracle grabs the tray, walks up to the person, lifts it right under their nose, and says ‘have a cookie, you’ll feel right as rain.’ I mean, come on! Right as rain? That sounds lovely! Not sure what it means, but lovely!
That’s a whole lot of factors that many privacy laws would consider to be forcing or swaying someone into consent. It requires the guest to take extra steps to say no. They have to back up, put a hand up, and come up with an excuse as to why they are going to break an old lady’s heart.
If the Oracle wanted to be more GDPR compliant, she’d leave the cookies next to the oven, remain seated, point to where they are, and let guests know what kind of cookies are over there. That’s it. Leave it up to the guest to take the extra step or two to accept one (or all if you have a weakness for 10-minute bake cookies as I do).
I had way too much fun with that analogy.
In short, consent must be:
- Freely given
- Informed
- Unambiguous
- A real choice
When marketing or functional cookies are pre-selected, the choice has already been made for the user. From a legal perspective, it’s no better than only offering an “Accept All” option.
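To make "no pre-checked boxes" and "no firing before the user clicks accept" concrete, here is an added sketch (not Termageddon's code or any real consent tool's API; every name in it is hypothetical) of a default-deny gate that holds functional and marketing tags until the visitor opts in, plus a check that flags a banner config with non-essential categories pre-selected.

```javascript
// Added example; every name here is hypothetical, not a real consent tool's API.
const CATEGORIES = ["essential", "functional", "marketing"];

// Return the non-essential categories a banner config pre-selects.
function auditDefaults(bannerDefaults) {
  return CATEGORIES.filter((c) => c !== "essential" && bannerDefaults[c] === true);
}

function createConsentGate() {
  const granted = new Set(["essential"]); // the only category on at page load
  const pending = []; // tags held back until their category is granted
  const fired = [];   // names of tags that have run, in order

  const check = (category) => {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  };
  const run = (tag) => { fired.push(tag.name); tag.load(); };

  return {
    // Register a tag loader; it runs immediately only if its category is granted.
    register(name, category, load) {
      check(category);
      const tag = { name, category, load };
      if (granted.has(category)) run(tag);
      else pending.push(tag);
    },
    // Call only from the visitor's own click handler, never at page load.
    grant(category) {
      check(category);
      granted.add(category);
      const ready = pending.filter((t) => t.category === category);
      for (const t of ready) pending.splice(pending.indexOf(t), 1);
      ready.forEach(run);
    },
    fired: () => [...fired],
    blocked: () => pending.map((t) => t.name),
  };
}

// Constructed scenario: three tags registered, visitor opts in to functional only.
function demo() {
  const gate = createConsentGate();
  gate.register("session-cookie", "essential", () => {});
  gate.register("chat-widget", "functional", () => {});
  gate.register("ad-pixel", "marketing", () => {});
  const beforeClick = gate.fired();
  gate.grant("functional");
  return { beforeClick, afterClick: gate.fired(), blocked: gate.blocked() };
}
```

In a real page the `load` callbacks would inject the third-party script, and `auditDefaults` can run in a build or QA step against whatever default state the banner ships with.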
Conclusion: It’s not your fault
We’ve found that the vast majority of agencies aren’t trying to break the law. They’re simply trying to make nice sites, keep clients happy, and follow patterns they were taught years ago.
Understanding what actually counts as “essential” and why marketing and functional cookies require opt-in isn’t just a legal checkbox. It’s how agencies protect themselves and their clients from ending up on the wrong side of a CIPA demand letter.
Hope this helps!
Now go watch that one Oracle scene from the Matrix. Kinda creepy, right!?


