Recently, one of my clients, who is quite well-versed in online marketing has asked the firm that created their website to create a GDPR overlay that covers the entire page, and doesn’t let users through unless they accept the placement of cookies in their browsers. He wanted to play by the rules.
At first, I didn’t think much of it – if someone wants to follow the rules this strictly, then they have all my respect. I asked the developer that created the website if this overlay hid the site’s code from Google’s crawling robot, and the answer was that it’s not hidden at all, and that Google can, in fact, see and crawl it. I checked it, and confirmed it to be true.
Let me add that we’ve also checked the website of some of the biggest multinational corporations and saw that they immediately place all (or almost all) of their cookies the moment a user opens one of the pages. Microsoft, Apple, and Media Markt all spam your system with their cookies, and even the Hungarian website Index.hu is guilty of this practice, regardless of what you click on afterwards:
This site places 4 cookies, but none of them are from Analytics.
On the top of the website, there’s a bar with some text stating:
This site places 25 cookies, with Analytics trackers among them.
At the bottom of the page, they state the following:
If we click the “Accept” button, then we get one more cookie, and the text disappears from the bottom of the page for good.
This site places 14 cookies.
The text on the bottom reads:
“You can read about how we keep your data safe in our data protection policy. Our pages use HTTP cookies for better functionality.”
When we click the “Ok” button, we get one more cookie, after which the bar with the text disappears.
The negative SEO results of using a GDPR overlay
However, after the new website started performing worse than the old one, I became worried. Both for the number of visitors and the number of conversions. My client was even more worried, as he was expecting anything but less conversions from the new website. He wasn’t exactly on the best terms with the site’s developer. So he immediately blamed the weaker performance on the new website and its new CMS. They tested the site’s speed, checked for any disappeared content, found some redirect chains, and confronted the developer.
There are three reasons, however, why these could not have been reasons behind the issue. The first one being that the new website became much faster than the old one, which did have some redirects, but those were already being eliminated at the time on the new site – otherwise, things were looking up. The next reason was the speed of the changes: they were almost immediate, after the new website launched. Google doesn’t penalize that fast. The third reason is that it wasn’t just traffic from organic Google searches that decreased, but traffic in general from all similar channels as well. Here’s a screenshot of the site’s Analytics:
If you take a look at the data, you can see that there were positive results as well. Metrics such as bounce rate, pages/session and session time have improved significantly. But none of that matters if conversion rates decrease. But then what caused that decrease?
Bounce rates have improved, or did they?
The overlay can annoy a lot of visitors, which could result in more bounces. Google gets suspicious if several visitors bounce back from a website immediately after they land on it, which is why it’s bad for SEO, but it takes time for this to have any effect on rankings and traffic.
But we can see that bounce rates have improved. Great, the new website has a better structure, it’s user friendly, offers superb user experience, so no problems here, right? Well, not quite. Due to tracking cookies not being placed immediately, Google Analytics doesn’t track the very first “page” that people see (“page zero”, if you will). This means that we can’t see how many people get scared and turn back when the see the overlay that covers the entire page. We could see it, if we placed Analytics’s cookies the moment a visitor lands on the site (as done on 99.99% of every other site). We currently have no data of this.
The sources from which traffic has decreased, however, supports this idea, as visitors landing on the site via ads and social media also get sacred when they see this “CIA” layer. But let’s see Google’s take on the correlation between SEO and GDPR overlays:
GDPR overlay – does it negatively affects SEO?
During a Webmaster Hangout episode, Google’s John Mueller got a question about how GDPR layers affect a website’s search performance. Here’s the exact question, and the answer given by Mueller:
“A question about GDPR pop-ups. How will they affect SEO and usability?”
“They are sometimes quite annoying, these pop-ups but they are how they are.
What doesn't work on our side is if you replace all of the content with just an interstitial or if you redirect to an interstitial and Googlebot has to click a button to actually get to the content itself then that's not going to happen. Then what will happen there is will index the interstitial content because that's only thing we have on this page and we won't know that you can actually like click a button and get a little bit more information there. Googlebot also doesn't keep a cookie. So it wouldn't be able to say well I'll click accept now and the next time I crawl your website you just show me your content normally. Googlebot wouldn't be able to kind of return that cookie to you and say I agree with your kind of Terms of Service.
So, those are kind of the two extremes that we've seen.
For the most part sites get this fairly right. And you can test it of course, you see it fairly quickly in search, if your site doesn't show up at all and the search results for normal content and probably we can't pick that up anymore. So for the most part I think that's working well.
You can test this on a technical level with things like the mobile-friendly test. Where you can render the page as a mobile Googlebot and then look at the HTML that is generated. So within the mobile-friendly test you can now look at the HTML after rendering and you can double check in the HTML that we can actually find your normal content and not just the interstitial.”
Well, the overlay does have a button for users to click, but according to our tests, Googlebot can see the page’s HTML source, so that can’t be the problem. We’ve seen that most websites place their cookies on your system when land on a page, and that it happens without your consent – but what does Google have to say about that?
Google and the GDPR
Numerous sources state that in some cases, you DO NOT need consent from the user, but these are very specific cases, and they make little sense. Just like this whole GDPR thing and those who came up with it. The entire confusion around GDPR stems from the fact that different people interpret its rules differently.
You can find the original source of this confusion here (https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/how-long-can-data-be-kept-and-it-necessary-update-it_en).
What does it say?
“By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.).”
To some people, this means that if you DO NOT send your collected user data to third-parties, and you use them only for your own purposes (“for reasons of scientific or historical research”), then you DO NOT have to ask for consent from the user.
Other say that of you collect user data for advertising purposes with Analytics, then you HAVE TO ask for consent. Here’s is what Google considers advertising data (as per their official guide https://support.google.com/analytics/answer/2700409?hl=en):
- Remarketing with Google Analytics
- Google Display Network Impression Reporting
- Google Analytics Demographics and Interest Reporting
- Integrated services that require Google Analytics to collect data for advertising purposes, including the collection of data via advertising cookies and identifiers
By enabling the Advertising Features, you enable Google Analytics to collect data about your traffic via Google advertising cookies and identifiers, in addition to data collected through a standard Google Analytics implementation. Regardless of how you send data to Google Analytics (for example, via the Google Analytics tracking code, Google Analytics SDK, or the Measurement Protocol), if you use Google Advertising Features, you must adhere to this policy.
This source says that
“To restate this, the WP29 opinion here is that you can have Google Analytics enabled by default, without the need for consent as long as you:
• Provide an opt-out (e.g. pre-ticked tickbox with the ability to untick it).
• Anonymise the data sent to Google from the web browser.
• Are happy that Google is acting as a data processor.
Just so you know, this particular page also immediately places 5 cookies the moment you open it, as does https://wolterskluwer.hu, which is a legal publisher. If anybody, they surely know how to be GDPR-friendly…
How GDPR overlays affect conversions
Do you think that if a high-profile website like Index.hu doesn’t get penalized for how they manage cookies, an SMB will? SMBs are more likely to receive a warning at first, and the authorities responsible for issuing these penalties would have a ton of work on their hands if they raided everyone who doesn’t play by the rules. Also, you don’t get any prices for playing by the rules, and using an overlay, which people can use to opt out from using cookies – but you lose your conversions. Which scenario is more important for you?