Can Lack of Cookie Consent Hurt Your International SEO?

By now, there's no way you could have been using the internet without seeing the cookie consent pop-up at least a few trillion times. It feels like every single website now has this white noise gateway before you can view what you're looking for, asking you to accept or configure your cookies. Do you want to accept it all? Do you want to dig through six menus and turn off the marketing and tracking cookies only to find some can't be disabled? Do you want to just mash the escape key and hope it closes it? Do you use an ad blocker to block the page elements or a script blocker to block the common scripts from showing up at all, cookies be damned?

There's a lot of story and detail here and a lot of groundwork we need to lay before we can get to the meat of the issue, which is this: does having or not having the cookie consent field hurt your SEO?

I'll get to that, so bear with me as we dig into what these are, why they exist, and why you may or may not need one.

What Are Cookies, Anyway?

First, let's talk a little about what cookies are in the first place. If you already know, just skip past this part.

Many years ago, when the internet was relatively new, and programmers were pretty much in charge of everything, they named things the kinds of names they used elsewhere, in data structures and database management and programming itself. Since programmers are gigantic nerds (which I can say because I am one myself), they often take names and references from other things, usually because they make sense in some abstract context.

In this case, the original term was "magic cookie," and it referred to a kind of token or identifier that a program could generate to pass data to another system or service. These tokens could pass data like user identification or authentication.

Since the internet in the early days was sort of viewed as a huge series of individual systems – websites – that would occasionally need to pass data from one to another, magic cookies were developed as a way to do that. A website could store a cookie on your computer that would store data such as whether or not you're logged into that website. When you return later, you wouldn't have to log back in because the website could check to see if you had a cookie and could authenticate you based on the data in it.

Cookies are generally pretty abstract. They include simple information such as the site they come from, an expiration date, and unique (and even encrypted) information for things like session IDs, Google Analytics property information, and unique identification values.

You can actually view the cookies on your computer at any time, though they're not always easy to find or read. It's just not generally useful information for an individual to have since it's just abstract data used by websites.

The problem with cookies came later, alongside the bane of all of our lives: advertising.

Now, we need to get into a little bit more detail.

1. First, there are two kinds of cookies: session cookies and persistent cookies. Session cookies expire automatically, possibly when you close a website, possibly when you close your browser, or possibly after a certain number of hours. They can be used by a site to store information like what products you've viewed recently on a store or whether or not you've read a forum thread. These days, a lot of this information is linked to a user account instead, but cookies still play a role.

Conversely, persistent cookies last some longer length of time, potentially an indefinite length of time. A simple example would be whether or not you've clicked the light mode or dark mode preference on a website. Even without a user account, the site can remember your preferences, so you have a slightly better user experience each time you visit. The cookie might expire after a week, 30 days, or even never unless you clear them.

2. Second, there are two kinds of cookies: first-party and third-party cookies. First-party cookies are provided by the site you're visiting. Reddit puts a cookie with your Reddit information on your system, which is usable by Reddit for Reddit things.

Third-party cookies are used by third-party systems. The most common of these by far is Google Analytics. Google is a third-party for everyone except Google, and most of the sites with cookie consent pop-ups are using Google Analytics, which is why they have the cookie consent in the first place.

Analytics and advertising are the two biggest systems that use third-party cookies. Advertising networks use cookies to track things like the sites you visit and your user preferences so they can better target ads at you. That's why, even if you visit a dozen different sites, you see similar ads on most of them. All of those ad networks have "profiles" about you stored in cookies.

3. Third, there are two kinds of cookies: essential cookies and non-essential cookies. Non-essential cookies are things like tracking cookies, where purging them doesn't really matter. Whether or not an advertiser is tracking your information on a site isn't really important to your ability to use that site, so deleting or rejecting that cookie doesn't hurt your experience in any way other than maybe making the ads you see less relevant.

Essential cookies are things like authentication cookies and can completely break the function of a website if you don't have them. Imagine, say, a website where you need to log in to view the content. Without a cookie, every time you click on a new page, you would have to log in again to see it because the site can't store your authentication status in a cookie it can read.

Cookies have been around since the early days of the internet, but why is it only in the last few years – since roughly 2018 – that everyone has been adding cookie consent boxes, and now they're everywhere?

Why Does Everyone Have a Cookie Consent Pop-Up?

Blame Europe.

By now, you've probably heard of GDPR, the European General Data Protection Regulation. GDPR is a huge 88-page set of rules and regulations about user data and privacy, largely online but also in other areas of life. It's law that applies to the European Union, but because of how the internet is global and interconnected, it cascades into all other areas of the world as well.

While the GDPR is huge, it actually only mentions cookies once.

"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them." – Recital 30 of the GDPR.

Since the GDPR is primarily concerned with people being able to control how much information about them is tracked and is meant to allow people the right to be forgotten, it's meaningful when websites track potentially uniquely identifying information about them.

The GDPR was passed in 2016, and given the usual 2–3-year delay on enforcement actions for major legislation, that's why 2018 felt like a turning point for the proliferation of cookie consent pop-ups. However, the actual cause of those pop-ups is something a little older: the ePrivacy Directive, originally passed all the way back in 2002 and amended in 2009. This is commonly known as the Cookie Law.

The regulation was meant to take effect in 2018 alongside GDPR, but ongoing fights over it have seriously delayed it. The text of the regulation wasn't finalized until 2021, and it's still being discussed today. When it's finally approved, it will become Law 20 days later and has a two-year grace period before enforcement starts happening.

Basically, Europe is a lot more privacy-focused than the rest of the world, and since they're collectively a global superpower, the EU can make rules that affect the rest of the world indirectly. Any website that can potentially deal with European citizens needs to comply with European rules, whether or not that website is based in Europe, the USA, Saudi Arabia, China, or somewhere else entirely.

In very broad, overly simplistic terms, the ePrivacy Directive and the GDPR give everyone from the smallest of blogs to the biggest of megacorporations three options:

1. Stop using non-essential cookies entirely.
2. Use a Cookie Consent box to allow European citizens to configure their privacy settings as they desire.
3. Block European citizens from accessing their site.

Since no business wants to block an entire continent from accessing its site, and since marketing can still provide a ton of value even if some portion of users aren't properly targeted, most businesses choose the second option.

There's also the secret fourth option, which is "ignore it all until it becomes a problem," or the fifth option, which is "put up a consent box but don't actually listen to it," neither of which are real options and can get you in trouble in the long run. Maybe.

Do You Need a Cookie Consent Pop-Up?

Technically, yes, if you have anyone from Europe visiting your site.

There are a few exceptions to this.

If your site legitimately only harvests necessary cookies, and you do not harvest third-party or non-essential cookies, you can get away with just a banner saying you do. It doesn't need to be obtrusive; it just needs to exist. Similarly, if you have, say, a purely informational site with no need for user configuration at all and you don't harvest any cookies, you don't need the pop-up.

And, if you were to somehow decide to block all of Europe, you can get away with not having a pop-up, either. What would a landscaping company in North Dakota do with European traffic? Don't worry about it, at least until the US passes its own version of that privacy legislation, which, given the current surveillance state we have going on, will probably be a while.

Alright, I'm being a bit disingenuous here. While the USA has no federal laws regarding cookies as of yet, we do have some states that are more privacy-forward than others. California has the California Consumer Privacy Act, Virginia has the Virginia Consumer Data Protection Act, and so on. Many of these have modeled themselves after the GDPR and share a lot of the same language. So, actually, if you want to be safe for national-level USA operations, you should have cookie consent as well.

Other countries have also been passing their own laws, like the Lei Geral de Protecao de Dados, or LGPD, General Data Protection Law, in Brazil.

Cookie consent pop-ups can also build a small amount of user trust. While some users hate that they have to click through these stupid pop-ups every time they visit a website, others appreciate the token effort being paid to privacy. It's kind of a "six of one, half a dozen of the other" situation.

Okay, but what does any of this have to do with SEO? Hold your dang horses; I'm getting there!

Can Having a Cookie Consent Pop-Up Hurt Your SEO?

Anyone familiar with SEO rules has a little warning siren in the back of their mind screaming about these pop-ups. It hurts the user experience! That's bad for SEO!

That would be true, normally. And it is still kind of true in an abstract, tertiary sense. Some small percentage of users vehemently hate cookie consent pop-ups and bounce from sites that use them. This proportion has gotten a lot smaller as the pop-ups have gotten more prolific, though, since it's basically impossible to use the internet while avoiding them these days. So, while you might take a tiny SEO hit from a tiny percentage of increased bounces, it's unlikely to be meaningful.

The bigger issue would be having pop-ups at all, especially if they're content-blocking interstitials. Normally, that gets you a fairly substantial SEO penalty. However, Google knows that they can't really SEO-penalize every website that tries to obey the law, especially since they, too, are bound by that law. You can bet that the EU would have zero qualms about going after Google (again), especially since they're one of the biggest advertising platforms in the world.

So, Google has specifically identified cookie consent interstitials (as well as some other essential, law-specified pop-ups like age verification) as valid and non-penalized. This has been the case since 2016, when the GDPR first came into effect.

That said, John Mueller has mentioned that they generally prefer if a cookie consent pop-up is unobtrusive and doesn't block essential information. The full screen-covering blocks that prevent you from reading content until you click the boxes can technically hurt you, but a smaller box in the corner (like what I've implemented recently) will not.

Will a Lack of Cookie Consent Pop-Up Hurt Your SEO?

Finally, I'm getting around to the initial question. Can implementing a cookie consent pop-up actually help your SEO? Or, put another way, does not having one hurt your SEO?

The answer to this may actually be yes, surprisingly enough.

It's not as simple as "having this box is a boost to SEO," though. Instead, all of the benefits you get are secondary or tertiary.

• You get a small amount of increased user trust by admitting what you're tracking and allowing people to opt out.
• By keeping the box small and to the side, the user experience isn't hindered.
• You don't have to risk running afoul of the law down the road.

It's also possible that Google might just choose not to serve your site or rank it lower to European audiences if you don't have a cookie consent box. If you can benefit from European traffic or from traffic from other countries or US states that have privacy legislation, it can potentially be beneficial to have a consent box.

If you're going to implement a cookie consent box, make sure you do it properly. There are three keys you need to know.

• First, it should be minimally intrusive. Most of these boxes are small and off to the side these days, which is the ideal state for them. If users want to ignore them, they should be able to.
• Second, it should not delay your site loading. Lazy load it, or make sure it's not render-blocking or content-moving. You don't want to hurt your Core Web Vitals, after all.
• Third, it needs to be equally usable for accepting and rejecting cookies. This is a big one! One "trick" a lot of sites used to try to passively reject having this sort of legislation enforced on them was to make an "accept cookies" button, but making rejecting cookies take half a dozen clicks through different menus. This is actually also a violation of the law. You have to have a one-click reject if you have a one-click accept. Both sides need to be equally frictionless, basically.

Now, realistically, will your site get in much trouble over any of this? Probably not. The final regulation isn't even in force, and once it is, you can rest assured that the EU is going to be concerned with the ad networks far before it starts looking at business blogs.

But if there are even minor SEO benefits to installing whatever cookie manager is top-rated in the WordPress plugins directory this month, it's a small price to pay, right?