7 Best Practices for Cookies and Live Chat [GDPR-compliant]

In May 2018, the GDPR hit the digital ecosystem like a wrecking ball. Cookies – probably the most heavily used tool on the web – turned from sweet to sour.

The changes in cookie policies not only affected areas such as advertising and tracking. They also had an impact on customer experience solutions like live chat.

Customers now have to consent to cookies used in chat before you can process the data. The majority of website visitors, however, won’t choose to opt in – and thus won’t see the chat option on your website. If you’re offering live chat, you might have already noticed this as a drop in chat interactions.

Luckily, there are ways to fight this effect and ensure that you can still offer live chat support successfully.

Before we dive into these options, let’s make a quick excursion to learn what cookies are and what changed.

What are cookies

According to a definition by the ICO, “Cookies are small text files that websites place on your device as you are browsing. They are processed and stored by your web browser.”

Cookies don’t pose any harm in themselves. They do, however, store data. Lots and lots of it.

The General Data Protection Regulation (GDPR) and ePrivacy Directive (also known as the “cookie law”) empower users to hold businesses accountable over the use of their data.

Cookies and the GDPR: Do’s and don'ts

When cookies are used to identify users, they qualify as personal data and are therefore subject to the GDPR:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers ... This may leave traces which ... may be used to create profiles of the natural persons and identify them.

Recital 30, GDPR

You still have a right to process this data as long as you have received active consent. Whether consent is required depends on the cookie’s purpose, organized into different categories:

  • Strictly necessary cookies (or “essential”)
  • Preferences cookies (“functional”)
  • Statistics cookies (“performance”)
  • Marketing cookies (“advertising”)

According to Europe’s top court, all cookies that are not strictly necessary for browsing your website and using its features (e.g. putting items into the shopping cart) require you to obtain active consent from every website visitor before using them. This primarily refers to third-party cookies used for analytics, retargeting and functional services – like live chat.

What’s more, you can’t rely on implied consent or “legitimate interests,” force visitors’ consent through cookie walls, nudge them toward consent or declare non-essential cookies as essential. A lot of cookie policies you see on the internet, however, are still not in compliance with the GDPR. For clarity, I recommend taking a look at this informative read on cookie myths debunked.

But playing by the rules is not just a matter of taking the moral high ground. Violations of the GDPR are being prosecuted by data protection authorities and companies are already facing serious fines (get an interesting overview here).

Besides the penalties, ignoring your customers’ rights and toying with their personal data can cause a lack of trust and reflect negatively on your company’s image. Acting in accordance with data protection regulations doesn’t have to be deleterious; it gives you a chance to distinguish yourself from your competition as a business that takes its customers’ rights seriously.

Our updated guidance is based on the basic information rights principles of fairness, transparency and accountability. Being fairer, more transparent and accountable to the people who use your website will increase their trust and confidence in you. And that benefits everyone.

Ali Shah, head of technology policy at ICO

If you want to learn more about cookies and their relation to the GDPR, take a look at this guide.

How cookies impact live chat

Before the GDPR, offering live chat support was simple. You added chat to your website and your visitors would immediately see the chat button and could get in touch with you.

Things have gotten a bit more complex since. One reason for this is the purpose of cookies, as discussed above.

Live chat is not required for delivering your online presence and as such, cookies related to chat don’t qualify as “essential” (the only category where user opt-in is not required). They’re part of the functional cookies which your users will have to actively opt in to before you can drop them.

The problem? Recent studies suggest that when given the free choice, only a fraction of users will actively consent to these non-essential cookies:

Our results … indicate that the privacy-by-default and purposed-based consent requirements put forth by the GDPR would require websites to use consent notices that would actually lead to less than 0.1 % of active consent for the use of third parties.

Utz et al. 2019, Human-Computer Interaction

This is a serious issue for online businesses because it renders most of their external website tools obsolete. The purpose of these tools will be lost on the vast majority of your visitors.

What people might not realize is that cookies don’t just process data your customers share in the chat, such as their name or order number. Advanced live chat solutions also come with built-in analytics and CRM functions. So cookies are involved at pretty much every part of the live chat interaction. Even before a chat session actually starts.

That’s an important realization. Cookies are necessary to display the chat button on your website and define its behavior. If your web visitor doesn’t accept your functional cookies, the live chat on your website will never even show. Your customers won’t be able to benefit from a convenient way to get in touch. And you won’t be able to benefit from the myriad advantages that made you get live chat in the first place.

But there are ways to solve it. Discuss the following solutions with your data privacy officer and select the ones that work best for your business.

1. Use a consent management tool

To realize a GDPR compliant setup for your website, one of the first steps is to add a cookie banner. It’s a consent notice that pops up when a user first visits your site, informing them about the cookies you use and asking for their consent.

screenshot of cookie consent banner by Cookiefirst

There are a lot of consent management platforms out there. Just make sure you’re deciding on one that’s fully GDPR-compliant, such as Cookiebot, Borlabs or Usercentrics.

I like Cookiefirst best because they have a beautiful interface and give you the option to explain what the cookies do. For most website visitors, the different categories are technical jargon that doesn’t make any sense.

Whenever you’re dealing with customers, explaining begets understanding. By filling the word “functional” with meaning, customers interested in using your live chat will be more likely to opt in to these cookies.

2. Set up a landing page for live chat opt-in

This one is a bit more advanced but it’s the smoothest, fully GDPR-compliant workaround I’ve seen so far.

Live chat is consumers’ preferred contact channel and significantly improves their shopping experience. It can be argued that when given the choice, people would freely opt in to cookies used for chat.

However, the functional cookie category is a pretty broad one. Aside from live chat, it includes unpopular, data-hungry cookies such as those set by social media plugins, or those needed for automatic logins.

Split the functional category up by what matters to your users and give them the option to opt in to live chat specifically. The kudos for this clever idea goes out to M1Beauty, a center for aesthetic and plastic medicine that uses our live chat solution Userlike.

When a customer visits the M1Beauty website, they first see the usual cookie banner asking for their consent.

a screenshot of M1Beauty's cookie banner

People who only accept the essential cookies will not be able to see the live chat when they continue browsing the site.

However…

Although the chat is disabled, M1Beauty still shows an icon in the bottom right corner that looks exactly like the live chat button. When a visitor clicks that button – thinking it’s the actual live chat button and wanting to get in touch – they will be navigated to a dedicated landing page for live chat opt-in.

a screenshot of the live chat opt-in landing page by M1Beauty

Here, M1Beauty explains to the customer why the live chat isn’t visible. As discussed before, many people might not be aware of its connection to cookie policies and that they themselves disabled this function earlier by not accepting the functional cookies.

M1Beauty also uses this as an opportunity to share more information about live chat, the philosophy behind why they offer it, and to inform users about their service times. For full transparency, they also link to their data privacy policy.

The customer can activate live chat with a simple switch and page reload...

… and the chat becomes visible! :)

a screenshot of M1Beauty with live chat activated
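
The opt-in flow described above comes down to one decision per page view: has this visitor consented to chat specifically? The following sketch is an added example, not M1Beauty's or Userlike's code; the cookie name, the opt-in URL and the service names are hypothetical. It stores consent per service, treats anything missing or malformed as "no consent", and gives the consent cookie an explicit lifetime.

```javascript
// Added example: per-service consent gating for a chat widget.
// CONSENT_COOKIE, OPT_IN_URL and the service names are hypothetical.
const CONSENT_COOKIE = 'consent';
const OPT_IN_URL = '/live-chat-opt-in';
const KNOWN_SERVICES = ['chat', 'social', 'autologin', 'analytics'];

// Parse a Cookie header value into the set of services the visitor opted in to.
// Anything missing, malformed or unknown counts as "no consent" (fail closed).
function readConsent(cookieHeader) {
  const granted = new Set();
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    let parsed;
    try {
      parsed = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
    } catch (err) {
      return new Set(); // corrupt value: treat as no consent
    }
    if (parsed === null || typeof parsed !== 'object') return new Set();
    for (const name of KNOWN_SERVICES) {
      if (parsed[name] === true) granted.add(name); // only a literal true counts
    }
    break; // use the first consent cookie only
  }
  return granted;
}

// Serialize the visitor's choice as a first-party cookie with an explicit lifetime.
function writeConsent(choices, maxAgeDays) {
  const clean = {};
  for (const name of KNOWN_SERVICES) clean[name] = choices[name] === true;
  const value = encodeURIComponent(JSON.stringify(clean));
  const maxAge = Math.floor(maxAgeDays * 86400);
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Decide what the chat button does: load the vendor script, or link to the opt-in page.
function chatButtonAction(cookieHeader) {
  return readConsent(cookieHeader).has('chat')
    ? { action: 'load-widget' }
    : { action: 'link', href: OPT_IN_URL };
}
```

Only when `chatButtonAction` returns `load-widget` should the page inject the chat vendor's script tag; in every other case the button is a plain link and no third-party code runs.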

3. Use a disclaimer before the chat

This workaround distinguishes between cookies needed for displaying a chat and cookies occurring in a chat session.

a privacy notice in the Userlike website messenger

To load and display the chat messenger on a website, technically necessary cookies are saved in the user’s browser. These cookies will only be filled if and when the user decides to start a chat. That’s why one could argue that these are essential cookies for delivering your website presence, of which digital service is a vital part today. This interpretation means you would not be required to obtain consent from your visitors to simply show the chat messenger.

When a user decides to start a chat session, more functional cookies qualifying as personal data will occur. At this stage you have to ask your users for their consent. With Userlike, you can set a disclaimer before the chat, informing your customers about the use of cookies. They will have to actively opt in to start a chat session.

Our default privacy notice explains how Userlike uses cookies and reassures visitors that you’re handling them with care.

Note that this point requires its own disclaimer because data privacy experts haven’t reached a consensus on where to draw the line with legitimate interests. If you’re in doubt, make sure to check with your data privacy officer.

4. Set a cookie timeout

Cookies are saved in the customer’s browser. Some are deleted once they close their browser (“session cookies”). Others are stored for up to one year (“expire cookies”) and include parameters such as the number of visits or an individual user ID.

By default, Userlike stores cookies of the latter type for one year. But you can flexibly adjust this in your settings.

the cookie timeout setting in the Userlike Widget Editor

5. Don’t collect personal data

Userlike offers a data privacy chat mode which basically works as a personal data filter for all your chat sessions. When enabled, you don’t collect any personal data. The filter applies to IP, user agent, referrer and page visits.

the data privacy chat mode in the Userlike Widget Editor

Note that the privacy mode doesn’t cover data your visitors submit themselves, like when they share their name or email address in a registration form before the chat starts.

6. Link to your terms

a website messenger home screen showing a button to the data privacy policy

To increase transparency for your data privacy-conscious customers, you can include a direct link to your official privacy policy in your website messenger.

Informing your visitors proactively about your stance toward data privacy reduces service pressure and conveys transparency, a cornerstone of customer service. You can either point visitors to your own privacy policy or the one by Userlike, which is tailored toward web chat.

7. Ensure a re-authentication process

When you offer customer messaging, communication doesn’t only happen when both parties are online (like in live chat) but becomes asynchronous. Consequently, customers can open conversations they’ve had with your business at a later point. To make sure the right person gets access, cookies saved in the customer’s browser help identify them.

But what happens when your customer deletes their cookies in the browser or logs out of the messenger after the conversation ends?

With Userlike, they can still easily get into their previous conversations. By requesting an authentication link in the website messenger, they receive an email in their inbox that they can use to identify themselves and pick up the chat where they left off.
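
Because such a link grants access to a past conversation, it should expire quickly, work only once and be bound to a single conversation. The following sketch is an added example and not Userlike's implementation; the function names, the 15-minute lifetime and the token layout are assumptions, and conversation ids are assumed to contain no dots.

```javascript
// Added example: signed, expiring, single-use token for a re-authentication link.
// Not Userlike's implementation; names, layout and the 15-minute lifetime are assumptions.
const crypto = require('crypto');

const TOKEN_TTL_MS = 15 * 60 * 1000;
const usedNonces = new Set(); // in production: a shared store whose entries expire

function sign(secret, payload) {
  return crypto.createHmac('sha256', secret).update(payload).digest('hex');
}

// Issue a token bound to one conversation; the e-mailed link carries it.
function issueToken(secret, conversationId, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const payload = `${conversationId}.${now + TOKEN_TTL_MS}.${nonce}`;
  return `${payload}.${sign(secret, payload)}`;
}

// Returns the conversation id on success, or null for any failure.
function redeemToken(secret, token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 4) return null;
  const [conversationId, expires, nonce, mac] = parts;
  const expected = Buffer.from(sign(secret, `${conversationId}.${expires}.${nonce}`));
  const given = Buffer.from(mac);
  // Compare in constant time; check length first because timingSafeEqual throws on mismatch.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (!/^\d+$/.test(expires) || now > Number(expires)) return null; // expired link
  if (usedNonces.has(nonce)) return null; // link was already used
  usedNonces.add(nonce);
  return conversationId;
}
```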


The GDPR brought some changes upon businesses. Not with the intention to hold them back, but to make commerce fit for the digital age.

Live chat has become an essential part of customer experience and the new policies won’t change that. On the contrary, modern channels such as messaging and live chat empower consumers by making support faster and more convenient than ever before. For more information on chat, the GDPR and data privacy, read our dedicated post on the topic.

This post was not written by a legal advisor and as such does not claim to be legally valid. In case of doubt, always consult your data privacy officer, lawyer or legal department.