Using online cookies has become ubiquitous among organizations across all industries because cookies enhance and simplify the user experience and tell the business about its client base. However, since cookies allow businesses to track, store, and share user behavior, they are now a source of privacy concerns for consumers and of security and compliance risks for businesses.
A recent study by Cisco found that over 84% of global consumers want more control over how their data is being used. This call for increased privacy rights and digital transparency has motivated privacy regulations like the GDPR and the CCPA to target cookie use to address the risks associated with cookies and data protection.
A cookie is a small text file processed and stored by a web browser to remember information about a user. When a user visits a website, a cookie is downloaded into their web browser and stored as a plain text file. When the user visits the same website again, the website reads the cookie and knows it’s the same user.
Cookies are not programs, nor do they perform any functions. They are like digital post-it notes that help websites create a more personalized user experience - from remembering login details and online shopping cart items to session management and multi-tab browsing to analytics and targeted ad campaigns.
There are many types of cookies, and the average website has about 23 different kinds. The purpose of these cookies typically falls under one of the following five categories:
- Essential Cookies: A website’s basic form of memory, used to store the preferences of a user on a given site. These cannot be disabled by users because they are, as the name implies, essential to the website’s functionality.
- Performance and Functionality Cookies: Used to enhance the performance and functionality of a website but are not essential to its use.
- Web Analytics and Customization Cookies: Used to track user activity so website owners can understand how their site is being accessed and used.
- Targeted/Advertising Cookies: Used to customize a user’s ad experience on a website. Can prevent a specific ad from appearing repeatedly, remember user ad preferences, and tailor ads based on user activities.
- Social Networking Cookies: Allow users to share content on social media platforms and link activity between a website and a third-party sharing platform.
Roughly 60% of the cookies that companies use fall into the Targeted/Advertising category. These are considered to be the most privacy-intrusive as they track users’ activities across various websites and build profiles of their interests, helping businesses sell more services or products to them.
Cookie Compliance Regulatory Change
Over the years, computer cookies have earned an unsavory reputation, but they are not inherently bad. They are simply part of the mechanism by which the world wide web works. However, since some companies use cookies to capture data and build detailed user profiles that they sell to other companies for marketing and advertising purposes, users have grown wary of the intentions behind cookies.
Depending on an organization’s scope, the rules and laws governing cookies can vary. In the EU, cookie usage and consent are governed by the GDPR and the ePrivacy Directive, otherwise known as the “Cookie Law.” In the U.S., the CCPA has its own requirements for cookie management.
To complicate matters, since users can visit a website from anywhere in the world, differentiating U.S. citizens from EU citizens can make compliance with the appropriate regulation a challenge for most organizations. If cookies are present on a website and they collect information from an EU resident, the organization is responsible for ensuring its website is compliant with the GDPR and the ePrivacy Directive. The same goes for websites that collect information from residents of California – the organization must be compliant with the laws set forth by the CCPA.
Computer Cookie Laws Explained
The EU ePrivacy Directive and Cookies
The ePrivacy Directive contains a few minimum requirements that all applicable businesses must follow, including:
- Users must be informed that cookies are being used on the website, as well as what cookies are being used, why they are being used, and how they are being used
- A notification that makes it clear to users that the website or web application is using cookies (e.g., prominent banner in the website header)
- Active consent must be obtained before cookie-related scripts can be used on the website or web application
Under the ePrivacy Directive, for consent to be considered valid, it must be active, which means users must perform some type of action indicating their agreement. However, this does not need to be checking a box or clicking a button. Continuing to browse the website, traveling to another page, or clicking on a link can all qualify as active consent. The ePrivacy Directive does not, however, require websites to keep a record of each user’s consent. In addition, a number of countries have adopted additional custom measures to enhance their online policies surrounding cookies.
The General Data Protection Regulation (GDPR) and Cookies
The GDPR is one of the most comprehensive data protection regulations in the world, yet only one section of the law directly addresses cookies, stating:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.”
Despite the singular mention, cookies are regarded as a means of collecting personal data and fall under the GDPR’s sweeping guidelines governing the handling and storage of personal data. Therefore, cookies used to capture data for analytics, advertising, and functional services like chats and surveys must follow the standards for personal data.
- Consent must be freely given, specific, informed, and unambiguous: One of the most important goals of the GDPR is transparency, so clearly communicating what information is collected and how the information is shared is essential.
- Consent must be a clear affirmative action: This can be clicking an opt-in box, pressing an accept button, or choosing specific settings from a drop-down menu. Pre-ticked boxes are not allowed on consent forms and can result in significant penalties.
- Data subjects must be able to opt out: Data subjects should be able to withdraw consent as easily as they provided it. With cookies, this should mean data subjects can revoke consent through the same action they used when they gave consent.
- Data subjects that reject cookies must still receive full access to the website: A website owner is not allowed to offer limited features or functionality to visitors who do not want their information tracked.
However, not all cookies require consent under the GDPR. Many cookies are essential to creating a strong user experience on websites; therefore, certain cookies (e.g., authentication, multimedia content player, load-balancing, third-party social-plug-in content-sharing) are exempt from needing consent before data is collected.
The California Consumer Protection Act (CCPA) and Cookies
- The types of cookies used within the website
- The categories of personal information the website collects
- The purpose for collecting that information
- The retention period of that information
- The third parties that provide the scripts behind the cookies
Complying with Data Protection and Cookie Laws
Cookies play an integral role on most websites, which makes complying with multiple cookie regulations seem like a daunting task. But by putting in the effort to align with these privacy regulations, you will be able to avoid potential legal battles and significant fines, and build stronger consumer trust. Here are a few basic steps that will help your organization meet the requirements of these major cookie directives and regulations.
1. Audit and classify your cookies
In order to properly describe your cookie practices to users, it is important to understand what cookies are currently being used on your website. Most websites run more cookies than they realize, so conducting an audit will provide a detailed report of the cookies present on each page, their purposes and categories, and even the third-party cookie settings on your site. Depending on the software, these scans can even detect cookies found behind logins, simulate user journeys, and maintain an audit trail that will help you demonstrate compliance efforts. An audit is also a good opportunity to assess expired third-party relationships and determine whether any inactive vendors are still using your website's cookies.
2. Disclose your cookie practices to your users
Each of the three regulations above requires that businesses provide a detailed description that notifies users of the cookies being used, how they are being used, the personal information being collected, and who that data is being shared with. The report generated from the cookie audit will be helpful in compiling this information.
3. Ensure you gain consent before employing cookies
4. Customize a cookie banner (or pop-up notification)
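A small audit helper for step 1, added here as an example that is not code from the original post: it parses Set-Cookie headers captured from a scan, classifies each cookie into the article's five categories using an assumed name-prefix map, marks cookies set for a different domain as third-party, and flags essential cookies that were set without Secure, HttpOnly or SameSite. The site host, prefix map and sample headers are constructed.

```python
"""Cookie audit helper: parse Set-Cookie headers, classify cookies into the five
categories from the article, and flag third-party cookies and essential cookies
set without browser-side protections. Added example, not code from the original
post; the prefix map, site host and sample headers are constructed."""
from http.cookies import SimpleCookie

SITE_HOST = "shop.example"  # constructed first-party host
# Assumed name-prefix map; a real audit derives it from the scan and vendor docs.
CATEGORY_BY_PREFIX = {
    "sessionid": "Essential", "lang": "Performance and Functionality",
    "_ga": "Web Analytics and Customization",
    "IDE": "Targeted/Advertising", "fr": "Social Networking",
}

def classify(name):
    """Map a cookie name to a category; unknown names are treated as non-essential."""
    for prefix, category in CATEGORY_BY_PREFIX.items():
        if name.startswith(prefix):
            return category
    return "Unclassified"

def audit_set_cookie(header, site_host=SITE_HOST):
    """Audit one Set-Cookie header value; returns a finding dict."""
    jar = SimpleCookie()
    jar.load(header)
    if len(jar) != 1:
        raise ValueError(f"could not parse Set-Cookie header: {header!r}")
    (name, morsel), = jar.items()
    category = classify(name)
    domain = morsel["domain"].lstrip(".") or site_host  # no Domain => host-only
    third_party = not (domain == site_host or site_host.endswith("." + domain))
    issues = []
    if category == "Essential":
        # Login/session cookies should be neither script-readable nor sent in clear.
        for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly"),
                            ("samesite", "SameSite")):
            if not morsel[attr]:
                issues.append(f"missing {label}")
    return {"name": name, "category": category, "third_party": third_party,
            "needs_consent": category != "Essential", "issues": issues}

# Constructed sample of what a scan of one page might collect.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "_ga=GA1.2.111; Domain=.shop.example; Path=/; Max-Age=63072000",
    "IDE=xyz; Domain=ads.adnetwork.example; Path=/; Secure; SameSite=None",
    "lang=en; Path=/; Secure; SameSite=Lax",
]
REPORT = [audit_set_cookie(h) for h in SAMPLE_HEADERS]
```

REPORT is the per-cookie output the disclosure in step 2 can be built from; the unclassified bucket is the list of names that still need a vendor lookup.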