Cookies and Compliance: How Key Data Privacy Regulations Impact Cookie Management

Using online cookies has become ubiquitous among organizations across all industries due to their ability to enhance and simplify user experience and to inform the business on its client base. However, since cookies allow businesses to track, store, and share user behavior, cookies are now the source of privacy concerns for consumers and security and compliance risks for businesses.

A recent study by Cisco found that over 84% of global consumers want more control over how their data is being used. This call for increased privacy rights and digital transparency has motivated privacy regulations like the GDPR and the CCPA to target cookie use to address the risks associated with cookies and data protection.

Unfortunately, many organizations are now struggling with how to effectively use cookies while managing cookie consent requirements and remaining compliant as privacy regulations evolve. In this post, we’ll take a closer look at the different types of cookies, how cookie requirements differ under the CCPA, the GDPR, and the ePrivacy Directive, and how you can ensure your organization is cookie compliant.

Understanding Cookies

A cookie is a small text file processed and stored by a web browser to remember information about a user. When a user visits a website, a cookie is downloaded into their web browser and stored as a plain text file. When the user visits the same website again, the website reads the cookie and knows it’s the same user.

Cookies are not programs, nor do they perform any functions. They are like digital post-it notes that help websites create a more personalized user experience - from remembering login details and online shopping cart items to session management and multi-tab browsing to analytics and targeted ad campaigns.

There are many types of cookies, and the average website has about 23 different kinds. The purpose of these cookies typically falls under one of the following five categories:

• Essential Cookies: A website’s basic form of memory, used to store the preferences of a user on a given site. These cannot be disable by users as they are essential (as the name implies) to the website’s functionality.
• Performance and Functionality Cookies: Used to enhance the performance and functionality of a website but are not essential to its use.
• Web Analytics and Customization Cookies: Used to track user activity so website owners can understand how their site is being accessed and used.
• Targeted/Advertising Cookies: Used to customize a user’s ad experience on a website. Can prevent a specific ad from appearing repeatedly, remember user ad preferences, and tailor ads based on user activities.
• Social Networking Cookies: Allows users to share content on social media platforms and link activity between a website and third-party sharing platform.

Roughly 60% of the cookies that companies use fall into the Targeted/Advertising category. These are considered to be the most privacy-intrusive as they track users’ activities across various websites and build profiles of their interests, helping businesses sell more services or products to them.

Cookie Compliance Regulatory Change

Over the years, computer cookies have earned an unsavory reputation, but they are not inherently bad. They are simply a mechanism to how the world wide web works. However, since some companies utilize cookies to capture data to create detailed user profiles to sell to other companies for marketing and advertising purposes, users have grown wary of the intentions of cookies.

Depending on an organization’s scope, the rules and laws governing cookies can vary. In the EU, cookie usage and consent are governed by the GDPR and the ePrivacy Directive, otherwise known as the “Cookie Law.” In the U.S., the CCPA has its own requirements for cookie management.

To complicate matters, since users can visit a website from anywhere in the world, differentiating U.S. citizens from EU citizens can make compliance with the appropriate regulation a challenge for most organizations. If cookies are present on a website and they collect information from an EU resident, the organization is responsible for ensuring its website is compliant with the GDPR and the ePrivacy Directive. The same goes for websites that collect information from residents of California – the organization must be compliant with the laws set forth by the CCPA. 

Computer Cookie Laws Explained

The EU ePrivacy Directive and Cookies

The EU ePrivacy Directive, which came into effect in 2002, has been amended a few times over the years – most recently in 2011. The ePrivacy Directive established guidelines and expectations for electronic privacy, including cookie usage. The ePrivacy Directive works alongside the GDPR to regulate the use of cookies on websites and web applications and applies to any website that originates either in an EU member country or targets residents in the EU.

While not yet enforceable, the EU has published the ePrivacy Regulation, a proposed replacement to the directive that would be legally binding throughout the entire EU and enforced through a standardized set of rules. The ePrivacy Regulation would also work alongside the GDPR, similar to how the Directive does now, but is said to be the most stringent proposal regarding cookies so far. However, because the ePrivacy Directive is currently not legally binding, the EU sets specific guidelines requiring user consent in order to use cookies but allows member states to create their own provisions for how this requirement is implemented and enforced.

The ePrivacy Directive contains a few minimum requirements that all applicable businesses must follow, including:

• Users must be informed that cookies are being used on the website, as well as what cookies are being used, why they are being used, and how they are being used
• A notification that makes it clear to users that the website or web application is using cookies (e.g., prominent banner in the website header)
• The option for users to provide, opt-out, or withdraw consent to the use of cookies
• Active consent must be obtained before cookie-related scripts can be used on the website or web application

Under the ePrivacy Directive, for consent to be considered valid, it must be active, which means users must execute some type of action indicating their compliance. However, this does not need to be checking a box or clicking a button. Continuing to browse the website, traveling to another page, or clicking on a link can all qualify as active consent. The ePrivacy Directive does not require websites to keep a record of each user’s consent, though. In addition, a number of countries have adopted additional custom measures to enhance their online policies surrounding cookies.

The General Data Protection Regulation (GDPR) and Cookies

The GDPR is one of the most comprehensive data protection regulations in the world, yet, there is only one section of the law that actually directly addresses cookies, stating:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.”

Despite the singular mention, cookies are regarded as a means of collecting personal data and fall under the GDPR’s sweeping guidelines governing the handling and storage of personal data. Therefore, cookies used to capture data for analytics, advertising, and functional services like chats and surveys must follow the standards for personal data.

To use cookies and align with the GDPR, organizations need to meet the following requirements:

• Consent must be freely given, specific, informed, and unambiguous: One of the most important goals of the GDPR is transparency, so clearly communicating what information is collected and how the information is shared is essential.
• Consent must be a clear affirmative action: This can range from clicking an opt-in box, pushing an accept button, or choosing specific settings from a drop-down menu. Pre-ticked boxes are not allowed on consent forms and can result in significant penalties.
• Data subjects must be able opt-out: Data subjects should be able to withdraw consent as easily as they provided consent. With cookies, this should mean data subjects can revoke consent through the same action they used when they gave consent.
• Data subjects must have a choice: Just because a data subject uses a website does not mean they need to agree to all cookies. Data subjects need to have the option to accept or decline certain cookies with the purpose for each type of cookie clearly stated. Also, consent for these cookies cannot be bundled with other purposes or processing activities, such as grouping cookie consent to a privacy policy, or combining functional cookies with advertising ones.
• Data subjects that reject cookies must still receive full access to the website: A website owner is not allowed to offer limited features or functionality to visitors who do not want their information tracked.

However, not all cookies require consent under the GDPR. Many cookies are essential to creating a strong user experience on websites, therefore, certain cookies (e.g., authentication, multimedia content player, load-balancing, third-party social-plug-in content-sharing) are exempt from needing consent before the collection of data.

The California Consumer Protection Act (CCPA) and Cookies

Although there is not a comprehensive federal cookie law in the U.S., the CCPA serves as safeguard to the personal information of internet users in California. Similar to the GDPR, the CCPA views cookies as personal information, so in order for a business to have a compliant cookie policy, it must include the following information:

• The types of cookies used within the website
• The categories of personal information the website collects
• The purpose for collecting that information
• The retention period of that information
• The third parties that provide the scripts behind the cookies

Unlike the GDPR, CCPA cookie consent is based on an opt-out mechanism, which means websites can use cookies without prior consent, but are required to provide consumers with a simple way to opt-out of them at any time. The CCPA also requires businesses to disclose what information is being collected by cookies and how that information is used before or at the point of collection, but it does not require explicit cookie consent. Gaining consent for functionality, performance, or analytic cookies is optional.

As with the GDPR, cookies that are necessary to the functionality of the website do not require consent under the CCPA. The CCPA does not require that businesses have separate cookie policies addressing the collection and use of personal information revealed through cookies, as long as that information is included in the organization’s privacy policy. And, while the CCPA does not require a cookie banner, the website must feature a Do Not Sell My Personal Information link for users to opt-out of third-party sales of personal information.

Complying with Data Protection and Cookie Laws

Cookies play an integral role on most websites, which makes complying with multiple cookie regulations seem like a daunting task. But, by putting in the effort to align with these privacy regulations, you’ll be able to avoid potential legal battles, significant fines, and build stronger consumer trust. Here are a few basic steps that will help your organization meet the requirements of these major cookie directives and regulations. 

1. Audit and classify your cookies

In order to properly describe your cookie practices to users, it is important to understand what cookies are currently being used on your website. Most websites run more cookies than they realize, so conducting an audit will provide a detailed report of the cookies present on each page, their purposes and categories, and even the third-party cookie settings on your site. Depending on the software, these scans can even detect cookies found behind logins, simulate user journeys, and maintain an audit trail that will help you demonstrate compliance efforts. An audit is also a good opportunity to assess expired third-party relationships to determine whether any inactive vendors are still using your website's cookies. 

Each of the three regulations above require that businesses provide a detailed description that notifies users of the cookies being used, how they are being used, the personal information being collected, and who that data is being shared with. The report generated from the cookie audit will be helpful with compiling this information.

The most important measure is receiving consent to the use of cookies. Even though only the GDPR and the ePrivacy Directive require consent before cookies can be stored on a user’s browser, having all visitors (regardless of where they are residents) provide active consent is a good rule to follow. This should be obtained by placing a checkbox or clickable button in the notice that users must select in order to consent. While this form of consent is acceptable, there should also be the option for users to set their cookie preferences, declaring which cookie categories they accept or decline. In addition, included in the website footer, cookie policy, or privacy policy should be links that direct users to either a form or page where they can revoke or modify their consent.

4. Customize a cookie banner (or pop-up notification)

When users visit your website for the first time, they should immediately be notified that cookies are being used. The website banner should include easy to understand language, placement in an obvious location, and a link to your privacy policy containing additional information regarding cookie use. To also ensure compliance with the CCPA, a “Do Not Sell” link should be included for users to opt-out of advertising and data collection cookies on your website. You may also want to inform users that cookies are tracked by device, so if they want to opt out, they must do this on each device they've used to access your site.

Many companies choose to present the information about their cookie use in a separate cookie policy. However, this is not mandatory as long as the specifics of your cookies are included within your privacy policy. Your policy should include: 1) a brief overview of cookies and a statement that your websites uses cookies, 2) the types of cookies you (or any third party) are using on your website, 3) the reason for using the cookies, and 4) methods for opting out of having cookies placed on their browser. Since cookies change often, your policy should be reviewed and updated accordingly.

Cookies have become a complex yet valuable tool for most businesses, but it can be easy to rely too heavily on them and jeopardize your users’ privacy. With a host of new regulations monitoring cookies, a poor cookie policy can contribute to the growing mistrust of consumers and lead to significant fines and penalties. However, if you can properly inform your users about the cookies your site uses and receive the appropriate consent, you’ll be better prepared to take advantage of the benefits cookies offer, protect your company from the risk of noncompliance, and build consumer trust.

Want more insights into the latest privacy news?

Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.