Cookies or “HTTP cookies” are small fragments of data created by the websites you visit that get saved as text files.
While they’re fundamental to any website, cookies do raise some privacy concerns. That’s the reason why some countries established cookie warning laws, calling for new requirements and safeguards to be put into place to ensure user privacy.
This article will discuss the purpose and laws regulating a cookie warning and whether your website needs one.
Why Does Every Website Warn You About Cookies?
Nearly every website nowadays shows a cookie warning, including retailers like Amazon. But, of course, cookies have existed ever since the Internet was created, so why does every website suddenly ask you to agree to them?
The answer is simple: the European Union’s General Data Protection Regulation (GDPR) enacted much stricter data privacy laws, regularizing personal data collection, processing, and sharing.
Once the GDPR went into effect, companies and jurisdictions worldwide hurried to ensure compliance with the new data privacy laws for all their users around the globe. Even though the GDPR is only enforceable if a company does business in the EU, other countries and states have enacted similar regulations.
In the United States, for example, the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA) all demonstrate the growing trend of stricter data privacy laws across the board.
Along with the GDPR, these legislative instruments across the US have forced companies into compliance or — in other circumstances — preemptive obedience by adding a pop-up cookie alert feature into their websites.
What Is the Purpose of a Cookie Warning?
The primary purpose behind cookie warnings is to enhance transparency and, in turn, build trust between the users and the website.
Whether someone uses a website or an app, protecting online consumer privacy involves obtaining explicit consent to use their data. That’s why a cookie warning gets displayed on the screen — it’s how the website or app informs users of the usage of cookies.
Users also get asked to authorize activation of these cookies so that their personal data can be processed and used.
If a cookie can identify an individual through their device, the website using such cookies needs the cookie warning to facilitate the user’s consent.
In essence, the cookie banner is an agreement between a website or app and its visitors. This contract aims to inform visitors about any potential third-party tracking and foster more transparency across the internet.
Does Your Website Need a Cookie Warning?
Now that you have a better understanding of the rationale behind the need for cookie warnings, you might be wondering whether your website or app needs to have one.
If you have customers or users based in the EU or your company’s located or based in a jurisdiction with cookie laws, your website or app most likely needs to include a cookie warning. If you don’t have one, your website or app might be blocked to the customers or users that are covered by those laws — you might also face severe penalties.
Here’s a look at the EU’s law regulating cookie usage, what happens if you fail to comply, and what it means when someone chooses not to consent to cookie usage.
Cookie Warning Law Summary
The GDPR was initiated as a directive from the European Union. Under these directives, several requirements have been placed on the collection of cookies for tracking users.
To comply with the fundamental guidelines, an individual, company, or organization running a website or app must:
- Know the type of cookies — essential and nonessential — that their website or app uses and what categories these cookies fall under.
- List all cookies in both the privacy policy and cookie policies of the website or app.
- Inform users about the cookies being used on the website or app, explaining it in explicit, GDPR-compliant, cookie warning language.
- Only activate nonessential cookies if a user authorizes their use.
- Give users the option to withdraw or alter their cookie preferences at any given time.
- Maintain consent logs of user cookie preferences.
Exemptions
Not all cookies fall under the scope of the GDPR — these cookies get referred to as essential cookies.
Essential cookies are fundamental for the smooth working of a website. That’s why the GDPR made an exception for these types of cookies, which are absolutely necessary to complete tasks requested by the website’s users.
But what a “strictly essential” cookie is, remains somewhat ambiguous.
The guideline provides that strictly essential cookie types won’t stand in the way of any technical storage or access for solely transmitting a communication over a network. That’s why these cookies are also exempt — because they’re strictly necessary to enable a website that provides information to users who specifically request such information on the content they are seeking.
For example, this exemption applies to you if you own an e-commerce site that uses a session cookie that allows users to place items in their cart during their time on the website.
It also applies if you rely on a load balancing cookie to allocate your network traffic over a range of servers — because the primary function of such a cookie is to identify one of the servers.
Record Keeping
Furthermore, even though under the cookie warning law, records of consent are not explicitly required to be kept, most of the time, cookies collect and process user data, which is why they fall under the GDPR requirements of record keeping. Cookie warnings aren’t mandated to list out every cookie used, though — just their type, usage, and purpose need to be stated.
What if your website also uses third-party cookies? Then you need to ensure that users are informed of these third parties, directing them to the respective privacy and cookie policies.
Consent
Notably, you must obtain a user’s consent the first time they visit your website. There’s no obligation to ask repeatedly for permission after the initial cookie warning. Once a user has granted authorization, you can safely assume that they consent to the continuous use of such cookies.
However, if your website uses third-party cookies, it would be better to obtain new consent each time a new third-party cookie must be activated.
Nevertheless, even after permission is received, you will still be required to provide your cookie policy. This policy should include the types of cookies used and how they are used.
Lastly, the GDPR requires that consent be voluntarily given by the user to be classified as valid.
Therefore, any use of coercion to obtain consent may render it invalid. So, even though the website may restrict specific content due to cookie preferences, the user’s access to the general website must not be denied solely due to the denial of consent.
What Happens if You Don’t Use a Cookie Warning?
Violating the GDPR’s cookies law can result in penalties in the form of monetary fines up to €20 million (roughly $20,372,000), or 4 percent of companies’ worldwide turnover for the preceding financial year—whichever is higher. The maximum penalty will typically be imposed if the violation is deemed intentional, causing significant distress to the user.
For example, in 2014, a Dutch public broadcaster was fined $29,000 for failure to comply with cookie laws set by the Netherlands Authority for Consumers and Markets. The broadcaster’s negligence in implementing a compliant consent mechanism resulted in the imposition of the fine.
What if a Visitor Doesn’t Accept Your Cookies?
If a user doesn’t accept your cookies, then their request needs to be honored. That doesn’t, however, mean that they get entirely restricted from the website.
If your website can still be accessed using non-essential cookies, users should be granted access to that extent. However, this could mean providing content that may not be entirely relevant or a less personalized experience.
For websites requiring usernames and passwords, users would have to insert their credentials manually every time they access your website.
Tips on Setting up a Cookie Warning
While cookie warning laws are generally quite similar, they do have particular distinctions. For example, the CCPA and the GDPR have somewhat different requirements for cookie warnings. So it’s important for you as a website or app owner to ensure that such cookie warnings are displayed based on what laws your business needs to comply with.
Here are some fundamental obligations that are identical in nearly all of the laws and should get integrated into your website.
1. A Voluntary Consent Button
You must provide user-informed consent for the usage of cookies. This essentially requires that users have an option to opt out of the use of their data. However, this doesn’t mean that users can be entirely restricted from accessing the website by declining the use of cookies.
Also, the opt-out option should be as convenient and easy to use as the opt-in feature.
2. Boxes That Have Not Been Pre-checked
To properly comply with the GDPR and other cookie warning laws, all checkboxes in the cookie warning must be blank. If they’re pre-checked, you will be violating the GDPR.
The rationale here is that a user’s informed consent must be obtained freely and without using any coercive or deceptive methods — pre-checked boxes go against this. The Federal Supreme Court reinforced this position in the Planet49 decision.
3. Selective Cookie Usage
As part of obtaining the user’s informed consent, a website visitor or app user must also be allowed to select the type of cookies they authorize and the ones they don’t. In addition, they need to be informed of the various types of cookies used by your website or app and be given the option to choose the ones they want to activate.
4. Avoid Implied Consent
A user ignoring your cookie warning — or simply clicking an “OK” button — and continuing to browse does not count as consent to your cookie usage. Cookie warnings that are only for informational purposes and don’t allow the alteration of cookie usage are in breach of the GDPR requirements. For a cookie warning to be compliant, just displaying an ‘OK’ button goes against the purpose of these warnings — if a user is given no option to select, it can’t be deemed voluntary consent.
5. Link to Privacy Policy
Apart from displaying the cookie warning on the website, it’s also important to provide an easily accessible privacy policy on your website or app. To remain in compliance, your cookie warning should have a link to your privacy policy.
Conclusion
There are stricter laws now regulating the use of cookies. Data privacy laws across the globe have been increasingly reinforced. So even if your company or website isn’t located or based in the European Union, some of your users may reside there.
That’s why your company needs to comply with new cookie warning laws and regulations concerning their use.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
