1. What are Cookies?
A cookie is a small piece of plain text that a website places on a visitor’s computer when their browser loads a webpage. Cookies are used to remember useful pieces of data about the users a site encounters, acting as an invisible liaison between a domain’s owner and its visitors.
A cookie can identify both the user and the browser, and can be left on the user’s device indefinitely. When the user’s browser returns to that website, it sends the cookie back to the domain, sharing the data that has been collected or stored about that user.
Companies use the data collected from cookies – from the details of a browsing session to a customer’s credit card number – to personalize the user experience, ensure the proper functioning of their website, and advance their enterprise.
2. Cookie Functions and Risks
Cookies can serve a wide range of purposes for a business, but the following are the main categories under which most cookies fall:
- Essential – Essential cookies are a website’s basic form of memory, used to store the preferences selected by users on a given site. As the name implies, they are essential to the website’s functionality and cannot be disabled by users. For example, an essential cookie may be used to remember the items a user places in their online shopping cart.
- Performance and functionality – These cookies are used to enhance the performance and functionality of your website, but are not essential to its use. However, without these cookies, certain functionality (like videos) may become unavailable.
- Analytics and customization – Analytics and customization cookies track user activity so website owners can better understand how their site is being accessed and used.
- Advertising – Advertising cookies are used to customize the user’s ad experience on a website. Using the data collected from these cookies, websites can prevent the same ad from appearing again and again, remember user ad preferences, or tailor which ads appear to users based on their activities.
- Social networking – Social networking cookies are used for exactly that – they allow users to share content on social media platforms and help link activity between a website and third-party sharing platforms.
While they contribute a great deal to the operation and optimization of a business, these cookies may also pose a risk to users – and to your business. Because they collect and store personal data, cookies are exposed to data breaches and malicious harvesting.
These potential risks, coupled with the personal nature of the data that cookies collect, drive the growing need for cookie laws and regulations.
3. Cookie Laws
Cookie laws are cropping up around the world in order to mitigate the risks that cookies pose.
While cookie regulation is still relatively new territory, the following rules are establishing notification and consent rights for users over the cookies they encounter online:
The General Data Protection Regulation (GDPR)
One of the main laws dictating lawful cookie practices is the GDPR. This regulation aims to give users greater rights over their data through stringent notification and consent guidelines.
Under the GDPR, users need to be informed of the existence of cookies on a given website and consent to their deployment, in order for those cookies to lawfully collect information from that user.
However, there are some exceptions. Recall the previously mentioned types of cookies often used by businesses – namely essential cookies and performance and functionality cookies.
It can often be argued that these types of cookies are used on the basis of legitimate interests or for the performance of a contract, meaning user consent isn’t necessarily required for them to be lawfully deployed.
Furthermore, in accordance with Article 12 of the GDPR, personal data collection (including that achieved through cookies) needs to be clearly outlined to users through accessible policies.
When it comes to the relationship between cookie use and the GDPR, the important thing to remember is that data collected from cookies is considered personal data – and therefore subject to all personal data collection guidelines of the GDPR.
The EU Cookie Law
The EU Cookie Law (or EU Cookie Directive) is an adaptation of the EU ePrivacy Directive – one of the two cornerstone pieces of legislation governing digital privacy throughout the EU (the other being the GDPR).
The Directive will soon receive another update, and will be renamed the ePrivacy Regulation. Still in the finalization process, the Regulation is set to come into effect in the next two years.
As is the case with the GDPR, the law applies not only to all businesses operating within member states of the EU, but also to any business with users in the EU – regardless of the company’s physical location.
The Cookie Law comes down to one main premise – obtain user consent to cookies.
However, the law stipulates that the opt-in requirement only applies to non-essential cookies, meaning you can deploy the cookies that are necessary for the proper functioning of your website without first getting consent.
US Cookie Laws
In the United States, while there is no single overarching cookie law that applies in all cases, there are several individual privacy rules that apply to corporate cookie usage, including:
- The Computer Fraud and Abuse Act of 1984
- The Americans with Disabilities Act
- The Children’s Internet Protection Act of 2001 (updated 2013)
- The Children’s Online Privacy Protection Act (COPPA)
Furthermore, the recently passed CCPA also applies to cookie usage, since the act serves to safeguard the personal data of internet users in a manner similar to the GDPR.
On top of fines and penalties from supervisory authorities, the California Consumer Privacy Act (CCPA) gives users the right to sue a business for a data breach – even if no monetary or physical damages are suffered.
While laws governing cookie use differ between the US and the EU, the aim of almost all cookie legislation is essentially the same. Lucky for you, that means just implementing a few practices could keep your cookies legally compliant no matter which regulations may apply to your business.
How to Stay on the Right Side of Cookie Laws
As cookie laws and their specific stipulations differ from place to place, it’s important to look into exactly which rules and regulations apply to your business, and navigate them accordingly.
That being said, there are some basic steps you can take to keep your cookie practices on the right side of the primary cookie laws:
1. Audit and classify your cookies
In order to accomplish the next two items on this list – disclosing your cookies and getting consent to deploy them – you need to first know and understand the cookies you use.
Many websites are running more cookies than they even realize, making cookie compliance, as well as data protection, difficult business.
Figuring out which cookies your site uses isn’t always easy. Use our free cookie scan to discover all the cookies your website uses, and which categories they fall under.
Not only should you make an effort to discover which cookies you use, but you should then classify those cookies by their purpose (take, for example, the six main cookie categories we mentioned above). Organizing your cookies by the purposes they serve is essential to completing the following two steps.
2. Disclose your cookie practices to users
Now that you know which cookies you use and what purpose they serve, it’s time to present that information to your users.
Make your cookie policy easily available to users by linking it in your website’s footer and in the next step of your compliance plan – your cookie consent banner.
3. Get consent before deploying cookies
- The option for users to set their cookie preferences – If users choose not to consent to the use of all cookies, they should be allowed to give specified consent to certain categories of cookies (e.g. performance, analytics, etc.).
- The ability to revoke consent at any time – Even if a user has consented to your cookies or set their specific preferences, they should be able to easily rescind that consent and put an end to your use of cookies on their device.
Most of this can be easily accomplished through a cookie consent banner.
Furthermore, your banner should include a link that directs users to learn more about your cookie use and set their cookie preferences if they wish.
Once again, this consent banner will cover the majority of your responsibilities in getting lawful cookie consent for users.
Remember to keep records of user cookie consents and preferences stored where you can easily access them in the event of a privacy complaint or a compliance audit.
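As an added example (not Termly’s code and not part of the original article), the following JavaScript shows how the logic behind a consent banner can enforce steps 1 to 3 together: every cookie is registered under one of the categories listed above, only essential cookies are written before consent, withheld cookies are released when the user opts in, revocation deletes them again, and each decision is logged with a timestamp and policy version for complaints and audits. The category names, the ConsentGate class and the in-memory store are assumptions for illustration; in a browser the store would wrap document.cookie.

```javascript
const CATEGORIES = ["essential", "performance", "analytics", "advertising", "social"];
class ConsentGate {
  // store: { set(name, value), remove(name) }; in a browser it would wrap document.cookie.
  constructor(store, policyVersion, now = () => new Date().toISOString()) {
    Object.assign(this, { store, policyVersion, now });
    this.consented = new Set(["essential"]); // essential cookies need no opt-in
    this.pending = new Map();  // category -> [{ name, value }] held back until consent
    this.written = new Map();  // category -> Set of cookie names actually written
    this.records = [];         // consent decisions, kept for complaints and audits
  }
  // Site code calls this wherever it would otherwise write a cookie directly.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.consented.has(category)) {
      if (!this.pending.has(category)) this.pending.set(category, []);
      this.pending.get(category).push({ name, value }); // hold back, do not write
      return false;
    }
    this.store.set(name, value);
    if (!this.written.has(category)) this.written.set(category, new Set());
    this.written.get(category).add(name);
    return true;
  }
  // Banner callback: the user opted in to these categories; release held cookies.
  grant(categories) {
    for (const c of categories.filter((c) => CATEGORIES.includes(c))) {
      this.consented.add(c);
      for (const { name, value } of this.pending.get(c) || []) this.setCookie(name, value, c);
      this.pending.delete(c);
    }
    this.record("grant", categories);
  }
  // Preference link: withdraw consent and delete the cookies already written.
  revoke(categories) {
    for (const c of categories.filter((c) => c !== "essential")) { // essential stays
      this.consented.delete(c);
      for (const name of this.written.get(c) || []) this.store.remove(name);
      this.written.delete(c);
    }
    this.record("revoke", categories);
  }
  record(action, categories) {
    this.records.push({ action, categories: [...categories], at: this.now(), policyVersion: this.policyVersion });
  }
}
// Constructed in-memory store standing in for document.cookie so the example runs under Node.
function memoryStore() {
  const jar = new Map();
  return { set: (n, v) => jar.set(n, v), remove: (n) => jar.delete(n), names: () => [...jar.keys()].sort() };
}
```

The records array is what you would hand over in an audit; persisting it server-side (keyed to the consent cookie’s own identifier) is left to the site.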
Cookies are a complex, yet valuable tool in operating an online business. The global call for greater user privacy rights and digital transparency has paved the way for emerging data laws that now target cookie use.
Complying with laws like the GDPR and the EU Cookie Law can be difficult business – but not complying can be financially detrimental.
If you want a simple solution to cookie law compliance, check out how Termly can help with our state-of-the-art cookie consent manager.