1. What are Cookies?
A cookie is a small piece of plain text that a website asks the browser to store on the user’s device when the browser loads one of its pages. Cookies remember useful pieces of data about the users a site encounters, acting as an invisible liaison between a domain’s owner and its visitors.
A cookie can identify both the user and the browser, and can remain on the user’s device indefinitely. When the browser returns to that website, it sends the cookie back with its requests to that domain, sharing the data that was stored in it about that user.
Companies use the data collected from cookies – from the details of a browsing session to a customer’s credit card number – to personalize the user experience, ensure the proper functioning of their website, and advance their enterprise.
2. Cookie Functions and Risks
Cookies can serve a wide range of purposes for a business, but the following are the main categories under which most cookies fall:
- Essential – Essential cookies are a website’s basic form of memory, used to store the preferences selected by users on a given site. As the name implies, they are essential to the website’s functionality and cannot be disabled by users. For example, an essential cookie may be used to prevent users from having to log in each time they visit a new page in the same session.
- Performance and functionality – These cookies are used to enhance the performance and functionality of your website, but are not essential to its use. However, without these cookies, certain functionality (like videos) may become unavailable.
- Analytics and customization – Analytics and customization cookies track user activity so website owners can better understand how their site is being accessed and used.
- Advertising – Advertising cookies are used to customize the user’s ad experience on a website. Using the data collected from these cookies, websites can prevent the same ad from appearing again and again, remember user ad preferences, or tailor which ads appear to users based on their activities.
- Social networking – Social networking cookies are used for exactly that – they allow users to share content on social media platforms and help link activity between a website and third-party sharing platforms.
While they contribute a great deal to the operation and optimization of a business, these cookies may also pose a risk to users – and to your business. Because they collect and store personal data, cookies can be exposed in a data breach or harvested through malicious data mining.
These potential risks, coupled with the personal nature of data that cookies collect, inspire the rising need for cookie laws and regulations.
3. Cookie Laws
Cookie laws are cropping up around the world in order to mitigate the risks that cookies pose.
While cookie regulation is still relatively new territory, the following rules are breaking ground on providing notification and consent rights to users over the cookies they encounter online:
The General Data Protection Regulation (GDPR)
One of the main laws dictating lawful cookie practices is the GDPR. This regulation aims to give users greater rights over their data through stringent notification and consent guidelines.
Under the GDPR, users need to be informed of the existence of cookies on a given website and consent to their deployment, in order for those cookies to lawfully collect information from that user.
However, there are some exceptions. Recall the types of cookies mentioned above that businesses commonly use – namely essential cookies and performance and functionality cookies.
Such cookies can often be justified on the basis of legitimate interests or the performance of a contract, so user consent is not necessarily required before they are lawfully deployed.
Furthermore, in accordance with Article 12 of the GDPR, personal data collection (including that achieved through cookies) needs to be clearly outlined to users through accessible policies.
When it comes to the relationship between cookie use and the GDPR, the important thing to remember is that data collected from cookies is considered personal data – and therefore subject to all personal data collection guidelines of the GDPR.
The EU Cookie Law
The EU Cookie Law (or EU Cookie Directive) is an adaptation of the EU ePrivacy Directive – one of the two cornerstone pieces of legislation governing digital privacy throughout the EU (the other being the GDPR).
The Directive will soon receive another update, and will be renamed the ePrivacy Regulation. Still in the finalization process, the Regulation is set to come into effect in the next two years.
As is the case with the GDPR, the law not only applies to all businesses operating within member states of the EU, but any business with users in the EU – regardless of the company’s physical location.
The Cookie Law comes down to one main premise – obtain user consent to cookies.
However, the law stipulates that the opt-in requirement only applies to non-essential cookies, meaning you can deploy the cookies that are necessary for the proper functioning of your website without first getting consent.
US Cookie Laws
In the United States, while there is no single overarching cookie law that applies in all cases, there are several individual privacy rules that apply to corporate cookie usage, including:
- The Computer Fraud and Abuse Act of 1984
- The Americans with Disabilities Act
- The Children’s Internet Protection Act of 2001 (updated 2013)
- The Children’s Online Privacy Protection Act (COPPA)
Furthermore, the recently-passed CCPA also applies to cookie usage as the act serves to safeguard the personal data of internet users in a similar manner to the GDPR.
On top of fines and penalties from supervisory authorities, the California Consumer Privacy Act (CCPA) gives users the right to sue a business for breach of data – even if no monetary or physical damages are suffered.
While laws governing cookie use differ between the US and the EU, the aim of almost all cookie legislation is essentially the same. Lucky for you, that means just implementing a few practices could keep your cookies legally compliant no matter which regulations may apply to your business.
How to Stay on the Right Side of Cookie Laws
As cookie laws and their specific stipulations differ from place to place, it’s important to look into exactly which rules and regulations apply to your business, and navigate them accordingly.
That being said, there are some basic steps you can take to keep your cookie practices on the right side of the primary cookie laws:
1. Audit and classify your cookies
In order to accomplish the next two items on this list – disclosing your cookies and getting consent to deploy them – you need to first know and understand the cookies you use.
Many websites are running more cookies than they even realize, making cookie compliance, as well as data protection, difficult business.
Figuring out which cookies your site uses isn’t always easy. Use our free cookie scan and cookie consent manager to discover all the cookies your website uses, and which categories they fall under.
Not only should you make an effort to discover which cookies you use, but you should then classify those cookies by their purpose (take, for example, the main cookie categories listed above). Organizing your cookies by the purposes they serve is essential to completing the following two steps.
2. Disclose your cookie practices to users
Now that you know which cookies you use and what purpose they serve, it’s time to present that information to your users in a cookie policy.
Make this policy easily available to users by linking it in your website’s footer and in the next step of your compliance plan – your cookie consent banner.
3. Get consent before deploying cookies
Consent to non-essential cookies has to be obtained before those cookies are set, and the mechanism you use should offer at least the following:
- The option for users to set their cookie preferences – If users choose not to consent to the use of all cookies, they should be allowed to give specific consent to certain categories of cookies (e.g. performance, analytics, etc.).
- The ability to revoke consent at any time – Even if a user has consented to your cookies or set their specific preferences, they should have the ability to easily rescind that consent and cease their relationship with your cookie use.
Most of this can be easily accomplished through a cookie consent banner.
Furthermore, your banner should include a link that directs users to learn more about your cookie use and set their cookie preferences if they wish.
Once again, this consent banner will cover the majority of your responsibilities in getting lawful cookie consent for users.
Remember to keep records of user cookie consents and preferences stored where you can easily access them in the event of a privacy complaint or compliance audit.
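As an added example (not part of the original article and not Termly’s product), here are the three steps above as a small JavaScript consent gate: the audit result becomes a name-to-category registry, non-essential cookies are set only after consent to their category, revoking consent purges them, and each consent decision is recorded with a timestamp. The cookie names, categories and the in-memory cookie store are constructed assumptions.

```javascript
// Added example, not the article's or Termly's code: a consent gate that deploys
// cookies only when their category is permitted. Names and categories are constructed.
const COOKIE_REGISTRY = {            // step 1: audit output, cookie name -> category
  session_id: 'essential',
  csrf_token: 'essential',
  video_quality: 'performance',
  _ga: 'analytics',
  ad_id: 'advertising',
};
// In-memory stand-in for document.cookie so the example runs outside a browser
// (assumption); a real deployment would wrap document.cookie with the same API.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value) { this.jar.set(name, value); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()]; }
}
class ConsentManager {
  constructor(store, registry = COOKIE_REGISTRY) {
    this.store = store;
    this.registry = registry;
    this.record = null;                // null: no consent decision recorded yet
  }
  // Step 3: store the categories the user opted in to, with a timestamp that
  // can be produced later in a complaint or compliance audit.
  setConsent(categories, now = new Date()) {
    this.record = { categories: new Set(categories), at: now.toISOString() };
    this.enforce();
    return this.record;
  }
  // Revocation is consent to no non-essential category; the purge follows.
  revokeConsent(now = new Date()) { return this.setConsent([], now); }
  allowed(name) {
    const category = this.registry[name];
    if (category === undefined) return false;   // unaudited cookie: never deploy it
    if (category === 'essential') return true;  // exempt from the consent requirement
    return this.record !== null && this.record.categories.has(category);
  }
  // Deploy a cookie only if its category is permitted at this moment.
  setCookie(name, value) {
    if (!this.allowed(name)) return false;
    this.store.set(name, value);
    return true;
  }
  // Remove any cookie already on the device whose category is no longer permitted.
  enforce() {
    for (const name of this.store.names()) if (!this.allowed(name)) this.store.remove(name);
  }
}
```

Unknown cookie names are refused rather than silently set, which is what turns the audit in step 1 into an enforceable control.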
4. Which cookies are exempt from the consent requirement?
According to the overseeing EU advisory body, businesses don’t need to get user consent to the deployment of all cookies under the Cookie Law. In fact, cookies that are used specifically for the following purposes are exempt from the ePrivacy consent requirements:
- used for the sole purpose of carrying out the transmission of a communication
- strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.
The advisory body further outlines some common cookies that fall under this exemption:
- User‑input cookies (session-id) — User-input cookies are used to track items that the user, themselves, inputs into your website. For example, a cookie that remembers the items in a customer’s shopping cart, or the answers to an online form, are user-input cookies.
- Authentication cookies — These trackers identify a user by their login credentials. When a website visitor enters their username and password, these cookies will confirm that user’s identity and “remember” their account information.
- User‑centric security cookies — They detect authentication errors and abuses, such as incorrect login details. When a visitor enters incorrect login credentials, these cookies detect that and track how many incorrect entries are made.
- Multimedia content player cookies — Content player cookies enable audio or video play. Say a user is scrolling through your site and encounters an auto-play video file. Multimedia player cookies allow that video to play.
- Load‑balancing cookies — These cookies serve perhaps the most basic cookie function: they tell your website’s load balancer which backend server is handling a user’s session, so that user’s requests keep going to the same server.
- User‑interface customization cookies — These cookies store user-experience preferences, for example the language a user has selected.
- Third‑party social plug‑in content‑sharing cookies — These cookies are applicable to users logged into a social media platform at the same time as their visit to your site. If a user clicks a “Share on Facebook” button on one of your blog posts, these cookies connect that post with the user’s logged-in Facebook account.
All of these exempt cookies are only meant to serve their purpose over the course of the user’s session on your website. If they follow your users around the web, collecting information that isn’t necessary for website-user interactions, they are no longer exempt from ePrivacy consent requirements.
Cookies are a complex, yet valuable tool in operating an online business. The global call for greater user privacy rights and digital transparency has paved the way for emerging data laws that now target cookie use.
Complying with laws like the GDPR and the EU Cookie Law can be difficult business – but not complying can be financially detrimental.
If you want a simple solution to cookie law compliance, check out how Termly can help with our state-of-the-art cookie consent manager.