Internet cookies are tiny data files that websites place and store on the computers and mobile devices of users who visit those sites. These files contain information about the user’s actions on the website.
They are most often used to recognize return users and remember information about them, such as their browsing activity, whether they put items into a shopping cart, information they enter into text fields – including names, email addresses, and credit card numbers – and login information.
In addition, the policy will outline the other types of tracking technologies that may be used by the website, such as web beacons and pixel tags.
If your website is based in the US and targets users in the US, it is advised that you include such a policy. However, unlike privacy policies, you are not legally required to have one. While the Federal Trade Commission and various state laws such as CalOPPA govern internet privacy in the US, there is no law specifically pertaining to the use of tracking technologies at this time.
Mobile applications and the third-party services they employ may also use these kinds of tracking technologies. If they do, they are subject to the same laws and regulations that websites are, including those of the European Union. It is your responsibility to know and understand whether these technologies are being used.
Most US-based businesses, websites, and mobile apps simply include a section about these technologies within their privacy policies.
3. Applicable Agencies & Regulations
Additionally, with the passage of time, more and more attention is being paid internationally to internet privacy. There will be more laws and regulations pertaining specifically to tracking technologies in the future.
EU ePrivacy Directive
The preeminent law governing the use of tracking technologies is the EU Privacy Directive. This law applies to anyone who has an EU-based business, or who directly targets EU-based users.
Basically, the law states that in order to use tracking technologies on your website, you must have a dedicated policy that outlines which ones you use and how and why they are used. You must also obtain informed consent from your users before placing these technologies (e.g. cookies, web beacons, etc.) on their browsers.
Cookies can be broken down into classifications according to their lifespans and the domains to which they belong. Regarding their lifespans, they are either referred to as session or persistent.
- Session: those that are erased when the user closes their browser.
- Persistent: those that remain on the user’s computer for a predesignated period of time.
Regarding their domains, they are either referred to as first-party or third-party.
- First-party: those that come from the web server of the page visited by the user.
- Third-party: those that are stored by a different domain than that of the page visited by the user.
According to the EU ePrivacy Directive, websites are not required to obtain the informed consent of the user in order to use first-party session cookies. However, the use of the first-party persistent type does require informed consent. Additionally, the persistent variety must have an expiry period of no more than a year.
What is meant by “informed consent” is hotly contested and has still not been clarified. How to satisfy this requirement is also unclear. However, most affected websites use either a popup notification or a banner to inform users that tracking technologies are being used. These notifications allow users to opt in or out of their use.
Failure to comply precisely with the directive’s stipulations may result in legal proceedings and steep fines. In fact, two companies were slapped with heavy fines in 2014, despite having made efforts to comply with the directive.
Federal Trade Commission
The FTC does not have any regulations pertaining explicitly to the use of tracking technologies or policies addressing the use of these technologies. However, it does have requirements regarding the collection and handling of personal information and the implementation of privacy policies to describe such practices.
Further, the FTC enacted the Gramm-Leach-Bliley Act in 1999, which goes into detail about what is considered personal information. The act addresses tracking technologies and states that the information collected by them is legally considered personal information.
If these technologies are used on your site, it is best practice to have a separate, dedicated policy.
A comprehensive, dedicated policy will be comprised of the following parts:
- An explanation of what cookies are
- A description of the types used by the site
- A description of the types used by third-parties to the site
- An explanation of how and why they are used
- Detailed instructions on how users can opt out of their use
A breakdown such as this is common amongst the policies used online, and will keep your site compliant with both the EU ePrivacy Directive and the FTC. Some policies will also include a section which discusses where you can find additional information about these tracking technologies.
The BBC displays its policy in an FAQ format. The FAQ queries all address the fundamental components required by the aforementioned governing bodies.
Additionally, within the settings section is an interactive menu which allows users to opt in or out of the use of tracking technologies in real time.
This kind of policy goes above and beyond what is required by the ePrivacy Directive, and gives users a stronger feeling of privacy and security. However, you can generate a comprehensive policy online that will go just as far to ensuring that you stay compliant.
5. How to Obtain Informed Consent
The ePrivacy Directive and the FTC both have guidelines which need to be followed in order to stay compliant with their regulations. One very important aspect of compliance with these regulations is the informing and notifying of users.
The degree to which users need to be made aware of the use of tracking technologies varies significantly between the two regulatory guidelines.
According to the European Union’s ePrivacy Directive, webmasters must receive “informed consent” from visitors before they can place tracking technologies on user devices. One simple solution to this is the placement of a banner across the top of the website that requires users to take action.
Banners inform visitors that these technologies are used on the site. They also provide a link to a page where users can gain more general information about them. Finally, they give users the choice whether to opt in or out of the placement and storage of cookies on their devices via clickable form.
Jamie Oliver’s website uses the banner method to obtain informed consent.
The site has a very noticeable banner running across the top of the page that informs visitors of the use of tracking technologies. There is also a link that users can follow to learn more information. Not shown is a button that reads “Continue”, which will allow users to opt in when clicked.
Aside from a banner, the other proper way to adequately notify users in accordance with EU regulations is to use a popup window. When visitors first arrive at a site, they are greeted with a popup window that informs them of the data files used by the website and prompts them to opt in or out.
They are more intrusive than banners, but they are also more effective at getting people’s attention and obtaining informed consent.
BT uses a popup notification to get informed consent.
The popup allows users to opt out of the placement and storage of data files on their devices. It also informs them of their right to change these settings whenever they please.
The relevant sections should outline which tracking technologies are used, what information they gather, and for what purpose this information is collected and used.
6. Notable Examples
In the policy, the company informs visitors that its website uses several different first-party and third-party tracking technologies in order to provide a uniquely customized experience for everyone.
Interestingly, because of the Guardian’s worldwide appeal, it uses geotargeting technologies to establish the user’s location. This way, the company can provide location specific news and language settings.
The company has a combined policy page, but its cookie section is quite extensive. The section outlines the company’s use of tracking technologies on its website and in its mobile app.
There is also a large section which describes the user’s options regarding their use, including detailed instructions on how to opt out.
Greggs is a popular UK bakery chain that specializes in savory pastries like meat pies and sausage rolls. As it deals with cookies – and not only the sweet kind – it is required by EU law to include an easily accessible, dedicated policy on its website. It can be found, like most sites, in the footer.
The company takes a light-hearted, conversational approach to the policy.
This kind of approach can be very effective in relating to consumers and building their trust. However, it’s essential to cover all bases when building a legal policy. Ambiguous language or an important omission could end up costing thousands of dollars.
Pro:Direct Soccer is a UK-based company that sells soccer apparel, equipment, and footwear to all of Europe and beyond. The company ships to many countries, including the United States. Therefore, it is required to stay compliant with UK and EU laws and regulations.
The policy outlines the company’s reasons for using tracking technologies, the types used, and the right of users to disable them. It is important to let users know that disabling their use may affect their ability to use some features of the site, such as placing items in a shopping cart.