To say cookies are ubiquitous is an understatement. They are an invisible but ever-present technology for anyone who uses the internet. Often maligned for their role in tracking people’s behavior, they are also essential for the functioning of most websites and help improve online experiences in ways that we’ve all come to expect.
With the appearance and proliferation of data privacy laws such as the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), cookies are in the spotlight for their privacy implications. Here is a brief explanation of what cookies are and how they can affect your business’s privacy compliance strategy.
A cookie is a small text file placed on a website visitor’s browser by a server. It usually contains a random ID that has been assigned to the visitor, and it logs whatever information it was designed to monitor. That information can vary widely, from the timestamps of previous to which items a person added to their cart. They can help a website remember if a person has logged in to their account and, ironically, keep track of a person’s cookie preferences. These small files are the foundation of the modern, personalized internet.
Cookies are separated into two groups: first party and third party. First-party cookies are placed by the website the person is visiting; third-party cookies are placed by a domain other than the website the person is visiting. Third-party cookies are often associated with marketing activities such as targeted advertising, though other types of cookies may also be third party.
Cookies are personal information because they identify a particular person (or at least a particular device). Combined with other information, it can be used to learn something about an individual. For this reason, the privacy notices required by various laws should include a mention of how cookies are used.
Other applications of cookies carry more significant privacy implications. A common scenario is the use of third-party cookies for targeted (i.e., interest-based) advertising: A cookie is placed on the visitor’s browser; as they navigate the website, the cookie logs interactions such as products viewed or added to a shopping cart; when the visitor goes to another website, an ad network can read the information on the cookie and use it to serve relevant ads. Here the cookie has gathered personal information (interactions with the website) and shared it with an outside party (the ad network) that can then use that information for its own purposes. This type of arrangement is considered selling personal information under privacy laws and triggers the consumer’s right to opt out, so businesses must have a way to stop the process if a consumer requests it.
Websites based in the European Union or United Kingdom, or that target residents of those places, must comply with the ePrivacy Directive (EPD). Known as the Cookie Law, the EPD requires websites to get visitors’ consent before setting most types of cookies.
While the EPD is a separate law from the GDPR, there is a connection between the two in that the GDPR’s consent rules apply. Cookie consent must be affirmative and specific. Affirmative consent means the visitor must actively choose to accept the cookies (i.e., click “Yes” or “Accept”), as opposed to a passive arrangement in which the visitor is told that by continuing to use the site they are giving their consent. Specific consent means that the choice can’t be presented as an “all or nothing” option. Websites must divide the cookies into categories (e.g., analytics, marketing, etc.), and give the visitor the option to accept or reject each category.
The only types of cookies that do not require visitors’ consent are those that are strictly necessary for the website to function. For example, cookies that allow a website to remember what is in the visitor’s shopping cart are considered strictly necessary.
Cookies play an important role in the online activities of most businesses, but they also carry with them legal obligations in the form of privacy compliance. TrueVault Polaris helps businesses navigate this complex landscape by taking them step by step through the compliance process. With our attorney-designed software, businesses can finish the initial onboarding in as little as a few hours, and our automated workflows help them stay compliant with minimal ongoing effort. Contact our team today to schedule a demo.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.