From news sites to ecommerce stores and forums to social media, if you spend any amount of time on the web, you’ve almost certainly been exposed to what are called “cookie policy and consent interstitial pop up banners.” And if you’re like most, you’ve not only encountered them but been absolutely inundated by them. That’s because cookies on the web are ubiquitous.
Cookies are tiny bits of data that a website stores in your browser to identify you and your browser for a variety of reasons. Some simply enable a website to function in a way that is compatible with your device and other settings while others are potentially more intrusive – used to track locations, on-site actions and more. And if you’re asking whether your company needs to have a policy or consent banner that notifies your users of your own cookie practices, you’re likely no stranger to the conversations around them and their relation to data privacy and the regulations that ensure it. Your need for a cookie banner can be somewhat defined by the data privacy laws your company is subject to.
- Are you subject to GDPR? If yes, you definitely need a cookie policy and consent banner.
- Are you subject to CCPA or another state-level data privacy law? If yes, you should probably have a cookie policy and consent banner.
- Are you subject to neither of the above? You probably should still have a cookie policy and maybe even a consent banner.
Disclosure: while these are our opinions, we are not lawyers. If you have legal concerns, we strongly suggest you seek the advice of legal professionals.
Cookie Policies and Consent If Your Company is Subject to GDPR
GDPR has perhaps the strictest requirements when it comes to the management and disclosure of cookies and their application on a website. Site owners must disclose what cookies are being used on the site, explain their purpose and list the data they collect. These details should be present in a subsection of the company’s Website Privacy Policy.
GDPR also requires a further level of consideration called “prior consent.” In essence, this means that you must first ask for permission before setting a cookie on a user’s browser, as opposed to setting it and then giving the user an option to opt out. This is problematic because in most cases, cookies are set when a page loads. This means that a user must be presented with the option to opt in for cookies, have that opt-in recorded and only then have the cookie set. This can be tough to manage given that most websites lack the native functionality to run this sequence: load page > pause cookie set > opt in/out > load no cookies or only the opted-in cookies.
The emergence of third-party tools that help manage third-party cookie opt-ins has made it easier for marketers and webmasters to overcome this obstacle. Many of these tools, like CookiePro and Cookiebot, allow website administrators to list their cookies, segment them into different buckets based on their function and finally, allow site visitors to opt in to all, none or select groupings of cookies. These tools also often come equipped with a dynamic feature that allows you to embed cookie permissions directly within a website’s privacy policy, creating what is essentially a “manage preferences” area for cookies. The combination of these functions helps site administrators better adhere to privacy legislation and eliminates manual cookie management.
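The sequence described above (pause cookie writes on page load, record the opt-in, then set only the opted-in groupings) can be sketched as follows. This is an added example, not code from this article, CookiePro or Cookiebot; the `ConsentGate` class, the cookie names and the category names are hypothetical, and a `Map` stands in for the browser's cookie store so the sketch runs in Node.

```javascript
// Added illustration. ConsentGate, the cookie names and the category names are
// hypothetical; a Map stands in for the browser's cookie store.
class ConsentGate {
  constructor(registry) {
    this.registry = new Map(Object.entries(registry)); // cookie name -> category
    this.jar = new Map();  // stand-in for the browser cookie store
    this.pending = [];     // cookie writes paused until the visitor decides
    this.consent = null;   // null means no decision has been recorded yet
    this.log = [];         // recorded decisions
  }

  // Page scripts call this instead of writing cookies directly.
  setCookie(name, value) {
    const category = this.registry.get(name);
    if (category === undefined) return "blocked-unlisted"; // not in the admin's list
    if (this.consent === null) {
      this.pending.push([name, value]);
      return "paused";
    }
    if (!this.consent.has(category)) return "blocked-no-consent";
    this.jar.set(name, value);
    return "set";
  }

  // Record the visitor's choice, drop cookies from categories no longer
  // allowed, then replay the paused writes against the recorded choice.
  recordConsent(categories, when) {
    this.consent = new Set(categories);
    this.log.push({ when, categories: [...categories] });
    for (const name of [...this.jar.keys()]) {
      if (!this.consent.has(this.registry.get(name))) this.jar.delete(name);
    }
    const queued = this.pending;
    this.pending = [];
    return queued.map(([name, value]) => `${name}:${this.setCookie(name, value)}`);
  }
}

// Constructed walk-through: page load, opt-in to two groupings, later withdrawal.
function demo() {
  const gate = new ConsentGate({ session_id: "functional", visit_stats: "analytics", ad_click: "advertising" });
  const onLoad = ["session_id", "visit_stats", "ad_click", "mystery"].map((n) => gate.setCookie(n, "v"));
  const jarBeforeChoice = gate.jar.size;
  const flushed = gate.recordConsent(["functional", "analytics"], "2024-01-01T00:00:00Z");
  const afterOptIn = [...gate.jar.keys()];
  gate.recordConsent(["functional"], "2024-01-02T00:00:00Z"); // visitor withdraws analytics
  return { onLoad, jarBeforeChoice, flushed, afterOptIn, afterWithdrawal: [...gate.jar.keys()] };
}
```

Nothing reaches the cookie store until a decision is recorded, and a cookie that was never listed is refused outright, which is what makes the disclosed cookie list and the cookies actually set stay in agreement.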
Cookie Policies and Consent If Your Company is Subject to CCPA or Similar State Regulations
While there are considerations for cookies under CCPA, they differ greatly from the requirements of GDPR. Under CCPA, many cookies frequently used by marketers and advertisers are still deemed to be personal information in many circumstances. This means that they should be part of a CCPA compliance plan.
While GDPR requires a strict opt-in and prior consent for most cookies, CCPA does not carry this requirement, making it much easier for web admins to manage them. That is, unless you’re using cookies to execute targeted advertising campaigns. According to many thought leaders, this practice may constitute the “sale” of personal data under broad interpretations of that term. This would require users to be offered the opportunity to opt out of these cookies as well, necessitating a third-party tool. The safest course of action is to utilize a tool that notifies users of the use of cookies and allows them to opt out of their use.
Regardless of how your legal counsel and team decide to translate the “sale” of personal data associated with advertising cookies, the responsibility of notifying users of cookies and their use within your website privacy policy remains.
Cookie Policies and Consent If Your Company is Not Subject to Data Privacy Laws
Even if your business does not bear the legal burden of gaining consent for cookies or explicitly disclosing their use, this type of functionality and corporate communication is becoming the standard expectation for consumers. They expect to be able to manage their exposure to privacy breaches and limit the harvesting of their personal information in a way that they see fit. Delivering on these expectations is part of a positive user experience and helps build trust between companies and consumers. While you may find it is not necessary to utilize all features of these tools and enlist legal counsel to create a comprehensive privacy policy for your website, working towards transparency with your user base will help sow trust and deepen relationships with your audiences.