When it comes to data privacy, what is at once the greatest source of risk, the most common method of user data collection, and one of the most crucial elements for compliance?
Cookies.
When investigating a business, regulators will often look for cookie compliance first, as cookies are one of the most common ways to collect, process, and transmit user data. They’re small text files stored in the user’s browser to track and collect their data. This can include the user’s name, geolocation, IP address, website preferences, and more.
Fortunately, becoming cookie compliant is straightforward—but not necessarily easy.
Cookie compliance means ensuring your use of cookies is in accordance with data privacy laws. Each law comes with its own particularities. But in most cases, cookie compliance starts with informing users you use cookies, explaining how and why you use them, and gathering and recording users’ consent.
Failing to become cookie compliant is a violation of the data subjects’ rights. After all, you’re collecting and using their data without their consent.
The fines for this type of violation are huge. The exact amount varies from law to law, but as an example, under the GDPR fines can reach $20 million or 4% of annual turnover (whichever is greater).
Privacy laws have varying requirements for cookie compliance. The EU General Data Protection Regulation (GDPR) is one of the strictest, but the newly enacted California Privacy Rights Act (CPRA) isn’t too far behind. Let’s review the three types of consent before looking at the specifics of cookie compliance under different laws.
With opt-in consent, you can’t load any non-essential cookies without the user’s permission. Opt-in banners often have two buttons: one to accept cookies and one to reject them. However, they can also provide users with the option to consent to more specific types of cookies, including personalization, analytics, and marketing cookies. A link to the cookie policy will also be included.
With opt-out consent, you can load cookies right away while giving people the option to opt out of cookie collection. If they choose to opt out, you can only load essential cookies.
With implicit consent, users can’t opt out of cookies at all. You inform them of their use and nothing more. This version is not compliant with any of the recent privacy laws.
First, there was the EU Cookie Law. While its provisions respected privacy rights in principle, it wasn’t a very strict law, and websites still had great freedom with cookie usage. The arrival of the GDPR—the strictest data privacy law to date—changed that.
GDPR cookie compliance is all about opt-in consent, which should be:
Users must also be able to withdraw consent.
How do you prove you obtained consent from a person? By keeping records of the user’s consent preferences and proof that you acted on their consent. There are many consent management platforms that can help you do this, so don’t worry; you won’t need to do it all manually!
CCPA/CPRA cookie compliance requires opt-out consent.
However, there are a few exceptions that require opt-in consent, such as for the sale or sharing of personal information belonging to minors under 16 or for using data collected via cookies for a secondary purpose beyond what you initially disclose to the user. Plus, if you think there’s a risk someone from the EU will stumble on your site, opt-in consent is the safer option.
More and more laws are coming into effect, like Brazil’s LGPD or the Connecticut Data Privacy Act. Most are similar to the GDPR in their approach towards cookies and require opt-in consent.
In some places, opt-out or implicit consent is still used, especially in the U.S. But to be on the safe side, businesses may want to consider securing opt-in consent just in case their local law changes, or if they expand and become subject to a stricter law.
To check for cookie compliance, you must do a thorough review of your website, your policies, and the consent records you have (if any). Here are some things to consider.
Audit your website and compile a list of all the cookies.
Include both first-party and third-party cookies and make note of their type, purpose, and duration. If you’re not sure how to identify cookies on your website, here are 5 ways to identify cookies and scripts.
Review your privacy and cookie policies.
Make sure your privacy and cookie policies explain why and how you use cookies, and most importantly, that they do so accurately.
Obtain clear and informed consent.
This means both looking at your cookie banner and how it works, but also checking the consent records. Make sure you aren’t employing any dark patterns in your cookie banner and that you can prove you’ve collected and acted upon your users’ consent preferences.
Conduct periodic audits and update your cookie policy accordingly.
Compliance isn’t a one-time thing. It’s a continuous effort, and periodic self-audits are part of the process. In particular, make sure that you coordinate with your marketing, web, and development teams so you stay in the loop whenever they add new technologies to your website that introduce additional cookies.
Stay up-to-date with privacy laws.
More and more laws are coming into effect. Just because you’re compliant with everything that applies to you today doesn’t mean you’ll be compliant with new regulations as well. Keep an eye on new laws and on how they may affect your business. Working with a legal consultant could also help.
Cookie compliance is not a complicated process. But that doesn’t mean it’s easy. It comes with various challenges, some of which are easier to overcome, and some harder.
Keeping records of consent.
The GDPR requires proof of consent. And the only way to do that is to record each user’s choice. You need to know when a user gave their consent and for what cookies.
Allowing users to revoke consent.
Someone agreed to cookies. Great! But what if they change their mind? The GDPR clearly states that data subjects have the right to withdraw consent. If you kept the records mentioned previously, you’re one step closer to overcoming this challenge as well. But you need to make sure your consent management tool allows you to respond quickly each time someone changes their mind about cookies.
Correctly categorizing cookies.
Informed consent means you need to tell your users about all the cookie categories you use. But categorizing them correctly may prove to be more challenging than expected. A good consent management platform will help you overcome this challenge quite easily, though.
Balancing compliance and user experience.
Have you ever entered a website only to be deeply annoyed by a cookie banner that keeps getting in your way? Unfortunately, this is needed for opt-in consent—the banner needs to stay in place until the user clicks on it. Does that really mean you need to make it impossible to browse the site though? It doesn’t. As long as you don’t assume consent, they should be able to browse the site with essential cookies only. But finding the right balance can be challenging.
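The mechanics behind the three consent types and the GDPR requirements above (don’t set non-essential cookies until the user opts in, keep a timestamped record of what was consented to, and act on withdrawal) fit in a small consent gate. The following is an added example written for this article, not Osano’s code or any consent management platform’s API. The cookie names, categories, and policy version are hypothetical, and the cookie jar is an in-memory stand-in so the logic runs outside a browser; in a real page you would wrap `document.cookie` with the same `set`/`get`/`remove`/`names` interface.

```javascript
// Added example (not Osano's code): a minimal opt-in consent gate with an
// append-only consent record and withdrawal that actually removes cookies.

const CATEGORIES = ['essential', 'personalization', 'analytics', 'marketing'];

// Assumed registry of the site's cookies: name -> category (hypothetical names).
// Every cookie must be categorized before it can be set; unknown cookies are refused.
const COOKIE_REGISTRY = {
  session_id: 'essential',
  csrf_token: 'essential',
  ui_theme: 'personalization',
  _analytics_id: 'analytics',
  ad_campaign: 'marketing',
};

// In-memory cookie jar (stand-in for document.cookie so this runs in Node).
function createMemoryJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    get: (name) => store.get(name),
    remove: (name) => store.delete(name),
    names: () => [...store.keys()],
  };
}

class ConsentManager {
  constructor(jar, policyVersion, now = () => new Date()) {
    this.jar = jar;
    this.policyVersion = policyVersion; // which cookie policy the user saw
    this.now = now;
    this.records = []; // append-only log: the "proof of consent"
    this.granted = new Set(['essential']); // essential cookies need no consent
  }

  // Record a decision: action, categories, policy version and time.
  record(action, categories) {
    const entry = {
      action, // 'grant' | 'withdraw'
      categories: [...categories].sort(),
      policyVersion: this.policyVersion,
      timestamp: this.now().toISOString(),
    };
    this.records.push(entry);
    return entry;
  }

  // Opt-in: only the categories the user explicitly picked become allowed.
  grant(categories) {
    const accepted = categories.filter((c) => CATEGORIES.includes(c) && c !== 'essential');
    accepted.forEach((c) => this.granted.add(c));
    return this.record('grant', accepted);
  }

  // Withdrawal: revoke the categories (all non-essential ones by default) and
  // delete any cookies already set under them, so the record matches reality.
  withdraw(categories = [...this.granted].filter((c) => c !== 'essential')) {
    const removed = categories.filter((c) => c !== 'essential' && this.granted.has(c));
    removed.forEach((c) => this.granted.delete(c));
    for (const name of this.jar.names()) {
      if (removed.includes(COOKIE_REGISTRY[name])) this.jar.remove(name);
    }
    return this.record('withdraw', removed);
  }

  // The gate: a cookie is only written if its category has consent.
  setCookie(name, value) {
    const category = COOKIE_REGISTRY[name];
    if (!category) throw new Error(`unregistered cookie: ${name}`);
    if (!this.granted.has(category)) return false;
    this.jar.set(name, value);
    return true;
  }

  hasConsent(category) {
    return this.granted.has(category);
  }
}

// Worked scenario: page load before consent, a partial grant, then withdrawal.
function demo() {
  const cm = new ConsentManager(createMemoryJar(), 'cookie-policy-v1');
  const beforeConsent = cm.setCookie('_analytics_id', 'abc'); // blocked
  cm.setCookie('session_id', 's1'); // essential, always allowed
  cm.grant(['analytics']);
  const afterGrant = cm.setCookie('_analytics_id', 'abc'); // now allowed
  const marketingStillBlocked = cm.setCookie('ad_campaign', 'x'); // not granted
  cm.withdraw(['analytics']);
  return {
    beforeConsent,
    afterGrant,
    marketingStillBlocked,
    cookiesAfterWithdraw: cm.jar.names(),
    recordCount: cm.records.length,
    lastAction: cm.records[cm.records.length - 1].action,
  };
}
```

Two design points matter for the challenges listed above: the record is append-only and carries the policy version, so you can show not just that consent was given but which notice the user saw when they gave it; and withdrawal removes the cookies it revokes rather than only flipping a flag, which is what “acting on” a withdrawal means in practice.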
While sometimes challenging, the compliance journey is straightforward.
Start with a cookie audit and make a list of all the cookies you use.
First-party and third-party cookies both count for compliance purposes.
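The cookie audit described in the checklist above and restated here (list every cookie, first- and third-party, with its type, purpose, and duration) can be started from the `Set-Cookie` headers your site and its embedded services return. The block below is an added example for this article, not Osano’s scanner or any product’s code. The captured headers, the site host `www.example.com`, and the purpose registry are constructed for illustration; the first-party/third-party test compares the last two domain labels, which is a simplification (a real audit tool would consult the public suffix list).

```javascript
// Added example (not from the article): build a cookie inventory from
// captured Set-Cookie headers and flag cookies that still lack a purpose.

const SITE_HOST = 'www.example.com'; // assumed first-party host

// Constructed sample: [host that sent the response, Set-Cookie header value]
const CAPTURED = [
  ['www.example.com', 'session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['www.example.com', 'ui_theme=dark; Max-Age=31536000; Path=/; SameSite=Lax'],
  ['www.example.com', '_analytics_id=xyz; Domain=.example.com; Max-Age=63072000; Path=/'],
  ['ads.tracker-example.net', 'ad_campaign=spring; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure; SameSite=None'],
];

// Assumed registry of purposes for the site's own cookies (hypothetical names).
const KNOWN_PURPOSE = {
  session_id: 'essential',
  ui_theme: 'personalization',
  _analytics_id: 'analytics',
};

// Split "name=value; Attr=val; Flag" into a name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Simplified registrable domain: last two labels (no public-suffix handling).
function registrableDomain(host) {
  return host.replace(/^\./, '').split('.').slice(-2).join('.');
}

// Lifetime in seconds from Max-Age (preferred) or Expires; null means session cookie.
// "now" is fixed so the example is reproducible.
function lifetimeSeconds(attributes, now = new Date('2025-01-01T00:00:00Z')) {
  if (attributes['max-age'] !== undefined) return Number(attributes['max-age']);
  if (attributes.expires) {
    return Math.round((Date.parse(attributes.expires) - now.getTime()) / 1000);
  }
  return null;
}

// Produce one inventory row per captured cookie.
function auditCookies(captured, siteHost = SITE_HOST, now) {
  return captured.map(([origin, header]) => {
    const c = parseSetCookie(header);
    const domain = c.attributes.domain || origin;
    const party =
      registrableDomain(domain) === registrableDomain(siteHost) ? 'first-party' : 'third-party';
    const secs = lifetimeSeconds(c.attributes, now);
    return {
      name: c.name,
      party,
      domain: domain.replace(/^\./, ''),
      duration: secs === null ? 'session' : `${Math.round(secs / 86400)} days`,
      // Third-party cookies are set by someone else's code; their purpose has to
      // be established from the vendor's documentation, so they start as unknown.
      purpose: party === 'first-party' ? KNOWN_PURPOSE[c.name] || 'unknown' : 'unknown',
      secure: Boolean(c.attributes.secure),
      httpOnly: Boolean(c.attributes.httponly),
      sameSite: c.attributes.samesite || 'unset',
    };
  });
}

// Cookies that must be categorized before the cookie policy can describe them.
function needsClassification(inventory) {
  return inventory.filter((c) => c.purpose === 'unknown').map((c) => c.name);
}
```

Run `auditCookies(CAPTURED)` and the rows give you the table the checklist asks for; `needsClassification` then lists what still has to be categorized, which is usually the third-party cookies introduced by marketing or analytics tags. The `Secure`, `HttpOnly` and `SameSite` columns are not a compliance requirement in the article’s sense, but they come for free from the same headers and are worth reviewing in the same pass.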
Choose your cookie banner solution.
Make sure it meets all the cookie notice requirements, such as offering opt-in or opt-out consent, making it just as easy to accept cookies as it is to reject them, keeping records of consent, and more.
Choose a consent management platform.
These are complete solutions that offer everything from a banner to keeping records. Often, they support other data privacy needs beyond just cookie consent management, like executing data subject access requests (DSARs). Make sure your solution gets clear and informed consent from users. It should also be easy for them to read information about your use of cookies and revoke consent whenever they change their mind.
Publish a cookie policy.
Be transparent and comprehensive. List all the cookies you use, their type, scope, and duration.
Review your policy and conduct a new cookie audit.
You can’t write a cookie policy once and then forget about it for all eternity. On the contrary, you should update your cookie policy every 6-12 months or whenever you start using new cookies or become subject to new laws.
If you want a consent management platform to tackle all your cookie compliance needs, Osano CMP might be just what you’re looking for. It’s easy to set up, comes with a customizable banner, and helps you with the much-needed proof of consent. To see it in action, sign up for a free account or request a demo.