Cookies and Privacy Compliance

With the appearance and proliferation of data privacy laws such as the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), cookies are in the spotlight for their privacy implications. Here is a brief explanation of what cookies are and how they can affect your business’s privacy compliance strategy.

What Is a Cookie?

A cookie is a small text file placed in a website visitor’s browser by a server. It usually contains a random ID that has been assigned to the visitor, and it records whatever information it was designed to monitor. That information can vary widely, from the timestamps of previous visits to which items a person added to their cart. Cookies can help a website remember whether a person has logged in to their account and, ironically, keep track of a person’s cookie preferences. These small files are the foundation of the modern, personalized internet.

Cookies are separated into two groups: first party and third party. First-party cookies are placed by the website the person is visiting; third-party cookies are placed by a domain other than the website the person is visiting. Third-party cookies are often associated with marketing activities such as targeted advertising, though other types of cookies may also be third party.

Privacy Implications of Cookies

Cookies are both personal information in themselves and a means for transmitting personal information. For this reason, the use of cookies must at least be disclosed to consumers, and depending on the type of cookie, businesses may have other responsibilities as well.

Cookies are personal information because they identify a particular person (or at least a particular device). Combined with other information, they can be used to learn something about an individual. For this reason, the privacy notices required by various laws should include a description of how cookies are used.

Other applications of cookies carry more significant privacy implications. A common scenario is the use of third-party cookies for targeted (i.e., interest-based) advertising: A cookie is placed on the visitor’s browser; as they navigate the website, the cookie logs interactions such as products viewed or added to a shopping cart; when the visitor goes to another website, an ad network can read the information on the cookie and use it to serve relevant ads. Here the cookie has gathered personal information (interactions with the website) and shared it with an outside party (the ad network) that can then use that information for its own purposes. This type of arrangement is considered selling personal information under privacy laws and triggers the consumer’s right to opt out, so businesses must have a way to stop the process if a consumer requests it.

The ePrivacy Directive - Europe’s Cookie Law

Websites based in the European Union or United Kingdom, or that target residents of those places, must comply with the ePrivacy Directive (EPD). Known as the Cookie Law, the EPD requires websites to get visitors’ consent before setting most types of cookies.

While the EPD is a separate law from the GDPR, the two are connected in that the GDPR’s rules on what counts as valid consent apply to cookie consent. Cookie consent must be affirmative and specific. Affirmative consent means the visitor must actively choose to accept the cookies (i.e., click “Yes” or “Accept”), as opposed to a passive arrangement in which the visitor is told that by continuing to use the site they are giving their consent. Specific consent means that the choice can’t be presented as an “all or nothing” option. Websites must divide the cookies into categories (e.g., analytics, marketing, etc.) and give the visitor the option to accept or reject each category.

The only types of cookies that do not require visitors’ consent are those that are strictly necessary for the website to function. For example, cookies that allow a website to remember what is in the visitor’s shopping cart are considered strictly necessary.
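The following is an added example, not code from the article, showing how a site can enforce the rules above in its own cookie-setting logic: every cookie is registered with a consent category and the domain that sets it (which also gives the first-party/third-party distinction from the earlier section), strictly necessary cookies are always allowed, optional categories default to rejected until the visitor makes an explicit choice, each category is decided separately, and withdrawing consent for a category deletes the cookies already set in it. The cookie names, categories, site host and ad-network domain are constructed for illustration; the cookie jar is a Map so the code runs outside a browser (in a page it would write to document.cookie instead), and the third-party check compares hostnames directly rather than using the public suffix list.

```javascript
// Added example: category-gated cookie consent modelled on the ePrivacy/GDPR
// rules described above. All names and domains below are constructed.

const SITE_HOST = "shop.example"; // the site the visitor is on (constructed)

// Registry of every cookie the site may set: its consent category and the
// domain that sets it. "necessary" cookies are exempt from consent.
const COOKIE_REGISTRY = {
  session_id:  { category: "necessary", setBy: "shop.example" },
  cart:        { category: "necessary", setBy: "shop.example" },
  consent:     { category: "necessary", setBy: "shop.example" }, // remembers the visitor's choices
  visit_stats: { category: "analytics", setBy: "shop.example" },
  ad_profile:  { category: "marketing", setBy: "ads.network.test" }, // constructed ad network
};

const CONSENT_CATEGORIES = ["analytics", "marketing"];

// Before any affirmative choice, every optional category is rejected.
// Merely continuing to browse never changes this state.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, decided: false };
}

// Record an explicit choice. Only a literal `true` for a category counts as
// acceptance; missing or non-boolean values stay rejected, and "necessary"
// cannot be switched off.
function recordConsent(choices) {
  const consent = defaultConsent();
  for (const cat of CONSENT_CATEGORIES) {
    consent[cat] = choices[cat] === true;
  }
  consent.decided = true;
  return consent;
}

// First party vs third party by the article's definition: a cookie set by a
// domain other than the visited site (or one of its subdomains) is third party.
// Simplified check; real classification uses the public suffix list.
function isThirdParty(name, siteHost = SITE_HOST) {
  const setBy = COOKIE_REGISTRY[name].setBy;
  return !(setBy === siteHost || setBy.endsWith("." + siteHost));
}

// May this cookie be set under the given consent state?
function isAllowed(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false; // unregistered cookies are never set
  if (entry.category === "necessary") return true;
  return consent[entry.category] === true;
}

// Set a cookie only if consent permits it. `jar` stands in for the browser's
// cookie store.
function setCookieIfAllowed(jar, name, value, consent) {
  if (!isAllowed(name, consent)) return false;
  jar.set(name, value);
  return true;
}

// Serialize the decision into the consent cookie so it survives the next visit.
function consentCookieValue(consent) {
  return CONSENT_CATEGORIES.map((c) => `${c}=${consent[c] ? 1 : 0}`).join("&");
}

// Read a stored decision back; anything not explicitly "1" stays rejected.
function parseConsentCookie(value) {
  const consent = defaultConsent();
  for (const pair of value.split("&")) {
    const [cat, v] = pair.split("=");
    if (CONSENT_CATEGORIES.includes(cat)) consent[cat] = v === "1";
  }
  consent.decided = true;
  return consent;
}

// Opting out of a category must also remove cookies already set in it.
function revokeCategory(jar, consent, category) {
  const updated = { ...consent, [category]: false };
  for (const [name, entry] of Object.entries(COOKIE_REGISTRY)) {
    if (entry.category === category) jar.delete(name);
  }
  jar.set("consent", consentCookieValue(updated));
  return updated;
}

// Walk-through of a constructed visitor session; returns the cookies that ended up set.
function demo() {
  const jar = new Map();
  let consent = defaultConsent();
  setCookieIfAllowed(jar, "session_id", "abc123", consent); // allowed: strictly necessary
  setCookieIfAllowed(jar, "ad_profile", "p-42", consent);   // blocked: no consent yet
  consent = recordConsent({ analytics: true });             // visitor accepted analytics only
  jar.set("consent", consentCookieValue(consent));
  setCookieIfAllowed(jar, "visit_stats", "v1", consent);    // allowed now
  setCookieIfAllowed(jar, "ad_profile", "p-42", consent);   // marketing still rejected
  return [...jar.keys()].sort();
}
```

The registry is the piece that makes the scheme auditable: a cookie with no registered category cannot be set at all, so a new tracking cookie added by a developer fails closed until someone classifies it, and the consent banner's categories can be generated from the same table so the notice and the enforcement never drift apart.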