By Joel Wuesthoff, J.D., CISSP, CIPP/E
No two internet sites are the same, yet there’s one feature that is — or will be soon — common to most of them: the cookie banner.
These pop-ups have become more ubiquitous as a result of the European Union’s 2018 General Data Protection Regulation (GDPR), which contains a single reference to cookie identifiers — small files of personal data that are downloaded and stored on a device when users access a website.
Because the 88-page regulation mentions the term cookie only once, the EU has been working to replace its ePrivacy Directive (ePD) with an ePrivacy Regulation (ePR), the latest draft of which was issued on November 8, 2019, and goes into detail about digital identifiers. Europe’s highest court, the Court of Justice of the European Union, also weighed in when it recently ruled that storing cookies requires users’ active consent and, therefore, a pre-checked box is insufficient.
With the California Consumer Privacy Act (CCPA) now in effect as of January 1, 2020, more U.S. websites are expected to feature cookie banners. To ensure compliance, corporate legal departments and law firms will need to advise management or clients on the need for a cookie management program.
To understand the relationship between data privacy and cookies, let’s take a closer look at what these little data files are.
A brief history of cookies
Fundamentally, cookies make e-commerce and other digital transactions possible. The concept is simple: When consumers log on to a website, it saves a small data file on their device. This cookie contains a tracker that confirms their identity, so the server knows who it’s communicating with.
Cookies went mainstream in the late 1990s and were soon adapted for other purposes, such as monitoring user activity, gathering behavioral data and even keeping track of users when they moved on to another site. Therein lay the problem: Average web users didn’t even know cookies existed, let alone how to block or delete unwanted ones.
That all changed when the GDPR became law.
The EU’s cookie monster
One area of concern for the GDPR is cookies that “may be used to create profiles of the natural persons and identify them.” To protect individuals’ privacy, users have to explicitly consent, and services cannot be conditional on consent to nonessential data requests.
In other words, users must be able to use a website even if they refuse cookies. The only cookies that do not need explicit consent are those that the website needs in order to function or process a user’s request; all others must be optional.
The cookie law for U.S. companies
The GDPR applies to any organization that gathers data within the boundaries of the EU, no matter where the organization is based. The extraterritorial enforcement of this regulation is quite serious, as in the case of a U.S.-based company that was fined upwards of 50 million euros (about $57 million) relating to improper disclosures of how its various services collect and use personal data.
The California law also has a reference to a “unique personal identifier” such as “cookies, beacons, pixel tags, mobile ad identifiers, or similar technology.” Like the EU regulation, California consumers have the right to be informed about cookies and to request deletion. A handful of other states are also planning their own versions of consumer privacy acts, and the general mood favors a clampdown on cookies.
4 steps to cookie compliance
Cookies represent a familiar problem for legal departments: How do you stay compliant when the rules keep changing?
Whether your company is likely to be affected by GDPR, ePD (and future ePR), CCPA, or another data privacy legislation, here are four steps that can help it stay on the right side of the rules.
1. Audit your digital infrastructure. Perform a top-to-bottom evaluation of any publicly available digital services, including all websites and apps. You need, at the outset, a complete list of every cookie on your site, whether it’s first-party or third-party.
2. Review your data collection strategy. In an age of analytics, data is power. The more data you have, the more you can learn about your customers and their behavior. That’s why so many organizations want to capture every possible detail about website visitors.
To model GDPR compliance and to stay on the right side of the rules, examine the data you collect and ask if you really need it. You may find that some cookies are returning personal information that is of no business value, in which case you can retire those trackers.
Also consider how long you want or need to keep the data. Cookies come in basically two sizes. Session cookies expire when you leave the site or close the browser (finish the session), which is a more privacy-friendly approach than persistent cookies.
3. Rewrite your privacy policy in everyday English. The GDPR mandates that privacy policies be “easy to understand, and that clear and plain language be used.” Without resorting to legalese, your privacy policy should give details about the tracker’s purpose, what data it acquires, how you process the data and how long the cookie lasts.
4. Add a cookie banner. The GDPR also mandates that the privacy policy be easily accessible[1]. The ePD requirements are that the banner should:
- Appear before cookies are set in the user’s browser[2]
- Give accurate information about the cookies used[2]
- Allow users to opt in or out of cookies (other than those deemed strictly necessary for site functionality)[2]
- Allow returning users to update their preferences[3]
- Ask for consent again after 12 months[2, 4]
Are cookies going stale?
We are already seeing nails on the cookie’s coffin due to the spate of data privacy regulations. In the summer of 2016, for example, Apple’s Safari browser started deleting third-party cookies after 24 hours. Other browsers have either followed suit or will soon do so.
In the aphorism made famous by "Jurassic Park," life finds a way. Marketers are similarly inventive. They’re already looking beyond cookies to other strategies, such as contextual marketing and people-based targeting (tracking within the ecosystem of a single site).
Will legislative bodies keep up and eventually limit these kinds of activities, too? At minimum, law firms and corporate legal departments need to keep up with developments in this ever-shifting landscape.
Joel Wuesthoff is Managing Director of Consulting Solutions for Robert Half Legal. A former practicing attorney, he is a Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional (CIPP/E) with more than 20 years of legal practice and consulting work in high stakes litigation and government investigations. To learn more about Robert Half Legal’s data privacy consulting services, visit our website.
None of the content in this article should be considered legal advice. As always, consult a lawyer.
[1] GDPR Art. 12: “[Mandates] appropriate measures to provide any information … relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”
[2] ePrivacy Directive Art. 5(3): “[G]aining of access to information … stored, in the terminal equipment of a … user is only allowed on condition that the … user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
[3] ePrivacy Directive Rec. (25): “Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment.”