Ultimate Guide to Cookies, Consent, and Compliance

Originally published at — www.cookieyes.com/ultimate-guide-to-cookies-consent-and-compliance on November 3, 2020.

Cookies — Yes, it sounds palatable! But now we’re not referring to those sweet, savory chunks!

What we’re going to discuss here is all about HTTP cookies, the small pieces of text files that a website stores on a user’s computer while they’re browsing the website.

“We use cookies to ensure that we give you the best experience on our website”

It’s a safe bet to say that you might have come across these kinds of notification popups countless times while browsing the Internet!

Several sites worldwide show cookie consent notifications to users immediately upon their first visit. And, typically, the majority of the visitors would simply press ahead, accepting the use of cookies.

Why do most of the users don’t give cookies the attention that it deserves? Perhaps they are not pretty much aware of what cookies are and how they work. But once you get to know this, you’d see cookies as a matter of much greater importance.

This post is intended to help website owners get acquainted with cookies and make its use in line with the relevant laws and regulations including the GDPR, PECR, and the ePrivacy Directive.

HTTP Cookies — What Does it Exactly Mean?

A Cookie as a term has become increasingly prevalent in recent years. But many Internet users are still not aware of what cookies are and how websites would use it.

Let’s discuss them in more detail here!

An HTTP cookie (also known as Internet cookie, or browser cookie, or web cookie) is a small piece of data that a website installs on a user’s browser while the user is browsing the web.

There exist different types of cookies that serve different purposes such as collecting users’ behavioral data for creating targeted ads.

To put it simpler: you might have noticed several times that advertisements keep on appearing on social media sites or some other sites for items you were searching for on any shopping site just moments ago.

Have you ever wondered how these ads reach before you? The cookies (or the so-called small text files) stored on your browser is the reason why this happens! It tracks the information you’ve searched on the web, thereby generating targeted ads tailored to your specific needs and interests.

Furthermore, websites use cookies for various other purposes like remembering your device information, website login, shopping carts, site preferences, location data, and so forth.

Types of Cookies

Cookies are generally classified based on their characteristic attributes such as their mode of origin, the time period they remain on a user’s browser, and what purposes they serve. The most common types of cookies are described in brief below.

  • First-party Cookies

First-party cookies are placed on a user’s browser by a website or a domain the user visits directly.

These kinds of cookies are being set for purposes like collecting analytics data, remembering browsing options such as language or location settings, and carrying out other activities that improve the browsing experience of users.

  • Third-party Cookies

Third-party cookies are issued by any party apart from the website or a domain that a user visits directly.

A third party can be referred to as an advertiser who provides targeted ads; or services that help website operators add third-party elements (e.g. live chat, social-media buttons, Google Maps element, etc.) on their site.

Session Cookies

  • Session cookies (aka Non-persistent cookies) are temporary cookie files that get expired immediately after a user closes the browser window.
  • Session cookies are typically used to recognize the online behavior of users and remember their actions during their browsing session. These types of cookies save a user’s items selection or their shopping cart list even after they switch to a different page.

Persistent Cookies

  • The functionality of persistent cookies is much relative to session cookies but differ from it when it comes to the matter of the expiration period. Unlike session cookies, persistent cookies remain on a user’s browser for a considerably longer time. Therefore, it’s also known as permanent cookies.
  • Persistent cookies usually come with an expiration period ranging between a single second to several years. Once these cookies reach their expiration date, they will get deleted automatically from the user’s browser.
  • Persistent cookies recognize users and remember their browser settings or preferences on their subsequent visits. This is how these kinds of cookies help websites provide better user experiences.
  • Strictly Necessary Cookies

Strictly necessary cookies, as its name itself suggests, are essential for a website to provide the basic features (e.g. user registration, shopping carts, wish lists, e-payments, etc.) to the users.

  • Performance Cookies

Performance cookies (aka Statistics cookies) allow websites to provide enhanced user experience by remembering the users. These cookies evaluate the performance of a website by collecting information on how visitors use the website.

  • Functional Cookies

Functional cookies (aka Preference cookies) are classified as cookies that ensure a website functions properly

Cookies that allow user registration or remember username and password for automatic login, a user’s site preferences (e.g. the language preference of a user), etc. are examples of functional cookies.

  • Marketing Cookies

Marketing cookies are used by websites to track the activities and behaviors of users online so as to provide them with personalized advertisements. These types of cookies are often persistent in nature and are usually installed on a user’s browser by third parties.

Use of Cookies — The Legal and Regulatory Requirements

Cookies are vitally essential for the smooth operations of your website. As cookies are created to identify users over the web, they can foster the collection of enormous amounts of data, including personally identifiable information about users.

This could be a user’s name, age, gender, residential address, email id, IP address, telephone number, financial/health information, etc.

But as a website owner, it’s necessary that you are aware that gathering or processing a user’s data without their explicit consent is unlawful. Yes, there exist certain rules and regulations that govern your website’s use of cookies.

Now, let’s see what these laws are and how they regulate cookie usage on websites.

The Impact of Various Data Protection Laws on Cookies

The most prominent and comprehensive regulations include the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations (PECR), the ePrivacy Directive (ePD), and the ePrivacy Regulation (ePR) that would come to force in the near future.

Let’s get an overview of how these laws apply to a website’s use of cookies.

Here’s what the Recital 30 of the European Union’s General Data Protection Regulation has stated about the online identifiers for profiling and identification.

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

This conveys that all kinds of online identifiers including cookies that collect the personal data of individuals are required to comply with the GDPR.

This is to say: a website or an organization needs to be very transparent about the types of cookies they use and the purposes they serve.

In other words, websites are required to obtain explicit consent from its users before placing cookies or online trackers on their terminal devices.

The UK Data Protection Act 2018, which has been amended from the UK Data Protection Act 1998 is nothing but the UK’s implementation of the GDPR. The Act aims at protecting the personal data of British residents.

Therefore, when it comes to cookie usage, the DPA mandates websites to receive prior consent from their visitors for their use of cookies.

Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 states that:

A person shall not use an electronic communications network to store information or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) is given the opportunity to refuse the storage of or access to that information.

Although the PECR has not included the term ‘cookie’ anywhere in its legislation, its Regulation 6 can be read in conjunction with the context of cookies.

That is, under the PECR, a person (let’s say a website owner) must clearly notify users of the comprehensive details of the cookies on their site. Furthermore, the PECR requires websites to get consent from the users prior to its use of cookies.

Regulation 66 of the ePrivacy Directive (aka Cookie Law), which came into effect in 2002 and later amended in 2009, states about cookies as follows:

“Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.”

This indicates that the ePD mandates websites to obtain consent from visitors before collecting their personal information. Moreover, this data privacy legislation lets users allow or refuse a website’s cookie usage.

The forthcoming ePrivacy Regulation will replace the ePrivacy Directive and complement the GDPR. But the regulation on the use of cookies will remain more or less the same as how the ePD and the GDPR mandate now

Failing to adhere to the above laws and regulations can put organizations at the risk of heavy penalties or fines. The violators of the GDPR can be fined up to €20 million or 4% of the annual global turnover — whichever is greater.

So, if your website uses cookies, make sure your site operates legally.

Achieving Legal Compliance for the Use of Cookies

As a website owner, ensuring regulatory compliance is highly imperative to drive growth in your business and protect yourself from non-compliance penalties.

If your website uses cookies that could identify users, you’re required to obtain consent from them before collecting or processing their personal data. This way, you could ensure that your website is in compliance with the major laws that regulate the use of cookies.

But managing the cookie consents of a plethora of users may not be quite as easy as it sounds. Therefore the best possible thing you can do is implement a consent management solution that ensures that no cookies and trackers are installed on your users’ terminals prior to receiving explicit consent from them.

CookieYes is one such consent management solution. It lets you add a customizable cookie banner to your site so that your users can easily give consent or reject your site’s use of cookies. Also, it scans your website for cookies and automatically blocks all the non-essential cookies until obtaining your users’ consent.

How to Become Cookie Compliant?

CookieYes enables you to add a cookie banner to your website so that your visitors know that your site uses cookies and they will be able to easily make their privacy choices. Check out the CookieYes Setup Guide to get started with it.

Here’re some factors that you need to focus on to become compliant and stay compliant for your website’s use of cookies.

  • Provide information about the cookies that are being used on your website
  • Let users give consent by a clear, affirmative action
  • Allow refusal or withdrawal of consent anytime
  • Keep a record of user consents

Final Recap

Cookies are small data files that a website stores on a user’s terminal for accomplishing a range of different purposes — such as uniquely identifying users, managing their browsing sessions, facilitating personalized user experiences, ad targeting, and much more. Cookies have actually become an indispensable component for the efficient operation of a site.

Not all cookies are used to track the browsing activities of users across the web. But the cookies used for analytics, advertising, marketing, and functional services are more likely to collect the personal data of users. This gave rise to increasing data privacy concerns among users.

In order to address this issue, many laws and regulations have been formulated, mainly focusing on the residents belonging to the member countries of the (European Union) and EEA (European Economic Area).

All the data privacy laws governing cookies require websites to get explicit consent from users prior to its use of cookies.

Implementing a cookie banner is the best and most effective way to get cookie consent. A good cookie consent solution like CookieYes enables you to add a cookie banner to your site and manage user consents seamlessly.

This way, you could easily make your site’s use of cookies compliant with the regulatory requirements. Adhering to these laws will not only help you stay away from hefty fines but also helps build customer trust and loyalty naturally.

GDPR Cookie Solution Trusted by 1M+ Websites