Cookies are one of the building blocks of your website. You would lose a huge portion of your site functionality without them. At the same time, they require the sharing of information between your website and your visitors' computers, and those relationships have more legal protection than ever.
Why and how should you tell visitors about your cookie use? We put together a complete guide to cookie notifications, including examples from sites that have done it well.
- 1. What Are Cookies?
- 1.1. First-Party vs. Third-Party Cookies
- 2. Cookies, Personal Data, and the GDPR
- 3. Do You Need Consent for All Cookies?
- 4. Notifying Users of Third Party Cookies
- 5. Should You Get Rid of Cookies?
- 6. How to Notify Users About Cookies
- 7. Creating a Cookie Consent Notice
- 8. Use All Three Forms of Cookie Notifications
What Are Cookies?
A computer cookie, internet cookie, or just cookie for short is a small piece of text data that a website sends to a visitor's browser and that the browser sends back on later requests.
When you visit a website, the server includes the cookie in its response (the Set-Cookie header). Your browser, whether Google Chrome, Safari or another, stores it and attaches it (the Cookie header) to every subsequent request to that site until it expires or is deleted.
Cookies are tools that make browsing the web simpler. For example, when you shop online, the retailer sends cookies to your computer to keep track of the items you put in your cart. If it doesn't, you would lose your cart every time you navigated away from checkout.
At the same time, cookies can be turned against the user. A cookie is data, not code, so it cannot run a program on your computer, but tracking techniques such as zombie cookies (cookies that are recreated from other storage after the user deletes them) and supercookies (identifiers kept outside the normal cookie jar, where the browser's cookie controls do not reach them) defeat the user's ability to manage what is stored, and that makes them a real privacy and security problem.
First-Party vs. Third-Party Cookies
Cookies fall into one of two categories: first-party or third-party.
First-party cookies are those provided by the site you visit. They are set by that site's own web server, and the cookie's domain matches the domain in the address bar. You expect these cookies when you visit a new site.
Third-party cookies are set by a domain other than the one you chose to visit. You encounter them when a web page embeds resources from outside its own domain, such as an ad, a tracking pixel, a social plug-in or an analytics script, and the server that delivers that resource sets a cookie of its own.
Because the browser sends that cookie back to the third party from every site that embeds the same resource, the third party can recognise the same visitor across many sites. If a site owner allows third-party tracking, it allows those parties to follow the site's users without telling users who is watching them and which behaviors they're watching.
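The first-party versus third-party distinction comes down to comparing the site that set the cookie with the site the user is actually visiting, where "site" means the registrable domain (the public suffix plus one label, so `www.example.com` and `static.example.com` are the same site). The following is an added example, not code from the original article; it models that comparison for cookies set during one page load. The Set-Cookie headers, host names and the tiny public-suffix list are constructed stand-ins for what a browser would see, and the list is an assumption standing in for the real Public Suffix List that browsers use.

```javascript
// Added example (not from the original article): classify a cookie set during a
// page load as first-party or third-party by comparing the site (registrable
// domain) of the page with the site of the host that set the cookie.
// Browsers make the same decision using the Public Suffix List; the tiny list
// below is a constructed stand-in for it and is an assumption of this example.

const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable domain: the public suffix plus one more label, e.g.
// "www.example.co.uk" -> "example.co.uk". Returns null for a bare suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // No known suffix: treat the last two labels as the site (assumption).
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Minimal Set-Cookie parser: the cookie name and the Domain attribute, which
// decides which hosts the cookie is sent back to (a leading dot is ignored).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const cookie = { name, domain: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    if (k.toLowerCase() === "domain") cookie.domain = v.replace(/^\./, "").toLowerCase();
  }
  return cookie;
}

// pageUrl: the URL in the address bar. responseUrl: the request whose response
// carried the Set-Cookie header (the page itself, or an embedded script/image/iframe).
function classifyCookie(pageUrl, responseUrl, setCookieHeader) {
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  const cookie = parseSetCookie(setCookieHeader);
  // The cookie lives under its Domain attribute if present, else the responding host.
  const cookieHost = cookie.domain ?? new URL(responseUrl).hostname;
  const cookieSite = registrableDomain(cookieHost);
  return {
    name: cookie.name,
    site: cookieSite,
    party: cookieSite !== null && cookieSite === pageSite ? "first-party" : "third-party",
  };
}

// Constructed examples of what a single checkout page load might produce:
// the shop's own cart cookie, a preference cookie from the shop's static host,
// and a tracking cookie from an embedded pixel on an unrelated ad network.
function demo() {
  const page = "https://www.example.com/checkout";
  return [
    classifyCookie(page, page, "cart=abc123; Path=/; Secure; HttpOnly"),
    classifyCookie(page, "https://static.example.com/app.js", "lang=en; Domain=.example.com"),
    classifyCookie(page, "https://tracker.adnet.net/pixel.gif", "uid=42; Domain=.adnet.net; SameSite=None; Secure"),
  ];
}
```

Note that the second cookie is first-party even though a different host set it: what matters is the registrable domain, not the exact host name. The third is third-party, and `SameSite=None; Secure` is exactly the attribute combination a modern browser requires before it will send a cookie in a cross-site context at all.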
Cookies, Personal Data, and the GDPR
If you operate in Europe or accept European site visitors, then your duty to notify users began in 2002 with the ePrivacy Directive, otherwise known as the Cookie Law. Its 2009 amendment made the Cookie Law the first rule to require that websites obtain informed consent BEFORE storing non-essential cookies or running the scripts that set them.
The GDPR mentions cookies only once across its 88 pages, but the essence of the law still touches cookie use. The regulation protects the privacy of users by protecting their personal data, so when cookies identify individuals and their behaviors, the GDPR treats the cookie data as personal data.
One of the ways the GDPR changed the personal data collection landscape is through the recognition of six legal bases for processing personal data. The six bases are a contract, legal obligations, public interest, legitimate interest, vital interests of the subject and consent.
Consent also changed under the GDPR. The regulation requires consent mechanisms to be more robust and fair than they often were before. Article 7 of the GDPR outlines the conditions for consent.
What are the new rules? Three conditions from Article 7 matter most for cookie notices.
First, the request for consent needs to be:
- Written in plain language
- Easy to read for your target customer
- Written in an accessible font and font size
- Displayed prominently
Second, the GDPR says, "It shall be as easy to withdraw as to give consent."
Third, you need to make it clear that consenting to cookie use isn't a condition of accessing the service. You can't punish a user for declining cookies. If they would rather not have their log-in details remembered and instead enter them manually whenever they arrive on your site, then that's their choice.
Do You Need Consent for All Cookies?
The EU doesn't require you to ask for consent for all cookies - far from it. The EU advisory body on data protection (the Article 29 Working Party, in its Opinion 04/2012 on the cookie consent exemption) notes that there are cookies that are "clearly exempt from consent."
These cookies include:
- Authentication cookies (session cookies that identify users once they log in)
- Load-balancing cookies (session cookies)
- Multimedia content player cookies (session cookies that store technical data for playing content)
- Third-party social plug-in content sharing cookies (session cookies for logged-in members of the social network)
- User-centric security cookies (session cookies that detect authentication abuses, such as repeated failed logins)
- User-input cookies (session-id cookies that track forms, shopping carts, etc.)
- User interface customization cookies (session cookies that store language or layout preferences)
Why do these cookies not require consent? Because they either exist solely to carry out the transmission of a communication or are strictly necessary to provide a service the visitor explicitly asked for. Note that the exemption rests on necessity, not on the absence of personal data: an authentication cookie identifies the user by design. Note too that the exemption generally covers the session-length version of each cookie; a persistent version that outlives the visit (a "remember me" login, a preference kept for months) usually falls back under the consent requirement.
Notifying Users of Third Party Cookies
Sites like yours use third party cookies all the time. Many of these cookies relate to marketing and advertising, while others perform essential functions like preventing fraud.
When you use third party cookies, you not only need to declare your use but you must also comply with the third party's Terms and Conditions agreements.
Google Analytics is a good example of a third party that requires all users to disclose the use of its data collection. According to its Terms of Service, all users must:
- Provide a cookie notice
- Disclose your use of Google Analytics (and explain how it works)
Google also encourages you to link to its sites when you do so, so that everyone has the information they need to make informed choices.
Should You Get Rid of Cookies?
There is no reason to remove cookie scripts from your site. No legislation even hints at this, and what is more, the idea isn't practical.
The only way to get rid of cookies entirely is to run a site that keeps no state between requests, which in practice means a static HTML website. Anything more complicated means giving up logins, shopping carts, session-bound CSRF protection and other functions that cut right to the core of your site.
Telling visitors about cookies is comparatively painless compared to removing cookies entirely.
Here's how easy it is to notify users about your cookie use.
How to Notify Users About Cookies
Specific kinds of cookies carry personal data that can pose a risk to user privacy. Current law says that all data subjects have the right to know when you use them. Your cookie notification therefore needs to:
- Provide information on the use of cookie data
- Show users how to accept and withdraw consent for cookies
- Explain that denying or withdrawing consent doesn't affect their rights
- Explain how the user can turn off or disable cookies
Let's look at a few good examples. The BBC's cookie policy answers the following questions:
- What are cookies?
- How long do cookies last?
- How can users control cookies?
You can see how the BBC uses lists and separate sections within this clause to address a lot of information while making it streamlined and easy to follow. A link is provided for where users can go to change cookie settings at any time, and they're reminded that they may also be able to adjust cookie settings on their personal devices:
Here's another example. American Airlines keeps its cookie clause short but does go into detail about the types of cookies used.
American Airlines uses four categories: essential, preference, performance, and content/advertising cookies.
What about notifying users about third party cookie collection? The airline chose to do that in a separate section where it covers all third party information, which is a fine approach.
If you prefer to keep it simple, you can shorten your cookie section to a few descriptive sentences. Choosing this route works well for businesses that don't do much in the way of aggressive marketing or analytics and don't rely on a long list of third party vendors.
In that case the cookies section can sit under a broader heading, such as "Other information:"
Whichever length you choose, the section should still cover the essentials. That means listing:
- What cookies are
- What similar technologies you use
- Why you use the technologies
- Whether you use third party cookies
- How to manage cookie preferences
Here are a few helpful examples.
Airbnb, for example, details the potential for third party cookies on its site. It explicitly notes that it does allow third party cookies from partners and describes why it finds doing so useful:
You'll notice that Airbnb specifically names Google Analytics and explains how to opt out of Google Analytics tracking. The site does so not just for the sake of transparency but also because, as noted above, Google's own Terms of Service require users of Google Analytics to disclose it.
Twitter also has a standalone Cookies Policy that takes on a question and answer format. Its intro section lets users know that cookies are in use for a variety of different ways and that more detailed information is available in the rest of the Policy:
Creating a Cookie Consent Notice
Before you place any non-exempt cookies on the devices of users in the EU, they need to opt in. The easiest and most common way to get this done is a cookie consent notice that displays as soon as a user arrives at your site.
Most sites use a banner alerting the user to cookies as soon as they arrive on the page for the first time. A banner that merely informs, or that treats continued browsing as agreement, is not enough: you need a consent mechanism along with it that records an affirmative choice, and non-exempt cookies must not be set until that choice is made.
Keep in mind that you also need to record consent (who agreed, to what, and when) and keep the record current, because Article 7(1) of the GDPR requires you to be able to demonstrate that consent was given.
The BBC provides a helpful example of a cookie consent notice. Not only does it title the banner "Let us know you agree to cookies," but it also provides both a confirmation and rejection option within the banner. The rejection takes the user to the settings section, which further empowers them to decide what data they want to provide.
MoPub uses a cookie consent notice that clearly provides simple options to Accept or Decline cookies. This is a simple and practically perfect way to get clear consent to place cookies:
Here's another simple but adequate example from Alpha:
A user can either agree/consent, or click to find out more. When clicking to find out more, users will be taken to a cookies information page for the company that details what cookies are used, why, and how this can be adjusted.
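The consent notices above all rest on the same three mechanics: exempt cookies are set without asking, everything else waits for an affirmative choice, and withdrawing that choice is as easy as giving it and actually removes what was set. The following is an added example written for this article, not code from the article itself or from any of the sites it cites. It models those mechanics as a small consent gate. The cookie names and categories are illustrative assumptions, and the cookie jar and consent store are plain objects standing in for `document.cookie` and `localStorage` so that the logic runs outside a browser.

```javascript
// Added example (not code from the article or from any site it cites): a small
// consent gate. Strictly necessary cookies are set with no banner; every other
// category waits for an affirmative choice; withdrawing is the same one-call
// action as granting and deletes the cookies already set. The jar and store
// are stand-ins for document.cookie and localStorage (assumption of this example).

const CONSENT_VERSION = 2;   // bump when the policy or the vendor list changes

// Which cookies belong to which category. Names are illustrative assumptions.
const CATALOG = {
  necessary: ["sessionid", "csrftoken", "cart"],   // exempt: strictly necessary
  preferences: ["lang"],
  analytics: ["_ga"],
  marketing: ["ad_uid"],
};

class ConsentManager {
  constructor(jar, store, now = () => Date.now()) {
    this.jar = jar;       // Map<name, value>, stands in for the browser cookie jar
    this.store = store;   // plain object, stands in for localStorage
    this.now = now;
  }

  // A recorded choice only counts for the policy version it was given for, so
  // changing the policy re-prompts instead of relying on stale consent.
  current() {
    const rec = this.store.consent;
    return rec && rec.version === CONSENT_VERSION ? rec : null;
  }

  bannerNeeded() {
    return this.current() === null;
  }

  // Single entry point for both granting and withdrawing, so withdrawing is
  // exactly as easy as giving. `choices` maps category -> boolean; anything
  // not explicitly true is treated as denied (no silent default to "yes").
  setConsent(choices) {
    const granted = { necessary: true };   // never a choice; always on
    for (const cat of Object.keys(CATALOG)) {
      if (cat !== "necessary") granted[cat] = choices[cat] === true;
    }
    // The record is what lets you demonstrate consent later: what, when, which version.
    this.store.consent = { version: CONSENT_VERSION, timestamp: this.now(), granted };
    // Withdrawal must remove what was set earlier, not just stop new writes.
    for (const [cat, names] of Object.entries(CATALOG)) {
      if (!granted[cat]) for (const n of names) this.jar.delete(n);
    }
    return this.store.consent;
  }

  withdrawAll() {
    return this.setConsent({});
  }

  // Gate every optional write through here; an analytics or ad loader should
  // only be invoked when allowed(category) is true.
  allowed(category) {
    if (category === "necessary") return true;
    const rec = this.current();
    return rec !== null && rec.granted[category] === true;
  }

  setCookie(category, name, value) {
    if (!CATALOG[category] || !CATALOG[category].includes(name)) {
      throw new Error(`cookie ${name} is not catalogued under ${category}`);
    }
    if (!this.allowed(category)) return false;
    this.jar.set(name, value);
    return true;
  }
}

// Walk through a first visit, a partial acceptance, and a later withdrawal.
function demo() {
  const jar = new Map();
  const store = {};
  const cm = new ConsentManager(jar, store, () => 1700000000000);   // fixed clock
  const steps = {};

  steps.bannerOnFirstVisit = cm.bannerNeeded();                               // true
  steps.necessaryBeforeChoice = cm.setCookie("necessary", "sessionid", "s1"); // true
  steps.analyticsBeforeChoice = cm.setCookie("analytics", "_ga", "GA1.x");    // false

  cm.setConsent({ analytics: true, marketing: false });
  steps.analyticsAfterAccept = cm.setCookie("analytics", "_ga", "GA1.x");     // true
  steps.marketingAfterAccept = cm.setCookie("marketing", "ad_uid", "u1");     // false

  cm.withdrawAll();
  steps.analyticsCookieGone = !jar.has("_ga");                                // true
  steps.sessionKept = jar.has("sessionid");                                   // true
  steps.bannerAfterWithdrawal = cm.bannerNeeded();                            // false
  steps.recordedAt = store.consent.timestamp;                                 // 1700000000000
  return steps;
}
```

The two design choices worth copying are that an absent or outdated record means "no consent" rather than "assume yes", and that the same call both grants and withdraws, so a Decline button is no more work for the user than Accept. In a real deployment the analytics or advertising script tag itself is what sits behind `allowed(category)`; the cookie write shown here is just the observable effect.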
Use All Three Forms of Cookie Notifications
Before you can send some types of cookies to a visitor's computer, you need their consent. Your first cookie notification should appear as soon as they land on your site and include an option for affirmative consent, followed by the fuller explanation in your cookie policy and the disclosure of any third parties.
All the law requires you to do is treat cookie data like any other type of protected personal data. If you do that, you'll be more transparent with your customers and avoid violating privacy and cookie laws.