Privacy and Security Implications of Tracking Technologies

Summary

In our "Implications of Tracking Technologies" series, you will find insights on the regulatory requirements surrounding the use of cookies and other tracking technologies as well as considerations for building appropriate compliance or privacy/security safeguards.

This first post in the series is meant to serve as an introduction to the topic. We'll be delving further into details in the upcoming posts.

Though they may not be as old as your grandma’s chocolate chip cookie recipe, web cookies have been around since the internet exploded in popularity in the early 1990s and have played an understated role in improving the browsing experience of countless users. Cookies make the website experience better for the site visitor or the organization hosting that website: retaining login information, tracking user preferences (e.g., language, consent), personalizing ads, or providing website owners with statistics used to improve site functionality. However, the constantly evolving (and sometimes conflicting) privacy landscape, within the United States and abroad, has made cookie compliance an increasingly difficult task. With the added layer of increased consumer awareness around the misuse of personal information, it is especially important that companies not only adhere to any applicable privacy laws, but also remain transparent with their customer base about their use of cookies.

In this series, we will provide insight and guidance on how to stand up a cookie compliance program from start to finish. To begin, we are covering the foundations of cookies and compliance requirements, including a basic understanding of what cookies are and an overview of the current regulatory landscape. In later posts, we will address what it looks like to actually implement a cookie compliance program with an emphasis on best practices, frequently encountered roadblocks, and insight on how cookie compliance might differ depending on the industry. 

What are Cookies and Tracking Technologies?

It is important to note that cookies are just one type of tracking technology that website operators use to collect, store, and share information about visitors’ activities on the internet. The regulations discussed below govern all tracking technologies, not only cookies. In this article we will use the term ‘cookie’ to refer to all ‘tracking technologies’.

The list of the most prominent tracking technologies includes, but is not limited to, the following:

  • Web cookies: small text files stored locally on a user’s device by the website that the user is visiting.
  • Tracking pixel: a 1×1 pixel graphic used to track user behavior, site conversions, web traffic, and other metrics similar to a cookie. They are typically designed to be transparent or otherwise invisible to the site visitor.
  • Tracking tags: parameters appended to a website URL in order to provide richer analytics about web traffic and user behavior (for example, which campaign or link brought the visitor to the page). Tracking tags are also referred to as UTM codes.
  • Web beacon: an HTML code snippet which is loaded when triggered by a user’s action, such as the opening of an email. It has similar functionality to a tracking pixel and is also designed to be inconspicuous.

What do we need to know about ‘cookies’ we use?

A successful cookie compliance program starts by developing a cookie inventory. Simply put, a cookie inventory is a comprehensive list of all the tracking technologies being used by a business on their website and should include various details (name, purpose, etc.) about each cookie. Developing the cookie inventory from scratch can be simplified by using a tool that scans the business’ website and automatically documents each cookie it encounters. However, regardless of how the inventory is initially compiled, it is recommended to collaborate with site owners and any relevant stakeholders to ensure the initial list is both thorough and accurate.

Once a list has been developed, there are several details that should be identified including the source of the cookie. When identifying the source, it is important to distinguish between first-party or third-party cookies.

  • A first-party cookie is created or placed by the website the user is visiting. These often include cookies that are essential for site functionality or enhancing the user experience.
  • A third-party cookie is created by websites other than the one a user visits. These often include cookies that support targeted advertising or site analytics.
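As an added example (not code from the original post), the following builds a first-pass cookie inventory from Set-Cookie headers captured while loading a site and marks each cookie first-party or third-party by comparing the setting domain with the site’s own. The site host, the captured responses and the registrable-domain shortcut are all assumptions made for the example.

```javascript
// Added example (not from the original post): first-pass cookie inventory built
// from Set-Cookie headers captured while loading a site. Each cookie is marked
// first- or third-party by comparing the domain that set it with the site's own.
const SITE_HOST = "www.example-shop.test"; // assumed site under review

// Constructed capture: [responding host, Set-Cookie header value]
const capturedSetCookies = [
  ["www.example-shop.test", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  ["www.example-shop.test", "lang=en-US; Max-Age=31536000; Path=/"],
  ["analytics.vendor-a.test", "_va_uid=9f8e7d; Domain=.vendor-a.test; Max-Age=63072000; SameSite=None; Secure"],
  ["ads.vendor-b.test", "ad_id=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; SameSite=None; Secure"],
];

// Registrable-domain approximation: last two labels. Adequate for the .test hosts
// used here; real inventories should consult a public-suffix list (e.g. for .co.uk).
function baseDomain(host) {
  return host.replace(/^\./, "").split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header into { name, value, attributes } (attribute keys lower-cased).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const [key, ...rest] = attr.split("=");
    cookie.attributes[key.toLowerCase()] = rest.length ? rest.join("=") : true;
  }
  return cookie;
}

// One inventory row per cookie; the category column is left for the cross-functional review.
function buildInventory(site, captures) {
  return captures.map(([host, header]) => {
    const c = parseSetCookie(header);
    const domain = typeof c.attributes.domain === "string" ? c.attributes.domain : host;
    const persistent = "max-age" in c.attributes || "expires" in c.attributes;
    return {
      name: c.name,
      domain,
      party: baseDomain(domain) === baseDomain(site) ? "first-party" : "third-party",
      persistence: persistent ? "persistent" : "session",
      category: "TO BE ASSIGNED",
    };
  });
}

console.table(buildInventory(SITE_HOST, capturedSetCookies));
```

A scanner-produced list is only a starting point: the `category` column, and any vendor not visible in headers (pixels, tags), still need the stakeholder review the post describes.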

Further, as an industry standard, cookies are generally categorized into four to six categories with each category covering a different purpose a cookie might have. The four most common categories are:

  1. Essential/Strictly Necessary – These cookies are necessary in order to operate websites, provide services, enable specific features or functionality, make them available to site visitors, and ensure the security of a website (including the security of any transactions made by the site visitor).
  2. Functional – These cookies can provide enhanced functionality and personalization, such as honoring users’ requests to keep them automatically logged in, remembering users’ preferences (like preferred language or currency) or items left in a shopping cart, and assisting with filling out forms.
  3. Performance/Analytics – These cookies allow site owners to count visits and traffic sources so they can measure and improve the performance of their website. They help provide insight on which pages are the most and least popular and show how visitors arrive on or move around the website. If the visitor does not consent to these cookies, the site operator will not know when the user has visited the site and will not be able to monitor its performance in connection with that visit.
  4. Marketing/Targeting/Advertising – These cookies may be set on a website directly by the site owner or the owner’s advertising partners in order to tailor or deliver online advertisements to the site visitor, both on the primary site and on unaffiliated third-party sites, based on the site visitor’s online or offline activities and interests, also known as Targeted Advertising.

Identifying the source and category for each cookie is often a cross-functional initiative that requires input and cooperation from teams such as the site team, marketing team, data team, and legal/compliance team, in addition to the vendor contacts for third-party cookies.

What are the requirements when using ‘cookies’?

Compliance in the US

Since the US does not have a federal regulation addressing the use of cookies, business obligations and consumer rights are limited to the individual states with privacy laws.

Currently, states with regulations governing the use of cookies include California, Virginia, Colorado, Connecticut, and Utah. These regulations are based on an opt-out model, which means that almost all categories of cookies may be placed on consumers’ browsers until the user provides notice of opt-out. Additionally, these US state privacy laws only provide the right to opt out of cookies that constitute a “sale” or “share”/“targeted advertising”.

  • “Selling” is defined differently state by state; however, it generally refers to providing consumer personal information to another business or third party for “monetary or other consideration”. In the context of cookies, this generally applies when third parties are permitted to place cookies on a digital property to collect site visitor data which they may use for their own purposes, in exchange for money or other value (e.g., analytics, rewards, marketing). It is not considered a sale if the site visitor information is being shared to communicate their opt-out preference or where the recipient of the data is acting as a service provider (i.e., they are only using the personal information to provide a service and won’t use it for their own purposes).
  • “Sharing”, also referred to simply as “targeted advertising” in some states, is simpler and includes any disclosure of consumers’ personal information to a third party for cross-contextual advertising.

US Opt-out Requirements

Site visitors’ opt-outs may be communicated through automated means as they enter the site, via universal opt-out methods[1] (e.g., Global Privacy Control), or manually after they have entered the site and the cookies are already placed (e.g., an opt-out webform or opt-out preference center).

As mentioned above, the scope of US consumer cookie opt-out rights is limited to non-essential cookies that are “selling” or “sharing” consumers’ information. All other categories of cookies may be placed even after an opt-out request. For this reason, it is important that all cookies are properly assessed and categorized, so that the correct cookies are no longer placed in accordance with the opt-out request, and so that cookies outside that scope are not needlessly restricted (there is no requirement to restrict cookies that do not constitute a sale or share of personal information).

US Notice Requirements

In addition to providing the right to opt out as described above, many of the US regulations have disclosure and notice requirements. A company’s privacy or cookie notice should be updated to include a description of the cookies being placed, how those cookies are used, the data collected by the cookies, and their purposes. For this reason, it is important that the legal team is notified before any new cookies are placed to ensure that the privacy notice reflects those updates.

FTC and OCR Guidance: Impermissible Disclosure of Sensitive Personal Health Data

As it relates to tracking technologies in general, the healthcare sector has been under recent scrutiny from federal regulators. The Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance over the summer regarding impermissible disclosure of sensitive personal health data to third parties by websites and mobile apps.

Compliance in the EU + UK

The main regulation governing privacy in the EU and UK is the General Data Protection Regulation (“GDPR” and “UK GDPR”), though cookie consent and management is governed further by the ePrivacy Directive. In contrast to the US cookie landscape, the directive provides an opt-in model which requires that organizations obtain affirmative consent from consumers before placing any non-essential cookies on their browser and provide them with the right to opt-out at any time.

EU + UK Consent Requirements

As mentioned above, websites targeting EU residents may only place essential cookies on a consumer’s browser without consent and must obtain consent before any other category of cookie can be placed. Additionally, consumers should be given the right to provide “granular” opt-in consent, meaning that they can select the non-essential categories to which they consent. As such, it is required that all cookies on EU sites are accurately and diligently categorized into one of the four categories to ensure that they are being turned on or off consistent with the consumers’ choices.

To provide these consent choices, consumers entering a site must be presented with a clear and conspicuous pop-up or banner that provides details about the specific non-essential cookies the site is seeking to place. The banner must also provide consumers with the choice to affirmatively accept or reject all placement of those non-essential cookies before anything is placed on their browser. Pre-ticked boxes or consumers’ inaction are not considered valid consent. The directive also requires that organizations update their privacy notice or cookie policy to include the list of cookies and their corresponding details, in addition to informing the consumer about what cookies are, whether they are being used, and how to opt out. Similarly, it’s important to notify the legal team about any new cookies being placed on EU sites so that the applicable notices can be updated.
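The US opt-out and EU/UK opt-in models described in the two sections above can be expressed as a single consent gate. As an added example (not code from the original post), the following decides which inventoried cookies may be set; the inventory rows, the `saleOrShare` flag (which the legal team would assign per cookie) and the input shapes are assumptions for the example.

```javascript
// Added example (not from the original post): gate cookie placement by the
// jurisdictional model in force. Inventory rows below are constructed samples;
// the saleOrShare flag is an assumed per-cookie legal determination.
const inventory = [
  { name: "session_id", category: "essential", saleOrShare: false },
  { name: "lang", category: "functional", saleOrShare: false },
  { name: "_va_uid", category: "analytics", saleOrShare: true }, // vendor uses data for own purposes
  { name: "ad_id", category: "marketing", saleOrShare: true },
];

// region:  "US" | "EU" | "UK"
// choices: explicit banner decisions per category, e.g. { analytics: true, marketing: false }.
//          A category absent from `choices` was never acted on; pre-ticked defaults
//          and inaction do not count as consent.
// signals: { gpc: boolean, optOutSubmitted: boolean } for the US opt-out channels
//          (Global Privacy Control on entry, webform/preference center afterwards).
function permittedCookies(region, rows, choices = {}, signals = {}) {
  return rows.filter((c) => {
    if (c.category === "essential") return true; // strictly necessary: always allowed
    if (region === "US") {
      // Opt-out model: only sale/share cookies must stop once an opt-out is received;
      // everything else may continue to be placed.
      const optedOut = signals.gpc === true || signals.optOutSubmitted === true;
      return !(optedOut && c.saleOrShare);
    }
    // EU/UK (and, conservatively, any unrecognised region): opt-in model,
    // granular affirmative consent per category.
    return choices[c.category] === true;
  });
}

// Browser-side reading of the Global Privacy Control signal. The browser exposes it
// as navigator.globalPrivacyControl and sends it to servers as the Sec-GPC: 1 header.
function readGpcSignal(nav = typeof navigator !== "undefined" ? navigator : {}) {
  return nav.globalPrivacyControl === true;
}

const names = (rows) => rows.map((c) => c.name);
console.log("US, no opt-out:   ", names(permittedCookies("US", inventory)));
console.log("US, GPC received: ", names(permittedCookies("US", inventory, {}, { gpc: true })));
console.log("EU, no consent:   ", names(permittedCookies("EU", inventory)));
console.log("EU, analytics only:", names(permittedCookies("EU", inventory, { analytics: true })));
```

Note that the same visitor inaction yields every non-essential cookie under the US branch and none under the EU branch, which is why mis-categorising a cookie (or mis-flagging sale/share) is a compliance defect in both regimes.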

What does that mean for us?

With this foundational understanding of what tracking technologies are, and an awareness of the applicable data protection regulations that govern the use of such tools, we can begin to formulate a cookie compliance program. The effectiveness of such an initiative is crucial for any business with an online presence, not just to ensure compliance with regulatory requirements, but to maintain a positive relationship with the customer base by providing a positive user experience and increasing trust online.

Our next post on this subject will include a step-by-step guide to building such a program with more topics, so stay tuned for more insights on everything to know about Cookie Compliance!


[1] Accepting opt-out through a universal opt-out method is currently required under the California regulation and many states with privacy laws have deadlines for universal opt-out compliance in 2024 and 2025.



Brian Ching

Posted on February 06, 2024