It’s become increasingly clear that true compliance with applicable cookies requirements is no easy task. Sorting through the requirements of General Data Protection Regulation (“GDPR”), the ePrivacy Directive and now the California Consumer Privacy Act (“CCPA”) is just the beginning. In order to be truly compliant, an organization must establish a detailed understanding of what cookies are being placed on the browsers of visitors to websites across its domains, as well as the purpose of each of those cookies. Only then can appropriate consent and choice be presented to website visitors.
In 2019, the European Court of Justice made it clear in its Planet 49 judgment (in line with GDPR and the ePrivacy Directive) that for EU website visitors, informed and affirmative consent is required prior to placing all but “essential” cookies. CCPA, on the other hand, requires notice of what personal data is being collected by cookies, but rather than consent, organizations need only allow visitors to opt-out of the sale of their personal data, which may include exchanges of value based on personal data collected by cookies.
Perhaps the most challenging aspect of gaining compliance with these requirements is identifying all cookies being placed and ascertaining what personal data they collect, the purposes of the collection (e.g., are they essential cookies, functionality cookies, performance cookies, marketing cookies, etc. . .) and whether there is a sale of data taking place. While the end result is a cookies banner with appropriate choices, quite a bit of work will go into putting underlying structures in place so that, for example, cookies are not placed on browsers of EU residents until they consent, and cookies are appropriately categorized in order to allow application of website visitors’ choices.
While organizations may choose between conducting this process on their own or with the assistance of a cookie compliance tool (e.g. OneTrust, TrustArc), each approach will require manual steps for the identification and categorization of cookies, as well as continuous communication with internal stakeholders and third-party service providers.
Conducting Inventory of Sites and Cookies
Depending on the size and nature of its business, an organization may operate multiple websites under multiple domains, each of which may set different types of cookies for different purposes. An organization undertaking a cookies compliance initiative should develop an inventory of all websites which includes the domain name, the purpose of the site, the types of visitors using the site, the geographic region(s) being served, and any service providers that are engaged to update the site. Just obtaining this baseline information will require communication with, and cooperation from, multiple internal teams and service providers.
After obtaining a clear picture of different domains being operated and the website for each domain, the cookies being served to these websites must be identified. Organizations may choose automated tools to conduct scans of their website which will generally produce a list of cookies that may include (depending on the cookies) the name, lifespan, category, and description of each cookie. There are a variety of methods for identifying cookies being placed, including tools like OneTrust and TrustArc, as well as browser extensions such as Cookie Inspector or Ghostery, as well as scanner websites like Cookie Serve. This can also be accomplished by reviewing the Content Settings on a web browser. Experience shows that certain methods may pose issues with accuracy and consistency, so conducting multiple scans via different methods will help to create and maintain a comprehensive list.
Once the list of cookies has been developed for each site, the cookies need to be categorized so that appropriate preferences choices can be provided to visitors. Categorization also supports the determination of which cookies may be covered by applicable exemptions and for which cookies choices must be offered.
At a high level, all Cookies will fall under two large categories: essential and non-essential.
Essential Cookies (also commonly referred to as “strictly necessary cookies”) are necessary for the site to function and are only used to provide those essential services to the visitor. These cookies are exempt from the EU consent requirements or the CCPA opt-out-of-sale requirements and, therefore, may be placed on devices and remain on the devices to the extent necessary to provide the essential functions.
Non-Essential Cookies are any cookies that do not fall within the definition of an essential cookie, and may fall into one of several subcategories:
- Performance and Analytics: These cookies collect information about how visitors use a website in order to analyze visitor behavior and improve the websites services.
- Functionality: These cookies generally collect and “remember” visitor choices in order to provide a more personalized and functional user experience.
- Targeting and Advertising: These cookies are used to target and display advertisements based on user preferences.
Determining the appropriate category for each cookie can be time-consuming and challenging, depending in part on the sophistication of the website. It must, however, be done diligently, as essential cookie improperly categorized as non-essential could be disabled by a website visitor, impacting the functionality of the website. Additionally, non-essential cookies that are miscategorized as essential may result in violations of applicable requirements.
If the organization is working with a third party to manage their site, that service provider should assist in determining – most importantly – which cookies are essential to the site’s functionality and, in categorizing any other non-essential cookies. This approach will likely require consistent communication between the service providers and internal stakeholders and requires a fair amount of diligence to keep the process thorough and efficient.
Organizations using a cookie compliance tool should start by looking into the scanning resources offered by that tool. These tools can categorize the bulk of the more well-known cookies, but any cookies that are not recognized by their system or are that are specific to your site will remain “unknown”.
For unknown cookies, or for organizations performing the categorization manually, there are online resources that may be helpful. Cookiepedia, for example, a public OneTrust site, provides categories for any cookies that exist within their database. Alternatively, inputting the cookie name into a search engine often will return results which may provide sufficient information to correctly categorize the cookies. In situations where the search engine results provide a description of the cookie, but do not definitively categorize the cookie, there may still be enough information to deduce the purpose (e.g., cookie whose descriptions including words like “required” may be essential, whereas those with descriptions such as “advertisers” or “targeting” would appear to be non-essential). The accuracy of these manual categorizations should always be verified by the website manager or your web services provider.
Putting the Results to Work
Accurate cookies categorization requires commitment to get it right and to periodically validate that categorizations remain accurate. The efforts, however, pay off in putting in place the structure to enable effective cookies compliance and management. Upon completing the inventory and categorization, an organization will be in a position to:
- Design and implement a cookie banner. The banner is critical as the initial point at which the website visitor has the opportunity to learn what cookies will be placed and make choices about those cookies.
- Preference and consent management. A critical interaction point with your website visitors. This allows the organization to present more granular choices than are available on the initial cookies banner.
A thorough and complete cookies categorization initiative will provide the proper foundations to implement key components of your cookies compliance efforts, including blocking non-essential cookies until an EU website visitor provides consent, and delivering opt-out-of-sale options to California residents.
If you have any questions about categorizing cookies or implementing a complete cookies compliance program, please contact us.