To say cookies are ubiquitous is an understatement. They are an invisible but ever-present technology for anyone who uses the internet. Often maligned for their role in tracking people’s behavior, they are also essential for the functioning of most websites and help improve online experiences in ways that we’ve all come to expect.
With the appearance and proliferation of data privacy laws such as the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), cookies are in the spotlight for their privacy implications. Here is a brief explanation of what cookies are and how they can affect your business’s privacy compliance strategy.
A cookie is a small text file placed on a website visitor’s browser by a server. It usually contains a random ID that has been assigned to the visitor, and it logs whatever information it was designed to monitor. That information can vary widely, from the timestamps of previous visits to which items a person added to their cart. Cookies can help a website remember whether a person has logged in to their account and, ironically, keep track of a person’s cookie preferences. These small files are the foundation of the modern, personalized internet.
Cookies are separated into two groups: first party and third party. First-party cookies are placed by the website the person is visiting; third-party cookies are placed by a domain other than the website the person is visiting. Third-party cookies are often associated with marketing activities such as targeted advertising, though other types of cookies may also be third party.
Cookies are both personal information in themselves and a means for transmitting personal information. For this reason, the use of cookies must at least be disclosed to consumers, and depending on the type of cookie, businesses may have other responsibilities as well.
Cookies are personal information because they identify a particular person (or at least a particular device). Combined with other information, they can be used to learn something about an individual. For this reason, the privacy notices required by various laws should include a mention of how cookies are used.
Other applications of cookies carry more significant privacy implications. A common scenario is the use of third-party cookies for targeted (i.e., interest-based) advertising: A cookie is placed on the visitor’s browser; as they navigate the website, the cookie logs interactions such as products viewed or added to a shopping cart; when the visitor goes to another website, an ad network can read the information on the cookie and use it to serve relevant ads. Here the cookie has gathered personal information (interactions with the website) and shared it with an outside party (the ad network) that can then use that information for its own purposes. This type of arrangement is considered selling personal information under privacy laws and triggers the consumer’s right to opt out, so businesses must have a way to stop the process if a consumer requests it.
Websites based in the European Union or United Kingdom, or that target residents of those places, must comply with the ePrivacy Directive (EPD). Known as the Cookie Law, the EPD requires websites to get visitors’ consent before setting most types of cookies.
While the EPD is a separate law from the GDPR, the two are connected in that the GDPR’s consent rules apply. Cookie consent must be affirmative and specific. Affirmative consent means the visitor must actively choose to accept the cookies (i.e., click “Yes” or “Accept”), as opposed to a passive arrangement in which the visitor is told that by continuing to use the site they are giving their consent. Specific consent means that the choice can’t be presented as an “all or nothing” option. Websites must divide their cookies into categories (e.g., analytics, marketing) and give the visitor the option to accept or reject each category.
The only types of cookies that do not require visitors’ consent are those that are strictly necessary for the website to function. For example, cookies that allow a website to remember what is in the visitor’s shopping cart are considered strictly necessary.
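The consent rules above (affirmative, per-category consent; strictly necessary cookies exempt; an opt-out that actually stops third-party sharing) can be modelled as a small consent gate. This is an added example, not code from the original article or from TrueVault; the host name, cookie names and categories are constructed for illustration.

```javascript
// Added example (not from the original article): a minimal category-based
// cookie consent gate. Hostnames, cookie names and categories are constructed.

const SITE_HOST = "shop.example"; // hypothetical first-party host

// Constructed catalogue of the cookies the site would like to set.
const COOKIE_CATALOG = [
  { name: "cart", category: "strictly-necessary", domain: "shop.example" },
  { name: "cookie_consent", category: "strictly-necessary", domain: "shop.example" },
  { name: "_analytics_id", category: "analytics", domain: "stats.shop.example" },
  { name: "ad_profile", category: "marketing", domain: "ads.example" },
];

// A cookie is third party when its domain is neither the site host nor a subdomain of it.
function isThirdParty(cookie, siteHost = SITE_HOST) {
  return cookie.domain !== siteHost && !cookie.domain.endsWith("." + siteHost);
}

// Build a consent record. Only an explicit `true` counts as consent: a missing,
// false or non-boolean choice means "not accepted", so merely continuing to
// browse never enables a category. Strictly necessary cookies need no consent.
function createConsent(choices = {}) {
  return {
    "strictly-necessary": true,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
  };
}

// Names of the cookies that may be stored under a given consent record.
function permittedCookies(consent, catalog = COOKIE_CATALOG) {
  return catalog.filter((c) => consent[c.category] === true).map((c) => c.name);
}

// Third-party cookies active under a consent record: the ones that share data
// with an outside party and therefore fall under the opt-out right.
function thirdPartyCookies(consent, catalog = COOKIE_CATALOG) {
  return catalog.filter((c) => consent[c.category] === true && isThirdParty(c)).map((c) => c.name);
}

// Withdraw consent for one category (e.g. a "do not sell" opt-out for marketing).
// Returns the updated record plus the cookies that must be deleted so the
// sharing actually stops, rather than only changing the banner state.
function withdrawConsent(consent, category, catalog = COOKIE_CATALOG) {
  if (category === "strictly-necessary") throw new Error("strictly necessary cookies are not consent-based");
  const updated = { ...consent, [category]: false };
  const toDelete = catalog.filter((c) => c.category === category).map((c) => c.name);
  return { consent: updated, toDelete };
}
```

The `toDelete` list is what a real implementation would pass to its cookie-clearing and tag-unloading logic after an opt-out.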
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.