Gain Compliance with Cookie Requirements
Cookie requirements differ across the data privacy regulations in force around the world.
For EU website visitors, the European Court of Justice (reading the EU General Data Protection Regulation together with the ePrivacy Directive) has made it clear that informed and affirmative consent is required before placing any cookie other than an “essential” cookie.
The CCPA, on the other hand, requires a notice covering what personal data the cookies collect, store and share, but instead of collecting consent, organizations may simply offer an option to “opt out of the sale of personal information”, where “sale” can include exchanges of value based on the personal data collected by cookies.
The most challenging aspect of complying with these requirements may seem to be getting the right cookie consent banner onto your website and a mechanism to record the consent, but it is not. The true challenge lies in the underlying work that lets those mechanisms function efficiently and accurately.
That underlying work consists of:
- Identifying all cookies placed by your website.
- Determining what personal data these cookies collect.
- Identifying the purpose of the collection.
- Sorting the cookies into categories based on their purpose (for example essential, functionality, performance or marketing cookies).
- Determining whether the collected data is sold.
A cookie banner with proper choices may look simple, straightforward and compliant, but a lot of work goes into the structures behind it: non-essential cookies must not be set on the browsers of EU residents until they consent, and cookies must be correctly categorized so that visitors’ choices can be applied.
You may conduct this process manually, or you may use a cookie compliance tool such as ours. Either way, manual steps remain: identifying and categorizing cookies, and communicating with internal teams.
Websites, Domains, and Cookie Dictionary
Depending on the size of its operations and the nature of its business, an organization may operate multiple website domains for multiple locations, each setting different cookies for different purposes. Such an organization starting a cookie compliance initiative needs an inventory of all its websites: domain and subdomain names, the purpose of each site, the kinds of visitors it serves, the relevant geographic locations and the service providers involved. Gathering this information alone requires extensive communication with internal teams and service providers.
Once the domains and their websites are identified, the cookies served to the browsers of visitors to each site need to be identified. Automated tools can scan a site’s pages and produce a list of cookies, usually including each cookie’s name, lifespan, category and description. Cookies can also be identified with browser extensions, scanner websites, or by reviewing the storage and content settings in a browser’s developer tools. Every method has consistency and accuracy limits: a scan only sees the cookies set on the pages and paths it visits, so cookies set after login, after a consent choice or by scripts that load late may be missed. Scanning several times with several methods therefore helps create and maintain a comprehensive list.
Cookie Categorization
After preparing a list of cookies for each website domain, categorize them by purpose so that consent or the appropriate preference choices can be offered to visitors. Categorization also shows which cookies may qualify for exemptions.
Cookie Categories
Generally, all cookies will fall into two large categories: essential and non-essential.
Essential cookies (also commonly referred to as “strictly necessary”) are required for the website to function, for example to keep a visitor’s session or to store the preferences the visitor selected for that site, and are used only to provide those essential services. These cookies are not covered by the EU opt-in requirement or the CCPA opt-out-of-sale requirement, so they may remain on devices while they perform their essential functions.
A non-essential cookie is any cookie that does not meet the definition of an essential cookie. Non-essential cookies fall into several subcategories, commonly including:
- Performance and analytics cookies, which allow analysis of website visits and traffic sources (e.g., number of visits, time spent on the site) to measure and improve the website’s performance.
- Functionality cookies, which enable enhanced features when visitors access or use the organization’s websites and services.
- Targeting and advertising cookies, which target advertising to a user or track the user on one website or across several websites for marketing purposes; these are often served by third-party companies.
Categorization Process
Classifying each cookie can be time-consuming and difficult, depending in part on the sophistication of the website. It must nevertheless be done with the utmost diligence, because errors cut both ways: an essential cookie misclassified as non-essential may be disabled by visitors, breaking the site’s functionality, while a non-essential cookie misclassified as essential will be set without consent, violating the applicable requirements.
A web services provider that manages a website should help identify the cookies necessary for the site’s functionality and help categorize the non-essential ones. Keeping the process thorough and efficient requires consistent communication between service providers and internal stakeholders.
If an organization uses a cookie compliance tool, it should first use the scanning resources the tool offers. Although these tools categorize most well-known cookies, any cookie their database does not recognize, or that is specific to your site, will remain unclassified. Until a person has classified such a cookie, the safe course is to treat it as non-essential, since an unclassified cookie cannot be matched to any consent choice.
Online resources can help when you categorize unknown cookies or do the work manually. Typing the cookie name into a search engine often returns enough information to categorize the cookie or at least determine its purpose (e.g., cookies described as “required” or “strictly necessary” may be essential, while those described as “advertiser”, “targeting” or “statistics” are likely non-essential). Website managers or web services providers must verify such manual categorizations: a search result describes what a cookie with that name usually does, not what it does on your site, and the same name may be reused by different scripts.
Putting results into practice
Categorizing cookies accurately takes commitment: first to get the categorization right, then to verify periodically that it remains accurate, since sites change and every new tag or script can add cookies. The effort pays off once a structure is in place for effective cookie compliance and management. After completing the inventory and categorization, an organization will be able to:
Prepare and publish a cookie policy: the policy can only be written after the cookies have been identified and categorized, since it must inform visitors of what types of cookies are used and what types of personal information are collected.
Create and implement a cookie banner: the banner is the primary way for website visitors to learn which cookies are placed and to make choices about them.
Establish a preference and consent management center: the preference center offers more granular choices than the initial cookie banner and is a crucial interaction point with your website visitors.
By organizing your cookie categorization process comprehensively, you lay the foundation for the key aspects of your cookie compliance efforts, such as blocking non-essential cookies until visitors to your EU website provide consent and providing California residents with opt-out options.
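The inventory, categorization and consent-gating steps described above, worked through in code. This is an added example written for this page; it is not Mandatly’s scanner or any of its code. The captured Set-Cookie headers, the site name example.com, the cookie dictionary entries and the decision to treat the marketing category as the one involving a “sale” of personal information are all constructed assumptions for illustration. The script builds a cookie inventory from the headers (name, domain, first or third party, lifespan, security flags), joins it to a hand-maintained cookie dictionary so that unrecognized cookies surface as unclassified, and then decides which cookies may be set for a visitor under an opt-in regime (only essential cookies until a category has been consented to) or an opt-out regime. Unclassified cookies are blocked under both regimes, because a cookie you cannot categorize cannot be matched to any consent choice.

```javascript
// Added example for this page (not Mandatly's scanner or code): turn captured
// Set-Cookie headers into a cookie inventory, categorize each cookie against a
// hand-maintained dictionary, and gate non-essential cookies on consent.

// Constructed sample: Set-Cookie headers a scanner might capture while loading
// pages of the hypothetical first-party site example.com. Names are illustrative.
const CAPTURED_SET_COOKIE_HEADERS = [
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "csrftoken=tok456; Path=/; Secure; SameSite=Strict",
  "cookie_consent=pending; Path=/; Max-Age=15552000; Secure; SameSite=Lax",
  "lang=en; Path=/; Max-Age=31536000",
  "_ga=GA1.2.111; Domain=.example.com; Path=/; Max-Age=63072000",
  "_fbp=fb.1.222; Domain=.example.com; Path=/; Max-Age=7776000; Secure; SameSite=None",
  "xyz_tracker=1; Domain=.thirdparty-ads.example; Path=/; Max-Age=2592000; Secure; SameSite=None",
];

// Cookie dictionary: the output of the manual categorization step. Entries are
// assumptions for this example. A cookie missing here is reported as "unknown".
const COOKIE_DICTIONARY = {
  sessionid:      { category: "essential",     purpose: "Keeps the visitor's login session" },
  csrftoken:      { category: "essential",     purpose: "CSRF protection for forms" },
  cookie_consent: { category: "essential",     purpose: "Stores the visitor's consent choice" },
  lang:           { category: "functionality", purpose: "Remembers the interface language" },
  _ga:            { category: "analytics",     purpose: "Analytics visitor identifier" },
  _fbp:           { category: "marketing",     purpose: "Advertising pixel identifier" },
};

// Categories that may be set without consent (the "essential" cookies in the text).
const EXEMPT_CATEGORIES = new Set(["essential"]);

// Parse one Set-Cookie header into the fields an inventory records.
function parseSetCookie(header, firstPartyDomain) {
  const [nameValue, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  // Lifespan in days: Max-Age wins over Expires; neither means a session cookie (0).
  let lifespanDays = 0;
  if (attrs["max-age"] !== undefined) {
    lifespanDays = Math.round(Number(attrs["max-age"]) / 86400);
  } else if (attrs["expires"] !== undefined) {
    lifespanDays = Math.max(0, Math.round((Date.parse(attrs["expires"]) - Date.now()) / 86400000));
  }
  // Third-party when the Domain attribute is neither the site nor one of its subdomains.
  const domain = (attrs["domain"] || firstPartyDomain).replace(/^\./, "").toLowerCase();
  const thirdParty = domain !== firstPartyDomain && !domain.endsWith("." + firstPartyDomain);
  return {
    name, domain, thirdParty, lifespanDays,
    secure: attrs["secure"] === true,
    httpOnly: attrs["httponly"] === true,
    sameSite: attrs["samesite"] || null,
  };
}

// Build the inventory: one record per cookie, joined with the dictionary.
function buildInventory(headers, firstPartyDomain, dictionary) {
  return headers.map((h) => {
    const cookie = parseSetCookie(h, firstPartyDomain);
    const entry = dictionary[cookie.name];
    return {
      ...cookie,
      category: entry ? entry.category : "unknown",
      purpose: entry ? entry.purpose : "UNCLASSIFIED - needs manual review",
    };
  });
}

// Cookies that still need a human decision before they can be matched to a consent choice.
function unclassified(inventory) {
  return inventory.filter((c) => c.category === "unknown").map((c) => c.name);
}

// Decide which inventoried cookies may be set for one visitor.
//   "opt-in":  only exempt categories until the visitor has consented to a category.
//   "opt-out": non-essential cookies may be set unless the visitor opted out of sale;
//              this example assumes the marketing category is the one involving a sale.
// Unknown cookies are blocked under both regimes (fail closed).
function applyConsent(inventory, visitor) {
  const allowed = [];
  const blocked = [];
  for (const c of inventory) {
    let ok = false;
    if (EXEMPT_CATEGORIES.has(c.category)) ok = true;
    else if (c.category === "unknown") ok = false;
    else if (visitor.regime === "opt-in") ok = visitor.consented.includes(c.category);
    else if (visitor.regime === "opt-out") ok = !(visitor.optedOutOfSale && c.category === "marketing");
    (ok ? allowed : blocked).push(c.name);
  }
  return { allowed, blocked };
}

// Stand-alone run: print the inventory, the review queue and two gating decisions.
const inventory = buildInventory(CAPTURED_SET_COOKIE_HEADERS, "example.com", COOKIE_DICTIONARY);
console.table(inventory.map(({ name, domain, thirdParty, lifespanDays, category }) =>
  ({ name, domain, thirdParty, lifespanDays, category })));
console.log("needs review:", unclassified(inventory));
console.log("EU visitor, no consent yet:", applyConsent(inventory, { regime: "opt-in", consented: [] }));
console.log("California visitor, opted out of sale:",
  applyConsent(inventory, { regime: "opt-out", optedOutOfSale: true }));
```

Run it with `node cookie_inventory.js`. The review queue (`unclassified`) is the list to hand to the website manager or service provider for the manual verification step; the gating function is the rule a banner or tag manager would apply before any non-essential script is allowed to set its cookie.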
Resource:
IAPP
How Mandatly’s Cookie Compliance Solution Helps
Mandatly provides a cookie and consent management solution without complex configuration or maintenance.
- Automatic Website Scanning: Mandatly’s Cookie Scanner performs in-depth scanning to detect first- and third-party cookies and trackers (plugins and social media embeds). It scans periodically on your schedule and provides an auto-generated list of cookies to keep your cookie notice up to date.
- Custom Cookie Banner: Mandatly offers fully configurable banner settings and personalization to build your custom cookie banner and popup, along with the ancillary features that describe the cookies collected and their purposes. These customizations support different website themes, geolocations and compliance regimes.
- Preference Center: Mandatly helps you build a central preference center across multiple domains and link it to your privacy policy, so that the policy addresses your cookie use and collection practices.
- Consent Tracking: Mandatly’s cookie consent manager maintains your cookie consent records to demonstrate compliance. The dashboard presents easy-to-understand visuals of the consent logs.