A recipe for cookie transparency

The future of cookies is in question. Privacy professionals and advertisers are both looking for answers about how best to tap into online behavior without running afoul of privacy regulations.

There is increasing pressure to limit profiling and behavioral advertising — and avoid “dark patterns” — to meaningfully enable consumer choice and engagement. This is creating challenges for privacy professionals who are trying to advise their marketing and advertising teams on how to effectively navigate these requirements.

The following topics lay out some guidelines for privacy professionals along this journey.

Cookie 101

Cookies are a family of small text files that websites place on a consumer’s device during a browsing session. Cookies are primarily used to serve critical functions related to website operations. In addition, certain types of cookies can store data about browsing patterns and behaviors across the web — enough to potentially identify a consumer.

Essential or strictly necessary cookies are used to store the settings selected by a user on a given website. As the name implies, these cookies are required for the website to function properly. These cannot be disabled by users. Examples may include being able to navigate from page-to-page, add items to a cart, or save preferences within a single session.

Non-essential cookies may be grouped into various other categories, such as:

• Performance and functionality cookies are used to enhance the performance and functionality of a website. These cookies typically provide data back to a website host, like the user’s frequently visited pages or preferences.
• Web analytics and customization cookies track user activity in their respective web browsers, so that website owners can better understand how their website is being accessed and used across geographies.
• Advertising cookies are used to customize a user’s ad experience on a website based on their browsing history. Using the data collected from these cookies, websites and advertising companies tailor ads that appear in web browsers based on a user’s online activities.
• Social networking cookies allow users to share content on social media platforms and help link activity between a website and third-party sharing platforms.

Cookie consent requirements in the US versus EEA/UK

Over the last decade, there has been increased regulatory scrutiny over the use of cookies for non-essential purposes. The EU’s e-Privacy Directive, known as the “cookie law,” and the General Data Protection Regulation (GDPR) set forth requirements governing transparency around data use and confidentiality of electronic communications and the tracking of digital consumers. US states have started to address similar cookie-based concerns with the introduction of requirements under the California Consumer Protection Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA).

From a privacy perspective, the general requirement is relatively simple: consent must be relied upon for behavioral and/or targeted advertising. In applying this requirement, the US and EEA/UK models diverge in terms of an opt-in versus opt-out model.

To address EEA/UK cookie consent requirements from GDPR and the e-Privacy Directive, organizations are required to have a user-friendly cookie consent banner pop-up deployed with information about all cookies and trackers embedded on their website in plain language. All cookies and trackers must be withheld until users have given explicit consent to their activation. If an individual refuses to allow the use of certain cookies, they must have full access to an organization’s service regardless of their choice. Once an individual makes a choice, that consent record shall be documented and stored. Finally, the ability for individuals to refuse or withdraw consent at any time must be as easy as it was for them to give consent.

To address US cookie consent requirements, including the various US state privacy laws like CCPA / CPRA, VCDPA, and CPA, organizations should employ an opt-out mechanism to allow individuals to withdraw their consent. This means an organization’s website can use cookies without prior consent but is required to provide individuals with a simple way to opt out of the sharing or selling of their data within the context of cookies at any time. The opt-out mechanism must take the form of a “clear and conspicuous” link or button allowing individuals to make their choice with ease. Organizations must have a written policy that provides transparency related to the categories of personal information collected on the website, information about the third parties with whom personal information is shared with or sold to, types of cookies and other tracking technology, as well as a description of the opt-out right and how to exercise it.

Enforcement actions to date

Enforcement action related to cookie consent violations have been increasing. In 2021, NOYB, an EU non-profit digital rights organization, filed more than 500 GDPR complaints on cookie banners and scanned more than 10,000 websites in Europe to address the prevalence of violations. Of those 10,000 sites, nearly all had violations identified.

In February 2022, the Belgian Data Protection Authority ruled that Interactive Advertising Bureau Europe (IAB Europe) Transparency and Consent Framework (TCF, or “Cookie Consent Framework”) violates multiple provisions of the GDPR.

US enforcement has been ramping up in recent years, with the FTC taking action against multiple digital advertising organizations, including Google for violating the Children’s Online Privacy Protection Act by using cookies to track and deliver targeted ads to children. In July 2021, California’s Office of the Attorney General (AG) released a summary of enforcement actions the agency brought against organizations for alleged CCPA noncompliance since enforcement began. Of the 27 noncompliant examples detailed in the investigation summary, 16 were directly related to cookie consent / do not sell violations. Additionally, the California AG launched the Consumer Privacy Interactive Tool, which allows consumers to draft notices of noncompliance to organizations that do not post an easy-to-find opt-out link on their website.

The recipe: How to comply with cookie requirements

There are a number of methods for individuals to make a valid opt-in / opt-out request on an organization’s website. One of them is called Global Privacy Control (GPC), developed by a group of web publishers, technology companies, browser vendors and civil rights groups to help organizations easily respect California consumer opt-out of sale requests. California’s AG clarified that a GPC signal is a valid opt-out signal and must be honored by organizations. In the context of GDPR, a GPC signal may be interpreted as conveying a general request that data controllers limit the sale or sharing of the individual’s personal data. It has also been interpreted that a GPC signal opting out of processing could create a legally binding obligation for data processors. Using GPC is a method for consumers to signal privacy preferences to a host of websites without manually reaching out to each of the websites. In a December 2021 opinion, the UK Information Commissioner’s Office (“ICO”) mentioned that GPC is intended to convey a “general request” concerning the sale of personal data, and not “meant to withdraw a user’s consent to local storage as per the ePrivacy Directive.” Because of that, as per UK ICO, the tool “does not at this time appear to offer a means by which user preferences can be expressed in a way that fully aligns” with data protection requirements in the UK.

Cookie banners and consent management platforms (CMP) are two common methods used by websites to visually disclose a choice/preference related to setting cookies and tracking of website users. A cookie banner uses a display of banner or pop-up window to inform website users that certain data is collected, and the collected data will be used for certain purposes. CMPs deal with the control of user consent across devices. This makes CMPs very popular with advertisers. CMPs are used by organizations to legally document and manage a website visitor/user’s consent choices prior to initiating activities such as-collecting, sharing, or selling user data. CMP tools also provide end users with detailed information on how a user’s/visitor’s online behavior may be tracked, the purposes for which that information is collected, and the specific vendors and entities requesting to use the information. CMPs generally provide users/visitors the choice to grant, refuse, or revoke consent to having their online behavior tracked and data collected, used or sold.

Many cookie compliance technology solutions can help automate cookie compliance processes and be integrated with an organization’s digital marketing strategy. Regardless of which solution is deployed, organizations can take the following actions to help operationalize their cookie compliance process:

1. Conduct a cookie scan on your website(s). Initiate a scan of your organization’s websites to inventory, track and manage the cookies on your site. Pay close attention to the multiple domains owned by the organization. Consult with your legal and marketing teams to categorize the identified cookies to determine those that are strictly necessary, where you may have a service provider relationship, and those that would need to be blocked subject to an individual’s preference. Continually conduct ongoing scans to keep your organization’s cookie inventory evergreen.

2. Deploy your cookie preference center and banner/link. Design a preference center pop-up and deploy a banner/link that will capture an individual’s preference as it relates to non-essential cookies. Ensure the preference center and/or banner provide accurate and clear communication to individuals with an opportunity to understand the different types of cookies collected, how they are used, and how to opt in or out of allowing the organization to collect data.

3. Operationalize cookie blocking. There are multiple ways that cookies can be dropped on your organization’s websites. If using a tag manager, identify the tags managing cookies that would need to be fired or blocked based on choice. Configure those tags with firing triggers or blocking triggers that will activate if certain conditions are met. Alternatively, cookies can be dropped directly in a page’s source code rather than from a tag manager. The cookie scripts within the source code will need to be edited to be activated or blocked if certain conditions are met based on choice.

4. Review for dark patterns. Dark patterns are choices made during the user interface design. These choices get cemented into the design components of the website as a standard way of working. These design components may influence the decision making of an individual either intentionally or unintentionally to steer or coerce individuals through the website journey. Identification of such dark patterns is a key step in designing and deploying cookie compliance strategy.

With looming enforcement action and pressure from digital rights groups, organizations need to start developing an effective compliance and digital marketing strategy.