Cookie management — whether that means obtaining consent or otherwise — is required by most privacy and data protection laws. In Europe and elsewhere around the world, consent is required for the use of nonessential cookies, such as tracking or analytics cookies, and in many U.S. states, residents now have the right to opt out of cookies that are used in the sale or sharing of personal information as well as in targeted advertising.

The most common way companies manage this notice and choice obligation is with a cookie banner, but adding a cookie banner to your website isn't a quick trip to compliance. Companies have a lot of decisions to make prior to implementing a cookie banner and need to create processes to maintain compliance as business practices and privacy laws change.

Establishing your governance program

As you establish your cookie — and other tracking technologies — program, you will need to put some important elements in place.

Program leadership

The placement of cookies on your online domains requires a cross-functional team that includes privacy, marketing and web development. Designating an individual responsible for implementing and maintaining your program is essential to success.

It's important to outline specific roles and responsibilities, such as who is responsible for managing the cookie consent solution, who owns placing cookies or pixels on the site, and who will keep up with ongoing regulations.

Cookie governance policy

A well-thought-out cookie governance policy will establish a standard company-wide approach to ensure you are meeting your legal obligations and the commitments you make to consumers. A governance policy should outline the company's approach to:

  • Third-party cookies.
  • Pixels — both browser-based and server-to-server.
  • Analytics tools.
  • Essential cookies vs. nonessential cookies.
  • When to remove cookies.
  • Notice and opt-out link requirements.
  • Consent software requirements.

The policy should clearly determine what types of cookies and pixels are approved or prohibited. It should also state how a company will vet third-party vendors prior to entering into a contract with them and what must be included in a contract, for example, what type of data will be collected and how it will be used by both the company and the third party.

Clearly identifying the permissible uses in your contract is critical in evaluating whether the disclosure may be determined as a "share or sale" of data under laws such as the California Consumer Privacy Act. Additionally, the policy should set rules around notice, opt-out and consent setting obligations.

Equally important to having rules for placing pixels and cookies on your site is having rules and guidance for their removal. You don't want cookies and pixels on your site for years collecting and sharing data unnecessarily and without appropriate protections.

Systems and technology

Whether you choose a third-party vendor or create a mechanism in-house, you will need a technical mechanism to ensure that individuals' cookie preferences are respected and managed appropriately. Depending on the laws applicable to you, you will need to provide notice of the types of cookies you include on your site and the consent options available to the user. In general, there are three types of cookie banners: notice only, notice and opt-in, and notice and opt-out.

When providing choices related to cookies, ensure you are following privacy-by-design principles and laws against "dark patterns." Visually, the options to accept or deny cookies should have equal impact, and nonessential cookies should not be placed until the individual indicates a preference. This means you should offer both an "accept optional cookies" and a "reject optional cookies" choice.

Consider the font size, color of the boxes, if the boxes are outlined, and even the words used in the description and choices to ensure they are not pushing consumers into accepting nonessential cookies. 

Bonus tip: It is also a best practice to ensure that "reject all" is in the cookie settings pop-up, not just on the banner. 

Regular testing and audits

It is essential you test systems at the onset and set a cadence for regular testing and holistic cookie audits. 

These cookie audits review the cookie banner for proper setup, scan the cookies on the site (they change often) and adjust their categorization as needed, and test the technology to ensure it continues to work as intended. For example, is the reject-all button actually blocking the cookies it should be? Often, the cookie consent software is not set up properly, breaks when there is a website update, or is affected by some other software bug.
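One way to automate the "is reject-all actually blocking cookies?" check described above, as an added example that is not part of the original article: compare the cookies a page actually sets against the approved inventory from your governance policy for a given consent state. The inventory, cookie names and captured Set-Cookie headers below are constructed for illustration.

```python
"""Pre-consent cookie audit: compare cookies actually set against the approved inventory."""
from http.cookies import SimpleCookie

# Constructed cookie inventory, as a governance policy might define it:
# name -> (category, requires_consent)
COOKIE_INVENTORY = {
    "session_id": ("essential", False),
    "csrf_token": ("essential", False),
    "_ga": ("analytics", True),
    "_fbp": ("advertising", True),
}


def parse_set_cookie_headers(headers):
    """Return the cookie names found in a list of Set-Cookie header values."""
    names = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # parses "name=value; attr; attr=value" into morsels
        names.extend(jar.keys())
    return names


def audit_cookies(observed_names, consent_given):
    """Classify each observed cookie for the given consent state.

    Returns lists of 'allowed' (essential, or consented nonessential),
    'violations' (nonessential cookies set without consent) and
    'unknown' (cookies absent from the inventory, which need categorization).
    """
    report = {"allowed": [], "violations": [], "unknown": []}
    for name in sorted(set(observed_names)):
        entry = COOKIE_INVENTORY.get(name)
        if entry is None:
            report["unknown"].append(name)
        elif entry[1] and not consent_given:
            report["violations"].append(name)
        else:
            report["allowed"].append(name)
    return report


# Constructed Set-Cookie headers, as if captured right after clicking "reject all".
SAMPLE_HEADERS_AFTER_REJECT = [
    "session_id=abc123; Path=/; Secure; HttpOnly",
    "_ga=GA1.2.1234; Path=/; Max-Age=63072000",
    "_newpixel=1; Path=/",
]

if __name__ == "__main__":
    result = audit_cookies(parse_set_cookie_headers(SAMPLE_HEADERS_AFTER_REJECT), consent_given=False)
    for key, cookies in result.items():
        print(f"{key}: {cookies}")
```

Any name in "violations" means the banner is not blocking what it should; any name in "unknown" is a cookie that was added to the site without going through the governance process and needs to be categorized.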

How often you add new cookies to the site should determine the frequency you perform these audits. Companies should review and update their practices monthly or quarterly, depending on their needs. At a minimum, doing so twice a year — aligning with new state regulations that take effect each 1 Jan. and 1 July — is considered best practice.

PIAs for new cookie use

You should have a privacy review process in place for any new technology to determine whether it adds additional risk to the personal information you process. Additionally, many privacy laws require privacy or data protection assessments for any sale or sharing of personal information or its use for targeted advertising. Conducting an annual data inventory is also a good practice to catch the use of new cookies or use cases and identify when a privacy impact assessment is needed for existing cookie usage. 

Training

None of the above will be effective until employees are given visibility into the program and appropriately trained. All employees who might engage with a cookie or its placement should be trained. Privacy training is also important for those employees that regularly interact with consumers and their personal information.

Privacy notice requirements

The more your brand values privacy and demonstrates this through transparent practices, the more credibility and trust you will build with your users. Whether you choose to provide notice about your cookie practices in your full privacy notice or in a separate cookie notice, you must accurately reflect your company's cookie practices. This includes what kinds of cookies you use, their purpose and any disclosures of personal information via tracking technologies.

All U.S. state consumer privacy laws and those in other regions require opt-outs to be conspicuously available in a privacy notice. Some go even further: the CCPA requires the opt-out to be available on the home page of a website or app, either as a "Do Not Sell My Personal Information" link or as the "Your Privacy Choices" icon. Be sure to review the laws in jurisdictions where you operate and always have the proper notice and opt-out links where required. Including links to privacy notices and privacy rights pages in your footer can help ensure that these links are included on all pages of your website where personal information may be collected, mitigating a risky privacy violation.

Evolve with business

Technologies that enable companies to market their business, produce analytics and understand their customer base are constantly changing. The privacy landscape is also changing. Your business may grow into new markets which might have different privacy requirements. All of these changes require you to diligently maintain your cookie program. Putting in place processes to review your program and practices and update documentation, notices and training accordingly are essential to continued compliance.

Conclusion

Your business likely falls under the jurisdiction of several privacy and data protection laws, each of which may have differing obligations. Depending on your budget, resources, and the size and complexity of your business, you may choose to approach this challenge with a one-size-fits-all solution or treat regions differently based on their laws.

Either way, setting up and maintaining a proper cookie governance program takes a knowledgeable and skilled team who pay attention to the changing privacy laws, engage in the use and placement of cookies and pixels, and have the technical know-how to communicate with marketing, web development, privacy and others to ensure continued compliance.

Editor's note: This article does not, and is not intended to, constitute legal advice.