Cookie Consent FAQ

In this cookie consent FAQ we'll go over some of the most common questions you may have regarding the law, cookie consent, notices, and how to ensure that your company is using cookies compliantly.

Which Laws Require Cookie Consent?

There are two kinds of consent which are considered acceptable under various laws. These types of consent are "implied" and "active."

Implied Cookie Consent Laws

Implied consent works on an "opt-out" basis. As a website owner that places cookies in a user's browser, this means it's acceptable for you to infer consent as long as the user doesn't actively say otherwise.

Some laws allow implied consent, and two of them are Canadian. Specifically, these are Canada's Anti-Spam Legislation and the Personal Information Protection and Electronic Documents Act (PIPEDA), also from Canada.

The third law, which doesn't require active consent, is California's Online Privacy Protection Act (CalOPPA). If you do business in California, this law applies to you. When it comes to cookie consent, you must let users know how you use cookies, and that information must be placed in your Privacy Policy. Other than that, CalOPPA doesn't demand cookie consent.

Active Consent Cookie Laws

There are two laws, which demand active cookie consent. Both of them originated in, and are governed by, the EU.

The EU's ePrivacy Directive

The first of these is the EU's ePrivacy Directive, which was enacted before the more robust General Data Protection Regulation (GDPR). Both remain in force today.

According to the ePrivacy Directive, if your website is based in an EU country, you must obtain a user's consent before inserting a cookie on that individual's browser. Basic cookies used for site functionality are exempt.

However, note that the ePrivacy Directive also covers the use of cookies, which don't produce or contain personal information.

The General Data Protection Regulation (GDPR)

The second EU law that demands active cookie consent is the GDPR. As noted above, this law is more robust and more strict than any other cookie consent law currently in existence. It demands that it must be absolutely clear that a user has given active consent before you're allowed to collect or use any personal data, which includes the use of cookies.

Under the GDPR, cookies count as personal information if it can combine with other data, which results in personally identifiable information, or if it contains data about a specific, identifiable person.

If your site, data processing location, or the user is based in an EU country, then the GDPR applies to your use of cookies.

COPPA and Cookies

The United States' Children's Online Privacy Protection Act (COPPA) is the only law outside the EU to flat out ban the use of certain types of cookies if you know the user is under 13 years of age.

This law applies to businesses within the U.S. and was enacted in 1998 to help safeguard the online privacy of minors 13 years old and under.

According to COPPA, it's forbidden for you to use persistent cookies (cookies that remain on the recipient's computer after a session is finished) or other persistent identifiers if you know that the user is a minor under 13.

How Can a Business Acquire Cookie Consent?

How you obtain cookie consent depends largely on where you're doing business. With that said, there are browsewrap and clickwrap methods you can use.

The Browsewrap Method

When you use the browsewrap method, you simply have to place a notice somewhere on your site, which states that users consent to the use of cookies if they continue to use your website.

There are a few ways to use this method. For example, you can have:

• A statement within a legal agreement or Privacy Policy
• A header, which users can scroll past
• An overlaid window or popup that the user must actively click to dismiss

Bank Australia used to use the browsewrap method by placing a cookie statement in its header, as seen below:

Here's a close-up of the short, to-the-point cookie statement that links to further information:

The Australian Securities Exchange does it differently by forcing users to click the cookie statement to continue using the website:

This method is not recommended since it doesn't meet the strict consent requirements of some laws, and is also sometimes not upheld in court as being adequate notice to users of your cookies practices.

This next method is what we recommend you use.

The Clickwrap Method

This method requires the user to provide you with explicit consent. Before the user is able to access your site, that individual must actively demonstrate that they're aware of and either agree to or refuse the use of cookies.

With the clickwrap method, you will almost always provide a statement that says your website uses cookies. You'll also give a link to your website's complete Privacy Policy as well as buttons that allow the user to confirm or deny permission. Some clickwrap uses a combination of a confirmation button and a checkbox or toggle button.

The UK's Standard Chartered ensured that users cannot continue on to the full website unless they accept all cookies or decide which cookies they will or won't accept:

It's important to emphasize again that this method is now recommended as a cookie consent standard across the board. Not only is it required by the GDPR, but most countries are moving in the same direction as the EU when it comes to online privacy and the rules that regulate it.

As a business owner, whether you do business in the EU or not, a fair question is why not just go ahead and make your online practices compliant with the strictest set of laws? It's forward-thinking and means that you'll likely always be prepared.

Should You Make it Mandatory to Consent to Cookies?

Not if you want to be compliant with the GDPR. You have to provide users with the ability to make a freely given choice.

Although there are sites out there that continue to use cookie walls, which make cookie acceptance mandatory before users can access them, this method of acquiring consent is no longer valid as of 2020.

Specifically, the European Data Protection Board (EDPB) put out guidance on this issue since there was exceptional criticism to the practice of putting up cookie walls. The new guidance notes that permission to use cookies must be "freely given," as seen in the EDPB response to the letter of 13 July 2020 from News Media Europe and others regarding cookie walls.

Use of a cookie wall therefore breaches the GDPR since it doesn't give the user a real choice.

What are Necessary Cookies?

This is an important question, again mostly for companies doing business in the EU. The rules as stipulated by the EU's ePrivacy Directive demand that websites must get explicit consent for cookies unless those cookies are necessary. But, what does that even mean?

Essentially, you don't have to get permission to place cookies in someone's browser that are essential for your site to run. This may be for specific tasks that users want to perform, or it might also be for your site's overall general operation.

One example might be an ecommerce store which needs to place a cookie in a user's browser so the user is able to keep an item in a virtual shopping basket while they continue shopping.

Other examples of necessary, essential cookies include:

• Cookies for providing streaming services, such as video or audio. (Cookies that track viewing habits are not essential.)
• If your site requires a log-in, then single-session authentication cookies are necessary.
• Security cookies
• Cookies that balance demand across servers.

It's vital to recall that when it comes to a cookie being "necessary" or not has everything to do with providing a function or service, which the user may choose to access. In other words, "necessary" has to do with the user's experience and not with your business interests.

For instance, you might think you need analytics, which use cookies so that you can know what things users are doing on your site and thus boost sales. Yet, those cookies don't have a direct bearing on any function a user might request. Therefore under the ePrivacy Directive, they're not considered "necessary."

Are Third Party Cookies Acceptable?

Lots of businesses use third party cookies. These kinds of cookies are created by other domains than the one the user is currently visiting. They're used mostly for online advertising and tracking purposes.

In light of that fact, it's obvious that they are not strictly necessary.

The guiding principle here is that the third party (such as Facebook with its tracking pixel or Google) is also responsible, along with the website owner, for obtaining consent.

However, the bottom line is that the business using the third party cookie has far greater control over how a cookie consent request is presented than the cookie's creator.

Therefore, the party providing the cookie (like Facebook or Google) will most likely demand a legally binding agreement, which says the website owner in question must abide by all relevant cookie consent laws.

How Should Cookie Consent Be Stored?

It's important to recall that according to the GDPR, you have to store and secure data. That includes the cookie consent you obtain. You'll want to be able to retrieve this data if the EU's Data Protection Authorities ever audit you.

At the very least, these cookie consents ought to include the choices presented to users as a part of your consent mechanism. They should also include the text of the consent and a record of the time and date the user gave consent.

By default, your data storage needs to include cookie consents that were declined as well. Finally, according to the law, you must store this information for a minimum of five years.

How Long Should Cookies Be Stored?

The question's answer largely depends on what the cookie is used for. They're usually broken up into two categories:

• Session cookies
• Persistent cookies

Session cookies are those that are classed as "strictly necessary." They don't require consent, and they expire when the user leaves your website.

Persistent cookies are exactly what their name implies. There aren't any hard rules about how long these cookies can last in a user's browser. However, the consensus is that they should only last long enough to fulfill their purpose. In this way, you won't essentially be overstaying your welcome.

You do want to make sure that any consent you've gained is still valid. That's a hard sell if the user visited your site a year ago, and you're still tracking them even though they've not returned to your site since.