Last updated on 01 July 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
Many websites actually insert more than one cookie, and sometimes that number can even be in the hundreds.
Although not all cookies are tracking cookies, many of them are. Tracking cookies are a kind of cookie often used by commercial websites to track user behavior and see things such as specific products a user has viewed, what pages were visited, the name of the website, and even the user's browsing history.
Regardless of the type, the user may give up an incredible amount of information to the website placing the cookie.
In this cookie consent FAQ we'll go over some of the most common questions you may have regarding the law, consent, notices, and how to ensure that your company is compliant.
There are two kinds of consent which are considered acceptable under various laws. These types of consent are "implied" and "active."
Implied consent works on an "opt-out" basis. As a website owner that places cookies in a user's browser, this means it's acceptable for you to infer consent as long as the user doesn't actively say otherwise.
As of 2020, three laws allow implied consent, and two of them are Canadian. Specifically, these are Canada's Anti-Spam Legislation and the Personal Information Protection and Electronic Documents Act (PIPEDA), also from Canada.
There are two laws that demand active cookie consent. Both of them originated in, and are governed by, the EU.
The first of these is the EU's ePrivacy Directive, which was enacted before the more robust General Data Protection Regulation (GDPR). Both remain in force today.
According to the ePrivacy Directive, if your website is based in an EU country, you must obtain a user's consent before inserting a cookie on that individual's browser. Basic cookies used for site functionality are exempt.
Under the GDPR, cookies count as personal information if they can be combined with other data to produce personally identifiable information, or if they contain data about a specific, identifiable person.
The United States' Children's Online Privacy Protection Act (COPPA) is the only law outside the EU to flatly ban the use of certain types of cookies if you know the user is under 13 years of age.
This law applies to businesses within the U.S. and was enacted in 1998 to help safeguard the online privacy of minors 13 years old and under.
According to COPPA, it's forbidden for you to use persistent cookies (cookies that remain on the recipient's computer after a session is finished) or other persistent identifiers if you know that the user is a minor under 13.
How you obtain cookie consent depends largely on where you're doing business. With that said, there are browsewrap and clickwrap methods you can use.
There are a few ways to use this method. For example, you can have:
Bank Australia uses the browsewrap method by placing a cookie statement in its header, as seen below:
Here's a close-up of the short, to-the-point cookie statement that links to further information:
The Australian Securities Exchange does it differently by forcing users to click the cookie statement to continue using the website:
This method is not recommended since it doesn't meet the strict consent requirements of some laws, and courts have sometimes found it inadequate as notice to users of your cookie practices.
This next method is what we recommend you use.
The UK's Standard Chartered ensures that users cannot continue on to the full website unless they accept all cookies or decide which cookies they will or won't accept:
It's important to emphasize again that this method is now recommended as a cookie consent standard across the board. Not only is it required by the GDPR, but most countries are moving in the same direction as the EU when it comes to online privacy and the rules that regulate it.
As a business owner, whether you do business in the EU or not, a fair question is why not just go ahead and make your online practices compliant with the strictest set of laws? It's forward-thinking and means that you'll likely always be prepared.
Not if you want to be compliant with the GDPR. You have to provide users with the ability to make a freely given choice.
Although there are sites out there that continue to use cookie walls, which make cookie acceptance mandatory before users can access them, this method of acquiring consent is no longer valid as of 2020.
Use of a cookie wall therefore breaches the GDPR since it doesn't give the user a real choice.
This is an important question, again mostly for companies doing business in the EU. The rules as stipulated by the EU's ePrivacy Directive demand that websites must get explicit consent for cookies unless those cookies are necessary. But, what does that even mean?
Essentially, you don't have to get permission to place cookies in someone's browser that are essential for your site to run. This may be for specific tasks that users want to perform, or it might also be for your site's overall general operation.
One example might be an ecommerce store which needs to place a cookie in a user's browser so the user is able to keep an item in a virtual shopping basket while they continue shopping.
Other examples of necessary, essential cookies include:
It's vital to recall that whether a cookie is "necessary" or not has everything to do with providing a function or service that the user may choose to access. In other words, "necessary" has to do with the user's experience and not with your business interests.
Lots of businesses use third-party cookies. These cookies are created by domains other than the one the user is currently visiting. They're used mostly for online advertising and tracking purposes.
In light of that fact, it's obvious that they are not strictly necessary.
The guiding principle here is that the third party (such as Facebook with its tracking pixel or Google) is also responsible, along with the website owner, for obtaining consent.
However, the bottom line is that the business using the third party cookie has far greater control over how a cookie consent request is presented than the cookie's creator.
Therefore, the party providing the cookie (like Facebook or Google) will most likely demand a legally binding agreement stating that the website owner in question must abide by all relevant cookie consent laws.
It's important to recall that according to the GDPR, you have to store and secure data. That includes the cookie consent you obtain. You'll want to be able to retrieve this data if the EU's Data Protection Authorities ever audit you.
At the very least, these cookie consents ought to include the choices presented to users as a part of your consent mechanism. They should also include the text of the consent and a record of the time and date the user gave consent.
By default, your data storage needs to include cookie consents that were declined as well. Finally, according to the law, you must store this information for a minimum of five years.
The answer largely depends on what the cookie is used for. Cookies are usually broken up into two categories:
Session cookies are those that are classed as "strictly necessary." They don't require consent, and they expire when the user leaves your website.
Persistent cookies are exactly what their name implies. There aren't any hard rules about how long these cookies can last in a user's browser. However, the consensus is that they should only last long enough to fulfill their purpose. That way, you won't be overstaying your welcome.
You do want to make sure that any consent you've gained is still valid. That's a hard sell if the user visited your site a year ago, and you're still tracking them even though they've not returned to your site since.
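The three mechanical points above (set strictly necessary cookies without asking; record every consent decision, including refusals, with the text shown and a timestamp, and keep it for at least five years; and never let a persistent cookie rest on consent that has gone stale) fit together in a small server-side helper. The following is an added example written for this article, not TermsFeed's own code or a product it describes. The category names, the user identifier, the banner text and the choice to treat consent as stale after 12 months are all assumptions made for the example; the article itself sets no fixed validity period.

```javascript
"use strict";

// Added example (not TermsFeed code): a consent ledger plus a Set-Cookie builder
// that only issues non-essential cookies against a recorded, still-valid consent.

// Assumption: the categories offered in the banner. Which cookies count as
// "strictly necessary" is a policy decision for the site.
const CATEGORIES = ["necessary", "analytics", "advertising"];

// Assumption for this example: consent is treated as stale after 12 months.
const CONSENT_VALID_MONTHS = 12;
// Retention floor for consent records stated in the article: five years.
const RETENTION_MONTHS = 60;

// Add whole calendar months in UTC (setUTCMonth rolls over into later years).
function addMonths(date, months) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}

class ConsentLedger {
  constructor() {
    this.records = [];
  }

  // Store every decision, accepted or refused, with the exact text shown and a timestamp.
  record({ userId, choicesShown, choicesAccepted, consentText, at = new Date() }) {
    for (const c of choicesAccepted) {
      if (!choicesShown.includes(c)) throw new Error(`accepted choice was never shown: ${c}`);
    }
    const rec = {
      userId,
      choicesShown: [...choicesShown],
      choicesAccepted: [...choicesAccepted],
      choicesDeclined: choicesShown.filter((c) => !choicesAccepted.includes(c)),
      consentText,
      givenAt: at.toISOString(),
      retainUntil: addMonths(at, RETENTION_MONTHS).toISOString(),
    };
    this.records.push(rec);
    return rec;
  }

  // Most recent decision for a user, or undefined if none was ever recorded.
  latestFor(userId) {
    for (let i = this.records.length - 1; i >= 0; i--) {
      if (this.records[i].userId === userId) return this.records[i];
    }
    return undefined;
  }

  // Seconds of consent validity left for `category` at `now`; 0 means "do not set".
  // Strictly necessary cookies never need consent, so their validity is unbounded.
  validitySeconds(userId, category, now = new Date()) {
    if (category === "necessary") return Infinity;
    const rec = this.latestFor(userId);
    if (!rec || !rec.choicesAccepted.includes(category)) return 0;
    const expires = addMonths(new Date(rec.givenAt), CONSENT_VALID_MONTHS);
    return Math.max(0, Math.floor((expires.getTime() - now.getTime()) / 1000));
  }

  // Records whose minimum retention period has passed and may be reviewed for deletion;
  // everything else must still be producible for an audit.
  pastMinimumRetention(now = new Date()) {
    return this.records.filter((r) => new Date(r.retainUntil) <= now);
  }
}

// Build a Set-Cookie header value. Omitting maxAgeSeconds yields a session cookie;
// a persistent cookie's Max-Age is capped so it never outlives the consent it rests on.
function buildSetCookie(ledger, userId, { name, value, category, maxAgeSeconds, now = new Date() }) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  const remaining = ledger.validitySeconds(userId, category, now);
  if (remaining === 0) return null; // no consent on record, or it has gone stale
  let header = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
  if (maxAgeSeconds !== undefined) {
    header += `; Max-Age=${Math.min(maxAgeSeconds, remaining)}`;
  }
  return header;
}

// Constructed walk-through: the visitor accepts necessary + analytics and refuses advertising.
function demo() {
  const ledger = new ConsentLedger();
  ledger.record({
    userId: "visitor-42", // constructed identifier
    choicesShown: CATEGORIES,
    choicesAccepted: ["necessary", "analytics"],
    consentText: "We use cookies for site functionality and analytics. (constructed banner text)",
    at: new Date("2022-07-01T12:00:00Z"),
  });
  const now = new Date("2022-07-02T12:00:00Z");
  const opts = (name, category, maxAgeSeconds) => ({ name, value: "v", category, maxAgeSeconds, now });
  return {
    ledger,
    basket: buildSetCookie(ledger, "visitor-42", opts("basket", "necessary")), // session cookie, no consent needed
    stats: buildSetCookie(ledger, "visitor-42", opts("_stats", "analytics", 90 * 86400)), // persistent, consented
    ads: buildSetCookie(ledger, "visitor-42", opts("_ads", "advertising", 90 * 86400)), // refused: null
  };
}
```

Calling `demo()` returns a session cookie for the basket, a 90-day analytics cookie, and `null` for advertising. Run the same `buildSetCookie` call with a `now` close to the consent's expiry and the `Max-Age` shrinks to the days of validity left; run it after expiry and nothing non-essential is set, which is the point made in the last paragraph above. The ledger keeps the refusal as a first-class record, so an audit export shows what was offered, what was declined and when.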