19 June 2020
In June of 2015, the marketing firm Turn Inc. was sued for allegedly tracking the browser history and app usage of "thousands or millions" of Verizon Internet subscribers in California without giving these users notice of the tracking or obtaining their permission or consent to be tracked.
Turn Inc. placed supercookies on the mobile devices and computers of the Verizon Internet subscribers to accomplish this discreet tracking.
Supercookies serve a similar function to regular cookies but are frowned upon by advocates of online privacy because, once placed on a user's device, they are very difficult to both detect and remove.
Because users had no knowledge of these cookies being used by Turn, there was no way that users would know to go to Turn's website to attempt to turn off the tracking if they wished to.
Even worse, because the cookies used were supercookies, Turn's code would still not be removed from the user's browser even if users did find and remove these cookies.
Additionally, if a user did somehow know to go to Turn and request the tracking be stopped, Turn was not obligated to actually stop the tracking.
This is an important case for owners of websites that place cookies on their users' or visitors' devices because it showcases what you must do before using any cookies at all, and how to handle the issues of disclosure, consent, and revocation of cookies in a legally compliant way.
Before these files can be placed on a user's device, at a bare minimum, notice must be provided to the user, and some sort of permission or consent, whether active or passive, must be obtained.
These requirements are part of the California Online Privacy Protection Act (CalOPPA) as well as the EU Cookies Directive, both of which affect any website or mobile app that can be used by any resident of California, or any citizen of any EU country, respectively.
Because the internet is such a broad space of information, it's rightfully assumed that any website in the world can potentially be accessed by someone in California or the EU.
This means that cookie notices are a standard component of websites and mobile apps everywhere these days.
Active consent can be obtained by requiring a user to check a box next to a sentence that says something about the user consenting to have cookies used, or to click something that makes it clear that the user understands that clicking will be taken as consent.
Note in the example below how a user must check a box that accompanies the statement "I accept cookies from this site" as well as click the "Continue" button.
The alternative, obtaining passive consent, is less favored and will likely be slowly phased out as an acceptable method. This method counts inaction as consent.
For example, a way to obtain passive consent would be by telling a visitor to a website that by continuing to browse the site, cookies will be placed and consent will be assumed.
Here's a good general example from Engine Yard of how to obtain more active and actual consent and agreement to your Terms of Service.
The more information you provide to your users, the better. Users will be able to have more knowledge about what they are consenting to, and how cookies are actually working for their benefit.
The Cookie information is separate from the General Privacy information on the BBC website. Each section and sub-section of the Privacy and Cookies section is clearly separated, and keywords are linked to additional information. A linked summary section is on the right side of the screen to simplify and outline each section.
Include information on how a user can limit, edit, or delete which cookies are stored on their device.
Below is an example from the Cookies Policy of The Independent that shows how clear information on controlling which cookies are used can be provided to users.
Note how links are provided to assist users of all of the main internet browsers. This is not necessary but is very helpful. The Independent lets users know that, "you can alter the settings of your browser to erase cookies or prevent automatic acceptance if you prefer."
When Turn Inc. left out this information and discreetly placed cookies on users' devices, they immediately violated privacy protection laws and put themselves into non-compliance.