Disclose Supercookies in Privacy Policy

Disclose Supercookies in Privacy Policy

In June of 2015, the marketing firm Turn Inc. was sued for allegedly tracking the browser history and app usage of "thousands or millions" of Verizon Internet subscribers in California without giving these users notice of the tracking or obtaining their permission or consent to be tracked.

Turn Inc. placed supercookies on the mobile devices and computers of the Verizon Internet subscribers to accomplish this discreet tracking.

Supercookies serve a similar function as regular cookies but are frowned upon by advocates of online privacy because they are very difficult to both detect and remove from a user's device once placed on a device.

Because users had no knowledge of these cookies being used by Turn, there was no way that users would know to go to Turn's website to attempt to turn off the tracking if they wished to.

Even worse, however, is the fact that since the cookies used were supercookies, even if users did find and remove these cookies, Turn's code would still not be removed from the user's browser.

Additionally, if a user did somehow know to go to Turn and request the tracking be stopped, Turn was not obligated to actually stop the tracking.

This is an important case for owners of websites that place cookies on their users or visitors devices because it showcases what you must do before using any cookies at all, and how to handle the issues of disclosure, consent, and revocation of cookies in a legally compliant way.

Disclose use of supercookies

Before these files can be placed on a user's device, at a bare minimum, notice must be provided to the user, and some sort of permission or consent, whether active or passive, must be obtained.

These requirements are part of the California Online Privacy Protection Act (CalOPPA) as well as the EU Cookies Directive, both of which affect any website or mobile app that can be used by any resident of California, or any citizen of any EU country, respectively.

Because the internet is such a broad space of information, it's rightfully assumed that any website in the world can potentially be accessed by someone in California or the EU.

This means that cookies notices are a standard component of websites and mobile apps everywhere these days.

How to disclose

Disclose the use of cookies on your website or mobile app by adding a banner notification or some other sort of conspicuously placed notification.

In this notification, let users know that cookies are used on your website or mobile app. Link to your Privacy Policy or, if you have one, a separate Cookies Policy, that provides more information about how these files are used and why they are used.

Below is an example of how the Thomas Cook website uses a banner notification to let visitors know immediately that cookies are used. Note the link to its Cookie Policy, and the clear and easy to understand the language used.

Thomas Cook Cookies Notification in the Header

Here is an example of a pop-up notification used by WeTransfer that works well with mobile apps. Again, note the link to its separate Cookie Policy.

WeTransfer: I agree button

Remember that it isn't necessary to have a separate Cookie Policy. You can include all of the relevant cookies information in a section within your current Privacy Policy.

How to obtain permission

The best way to ensure you obtain actual permission or consent to use cookies is to require a user to take actual action to confirm that they are OK with this.

This can be done by requiring a user to check a box next to a sentence that says something about the user consenting to have cookies used, or click something that makes it clear that the user understands that clicking will be taken as consent.

Note in the example below how a user must check a box that coincides with the statement, "I accept cookies from this site" as well as click the "Continue" button.

This makes it clear that a user who checks that box and then clicks "Continue" is absolutely giving permission and consent to use cookies.

ICO UK: I Accept Cookies Checkbox

The alternative way of obtaining passive consent is less favored and will likely be slowly phased out of being acceptable. This method counts inaction as consent.

For example, a way to obtain passive consent would be by telling a visitor to a website that by continuing to browse the site, cookies will be placed and consent will be assumed.

Below is an example of how Ticketmaster uses a passive method of obtaining consent to its Terms of Use.

Ticketmaster Terms of Use in Footer

Here's a good general example from Engine Yard of how to obtain more active and actual consent and agreement to your Terms of Service.

EngineYard - I Agree To Terms of Service

Provide information on Cookies

Your Privacy Policy or Cookies Policy is where you will outline all of the information about what cookies your website or mobile app uses, how these files are used, and why you use them.

The more information you provide to your users, the better. Users will be able to have more knowledge about what they are consenting to, and how cookies are actually working for their benefit.

The Cookie information is separate from the General Privacy information on the BBC website. Each section and sub-section of the Privacy and Cookies section are clearly separated, and keywords are linked to additional information. A linked summary section is on the right side of the screen to simplify and outline each section.

BBC: How Does BBC Use Cookies

If you have a separate Cookie Policy, make mention of the Cookie Policy in your Privacy Policy and provide a link to this separate policy.

See below for how Lonely Planet briefly references their Cookies Policy within their Privacy Policy.

Lonely Planet: Cookies Policy Reference

Include information on how a user can limit, edit, or delete which cookies are stored on their device.

Below is an example from the Cookies Policy of The Independent that shows clear information on controlling which cookies are used can be provided to users.

Note how links are provided to assist users of all of the main internet browsers. This is not necessary but is very helpful. The Independent lets users know that, "you can alter the settings of your browser to erase cookies or prevent automatic acceptance if you prefer."

The Independent: Cookies Settings Section

If you give users notice that you use cookies, provide them with access to detailed information about your usage of these files, and provide information about and a method of deleting, limiting, blocking and/or removing cookies, you should be compliant.

When Turn Inc. left out this information and discreetly placed cookies on users' devices, they immediately violated privacy protection laws and put themselves into non-compliance.

Sara P.

Sara P.

Law school graduate, B.A. in English/Writing. In-house writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.