Legos are a darling to the toy world. And why not? They’re colorful, versatile, and can entertain a child for literal hours. Yes, there is the ever-present threat of stepping barefoot on one in the middle of the night, but they’re generally regarded as a core part of the modern childhood experience. 

Yet Legos come with their downsides. Ask anyone who has accumulated more than a box or two—these toys are nearly impossible to organize. There are two general schools of thought on this: meticulous organization into storage boxes or dumping them all into a bottomless bin. 

The bin method holds a lot of appeal for busy parents, but as any parent will say, it poses one substantial risk: running afoul of an angry child when they are looking for just the right Lego to complete their masterpiece. 

So what does this have to do with cookies and cookie maintenance, you might say? A lot more than you suspect.  

Much like Legos, cookies can easily proliferate. What was once a few select cookies to help your website run better suddenly becomes a storage bin full of them. And much like Legos, not keeping them organized can lead to consumer distrust and compliance violations.        

What are cookies—and what do they do?

When you visit a website, it can ask your browser to store small pieces of data called cookies. On later requests the browser sends them back, so the site can recognize your session and offer a more efficient, personalized experience. The same mechanism, however, lets website owners and third-party ad networks build profiles of your activity.

Key types of cookies include:

  • Necessary cookies are essential to site functionality, such as keeping items in a shopping cart or holding the session identifier that keeps a user logged in (the cookie should carry a session token, never the password itself).
  • Preference or functionality cookies let a site remember things like language settings.
  • Statistics or performance cookies, such as those set by Google Analytics, collect information about how users interact with a site, typically in aggregated or pseudonymous form.
  • Marketing cookies collect identifiable data about an individual user’s online activity to deliver targeted advertising. 

Why you need to maintain your cookies

Almost all websites use cookies, so it’s less a matter of whether you should use them and more how you handle them. 

Privacy regulations add complexity as well. European privacy law has established detailed requirements about how cookies and similar tracking technologies can be used. The United States has no federal law regulating cookies or the tracking pixels that place them, but it does have an evolving patchwork of state privacy legislation that applies to businesses at different thresholds.

Maintaining your cookies isn’t, and shouldn’t be, just about meeting regulatory requirements. Any activity your business conducts that touches consumer data is an opportunity to build trust with your customers. After all, you want your customers to talk about your great products and services, not about frustrating or problematic privacy practices. 

How to maintain your cookies

With this in mind, businesses do well to dial in a strategy for maintaining their cookies in a way that serves their customers and meets privacy requirements. Here are some of our top tips for cookie maintenance. 

  • Understand what jurisdictions apply to your business—and what those requirements are

Countries and states have varying requirements for businesses under their consumer privacy laws. These laws apply at different thresholds, and many have exceptions for small businesses. Keep in mind, however, that your customers aren’t tracking the nitty-gritty details of privacy regulations; just because you’re not technically required to comply with a given law doesn’t mean they don’t expect you to.  

While there are similarities and overlaps in state and country data privacy laws, there are also important differences that businesses need to be aware of. For instance, California, Colorado, and Connecticut require businesses to honor universal opt-out preference signals, the most common of which is Global Privacy Control (GPC), a browser setting transmitted with every request as the Sec-GPC header. Businesses subject to these regulations should make sure their site detects the signal and treats it as an opt-out of sale and sharing, including for the cookies that would otherwise perform that sharing. 

More states are implementing data privacy laws each year, so it’s crucial for businesses to ensure compliance with all applicable privacy laws. 

Another caveat: if data belonging to minors is involved in targeted advertising, then opt-in may be required under the California Age-Appropriate Design Code Act.

  • Make sure you correctly set up Do Not Sell/Do Not Share in adherence with CCPA/CPRA requirements

You need to include a link that says “Do Not Sell/Do Not Share My Personal Information” on the home page (this is most commonly done with a link in the footer); you can also accomplish this by using the CCPA icon that says “Your Privacy Rights.”

Your privacy notice should also include that link and disclose whether personal information is sold or shared. 

Note that cookies categorized as analytics or advertising could be considered a sale or sharing of data and should be reviewed as such. This is a bit of a gray area, but since the California Attorney General’s 2022 Sephora settlement, the generally accepted interpretation is that third-party advertising and analytics constitute a sale of data. This is a hot topic for the California regulator, and we recommend reviewing your website with a privacy professional to ensure compliance.

  • Take a look at the reason behind your cookies

Ask yourself:

  • Is the collected consumer data critical to my strategic goals? 
  • Is my business actively capitalizing on the collected data, or is it more of a “nice to have”?
  • Are we collecting more than we need? 

Remember: most U.S. data privacy laws require data minimization. So only take what you really need, and minimize risk for your business. 

Depending on your business and the jurisdictions you fall under, you may need to add a cookie consent banner or other solution to your website. 

There are pros and cons to implementing cookie banners on your website. Many businesses have them because they are seen as more transparent. 

That said, if you decide on a cookie banner, make sure it’s properly designed. If you have a banner for “transparency” but then nudge the user toward “accept” instead of “reject” through its design, you may run into trouble. Such design strategies are known as “dark patterns,” and consent obtained through them is unlikely to count as valid consent under privacy regulations. 

  • If you do include a cookie banner, make sure it makes sense

Your cookie banner should:

  • Be visible
  • Be easy to understand
  • Correctly state what cookies you use and the purpose for collecting that data
  • Be formatted without “dark patterns,” meaning no font, color, or box-shape discrepancies that push the consumer to click “accept” rather than “reject”
  • Offer options symmetrically, such as “accept” and “reject” buttons of equal prominence

  • Test your cookie banner

Test your banner to make sure it works as it should. Walk through every step as if you were the consumer, and watch what the site actually stores: if a consumer hits “reject cookies,” does your system still set analytics or marketing cookies, whether from your own pages or from third-party tags? 

If so, your banner isn’t functioning as it should, and you need to stop and troubleshoot until rejecting actually prevents those cookies from being set. Repeat the check after every change to your tag manager or consent tool, since a newly added tag can quietly bypass the banner. 
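One way to turn that walkthrough into a repeatable check is to capture the Set-Cookie headers a site returns after the visitor makes a choice and compare them against the site’s own cookie inventory. The JavaScript below is an added example, not code from the original post or from Red Clover Advisors: it flags any cookie set in a category the visitor did not consent to, any cookie missing from the inventory (a miscategorization risk), and, following the earlier point about universal opt-outs, treats a Global Privacy Control signal (the browser’s Sec-GPC: 1 header) as an opt-out of statistics and marketing cookies regardless of the banner choice. The cookie names, inventory, sample headers and the shape of the consent object are all constructed for illustration.

```javascript
// Added example (not from the original post): audit the cookies a site
// actually sets against the visitor's consent choice and any Global
// Privacy Control (GPC) signal. Feed it Set-Cookie headers captured after
// the banner interaction, e.g. from a browser-automation session.

// Cookie categories used in the post, least to most sensitive.
const CATEGORIES = ["necessary", "preference", "statistics", "marketing"];

// Constructed cookie inventory: cookie name -> category. A real audit would
// load the site's own inventory; these names are illustrative only.
const INVENTORY = {
  sid: "necessary",            // session identifier that keeps the user logged in
  cart: "necessary",           // shopping-cart contents
  consent_state: "necessary",  // records the banner choice itself
  lang: "preference",          // language preference
  analytics_id: "statistics",  // pseudonymous analytics client id
  ad_id: "marketing",          // advertising identifier
};

// Parse one Set-Cookie header value into name, value and attributes.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    if (i === -1) attrs[attr.toLowerCase()] = true;
    else attrs[attr.slice(0, i).toLowerCase()] = attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Categories the site may set for this visitor.
//   consent.decision:   "accept" | "reject" | "custom"
//   consent.categories: categories ticked when decision is "custom"
//   gpc:                true when the browser sent "Sec-GPC: 1"
// GPC is a universal opt-out of sale/sharing. Because analytics and advertising
// cookies have been treated as a sale or share under CCPA/CPRA, the conservative
// choice is to drop both categories whenever GPC is present, whatever the banner said.
function allowedCategories(consent, gpc) {
  const allowed = new Set(["necessary"]);
  if (consent.decision === "accept") CATEGORIES.forEach((c) => allowed.add(c));
  if (consent.decision === "custom") (consent.categories || []).forEach((c) => allowed.add(c));
  if (gpc) {
    allowed.delete("statistics");
    allowed.delete("marketing");
  }
  return allowed;
}

// One finding per cookie that should not have been set: either it is missing from
// the inventory or its category was not consented to. Empty array = banner behaved.
function auditCookies(setCookieHeaders, consent, gpc = false) {
  const allowed = allowedCategories(consent, gpc);
  const findings = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    const category = INVENTORY[cookie.name];
    if (!category) {
      findings.push({ name: cookie.name, issue: "not in cookie inventory" });
    } else if (!allowed.has(category)) {
      findings.push({ name: cookie.name, issue: `${category} cookie set without consent` });
    }
  }
  return findings;
}

// Constructed capture: what a site might set after the visitor clicked "reject".
const SAMPLE_AFTER_REJECT = [
  "sid=3f9a; Path=/; Secure; HttpOnly; SameSite=Lax",
  "consent_state=rejected; Path=/; Max-Age=31536000; SameSite=Lax",
  "analytics_id=u-4211; Path=/; Max-Age=63072000",
  "ad_id=x9q; Domain=.example.test; Path=/; Secure; SameSite=None",
  "promo_tag=1; Path=/",
];

const rejected = { decision: "reject", categories: [] };
console.log(auditCookies(SAMPLE_AFTER_REJECT, rejected));
// Flags analytics_id, ad_id and the uninventoried promo_tag; sid and consent_state pass.
```

Run the same capture through all three decisions (reject, accept, custom) and again with the GPC flag set; a site that only passes the accept case has a banner that is cosmetic. Anything reported as “not in cookie inventory” needs categorizing before the next review, since an uncategorized cookie cannot be correctly described in the banner or the cookie policy.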

  • Make sure your cookies are correctly categorized

We mentioned earlier that there are different types of cookies. Well, these types of cookies have specific parameters you need to adhere to. For example, marketing or targeted advertising cookies have different opt-in requirements in some countries than, say, cookies used to keep a user’s shopping cart intact if they click out of the site temporarily.  

Categorize your cookies accurately to avoid compliance issues. For example, if you have an “analytics” cookie categorized as a “functional” cookie, it could be perceived as deceptive.

  • Consider whether “opt-in” or “opt-out” is better for you

Each business must make its own calculations around whether opt-out or opt-in is the right fit for them, factoring in its internal processes, goals for customer relationships, and compliance requirements; for example, EU privacy regulations require that businesses use the opt-in model rather than opt-out. 

In general, opt-out places the burden on individuals to exercise their privacy preferences, whereas opt-in puts the onus on businesses to obtain consent.   

  • Make a plan to review your privacy policy every year

Build an annual review plan now to protect your business and create a sustainable privacy program; breaking the update process into smaller, scheduled tasks is what makes it manageable.

Your review should include:

  • Evaluating which jurisdictions apply to your business and whether any new ones have started to apply
  • Making sure your cookie banner (if you have one) and all of your cookie consent settings are up to date. Cookie banners aren’t a “set it and forget it” tool. If you change the types of cookies you use, update the categories in your cookie consent software, your cookie policy, and potentially the banner itself, and confirm that the new cookies still meet the requirements of every applicable privacy law. 

When in doubt, work with a privacy expert

Schedule a free consultation with Red Clover Advisors today to explore how your team can build a privacy program that’s best suited for your business.