At Red Clover Advisors, we’ve been collaborating with clients on privacy strategies since Day 1. It’s our goal to make privacy clear and actionable for your business without the cost of doing the work in-house.
We bring specialized focus on guidance and strategy so you can be confident in your compliance. We provide cookie audits that help keep your data collection and marketing programs intentional and risk-aware.
Cookie consent planning
There’s plenty of cookie banner software on the market. The issue lies in making sure you’re properly classifying the cookies and only using the ones you really need. We walk clients through all the questions that follow:
A quick refresher, please! What is the deal with cookies?
Lots of people have heard of cookies. They've probably even used the term in conversation. But what is a cookie, really? A cookie is a small text file that is stored on your hard drive by the websites you visit. A cookie identifies you to the website so it recognizes you. Cookies help websites run more efficiently and in general improve user experience. In exchange for this, cookies can be used to create user profiles by website owners or the third-party ad networks they're a part of.
Let’s take a moment to acknowledge that cookies are a complex topic. They’re used in a lot of different ways, and their use is affected not just by GDPR, but also by the ePrivacy Directive and the CCPA. Moreover, there’s guidance on how cookies should be implemented for different countries. We always recommend that companies work with a professional to guide their cookie banner implementation.
It should be noted that not all cookies are the same. Being familiar with the variety of cookies out there and how they can be used will help you figure out what cookies are firing at what time in the EU.
Some cookies, known as session cookies, are temporary and only run during a single browsing session. They aren't stored on your hard drive and are deleted when your session is done. On the other hand, permanent cookies are used to identify you over multiple sessions. Permanent cookies can be used for marketing and analytics or to improve your user experience by saving login information and analyzing performance data.
Another type of cookie is called an essential, or strictly necessary, cookie. These can be used for fraud detection and other important functional purposes. Last but not least, there are Flash cookies. These cookies are created and stored solely in the Adobe Flash browser app. Flash cookies can be problematic because they're not deleted when a user clears their browser cookies.
What are my options for cookie consent?
There are four different types of cookie consent that you can implement on your cookie banner. Each one has its benefits, but it’s important to seriously consider drawbacks when weighing your options. Taking a shortcut now might seem appealing – there’s a lot to tackle when you’re working on compliance. However, it works against you in the long run when you’re trying to achieve compliance with GDPR, CCPA, and other regulatory requirements.
The simplest approach to cookie consent. When you use the “Notice Only” approach, your banner informs users that you're using cookies but doesn't give them the chance to opt-in or out. Not surprisingly, this approach isn't GDPR compliant. (Or compliant for other regulations, for that matter.)
When you take an opt-out approach on your website, you drop all your cookies when your users arrive. However, your cookie banner lets users choose to opt out if they prefer. Opt-out can be simpler to implement, but it can risk running afoul of General Data Protection Regulation (GDPR) compliance requirements.
When you use the “Implied Consent” approach, your website will only automatically activate cookies that are categorized as “strictly necessary.” The banner either asks the user to click through to continue or informs them that any other cookies will be activated if they continue using the site.
Opt-in consent is the compliance-oriented approach to cookie consent. With the opt-in approach, strictly necessary cookies are dropped upon visits, but the banner provides a clear and detailed explanation of the additional cookies. Users must complete a specific action, clicking “Accept” or “Okay,” for the rest of the cookies to drop.
Because this approach requires intentional actions by the user, it’s more likely that a business might lose website visitors. However, you’re also less likely to end up facing compliance issues.
Should I have the same cookie banner in the US as I do in the EU?
There’s no textbook, one-size-fits-all approach to this question. The likely answer is no, because EU limitations can have a negative impact on your business in the US. However, this is in no way definitive. You should always analyze your business needs along with the benefits and risks of any given approach and the software you’re using. (A big benefit of cookie banner software is that it can make international compliance requirements easier to achieve.)
What should cookie consent include?
When you collect cookies, you have to inform the user as clearly and explicitly as possible which cookies are running on your site and what their purpose is. You also have to inform the user that they have the right to accept OR refuse consent and explain how they exercise that right. This is known as active valid consent.
In short, cookie consent has to be: 1) Informed; 2) Explicit; 3) Given through an unambiguous opt-in action.
Okay, so how do you do this?
To give your users the opportunity to give valid active consent, you must:
- Display a visible cookie banner or notice upon a user’s first visit.
- Block all non-exempt cookies and/or scripts from running until after user consent is given
- Collect user consent through an explicit opt-in action
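
One way to check the second step during a cookie audit is to compare the cookies a site sets on a first visit, before any banner interaction, against your cookie classification. The sketch below is an added example, not Red Clover Advisors' tooling; the cookie names, categories and captured headers are constructed for illustration.

```javascript
// Constructed cookie classification for a hypothetical site (an assumption;
// a real audit takes this from your own cookie inventory).
const CATEGORY = new Map([
  ["session_id", "strictly_necessary"],
  ["csrf_token", "strictly_necessary"],
  ["_analytics_uid", "analytics"],
  ["ad_profile", "marketing"],
]);

// Constructed Set-Cookie headers as captured on a first visit, before the
// visitor has touched the banner.
const PRE_CONSENT_HEADERS = [
  "session_id=abc123; Path=/; HttpOnly; Secure",
  "_analytics_uid=u-42; Max-Age=31536000; Path=/",
  "ad_profile=seg7; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.ads.example",
  "tmp_widget=1; Path=/",
];

// Split one Set-Cookie value into its name and lifetime.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  // Expires or Max-Age present: the browser keeps the cookie past the session.
  // (Deletion values such as Max-Age=0 are not treated specially here.)
  const persistent = attrs.some((a) => /^(expires|max-age)=/i.test(a));
  return { name, lifetime: persistent ? "persistent" : "session" };
}

// Return every cookie that should not have been set for the given consent
// state. Cookies missing from the classification are reported as well,
// since an unclassified cookie cannot be shown to be exempt.
function auditCookies(headers, consented = []) {
  const allowed = new Set(["strictly_necessary", ...consented]);
  return headers
    .map(parseSetCookie)
    .map((c) => ({ ...c, category: CATEGORY.get(c.name) ?? "unclassified" }))
    .filter((c) => !allowed.has(c.category));
}

for (const v of auditCookies(PRE_CONSENT_HEADERS)) {
  console.log(`${v.name}: ${v.category}, ${v.lifetime} cookie set before consent`);
}
```

Passing the categories a visitor has accepted as the second argument (for example `["analytics"]`) runs the same check against a post-consent capture.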
And remind me again why I need a cookie consent banner in the first place?
The most basic and obvious reason to have a cookie banner is that you need one to stay in compliance with privacy regulations. Not complying can carry significant fines, up to €20 million or 4% of the annual turnover, whichever is higher.
Being in compliance isn’t just good for legal reasons – it demonstrates your values as an organization and it boosts your website’s credibility. If your website – and by extension, your company – doesn’t take privacy and transparency seriously, you’ll have an increasingly hard time establishing trust with users.
Do I need to list the name of each specific cookie (including third-party cookies) used on our website?
Specific cookie listing requirements are nuanced and vary by type of regulation, but the short answer is yes, you should list all your cookies. It’s industry best practice to use a cookie banner or software that lists each of them and that details types of consent and/or a cookie notice. (Your approach will depend on how extensive your list is, of course.)
What are the types of cookie consent? (I thought you’d never ask!) They include:
- Strictly necessary
Your compliance needs will dictate how you approach cookie consent. For GDPR, your user must give prior consent before any cookies besides those in the “strictly necessary” category are processed. Under CCPA, you have to provide notice at or before the time of collection. Hence the popularity of banners – they help meet cookie requirements in an efficient manner.
Invest in privacy now
When it comes to personal data, cookies, and consent, compliance can't be an afterthought. You need a strategy for tomorrow to get all the details right for today.
Give your customers the ability to consent that they deserve. Reach out to our team at Red Clover Advisors today.