You’ve probably heard the saying “A balanced diet is a cookie in each hand.”
It’s proof of a global obsession with tiny balls of butter, flour, sugar, and eggs. While the flavors and shapes vary by region, every culture has a seemingly never-ending repertoire of cookie recipes.
Culinary historians think cookies started simply as a way for bakers to test the heat inside their wood-fired ovens. If the tiny piece of dough or batter they put on the hearth or in the brick/clay interior scorched, the fire was too hot. If it stayed raw, the fire wasn’t hot enough. Dry and small, these test bakes took a long time to spoil and were saved by kitchen staff for days when there wasn’t enough food.
Because they required fewer ingredients and less technical skill than bread or cake, could be produced en masse with relative ease, and lasted a long time, all it took for these “koekjes” (“little cakes” in Dutch) to go from leftovers to the star of the show was the introduction of sweeteners like honey and sugar.
But wait! You’re reading a privacy blog, not a history of cookies!
There’s a point to our baking history lesson, we promise.
What’s the big deal about cookies?
Just like edible cookies, digital cookies started as a simple tool meant to improve outcomes and efficiency for a bigger task—namely, browsing the internet. But, like bakers of old, marketers quickly realized web cookies were much more versatile and toothsome than their initial use implied.
Sites originally used cookies to store a search history or keep an online cart full across multiple visits. While this development was necessary to expand the capabilities of ecommerce, it didn’t take long for ad tech companies to develop third-party cookies that were capable of building highly specific user profiles by tracking individuals across the internet.
These digital profiles spawned a multi-billion-dollar data brokerage industry that traded and sold all kinds of personal information, some of it very sensitive, about people who had no idea their names, birthdays, phone numbers, and browsing histories were making some people very rich.
This massive, unwieldy amount of data also created new opportunities for hackers, who increasingly found ways to exploit network weaknesses and expose the sensitive personal information of millions of people to identity thieves each year.
This all culminated in 2016 with privacy advocates successfully lobbying for the passage of the world’s first comprehensive data privacy law, the European Union’s General Data Protection Regulation, known as the GDPR.
How the GDPR changed cookie recipes everywhere
The GDPR was the first attempt by a government to balance the very real benefits that cookies provide businesses and consumers with the profound risk they present to individual privacy.
The GDPR established three different cookie classifications and set compliance requirements for each type.
- Duration refers to either session cookies, which expire once a browser is closed, or persistent cookies, which stay on a hard drive until a user erases them or they expire.
- Provenance refers to either first-party cookies, which are intentionally set by the site being visited, or third-party cookies, which are placed by advertisers or analytics systems that piggyback on other websites.
- Purpose refers to four types of cookies:
- Strictly necessary cookies are essential to site functionality. These are the cookies that keep items in a shopping cart or remember login credentials.
- Preference cookies, also known as functionality cookies, allow a site to remember things like language preferences, region settings, etc.
- Statistics cookies, sometimes called performance cookies, anonymously collect information about how users interact with a site (Google Analytics, for example, are statistics cookies).
- Marketing cookies collect identifiable data about an individual user’s online activity in order to deliver relevant advertising.
Because persistent, third-party marketing cookies present the biggest threats to an individual’s online privacy, the GDPR set aggressive limits on how these cookies can be used. According to the GDPR website, GDPR compliance requires sites to:
- Obtain user consent before setting any cookies except strictly necessary cookies
- Provide users with accurate and specific information about what each cookie tracks and why before consent is obtained
- Document and store a record of consent after it’s received
- Allow users to access a service even if they refuse cookies
- Make it as easy for users to withdraw consent as it was to give it
Enter cookie consent managers, the best new cookie cookbook
While the GDPR only applies to businesses that operate in the EU or collect information from EU residents, keeping up with GDPR cookie consent requirements suddenly took more technical skill than most businesses had on hand.
Not only were sites now responsible for informing users about their data collection practices, but they also had to make sure that they were firing a consent banner for cookie at the right time, figure out how to collect consents and store them long-term, and keep the site functional regardless of which cookies the user accepts.
And that is how the cookie consent management platform (CMP) was born.
A cookie management system is a consent tool that automates cookie consent processes by:
- Launching user notifications regarding the types of personal data being collected and their collection purpose
- Preventing use of all tracking cookies until consent is received
- Collecting and storing user consent
- Allowing users to withdraw their consent at a later date
A good cookie management system will do all of the above as well as:
- Offer segmentation based on applicable laws (GDPR vs. CCPA, for example)
- Offer analytic tools that can help you optimize your consent strategies
- Find hidden cookies that are embedded inside other trackers on your site
- Have multiple cookie notice options (banner, widget, pop-ups, etc.)
- Deliver a clear trail of consent history
Because information collected from cookies has traditionally played a key role in marketing, it’s also critical for a CMP to easily communicate consent settings with any digital marketing platforms you use.
CMPs are truly an excellent consent tool. But, and this is a big but, they have some serious limitations. Deploying an off-the-shelf CMP isn’t a guarantee that your site will achieve compliance with privacy regulations.
A new recipe for consent solution
A basic chocolate chip cookie doesn’t take a lot of skill to make.
A delicate French macaron is another story.
Just like some types of cookies are easier to make than others, cookie consent managers may fall flat and burn if they aren’t set up properly by someone who understands the details of privacy laws like the GDPR or CCPA (and soon to come CPRA).
Having a privacy consultant on board while installing a CMP will ensure you properly classify your cookies, establish consent parameters, and incorporate your cookie policy into your privacy policy. Those choices may seem small, but a mistake in any one of them can be the difference between compliance and fines.
At Red Clover Advisors, we’ve helped clients avoid common pitfalls and optimize how they use their CMP. With years of experience and a passion for practical, cost-effective privacy solutions, our team’s expertise allows our clients to become privacy thought leaders in their industries.
If you need help selecting, implementing, or optimizing a cookie consent manager, let us show you how we can help.