When most people think “cookies,” data privacy is probably the furthest thing from their mind. But anyone who understands data privacy knows that cookies are anything but sweet treats. Cookies can present a bit of a chore, especially considering what they mean for a company’s online presence.

When it comes to data privacy, cookies can be a bit like modern heating, ventilation, and cooling (HVAC) systems. They are common, do a great job, and make life better. However, they both require regular maintenance and service to stay in good working order. In fact, without a qualified technician taking a good look at your HVAC – or data cookies, for that matter – at regular intervals, you can bet that marvel of modern technology will break down and get you into trouble.

In HVAC “trouble” means spending big money on a new system. In data privacy, that means spending money on fines, dealing with inquiries from regulators, or losing money via unhappy customers.  – especially as more and more states pass data privacy legislation.

Where HVAC and data cookies diverge is how often to assess them. In HVAC, you better look at any heating and cooling system twice a year (every six months). But are there any rules for a cookie review?

There are plenty. And we’re here to help you figure out which of those works best for you. But before we go any further, let’s go over some basics and make sure you’re ready for the path ahead.

What are cookies and how do they work?

A “cookie” is a bit of information that a website or social media platform leaves on your computer/mobile device when you visit. The cookie enables your browser to send information to that site or platform when you revisit it.

The information that cookies help compile can be used for countless purposes. Mainly, cookies are used to help the website or platform personalize your visit. For instance, it can use the information compiled to make suggestions or steer you toward purchases that are similar to ones you’ve made in the past. Cookies also remember the types of questions you’ve asked, or the teams or music that you’ve watched or listened to and can point you toward similar teams or styles.

Cookies are sometimes used to create a profile of your interests based on the sites you visit and the things you do there. Advertisers on participating sites can then tailor online advertising to your interests and buying habits. (When in doubt, always check a website’s privacy policy.) There are of course other use cases too like analytics, fraud, and more.

How many types of cookies are there?

While cookie is a universal term, there are many types of cookies. And you should familiarize yourself with each, including:

  • Strictly necessary cookies – Are critical to the function or core operation of the site.
  • Performance  cookies – Are used for analytics and monitoring site metrics. 
  • Functional cookies – Are not critical to the core operation of the site but provide some enhanced function.
  • Targeting/Advertising cookies – Are used in tracking users to serve targeted ads or personalize content.

Targeting/Advertising and performance cookies are the types of cookies that tend to give some users or some companies trouble. Cookies are largely invisible to the user. That said, most websites that you visit nowadays also tell you that they use cookies. And many ask if you will accept them. Why is that?

Why cookies are mentioned on websites

When you log onto a website, you’ll likely see a pop-up or “banner” that mentions cookies and asks you to accept them or opt out of them. At the very least you can expect a site to notify you that cookies are in use.

The reason for this is new legislation regarding data privacy law. These practices first took root in Europe but are becoming more common in the United States. There are currently data privacy laws on the books in nearly two dozen states – and counting.

Data privacy laws are designed to protect the consumer to provide transparency and choice. 

The trick, however, is that – according to some state laws, including Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, California, Colorado, and Connecticut  – selling to a third party does not always mean that you conduct a monetary transaction over consumer data. It could mean that you shared data in exchange for getting a service for free, such as sharing personal information for free analytics. While the laws don’t explicitly say it, adtech, which includes advertising and analytics is frequently regarded as a form of “sale” within the scope of these laws. Other state laws, such as those enacted by Iowa, Tennessee, Indiana, Virginia, and Utah say a “sale” is only defined by monetary consideration.

However designed, many of these laws have teeth. For instance, Sephora was fined $1.2 million in 2022 by the state of California when they used pixels that were deemed by that state as a sale of data. Sephora did not have the right notice and opt-out links as required by CCPA.

To make sure consumers know about this right, the Attorney General of California created a recognizable opt-out icon that businesses can use on the homepage and footer section of their websites with the addition of text that says “Do Not Sell or Share My Personal Information” or “Your Privacy Choices.” It is also strongly recommended to include the following alternative text “California Consumer Consumer Privacy Act (CCPA) Opt-Out Icon” to comply with ADA compliance standards.

This enables consumers to:

  • Opt out of the sale or sharing of Personal Data for targeted advertising
  • Opt out of targeted advertising
  • Take action regarding their individual rights

When you consider that surveys have shown that 73% of customers “would spend significantly less” for products or services from a business that lost their trust, you can see why a cookie review is a must for any business.

What is Global Privacy Control?

Many companies use cookie consent tools to easily manage their cookie consent requirements however, new regulations require companies to recognize universal opt-out mechanisms (UOOMs). One widely recognized UOOM option is the Global Privacy Control (GPC), which operates as a browser extension enabling consumers to opt out of cookies and communicate their preferences to each visited website. Companies must ensure their cookie consent tools not only handle standard cookie consent requirements but also respect the GPC tool.

What are dark patterns?

When you’re creating a banner or pop-up to notify your consumer of cookies, it should make it easy for the consumer to understand. If your banner is confusing or unclear, it could fall into a “dark pattern,” which could lead to legal problems.

Examples of dark patterns:

  • A banner that blocks the whole page
  • Forcing consumers to manually opt out of cookies at every possible category
  • Misleading colors (accept in red, reject in green)
  • Unequal options (accept as a button, reject as a link)
  • Banners that continue to prompt until a user accepts

The best question to ask yourself is: Am I trying to encourage a user to do what is in the best interest of my company as opposed to what’s in the best interest of the user? If it favors the company, you are trending toward a dark pattern.

The best way to avoid a dark pattern is by using symmetry in your notifications and opt-out banners. Choices need to be completely equal so that we’re not guiding someone along the way. For example, do you have a button in a particular color that is highlighted? Do you have the button a different size? Are the fonts the same? Everything needs to be completely equal so that you’re not guiding someone along the way at all.

Also, make sure that you’re not forcing someone to interact with the banner (you should be able to make the banner go away, especially here in the United States where it’s an opt-out philosophy).

Downloadable Resource

Cookie Management Roadmap

How to conduct a cookie review

Conducting a cookie review requires a thorough knowledge of the inner workings of your online presence, including website, social media, etc., as well as a complete understanding of data privacy law.

It is a multi-layered and painstaking process, but it can be done if you have the right people involved.

And the place to start is by creating a team to tackle this task.

Dos and don’ts for a cookie review

When looking through all your cookie usage, here are some tips to help your team out. Your consumer/visitor should be able to look at your page and see:

  • A clear explanation of the type of cookie being used.
  • A clear explanation of all options like accept, reject and how to manage cookie settings.
  • An opt-in should have the same number of steps to opt-out as an opt-in.
  • A banner and cookie notice disclosure that explains the company’s use of cookies. 
  • Make sure your website cookie acknowledgment banner and cookie consent settings are working (e.g. if the user rejects cookies, they should not fire, the Global Privacy Control (GPC) is working properly).
  • Categorize all your cookies properly.
  • Create a cookie policy and plan to perform regular cookie reviews. 

Who is on the cookie review team?

A cookie review team can keep you out of trouble. However, it is critical to cover all aspects of data privacy when building this team.

If you have employees working in privacy and legal departments, as well as marketing, a representative of these departments should take part in cookie reviews.

Web development and potential IT teams need to understand the cookie review as well. That is because sometimes marketing doesn’t own the placement of the cookies or how they are set up. So, you’ll need the departments that own the cookie consent tool for your organization.

Marketing should be involved because many ad agencies have access to what’s called a container tag on your site. And if your cookie team is not aware of what is happening or how often, then that could increase the risk for the company. In other words, you could be liable for something you don’t even know is there.

What does the cookie review team do?

In order to determine that your cookie consent is fully compliant, have your review team ask these questions:

  • Are our cookie-related sections easy for users to understand and act upon?
  • What are the geolocation settings? (Not all cookie law requirements are the same. Some are opt-in and some are opt-out. Some organizations have geolocation settings “on,” and some treat them all the same.)
  • How can you scan the site for any new cookies that are dropping in, making sure that you have the right level of information?
  • How can you categorize these cookies and how many cookies do you have on the site that will require categorization?
  • Do you have marketing cookies, analytics cookies, strictly necessary cookies, unknown cookies, etc.? Are they categorized?
  • Do you have the right “opt-out” links?
  • Did you avoid “dark patterns?”

How often should the cookie team conduct a review?

There is no hard and fast rule for how often you should look at your website and its cookie usage, but it is certainly advisable that you do it at least once a quarter.

Some companies conduct a cookie review once a week, some once a month, and some once a year. The more you can take a look at your website, the more certain you will be, but that requires a determined commitment from the top down.

There are also triggers beyond scheduled cookie reviews. That includes any time a new piece of data privacy legislation is passed. Learn the ins and outs of that legislation and check to be sure that you are meeting its standards.

Do you need help with your cookie review or cookie policy?

Keeping up with and understanding all aspects of cookie policy and how it pertains to data privacy law requires dedication and an understanding that is beyond the job description of many.

Going back to the HVAC analogy, would you work on your air conditioner? The answer is only if you know exactly what you’re doing. And yet it must be done – just like reviewing your cookie status and policy.

Do you have the organization and employee wherewithal to handle cookie policy establishment and review? If not, the good news is that there are companies that specialize in lending expertise and action to keep you secure.

At Red Clover Advisors, we make it our job to offer that expertise to you and make it work – to keep your organization safe from data privacy prosecution in a manner that serves your budgetary requirements.

If you need help establishing and conducting a cookie policy or cookie review, we are ready for you. From startups to Fortune 500 companies, we have a proven record of partnering with organizations to help them ensure all manner of privacy compliance. 

Our certified privacy professionals (CIPP/US/E/A), data analytics, data governance, and privacy legal expertise, integrate all the practitioner-level knowledge required to deliver sustainable privacy program outcomes.To learn more, schedule a call with Red Clover Advisors today!