Cookies are small text files placed on a user’s device that are meant to collect data from consumers and help companies and third-party advertisers understand their online behavior.
In general, users have the right to know how their data is being used as well as have the option to either disable or delete Cookies if they are concerned about their online privacy and safety.
The following information has been compiled to help website owners, managers, directors, and company administrators become aware of the latest policies. This guide aims to inform you on whether you need to implement a Cookies pop-up, as well as the correct legal wording to use if you choose to write one.
What’s the ‘Cookie Law’ and Policy Surrounding Cookies?
For starters, what is the law concerning Cookies, and how do you know if your company needs a disclaimer explaining which Cookies are used and giving users the option to disable them?
The Cookie Law, also known as the ePrivacy Directive, went into effect in 2002 in an effort to protect and ensure EU user privacy.
So does your US-based company need to comply? The short answer is no, but there is some grey area that might require you to comply with EU guidelines.
Media Genesis reports: “the majority of United States websites won’t need to comply with any regulations related to the Cookie Law unless you have a target audience in Europe.” This means that if your target audience is EU clients, you should defer to complying with the EU Cookie Law even if you are a US-based company.
Companies in the EU, or those doing business in the EU, must first obtain consent from users and explain, in detail, why they are using Cookies. Users must review the consent information and understand that Cookies are being used to track information, according to Media Genesis.
You can go through this checklist to find out if you are complying with the law:
- Explain what Cookies (if any) are being used.
- Explain the purpose of the Cookies on your site and what information they are generating.
- Get the user’s consent before your company stores a Cookie on their mobile device/computer.
Examples of EU Companies with Cookie Policies and Pop-Ups
One example of a Cookie pop-up notification and page is the European company Exor. If you visit their homepage and scroll to the bottom, you’ll see a message that says,
We’ll go over the policy one more time in case you missed it:
- An explainer of what Cookies are and the types of Cookies being used on your site or app.
- An explainer on the types of Cookies your site is using.
- How your site is using the Cookies.
- How your customers/users can disable or manage the cookies either on their laptop or a mobile device.
When discussing Cookie policies, it is important to mention that it is also best practice to make sure you highlight the types of Cookies you are using on your site. Transparency is key. The three different types of Internet Cookies as compiled by Rocket Lawyer include the following:
- Session Cookies – these are typically known as temporary Cookies that help websites track user activity during a specific session. If the user drifts or goes to another website, the cookies are deleted. They are also commonly used on ecommerce sites.
- Persistent Cookies – These are also known as “permanent Cookies.” Think of it as a more long-term Cookie that stays even after you close the website. It can remember login information so a user doesn’t have to constantly type out everything all the time.
- Third-Party Cookies – These are generally installed by third parties (advertisers) that hope to learn more from users in terms of online behavior, spending habits, etc.
- Flash Cookies – These Cookies generally stay on a user’s computer permanently. They can remain on a user’s device long after all other cookies have been deleted.
- Zombie Cookies – These Cookies can be a nuisance to some users. The Cookie can be created again even after a user disables or deletes them, making them difficult to manage.
Although the Cookie Law applies specifically to EU companies, you should always err on the side of caution. It doesn’t hurt to set aside some time with your team to discuss the Cookies that are being used and whether a web developer can create a page explaining Cookie Policies to users.
If you’re an EU company, you can check to see if your website is compliant with Cookies and Online Tracking procedures here. Take a look at Shell’s Global Privacy Page here, which shows what the company does with personal data.
As a company, you can consider installing a pop-up Cookie consent notification that can be easily located at the bottom or top of the homepage, depending on your preference. According to Cookiebot, a Cookie consent banner is “the cookie warning that pops up on websites when a user first visits the site.” The consent banner should be simple and easy to find, with wording that is uniquely generated and not copied from another site.
Examples of Pop-up Notifications
An example of another pop-up notification warning for Cookies is seen on the US Shell website. Notice that pop-up notifications for Cookies immediately come up and are visible and easily accessible on the main homepage. There should be a quick paragraph explainer about how the Cookies on your page are used, including a link to Cookie Consent along with a button to “Accept” where users can click to approve and send in their consent.
In a nutshell, the Cookie warning lets the user know that there are Cookies and Tracking in place on a website or app. Of course, the warning also lets users review the Consent page and click to consent to the use of their data.
Cookiebot reports that consent banners initially began showing up on every EU company website after the “Cookie Law” went into effect shortly after 2002.
If you are a U.S. company, it is truly up to you whether you would like to model the disclaimers that other EU sites use (you will have to create your own, non-technical wording; you can use other sites as models, but do not copy the text).
If you decide to create a policy page, showing transparency about data could boost company morale and help users feel more at ease. Understand that if you are a US company, you don’t have to worry about the Cookie law unless you start to have an audience or traffic from EU users.
Not Complying or Reading up on the EU Cookie Law
Remember, if you are a US business or company that receives traffic or stores data from EU visitors, you are required to follow GDPR requirements and protocol. If you do not properly disclose this, your US website might risk financial or legal penalties and fines, according to CMDS Online. Make sure you post a Cookie consent pop-up if your website is receiving traffic from or targeting EU visitors.
CMDS Online writes, “the physical location of an organization does not impact GDPR compliance; it is the physical location of the individual whose data is being collected, processed, or stored that matters. Even if you’re a US company, chances are probably that you have European Union residents in your database.”
Additionally, please remember that GDPR, or the General Data Protection Regulation, applies “to any organization that collects and stores personal data on European Union users on their websites.” This law went into effect on May 25, 2018.
According to CMDS Online, any US websites that are found collecting information or data from EU citizens will be held accountable. This is why it’s crucial to read up on the Cookie Law and figure out if your website is storing data from EU residents. If so, you need to comply and make sure you:
1.) Ask for consent.
3.) Create a space where users can disable or delete Cookies.
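The following JavaScript is an added example, not code from the article or from any of the sources it cites; it runs in Node without a browser. It puts the session-vs-persistent distinction from the cookie-types list above, and the consent checklist just given, into working code: it parses Set-Cookie headers, classifies each cookie’s lifetime by its Max-Age/Expires attributes, withholds every non-essential cookie until the user has consented to its category (the “Accept” step behind a consent banner), and reports which hardening attributes a cookie lacks. The cookie names, the category table and the sample headers are all constructed for this example.

```javascript
// Added example (not from the article): parse Set-Cookie headers, classify
// each cookie as session or persistent, gate non-essential cookies on the
// user's recorded consent, and flag missing hardening attributes.
// Cookie names, categories and sample headers below are constructed.

// Parse one Set-Cookie header value into its name, value and attribute map.
// Attribute names are lower-cased; attributes without a value map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue = '', ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = (eq === -1 ? nameValue : nameValue.slice(0, eq)).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Session vs persistent: a cookie is persistent only when it carries a valid
// Max-Age or Expires; Max-Age wins when both are present (RFC 6265). A zero or
// negative Max-Age, or an Expires in the past, tells the browser to delete it.
function cookieLifetime(header, now = Date.now()) {
  const { attrs } = parseSetCookie(header);
  if ('max-age' in attrs) {
    const seconds = parseInt(attrs['max-age'], 10);
    if (!Number.isNaN(seconds)) return seconds <= 0 ? 'delete' : 'persistent';
  }
  if ('expires' in attrs) {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) return t <= now ? 'delete' : 'persistent';
  }
  return 'session'; // no valid lifetime attribute: cleared when the browser session ends
}

// Constructed policy table: the category of each cookie the site sets.
// Anything not listed is treated as unknown and is never set before consent.
const COOKIE_CATEGORIES = {
  sessionid: 'necessary',      // login session, strictly necessary
  csrftoken: 'necessary',      // request-forgery protection
  cookie_consent: 'necessary', // records the user's own consent choice
  _ga: 'analytics',
  ad_id: 'advertising',
};

// Keep only the Set-Cookie headers whose category the user has consented to.
// `consented` is the list of optional categories accepted via the banner;
// 'necessary' cookies are always allowed, everything else needs consent.
function filterSetCookies(headers, consented) {
  const allowed = new Set(['necessary', ...consented]);
  return headers.filter((h) => {
    const category = COOKIE_CATEGORIES[parseSetCookie(h).name] || 'unknown';
    return allowed.has(category);
  });
}

// Report hardening attributes a cookie lacks. HttpOnly is not required for the
// consent cookie, which the page's own banner script must be able to read.
function missingSecurityAttributes(header) {
  const { name, attrs } = parseSetCookie(header);
  const missing = [];
  if (!('secure' in attrs)) missing.push('Secure');
  if (!('httponly' in attrs) && name !== 'cookie_consent') missing.push('HttpOnly');
  if (!('samesite' in attrs)) missing.push('SameSite');
  return missing;
}

// Demo on constructed headers: what a response would set before and after
// the user accepts analytics cookies in the banner.
const sampleHeaders = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  '_ga=GA1.2.1; Max-Age=63072000; Path=/',
  'ad_id=x9; Max-Age=2592000; Path=/',
  'tracker=y; Max-Age=100',
];
for (const h of sampleHeaders) {
  console.log(parseSetCookie(h).name, cookieLifetime(h), 'missing:', missingSecurityAttributes(h));
}
console.log('before consent:', filterSetCookies(sampleHeaders, []).map((h) => parseSetCookie(h).name));
console.log('after accepting analytics:', filterSetCookies(sampleHeaders, ['analytics']).map((h) => parseSetCookie(h).name));
```

The gate is applied on the server side, to the headers a response is about to emit, rather than by asking a banner script to delete cookies after the fact: a cookie that was never sent cannot leak, and a third-party cookie set by an embedded script is simply not loaded until its category is accepted.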
So in a nutshell, just because your business or company is not physically in the EU, it doesn’t necessarily mean that these laws do not apply to you. Make sure you do your research and consult with your web development and legal team for more information on how to protect your company from legal fines and penalties.