
Best Practices for Using Cookies and Cookie Consent

Annie Greenley-Giudici

Websites today are rarely a single-party affair. On any given website, consumers typically interact with many third parties that collect private data about them, whether web visitors realize it or not.

Organizations that do so without first collecting cookie consent from users may find they aren’t in compliance with privacy laws.

What are internet cookies?

Internet cookies – little data files – store information in consumers’ web browsers. There are benefits for consumers who accept cookies.

For example, cookies let websites remember past interactions, website logins, shopping carts, pages visited, and more, offering more personalized and convenient website visits.

But not all cookies are the same, and there are privacy issues that businesses collecting data need to be aware of.

What are the different types of cookies?

First-party and third-party cookies

First-party cookies are stored by the website domain consumers visit. They only work on that domain.

First-party cookies make the consumer experience smoother by remembering information such as login details, cart information, and site preferences.

Third-party cookies come via external domains that aren’t the website users have visited.

They can follow consumers from site to site, with each site using the information stored in the cookies to retarget users.

Permanent cookies and session cookies

Permanent or persistent cookies stay in your browser for an extended period of time, over multiple browser sessions.

Session cookies, in contrast, expire as soon as the browsing session is over.

What are the privacy risks if cookie consent is not managed properly?

When third parties collect consumer data through technologies not readily apparent to consumers, like cookies, it creates privacy risks because consumers are unable to make informed decisions about their data.

Government regulators around the world have established regulations and laws governing this type of data collection.

It’s important for companies to fully understand how they use cookies, what third parties collect data on their site, and how they and these third parties collect and use this data.

What are the laws and regulations around cookies?

A number of laws regulate how third parties collect data online.

In the EU, the Cookie Law (aka ePrivacy Directive) and General Data Protection Regulation (GDPR) protect consumers’ privacy rights by allowing them to choose whether to allow companies to collect, store, and use their personal information.

Together, these two laws form the world’s strictest data privacy regime. 

While there is no equivalent overarching law in the U.S., a number of states have implemented laws regulating cookie usage as it relates to their residents. These include the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA).

What should I know when using internet cookies?

Cookies can be an effective way to target consumers. However, it could be detrimental to your business if you don’t manage cookie consent and private data correctly.

There are a number of best-practice steps you should be aware of when choosing how to employ cookie technology on your website:

  • Classify your cookies, and use a unique domain name per technology, such as HTTP cookies, web beacons, JavaScript, and Flash LSOs. This separates online behavioral advertising practices from those that are not online behavioral advertising.
  • Have a clear and simple opt-out policy:
    • Use the same cookie name per opt-out mechanism. For example, the opt-out cookie set for the DAA opt-out mechanism has the same name as the cookie set for the NAI opt-out mechanism.
    • Cookies used to manage opt-out preferences need to have a minimum expiration date of five years to adequately honor user preferences.
    • Your opt-out mechanisms need to be tested regularly to verify that they function properly.
  • Establish strict policies around data retention:
    • Retain data only as long as needed to carry out its business purpose, or as long as legally required.
    • Where possible, use session cookies instead of persistent cookies. Give users a choice, where appropriate, to accept a persistent cookie (such as a login cookie).
    • When using persistent cookies, set an expiration date consistent with the shelf life or usefulness of the data you collect.
  • Audit, understand and review cookie use:
    • Audit the use of cookies on your site and how you use cookies on third-party sites.
    • Verify that the use of cookies is consistent with your privacy policy or the privacy policy of the third-party site where your cookies are placed.
    • Verify that third parties setting cookies on your site are authorized to do so.
    • Understand what types of third parties set cookies on your site and the purpose of those cookies.
    • Verify that third parties aren’t collecting data in a manner inconsistent with your own privacy policy.
    • Understand what data is being captured on the cookie. Cookies shouldn’t store sensitive information such as credit card numbers.
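Several of the audit items above can be checked mechanically against the Set-Cookie headers your pages and their third parties return. The following Python is an added example, not code from the original article: it flags unauthorized third-party setters, opt-out cookies that last less than five years, persistent cookies, and card numbers stored in cookie values. The opt-out cookie name `optout`, the allowlist entry `cdn.example`, the sample hosts and the fixed clock are assumptions, and the first-party test is a plain suffix match with no public-suffix list.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

FIVE_YEARS = timedelta(days=5 * 365)             # minimum opt-out lifetime from the checklist
OPT_OUT_NAME = "optout"                          # assumed name; substitute your opt-out cookie
AUTHORIZED = {"cdn.example"}                     # assumed allowlist of approved third parties
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the constructed samples

def luhn_ok(digits):  # Luhn checksum, which valid payment card numbers satisfy
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_set_cookie(header):  # -> (name, value, lower-cased attribute dict)
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value.strip(), attrs

def lifetime(attrs, now):  # timedelta, or None for a session cookie
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def audit(site_host, setter_host, header, now):  # findings for one observed header
    name, value, attrs = parse_set_cookie(header)
    domain = (attrs.get("domain") or setter_host).lstrip(".").lower()
    life, findings = lifetime(attrs, now), []
    # Simplified party test: the cookie domain must equal or be a parent of the site host.
    if not (site_host == domain or site_host.endswith("." + domain)):
        findings.append("third-party" if domain in AUTHORIZED else "unauthorized-third-party")
    if name == OPT_OUT_NAME and (life is None or life < FIVE_YEARS):
        findings.append("opt-out-too-short")
    elif name != OPT_OUT_NAME and life is not None:
        findings.append("persistent")
    if any(luhn_ok(m) for m in re.findall(r"\d{13,19}", value)):
        findings.append("card-number-in-value")
    return findings

SAMPLES = [  # constructed (site host, setting host, Set-Cookie value) observations
    ("shop.example", "shop.example", "sid=abc123; Path=/; HttpOnly"),
    ("shop.example", "ads.tracker.example", "uid=4111111111111111; Domain=tracker.example; Max-Age=31536000"),
    ("shop.example", "shop.example", "optout=1; Expires=Fri, 01 Jan 2027 00:00:00 GMT")]
if __name__ == "__main__":
    print([audit(*s, NOW) for s in SAMPLES])
```

Feed it the headers captured from a crawl of your own pages, and review every `persistent` finding against the retention period you have documented for that cookie.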

What do I need to let consumers know about cookies?

When you’re using cookies on your site, it’s important to:

  • Disclose in your privacy policy what information cookies and other technologies collect, and how that information is used.
  • Disclose the types of cookies being used on your site. Organize them by their purpose.
  • Explain what options users have when it comes to your company’s use of cookies, such as opting out of tracking.
    • You should also state what opt-out choices are available.
  • Multi-site trackers should require publishers and sites within their network to disclose via their privacy policies that a third party will be tracking a user’s activity on this and other websites.
    • They should also provide a link to an opt-out mechanism.
  • Where possible, provide notice outside of the privacy policy, using tools such as the AdChoices icon.

How do I let web visitors know about cookie use?

Your cookie consent pop-up notification message should appear when new users visit your site. Most site development tools allow you to generate cookie pop-ups, while also giving users the option to customize their data sharing.

Make sure you inform users of all the types of cookies you’ve employed previously, too.

Will internet cookies be a thing in the future?

Google has flip-flopped on its announcement to phase out the use of third-party cookies in 2024. In a significant shift from previously communicated plans and strategy, on July 22nd, 2024, Google announced that it would no longer be phasing out support for third-party cookies in its Chrome browser. Find out what that means for your business.
