GDPR, CCPA, Privacy, and Cookie Consent Management

Cookies support your customer’s experience from assisting with passwords to suggesting relevant products. Cookies also power your website analytics. However, as the regulatory landscape is constantly shifting, implementing cookies means keeping up with compliance requirements. This article provides a Cookie and Consent Management 101.

Image introducing Cookie and Consent Management in the new regulatory environments

The last decade has seen a significant shift in how companies interact with user data and in users’ rights and expectations. It is hard to believe that in the early 2000s, websites were invisibly dropping cookies on browsers without any kind of notification to the users. The way most people found out about them was through tech magazines! 

In the current digital era, it’s not only common courtesy to solicit informed consent from your users about how much data you’re collecting and what you do with it, but it is also the law in most countries. Failure to comply with regulations such as GDPR and CCPA may result in serious penalties.

Here’s a brief overview of your user’s rights:

  • Users should be given the option to opt-in or opt-out of allowing you to store personal data (including behavioral data).
  • User consent requires GDPR- and CCPA-compliant Consent Management systems to store these details. 
  • Users hold the right to request or delete the information that companies have collected or stored about them.

What Do Cookies Achieve?

Image of filing system as a metaphor for Cookie storage for consumer tracking

Companies collect user data on their website to understand more about their user’s pain points or interests; or to give visitors a personalized and meaningful user experience. A personalized experience leads to higher user engagement and satisfaction on the website and hence helps to improve conversion rates.

This data is collected through the use of cookies. Cookies are not designed to be human-readable. Once their data is collated, however, they provide interesting and useful information, especially when users visit the website again. 

Cookie Categorization

Different types of cookies perform different functions, and these may be categorized based on the type of function they perform. Let’s consider the top categories of cookies:

 

Analytics Cookies

Analytics cookies, or first-party cookies, track users as soon as they visit any website that has a valid analytics tool implemented on it. Cookies are browser-specific, so if the user returns to the website via another web browser, then a new set of cookies will be associated with that user’s browser.

For example, Google Analytics is a major player in the cookies market. It provides a powerful and widely-used analytics tool. The beauty of this tool is that it's available for free (except Google's enterprise version, GA360), which is why it's the market leader among analytics tools.

So, whenever a user visits a website that's monitored by Google Analytics, a cookie called _ga will be dropped in the browser's storage. This cookie will collect basic details about the user who is visiting the website, such as IP address, device time, time zone, geographical location, device type (desktop, mobile, tablet), website page(s) visited, source of the traffic (direct, or search engines), and more.

As a side note, no analytics tool stores any user-specific personal details (AKA PII) unless it is specifically configured to capture such data. 

Here is the cookie created when a user visits our website, e-cens.com. 

Image shows cookies stored for a unique instance of a user for tracking customers on a website

Note that the ID highlighted in the snapshot is unique to each user who visits a given website.

Marketing Cookies

Marketing cookies, also known as third-party cookies, track user behavior across multiple web domains. Marketing cookies are called third-party cookies because they're set by another service provider that doesn't own the original website. For a long time, third-party cookies were the de facto standard for web marketing, but public opinion has shifted toward privacy rights, and the law has followed.

For example, Facebook's marketing department applies third-party cookies when users visit an advertiser's website via a Facebook ad. If the advertiser has installed Facebook-provided code (the Pixel), the third-party cookie will track the user's actions throughout the advertiser's website, and this user-behavior information is pushed back to Facebook's servers. Later, Facebook will use this information to track users across the web (wherever Facebook products are used, including the Like button or other Facebook technologies). This allows the marketing department to push the most relevant marketing messages or promotions to that user.

This explains how Facebook uses cookies to collect the details about the choices users make on any website. However, Facebook is bound by its Data Policy when processing this data. 

Safari and Firefox already block third-party cookies by default, and Google's Chrome will follow suit in a phased approach. You may have heard of ITP, or Intelligent Tracking Prevention: it's a feature added to the Safari browser that restricts user tracking via cookies. Chrome and Firefox are also implementing their own tighter cookie-tracking policies.

This is a major concern for companies that have adopted third-party cookies as an integral component of their marketing strategies. This will heavily limit their possibilities for tracking their users through most third-party marketing platforms. Companies must adopt alternative methods such as Customer Data Platforms or CDPs to track user behavior and build individual user profiles.

Functional Cookies

These cookies are a variant of first-party cookies. However, their major use is to support other functionalities of the website. Functional cookies are not primarily responsible for collecting user details or pushing them to any third-party platforms.

Functional cookies generally fall outside the scope of cookie regulatory compliance. In general, there is no need to request user permission, nor is there any need to describe them in your cookie policy. Best practice, however, is to solicit user consent and to describe how you use them in your cookie policy.

For example, suppose you visit a website that offers content language preferences and you choose English. If, the next time you visit, the site says "Welcome Back!" and presents the content in English by default, then the website used functional cookies to remember who you were and your language preference.

GDPR, CCPA, POPIA – Regulatory Compliance and Requesting User Consent

Image metaphor for Regulatory Compliance of cookie management

You may be thinking more about users' rights with regard to cookies thanks to South Africa's Protection of Personal Information Act 2013 (POPIA), the European Union's General Data Protection Regulation 2018 (GDPR), Bahrain Law No. 30 of Personal Data Protection 2018 (PDPL), and California's Consumer Privacy Act 2020 (CCPA). These all regulate the protection of personal information, and they made a big media splash in the privacy space. Many other regions and countries are on their way to joining the 'defend users' personal information and data protection' club very soon.

However, you may not be aware that your obligation to store cookies securely and responsibly is quite old at this point: it originated in European law, the ePrivacy Directive, originally passed in 2002!

The only cookies you don’t need consent to store are the ones mentioned above that are crucial to the functionality of the site (with the caveat that best practice is obtaining user consent as well as to describe these cookies in your cookie policy). 

As regulatory compliance around the collection of users' personal information and data protection tightens, it is, in practice, compulsory to implement a proper Consent Management process or tool that clearly notifies and informs users about your cookie policies.

For example, if you have targeted an audience from the EU, you must show the user exactly what data you store about them, and you must provide them the option to opt-in or opt-out.

So, in general, you have a couple of ways that you can design your Consent Manager.

1. Never Ask

This is the “old way” of doing it, and the one that, let’s be clear, runs you the risk of a cease-and-desist in many jurisdictions. This includes wording such as “use of this site constitutes an agreement to collect and store cookies…”

2. Allow Users to Opt-out

With this method, site visits trigger a popup with a pre-checked box or something similar, saying that, in essence, cookies will be used unless the box is unchecked. Pre-checked consent boxes also fall under the designation of unacceptable privacy violations.

3. Ask Users to Opt-in

This is the method promoted by privacy advocates and mandated by GDPR: you store no cookies by default and only store them if the user checks the box allowing you to do so. Best practice is an interface that provides a clear "I opt-in" or "I opt-out" selection for the user to check.

Image shows the opt in and opt out screen for cookie consent management

How to Set Up Consent Management for Your Website

There are multiple ways to set up a Consent Manager on any desktop or mobile website and also on mobile applications. These include:

  • Build

Website owners can build their own solution to manage the collection, storage, and use of user consents on their own servers. However, this is rarely a good choice for many businesses (whether small, mid-sized businesses, or even enterprises) for myriad reasons, including cost, time, and solution quality.

  • Buy

Many Consent Management solutions are readily available in the market, and companies can buy an affordable, yet suitable, solution to address their needs and can implement the solution as-is.

  • Customize

Alternatively, companies may buy a readily-available Consent Management solution and then customize the solution based on their own business or UX/UI needs.

Whatever route you choose, the process you follow to make your Consent Manager Implementation project successful will probably follow this typical path: 

As this path represents the actual process you are likely to need to undertake, we will consider those factors that are vital to your success.

Consent Manager Solution Selection

This is THE MOST IMPORTANT phase in the Consent Manager implementation process, as all planning and decision making for all What, Where, When, How, and For Whom questions will be made in this phase.

“Greater and in-depth planning brings satisfactory results with minimum efforts.” – by Unknown

While dealing with data privacy issues, it's advisable to work with a partner or vendor who has prior experience with Consent Manager implementations.

Set up Front- and Back-ends

Front-end setup refers to modifying what is presented to the users of the website or application. This can be as simple as a banner informing visitors of their opt-in and opt-out choices for cookies, or as complex as an analytics panel displaying real-time metrics on users' behavior.

The back-end is what users never have to look at – it is the core code and functionality of the Consent Management system as it integrates with your own website or application. 

Naturally, during this setup process, it is critical that your solution consultants work closely with your developers.

As a standard practice, the whole Consent Management solution should first be implemented and tested in the staging or development environments. Only after robust testing is complete should you consider pushing the Consent Management system to the production environment.

Consent Data Storage

This is another important step of the Consent Manager Implementation. You need to properly and securely save the user consent data for any future needs. Under most data privacy laws, users have the right to ask companies about what data and information the business stores about them and to demand that it is removed. In such scenarios, you will be able to address their needs only if you have properly stored and structured the user consent data.
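As an added example (not code from the article or from e-CENS), the following JavaScript sketches the core of a consent manager that implements the opt-in design from option 3 above (nothing but functional cookies until the user actively checks a box) and the structured consent record this section calls for, so that access and erasure requests can be answered. The class name, record layout and the rule that a new policy version invalidates old consent are assumptions.

```javascript
// Added example, not from the original article. Category names follow the article's
// cookie categories; the record layout and policy-version rule are assumptions.
const CATEGORIES = ["functional", "analytics", "marketing"];

// Functional cookies need no consent; everything else is denied until the user opts in.
function defaultConsent() {
  return { functional: true, analytics: false, marketing: false };
}

class ConsentStore {
  constructor(policyVersion) {
    this.policyVersion = policyVersion;
    this.records = new Map(); // userId -> consent record
  }

  // Record an explicit choice. Only boxes the user actively set to true are honoured,
  // so a pre-checked or absent value never grants consent (option 2 is rejected by design).
  recordConsent(userId, choices, now = new Date()) {
    const consent = defaultConsent();
    for (const c of CATEGORIES) {
      if (c !== "functional" && choices[c] === true) consent[c] = true;
    }
    const record = { userId, consent, policyVersion: this.policyVersion, recordedAt: now.toISOString() };
    this.records.set(userId, record);
    return record;
  }

  // Gate to call before dropping a cookie or loading a tag for this category.
  // Consent given under an older cookie policy does not carry over; the user is asked again.
  isAllowed(userId, category) {
    if (category === "functional") return true;
    const rec = this.records.get(userId);
    return rec !== undefined && rec.policyVersion === this.policyVersion && rec.consent[category] === true;
  }

  // Access request: everything stored about this user, as a copy.
  exportForUser(userId) {
    const rec = this.records.get(userId);
    return rec ? JSON.parse(JSON.stringify(rec)) : null;
  }

  // Erasure request: forget the record; later checks fall back to deny.
  eraseUser(userId) { return this.records.delete(userId); }

  updatePolicy(newVersion) { this.policyVersion = newVersion; }
}

// Trackers that may run for this user: _ga needs analytics consent, the Pixel needs marketing consent.
function tagsToLoad(store, userId) {
  const tags = [];
  if (store.isAllowed(userId, "analytics")) tags.push("google-analytics");
  if (store.isAllowed(userId, "marketing")) tags.push("facebook-pixel");
  return tags;
}
```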

Testing and Validation 

Testing and validation are undoubtedly among the most important phases of any solution implementation. It is vital to verify that the implementation meets business needs. Robust testing is required of both the front- and back-end setups of the Consent Management system as well as of the consent data storage and processing infrastructure.

And Finally

As Consent Management tools go through regular cycles of product enhancements and updates, you must stay current. Vendors upgrade their Consent Manager implementations to meet the latest regulatory standards, empowering you to remain compliant.

Conclusion

Correctly implementing cookies on your website requires a well-thought-out strategy that meets your business requirements and should be supported with robust tools. 

When utilized properly, cookies can add to a meaningful user experience without encroaching on a user's right to privacy. Cookie mismanagement can lead to significant penalties or loss of revenue. Consider the famous example of the Los Angeles Times, which blocked readers from the European Union because it failed to set up the consent infrastructure in time to comply with GDPR.

Stay current, stay safe, and keep your cookie jar full.

 

Disclaimer – Declaration of interest

We are not impartial observers of this process. Here at e-CENS, we are Consent Management specialists, offering expertise in selecting and tailoring Consent Management solutions on behalf of our clients.

Identifying the right tool for you

We understand our clients' Consent Management needs and help companies choose the solution that is the best fit for them.

Identifying the regulatory environment

We have a deep understanding of the regions our clients target and the unique regulatory environment of each.

Integrating with existing infrastructure

We understand our clients' existing data sources, tools, and technological infrastructure. Implementing a Consent Manager is not always a simple process that immediately works with every technology, so we analyze your website or mobile application's structure and determine how best to integrate your Consent Manager.

Managing your user data

Next, we reach an understanding of how the user consent data will be stored and for how long. This data is a critical part of the privacy equation and needs to be handled with care.

Would you like support? We are here to assist with your Consent Management. e-CENS can help you apply best practices and solutions to store, structure, and process user consent data, and make it GDPR and CCPA compliant.

When you put your Consent Management into the hands of our professional team here at e-CENS, you get the best implementation in place. You won’t risk serious fines through non-compliance. You won’t have to wrestle with a management system that doesn’t integrate well with your website or business needs. We are here to smooth your Consent Management journey.