The following article explains what the General Data Protection Regulation (GDPR), the ePrivacy Directive (the "Cookie Law"), and the California Consumer Privacy Act (CCPA) mean for your cookie usage and for obtaining cookie consent.
Many modern websites have dozens of active cookies and online tracking tools in use. But what exactly does that mean for website users' privacy?
If you have a website with visitors from the EU or California, you need a cookie consent notice to comply with these laws.
Otherwise, you may face penalties of up to €20 million (or 4% of global annual turnover, whichever is higher) under the GDPR.
Don't worry; we will take it step by step, so let's begin!
A cookie is a small text record that a website stores in the user's browser. The browser sends it back with every later request to that site, which is what lets the site remember the user or the session.
Cookies are commonly classified along two axes: by who sets them (first-, second- and third-party cookies) and by how long they live (session, persistent and browser-independent cookies). Each kind is explained and exemplified below.
First-party cookies are cookies set by the domain the user is visiting.
For example, when you open popupsmart.com in a browser, our web infrastructure sets cookies in your browser so that we can recognize you on later requests and provide a good user experience.
Browsers accept first-party cookies by default, since their primary purpose is customization and a better user experience. Third-party cookies, by contrast, are now blocked or partitioned by default in Safari and Firefox.
They allow website owners to:
Gather analytical data,
Remember language settings,
Keep users logged in as they move between pages.
Third-party cookies refer to cookies created by domains other than the one a visitor is browsing on. These cookies are mainly used for tracking and digital advertising purposes.
For example, a live-chat widget embedded on a site is served from the chat provider's domain, so the cookies it sets are third-party cookies. The next time you visit the same website and open the chatbox, the widget recognizes you and restores your name and your previous conversation.
Or you visit Amazon and view a product, and an ad network embedded on the page records that activity in its own cookie. When you later visit eBay, which embeds the same ad network, the network reads its cookie there and shows you ads for a similar product.
Other third-party services that set cookies include ad-retargeting service providers.
Technically, a first-party and a third-party cookie are the same kind of object: both can store the same information and perform the same functions. The difference is who receives it. A first-party cookie only travels between your browser and the site you are on, whereas a third-party cookie is sent back to the third party from every site that embeds its content, which is what makes cross-site tracking possible.
Second-party cookies, on the other hand, are first-party cookies whose data is transferred from one company to another under a data partnership.
For instance, an airline could sell the data from its first-party cookies to a hotel chain so that the hotel chain can use its target audience's browsing behavior and advertise accordingly.
However, buying or selling second-party cookie data is an ethically questionable way to collect information about your prospects, and under the GDPR it needs its own legal basis, because the user consented to the airline, not to the hotel chain.
Session cookies are temporary cookies that store information about your current session and are discarded when the browser is closed.
They are the least likely to raise privacy concerns, and those that keep a login or a shopping cart working usually fall into the "strictly necessary" category (the exemption depends on the cookie's purpose, not merely on its lifetime).
This is why your bank recommends closing the browser window after you log off: closing it removes the session cookies. Note that a browser configured to restore the previous session on start-up may keep session cookies alive, which is one more reason to log out explicitly rather than rely on closing the window.
Permanent cookies are written to your device's storage and are not deleted when you close the browser. They are also called "persistent cookies" or "stored cookies". A cookie becomes persistent when the server gives it an Expires date or a Max-Age.
They are the type of cookie that raises most of the privacy concern over cookies.
However, they are handy for providing a customized user experience, analyzing return-visitor behavior, and advertising to the right prospects, because permanent cookies keep their information until the expiry date the site chose. Browsers increasingly cap that lifetime; Chrome, for example, limits it to 400 days.
Browser-independent cookies behave like permanent cookies but differ in that they are not stored in the browser's cookie jar.
Instead, they live in other storage or in separate program files, which makes them harder to delete unless the user installs a dedicated removal tool.
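To make the two classifications above concrete, here is an added example (not from the original article) that classifies cookies straight from HTTP Set-Cookie headers: first-party or third-party by comparing the cookie's domain with the site the user is on, and session or persistent by whether the header carries Max-Age or Expires. The hostnames and headers in the sample are constructed for the example, and the "last two labels" notion of a site is a simplification that a real audit should replace with the Public Suffix List.

```javascript
// Added example (not from the original article): classify cookies from
// Set-Cookie headers by party (first vs third) and lifetime (session vs
// persistent), the two axes used in the text. Runs under Node or in a browser console.

// Simplified "site" = last two labels of the host. This is an assumption for
// the example; a real audit tool should use the Public Suffix List, because
// names like "example.co.uk" have three labels.
function siteOf(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Parse one Set-Cookie header into { name, value, attrs } with lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    if (!part.trim()) continue;
    const [k, ...v] = part.trim().split('=');
    attrs[k.toLowerCase()] = v.length ? v.join('=').trim() : true;
  }
  return { name, value, attrs };
}

// Classify a cookie set by `setterHost` while the user is on `pageHost`.
// `now` is the reference time used to evaluate Expires (defaults to Date.now()).
function classifyCookie(pageHost, setterHost, header, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  // A Domain attribute widens the cookie to that domain and its subdomains;
  // without it the cookie is host-only for the server that set it.
  const rawDomain = typeof attrs.domain === 'string' ? attrs.domain : setterHost;
  const domain = rawDomain.replace(/^\./, '').toLowerCase();
  const party = siteOf(domain) === siteOf(pageHost) ? 'first-party' : 'third-party';

  // Max-Age takes precedence over Expires (RFC 6265 section 5.3).
  // No lifetime attribute at all means a session cookie.
  let lifetime = 'session';
  let expiresAt = null;
  if (attrs['max-age'] !== undefined) {
    const secs = parseInt(attrs['max-age'], 10);
    expiresAt = now + secs * 1000;
    lifetime = secs <= 0 ? 'expired' : 'persistent';
  } else if (typeof attrs.expires === 'string') {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) {
      expiresAt = t;
      lifetime = t <= now ? 'expired' : 'persistent';
    }
  }

  // Security attributes worth recording in an audit. A third-party cookie can only
  // be sent in cross-site requests when SameSite=None, and browsers require that
  // to be paired with Secure. Chrome treats a missing SameSite as Lax.
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : 'lax';
  const secure = attrs.secure === true;
  return {
    name, party, lifetime, expiresAt, domain, sameSite, secure,
    httpOnly: attrs.httponly === true,
    crossSiteCapable: sameSite === 'none' && secure,
  };
}

// Constructed sample: a user on shop.example.com gets responses from its own
// origin and from an embedded ad network. Both hostnames are hypothetical.
const NOW = Date.parse('2024-01-01T00:00:00Z');
const SAMPLE = [
  ['shop.example.com', 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['shop.example.com', 'lang=en; Max-Age=31536000; Domain=.example.com; Path=/'],
  ['ads.tracker-example.net', 'uid=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure; SameSite=None'],
  ['ads.tracker-example.net', 'tmp=1; Path=/'],
];

function auditSample(pageHost = 'shop.example.com') {
  return SAMPLE.map(([setter, hdr]) => classifyCookie(pageHost, setter, hdr, NOW));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of auditSample()) {
    console.log(`${c.name.padEnd(10)} ${c.party.padEnd(12)} ${c.lifetime.padEnd(11)} ${c.domain}`);
  }
}
```

Run it with node to print the table; in a real audit, feed it the Set-Cookie headers captured from an intercepting proxy or the browser's network panel. The crossSiteCapable flag is the one to watch: a third-party cookie can only perform cross-site tracking if it is both SameSite=None and Secure, which is exactly how advertising cookies are set.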
Tracking cookies on websites can record users' browsing habits, which products they view and what they purchase.
Cookies are useful for businesses because they let e-commerce websites and service providers reach prospects quickly and tailor advertising messages to the prospects' browsing behavior.
Many internet users find this convenient too: they see ads relevant to what they were already considering buying and find solutions to their problems more quickly.
However, some website owners misuse cookies for their own gain at the expense of web users' rights.
Therefore, regulators decided that internet users need the right to understand which cookies the websites they visit use, and how.
At the same time, regulators exempt cookies that are "strictly necessary" to fulfill a request the visitor has made from the consent requirement.
The strictly necessary exemption is especially important for online retailers.
The exact scope of "strictly necessary" is not sharply defined. A useful test is whether the cookie is needed for something the visitor has explicitly asked for.
If a customer declines optional cookies but still expects to see the items she placed in her shopping cart earlier in the visit, the cookie that holds the cart can be used without consent.
Another instance is avoiding a fresh login on every page a user opens on a site such as Facebook. Would a user want to stay logged in as she moves from page to page? Almost certainly, yes. So the session cookie that keeps her logged in can be considered strictly necessary.
Let's have a look at what privacy regulators require before they consider a cookie popup compliant.
Remember that you only need to ask for cookie consent the first time a user visits your site. The choice itself is stored, typically in a first-party cookie that is strictly necessary, so the banner recognizes return visits and does not ask again until the consent expires or your cookie usage changes.
You can check whether your cookie consent popup meets the requirements below. The popup must:
Contain specific information about the types of data collected,
Present clear information about the purposes of the cookies,
Explain the tracking technologies in use on the website,
Request consent before any non-essential cookie is set in the user's browser,
Clearly state which action signifies consent,
Let users opt in to or out of each category of cookies,
Allow users to change their choices at any time,
Let users withdraw their consent whenever they want.
Regulators also expect consent to be refreshed periodically; 12 months is the interval most commonly recommended, and you must ask again whenever your cookie usage changes.
Because the cookie laws do not let you set non-essential cookies before obtaining consent, the scripts that set them (analytics tags, advertising pixels) must not run until consent has been recorded. I recommend a consent manager that loads these scripts in an inert form and activates only the categories the user has accepted.
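As an added example (not Popupsmart's code), here is the consent-gating logic a banner needs: the user's choices are kept in a first-party consent record, nothing is pre-selected, scripts tagged with a cookie category are activated only for the categories that were accepted, and the record is treated as stale after 12 months or when the cookie policy version changes, so the banner is shown again. The category names, the data-cookie-category attribute and the script URLs are assumptions made for the example.

```javascript
// Added example (not Popupsmart's code): consent-gated script activation.
// Non-essential scripts ship inert as <script type="text/plain"
// data-cookie-category="..."> and are only activated for categories the user
// affirmatively accepted. The consent record itself lives in a first-party
// cookie and counts as strictly necessary.

const CATEGORIES = ['analytics', 'marketing'];    // assumed category names
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;  // re-ask after 12 months
const CONSENT_VERSION = 1;                         // bump whenever cookie usage changes

// Default state: nothing pre-ticked, so a user who never interacts consents to nothing.
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Build a consent record from the user's explicit choices (a button click or form submit).
// Only a literal `true` counts as acceptance; anything else is treated as refusal.
function recordConsent(choices, now = Date.now()) {
  const categories = defaultConsent();
  for (const c of CATEGORIES) categories[c] = choices[c] === true;
  return { version: CONSENT_VERSION, ts: now, categories };
}

// The banner must be shown when there is no record, the record is older than the
// TTL, or it was given under an earlier version of the cookie policy.
function needsPrompt(record, now = Date.now()) {
  if (!record || typeof record.ts !== 'number') return true;
  if (record.version !== CONSENT_VERSION) return true;
  return now - record.ts > CONSENT_TTL_MS;
}

// Unknown or stale consent is treated as refusal, never as acceptance.
function isAllowed(record, category, now = Date.now()) {
  if (needsPrompt(record, now)) return false;
  return record.categories[category] === true;
}

// Given the inert script descriptors on the page ({ src, category }), return those to activate.
function scriptsToActivate(scripts, record, now = Date.now()) {
  return scripts.filter((s) => isAllowed(record, s.category, now));
}

// Store the record in a first-party cookie and read it back from a Cookie header string.
function serializeRecord(record) {
  const maxAge = Math.floor(CONSENT_TTL_MS / 1000);
  return `cookie_consent=${encodeURIComponent(JSON.stringify(record))}; Path=/; Max-Age=${maxAge}; SameSite=Lax; Secure`;
}
function parseRecord(cookieHeader) {
  const m = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || '');
  if (!m) return null;
  try { return JSON.parse(decodeURIComponent(m[1])); } catch { return null; }
}

// Browser glue (a no-op where there is no DOM): replace each inert tag whose
// category is allowed with a real script element so the browser executes it.
function activateInDom(record) {
  if (typeof document === 'undefined') return 0;
  let activated = 0;
  for (const el of document.querySelectorAll('script[type="text/plain"][data-cookie-category]')) {
    if (!isAllowed(record, el.dataset.cookieCategory)) continue;
    const s = document.createElement('script');
    if (el.src) s.src = el.src; else s.textContent = el.textContent;
    el.replaceWith(s);
    activated++;
  }
  return activated;
}

// Constructed sample scripts (hypothetical URLs).
const PAGE_SCRIPTS = [
  { src: 'https://analytics.example/ga.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

if (typeof require !== 'undefined' && require.main === module) {
  const t0 = Date.parse('2024-01-01T00:00:00Z');
  const rec = recordConsent({ analytics: true }, t0);
  console.log(scriptsToActivate(PAGE_SCRIPTS, rec, t0).map((s) => s.src));
  console.log(needsPrompt(rec, t0 + CONSENT_TTL_MS + 1));
}
```

The markup convention this assumes is `<script type="text/plain" data-cookie-category="analytics" src="...">`: a browser ignores a script whose type it does not recognize, so the tag ships inert and activateInDom swaps it for a real script element only after consent. Bump CONSENT_VERSION whenever you add a tracker, so existing visitors are asked again instead of being opted in silently.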
You don't need to build all of this yourself: Popupsmart offers ready-to-use cookie consent popup templates designed to meet these requirements!
In addition, your cookie notice or cookie policy must:
Describe the purpose for which each cookie is installed,
Indicate and explain the types of cookies installed,
Be presented in every language the website is offered in,
Indicate all third parties that can install cookies,
Include links to those third parties' policies,
Have visible opt-out controls.
The General Data Protection Regulation, also known as the GDPR, came into force on 25 May 2018.
The GDPR is the most significant initiative in online data protection in more than 20 years; it replaced the EU's previous data protection law, the Data Protection Directive of 1995.
The GDPR sets strict rules on how users' personal data must be handled and imposes heavy fines (up to €20 million or 4% of global annual turnover, whichever is higher) on organizations that fail to comply.
The primary purpose of GDPR is to keep the EU legislation up to date with the digital age while protecting personal privacy and enabling users to have control over their own personal data.
The GDPR sets out strict requirements on data handling procedures, transparency, documentation, and user consent.
Organizations established in the European Union, and websites elsewhere that offer goods or services to people in the EU or monitor their behavior, are responsible for complying.
Since the GDPR came into force, a bare "accept cookies" popup that offers no real choice is no longer considered compliant.
Let's look at a cookie consent popup that is compliant with the GDPR:
And here is a non-compliant cookie consent popup:
Here the user has no real choice, and there is no direct information about which cookies are set in the browser, where they come from, and what purposes they serve.
Under the GDPR, personal data is any information relating to an identifiable person, such as a name, a photo, an email address, bank details, an IP address, and online identifiers such as cookie IDs (Recital 30).
If you use cookies that track or identify personal data in this sense, you must either remove them or bring your cookie consent in line with the GDPR.
In other words, all cookies that process personal data are subject to the regulation, including:
Cookies for analytics,
Cookies for advertising.
You must also document the personal data your cookies process. In line with the GDPR's record-keeping duties, the record should include:
The name of your company,
The contact details of your business,
The categories of data subjects and of personal data each cookie processes,
The categories of organizations receiving the data,
The retention period after which the data is deleted.
Appointing a data protection officer is not always obligatory; it depends on the type and scale of the data processing.
You need a data protection officer if you, for example:
Process personal data to target search-engine advertising at an audience selected by tracking web users' online behavior on a large scale (regular and systematic monitoring of data subjects).
On the other hand, you don't need a data protection officer if you, for example:
Send an advert to your customers once a year to promote your local business.
The ePrivacy Directive (2002/58/EC) was established to set out rules and expectations for digital privacy, including cookie usage.
It overlaps with the GDPR in scope and adds requirements that protect the confidentiality of web users' electronic communications. It is also known as "the Cookie Law". (The ePrivacy Regulation, often mentioned in the same breath, is a proposed replacement for the Directive that has not come into force.)
The Directive dates from 2002; its 2009 amendment introduced the requirement to obtain consent for cookies, and since 2018 the GDPR's stricter standard of consent applies to that requirement. This is why cookie consent popups have become so widespread since 2018.
These two EU laws, the Cookie Law and the GDPR, both have a significant impact on the use of cookie consent banners to inform users about marketing and tracking.
According to the Directive, all websites must inform their users that they set cookies in the visitors' browser and obtain consent before doing so.
The law also states that users must be given the possibility to refuse or withdraw their consent.
If a user withdraws her consent, the processing done while consent was valid does not become unlawful retroactively, but you must stop setting those cookies and gathering further data on her subsequent visits.
Furthermore, under the Cookie Law you are not required to manage consent for third-party cookies directly; that responsibility lies with the third parties. Do not treat this as a blank check, however: the EU Court of Justice (Fashion ID, 2019) has held site operators jointly responsible for data collected through third-party content they embed.
You are in any case required to facilitate the process by linking to the relevant third-party policies, and you must state the categories and purposes of their cookies.
The law mandates that consent must be freely given to be valid. Coercive methods, such as a cookie wall that blocks the content until the visitor accepts, render the consent invalid.
Some types of cookies are exempt from the consent requirement, such as:
Technical cookies, like preference cookies and the session cookies needed to deliver the service.
First-party statistical cookies managed by the website itself (some national regulators exempt these, provided the data is anonymized and not shared).
The Cookie Law itself does not require records of consent to be kept on file. However, because the GDPR standard of consent applies, you should be able to prove that you obtained users' consent before installing cookies.
In summary, the Cookie Law requires the following:
Users must be informed before cookies are stored on their device or they are tracked.
Consent must be an explicit affirmative action, such as clicking an "Accept" button or ticking a box; merely browsing, scrolling or continuing to use the site does not count as consent.
You must provide detailed information about how the cookie data will be used.
Records of consent do not have to be kept, but you must still be able to prove that permission was obtained.
You must provide a way to give informed consent and a means to withdraw it.
You must state the category and purpose of third-party cookies and link to their cookie policies, but you are not required to list each of them individually.
A cookie consent banner is a notice that appears on a user's first visit to a website and asks for consent before data about the user is collected.
The banner discloses the cookies in use and lets the user choose before any data is gathered.
The purpose of cookie consent banners, therefore, is to inform website users about the cookies and to obtain consent before setting them.
Cookie consent banners appear on websites in order to comply with the EU ePrivacy Directive of 2002, as amended in 2009.
Additionally, according to the EU Court of Justice (the Planet49 judgment of 2019), pre-ticked checkboxes do not constitute valid consent: your cookie banner cannot have any category pre-selected except strictly necessary cookies.
The California Consumer Privacy Act (CCPA) is a lighter version of the GDPR. It gives California residents protections against their data being collected and sold without their knowledge.
The CCPA took effect on January 1, 2020, with enforcement starting on July 1, 2020.
While the federal government has not taken a leading role in online privacy law, the states are taking a stricter approach to the subject.
California's legislature enacted the new law, binding from the beginning of 2020, and it carries cookie-related requirements.
The Act requires companies to give notice to California residents about their cookie data collection practices.
The CCPA gives consumers the right to tell a business not to sell their personal information to third parties. Once a consumer has opted out, the business must stop selling that consumer's personal information.
Companies that do not comply with the CCPA may face penalties of $2,500 per violation, or $7,500 per intentional violation.
The law requires businesses above specific user and revenue thresholds to disclose:
What personal data they collect,
The purposes for which they intend to use this data,
The third parties the cookie data will be shared with.
Under the CCPA, a business that sells personal information must provide a clear link on its website titled "Do Not Sell My Personal Information". The link must not require customers to create an account in order to opt out.
If a customer opts out of the sale of her data to third parties, the business is not allowed to charge her different prices, deny her customer support, or provide her a different level of service quality because of it.
Customers have the right to access and obtain a copy of the personal information the business has gathered about them in the past 12 months.
Website users also have the right to request deletion of their personal data. The company must then delete the personal data it holds on that visitor, except what it is legally permitted to retain (for example, to complete a transaction the consumer requested, to detect security incidents, or to meet legal obligations).
Furthermore, businesses cannot sell the personal information of consumers under 16 unless those consumers opt in; for children under 13, a parent or guardian must give that authorization.
In the CCPA, a business is defined as a legal entity (a company, partnership, association, and so on) that is operated for the profit or financial benefit of its owners and does business in California.
To be bound by the CCPA, a company has to meet at least one of the thresholds below:
Generate annual gross revenue exceeding $25 million.
Buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices per year (raised to 100,000 consumers or households by the CPRA amendments effective 2023).
Derive 50% or more of its annual revenue from selling consumers' personal information.
If you do not meet any of these thresholds, the CCPA does not apply to your business. However, if you share common branding with, and are controlled by, a company that meets one of them, your business is also subject to CCPA compliance.
The CCPA defines personal information as:
"Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Personal information may include;
Biometric data like fingerprints, DNA, and voice recordings.
Data regarding personal characteristics, religion, and sexual preferences.
Internet activity such as browsing history and search history, and geolocation data such as location history gathered from devices.
Your privacy policy must also include:
A description of consumer rights and how to exercise them,
The list of categories of personal data collected, updated at least every 12 months.
You can think of the GDPR as being about prevention, whereas the CCPA is about transparency.
Under the GDPR, a website visitor's personal data cannot be collected until the user gives her consent, whereas the CCPA does not require prior consent to handle personal information but grants the user the right to request disclosure and deletion and to opt out of its sale.
In other words, the main difference between the GDPR and the CCPA is opt-in (prior consent) versus opt-out.
The GDPR's obligations cover a broader area. Even though the GDPR seems to affect only websites in Europe, it has extra-territorial scope, since any website may offer services to visitors in the EU. The CCPA, on the other hand, binds only businesses that meet its thresholds and handle Californians' personal information, with the "do not sell" duties applying to those that sell it.
EU data protection authorities have investigatory powers over non-compliant websites, whereas CCPA enforcement is largely up to the California Attorney General (and, since the CPRA, the California Privacy Protection Agency); consumers have a private right of action only for data breaches.
The GDPR is a broader privacy law that forms a complete data protection framework for the EU, whereas the CCPA is a narrower and more sectoral law.
The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the ePrivacy Directive affect how you must obtain and store cookie consents from your visitors.
To comply with these requirements, you must have a thorough and compliant setup for managing the consents for cookie usage on your website. You may start by identifying what cookies are in action on your website, then evaluate their compliance levels.
We like sharing our knowledge with our visitors! You are very welcome to use our infographic on your own website to present how to make a website compliant with the cookie laws.
In fact, many well-known companies show a cookie consent popup to their users. Let's look at some companies that ask for cookie consent:
2. JetBrains
JetBrains chose to show a plain, text-only prompt with balanced options to accept or reject cookies.
3. Nielsen Norman Group
Nielsen Norman Group has grouped all its cookies. The popup says that necessary cookies cannot be opted out of, while the other groups can be disabled within a few taps.
4. MailChimp
MailChimp has organized cookies into tabbed groups and lets visitors opt out of any group they want, except the strictly necessary ones.
5. Daily Mesh
Daily Mesh provides an option to customize privacy settings to accept or reject some types of cookies. There are also "Accept All" and "Reject All" buttons to ease the visitors' choice.
6. Indie Web Camp
Indie Web Camp chose to display cookie settings in a dashboard and explains all its patterns of cookie usage, which increases the transparency of the data collection process.
7. Fandom
Fandom presents a cookie consent popup to visitors when they first enter the website. The popup explains which types of cookies are in use and for what purpose.
8. Jamie Oliver
Jamie Oliver sets all optional categories off by default, so the site stays on the right side of the cookie laws until a visitor switches them on.
9. Iamsterdam
Iamsterdam allows its website visitors to alter cookie settings, and explains all types of cookies, what they are used for and how they process information.
10. Osano
Osano uses a tabbed cookie popup that lets website users adjust their level of cookie consent whenever they want.
It is easy to get lost or confused trying to keep track of the many privacy-related rules. If that happens, please feel free to contact us via live chat, and our data protection officer will gladly help you.
I hope this guide to the cookie laws and to making your website's cookie usage compliant with them helps you avoid massive fines.
Even if your visitors are not located in the EU or California, it is a good idea to have a simple cookie consent popup on your website, which you can build with Popupsmart's free tool.
Lastly, remember that Popupsmart has ready-to-use, professionally designed cookie popups and cookie banners built to comply with the cookie laws. What's more, you don't need coding or design expertise to build one of our popups.