The following article explains the General Data Protection Regulation (GDPR), the ePrivacy Directive (the "Cookie Law"), and the California Consumer Privacy Act (CCPA), and what they mean for your cookie usage and for obtaining cookie consent.
Many modern websites have dozens of active cookies and online tracking tools in use. But, what exactly does that mean for website users’ privacy?
If your website has visitors from the EU or California, you need a cookie consent notice to comply with these laws.
That way you avoid penalties which, under GDPR, can reach €20 million or 4% of global annual turnover!
But don’t get confused, we have a long way to go together, so let’s begin!
A cookie is a small piece of data that a web server sends to the browser; the browser stores it and sends it back with later requests to the same site. This is what lets a site recognise a returning browser, keep you logged in, or record what you did on earlier visits.
Cookies are usually classified in two ways: by the party that sets them (first-, second-, and third-party cookies) and by how long they live and where they are stored (session, persistent, and browser-independent cookies). Each type is explained and exemplified below;
First-party cookies are cookies set by the domain the user is visiting.
For example, when you open popupsmart.com in a browser, our web infrastructure sets cookies in your browser and reads them back on later requests to collect your behavioural data, which enables us to provide a good user experience for you.
Most browsers accept first-party cookies by default, since their primary purpose is customisation and a better user experience.
They allow website owners to;
Gather analytical data,
Remember language settings,
Enable login without entering user information,
Show which items were added to the shopping cart before.
Third-party cookies are cookies set by domains other than the one the visitor is browsing. They are set by resources embedded in the page (ad scripts, chat widgets, social buttons) that are served from another domain, and they are mainly used for tracking and digital advertising.
For example, when you chat through a live-chat widget served from the chat provider's domain, it sets third-party cookies that identify you; the next time you visit the same website and open the chatbox, it will remember your name and the previous conversation.
Or when you visit Amazon and view a product, third-party trackers embedded in the page collect information about what you looked at. Then, when you visit eBay and the same tracker is embedded there, you are shown ads for similar products to the one you previously viewed.
Here are some other third-party services that set cookies;
Ad retargeting service providers,
In brief, there is no technical difference between a first-party and a third-party cookie: both are the same kind of data and can perform the same functions. The difference is who sets and reads them. A first-party cookie is only sent back to the site you are on, whereas a third-party cookie is sent back to the third party's domain from every site that embeds its content, which is what makes cross-site tracking possible.
On the other hand, "second-party" cookie data is first-party data that one company transfers to another through a data partnership.
For instance, an airline could sell its first-party cookie data to a hotel chain so that the hotel chain can use the browsing behaviour of the airline's audience to advertise to them.
However, obtaining or selling second-party cookie data without the users' knowledge is not an ethical way to collect information about your prospects, and under GDPR the recipient needs its own lawful basis for the processing and must inform the people concerned.
Session cookies are temporary cookies that store information about your current session and are deleted when you close your browser.
They are the least likely to raise privacy concerns and usually fall into the "strictly necessary" category, the session identifier that keeps you logged in being the typical example. Note that lifetime alone does not make a cookie exempt: what matters is what it is used for.
This is also why your bank recommends closing the browser window after you log out: closing it removes the session cookies. Browsers configured to restore the previous session on restart can keep session cookies alive, so the server-side logout matters more than the cookie's lifetime.
Persistent cookies, also called "permanent" or "stored" cookies, carry an Expires or Max-Age attribute, so the browser keeps them on disk until that date or until the user deletes them, instead of removing them when the browser closes.
They are the type of cookie that raises most of the privacy concerns about cookies.
However, they are handy for providing a customised user experience, analysing return-visitor behaviour, and advertising to the right prospects, because they survive across visits. Their lifetime is not indefinite and should be limited to what the purpose actually needs; a tracking cookie set to expire in ten years is hard to justify.
Browser-independent cookies (sometimes called "supercookies" or "zombie cookies") act like persistent cookies but are not stored in the browser's cookie jar.
Instead, the identifier is kept in other storage, such as plug-in data files, local storage, or cache entries, and recreated from there when the normal cookie is deleted. This makes them much harder to remove unless the user also clears that storage or installs a dedicated cookie remover.
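The distinctions above (session versus persistent, first-party versus third-party) are decided by the attributes of the Set-Cookie header and by the domain that sets it. The following added example, which is not code from the original page, classifies a cookie from its Set-Cookie header the way a cookie audit would. The header strings and host names in it are constructed samples, and the registrable-domain check is a deliberate simplification (real code would consult the Public Suffix List).

```javascript
// Added example: classify a Set-Cookie header for a cookie audit.
// Sample headers and hosts below are constructed, not taken from any real site.

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Simplified "site" of a host: its last two labels. Assumption for the example;
// production code must use the Public Suffix List (e.g. "co.uk" has three labels).
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Classify one cookie given the host that sent the response and the host of the page.
function classifyCookie(header, responseHost, pageHost) {
  const c = parseSetCookie(header);
  const a = c.attributes;

  // Lifetime: Max-Age takes precedence over Expires (RFC 6265 section 5.3);
  // with neither attribute the browser discards the cookie when it closes.
  let lifetime;
  if ('max-age' in a) {
    lifetime = Number(a['max-age']) > 0 ? 'persistent' : 'expired';
  } else if ('expires' in a) {
    lifetime = 'persistent';
  } else {
    lifetime = 'session';
  }

  // Party: the cookie belongs to the Domain attribute if present, otherwise to
  // the responding host; it is third-party when that site differs from the page's site.
  const cookieHost = typeof a.domain === 'string' ? a.domain.replace(/^\./, '') : responseHost;
  const party = site(cookieHost) === site(pageHost) ? 'first-party' : 'third-party';

  // Modern browsers default SameSite to Lax; a third-party cookie is only sent in
  // cross-site requests (i.e. usable for tracking) when SameSite=None and Secure are both set.
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : 'lax';
  const crossSiteUsable = party === 'third-party' && sameSite === 'none' && a.secure === true;

  return { name: c.name, lifetime, party, sameSite, crossSiteUsable, httpOnly: a.httponly === true };
}

// Constructed sample: a login session cookie, a language preference, and an ad network cookie.
const SAMPLES = [
  { header: 'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax', from: 'shop.example.com', page: 'shop.example.com' },
  { header: 'lang=en; Max-Age=31536000; Path=/', from: 'shop.example.com', page: 'shop.example.com' },
  { header: '_ads=xyz; Domain=.adnet.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None', from: 'cdn.adnet.example', page: 'shop.example.com' },
];

function auditSamples() {
  return SAMPLES.map((s) => classifyCookie(s.header, s.from, s.page));
}

console.log(auditSamples());
```

Running it shows the session cookie as a first-party session cookie, the language cookie as first-party persistent, and the ad cookie as third-party persistent and usable across sites. That last combination (third-party, persistent, SameSite=None) is the profile of a tracking cookie that needs consent before it is set.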
Tracking cookies on websites can collect data about users’ browsing habits, see what types of products they view and what they purchase.
Cookies are useful for businesses because they let e-commerce websites and service providers reach prospects quickly and tailor their advertising to the prospects' browsing behaviour.
They can also benefit users, who get a more relevant experience, such as ads and offers that match what they were actually looking for.
However, some website owners violate their users' rights for their own gain.
Therefore, regulators decided that internet users need the right to know what cookies are in use and how website owners use them.
Not all cookies are evil. In fact, some are fundamental for both user experience and the proper functionality of websites.
Thankfully, regulators understand this and omit cookies that are “strictly necessary” to fulfill the requests of website visitors.
The strictly necessary cookie usage is especially important for online retailers.
The exact scope of "strictly necessary" is not precisely defined. The working test is whether the service the user explicitly asked for would work without the cookie; if it would not, the cookie is strictly necessary.
If a visitor declines optional cookies but still expects to see the items they put in their shopping cart, the cookie that holds the cart can be set without consent.
Another instance is keeping a user logged in as they browse a site such as Facebook. The session cookie that holds the login is strictly necessary, and a "remember me" cookie that keeps the user logged in across browser restarts is generally accepted as necessary when the user explicitly asks for it, but not if the same cookie is reused for tracking.
Let’s have a look at the strict requirements of privacy regulators on what makes a cookie popup non-compliant or compliant.
Remember that you only need to ask for consent the first time a user visits your site. The choice itself is stored in a first-party cookie, which is exempt because it exists only to honour the user's preference, so returning visitors are not asked again until that cookie expires or you change what you use cookies for.
You can control if your cookie consent popup meets the requirements below. The popup must:
Contain specific information about the types of data collected,
Present clear information about the purpose of each cookie,
Explain the tracking technologies in use on the website,
Ask for consent before any non-essential cookie is set in the user's browser,
Clearly state which action will signify consent,
Give users a real choice to opt in to or out of each category of cookies,
Enable users to change their choice at any time,
Let users withdraw their consent whenever they want,
Record the consent (what was shown, what was chosen, and when) and store it securely as evidence.
Don't forget to renew your visitors' cookie consent periodically. The ePrivacy Directive itself sets no fixed period; 12 months is a common practice, and some national regulators recommend shorter intervals, so check the guidance of the authority you fall under.
Because the cookie laws do not let you set non-essential cookies before obtaining consent, block the scripts that set them until the user has agreed, rather than loading everything and showing a banner afterwards.
As I said before, you don't need to handle all of these rules yourself: Popupsmart has already designed multiple fully compliant cookie consent popup templates that are ready to use!
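The two mechanical requirements in this section, storing the choice so returning visitors are not asked again and blocking non-essential scripts until consent exists, are usually implemented together. The following added example (not code from the original page or from Popupsmart) shows one such consent gate. It assumes conventions that are not from the article: the consent is stored in a first-party cookie named cookie_consent, scripts that must wait for consent are written as `<script type="text/plain" data-cookie-category="analytics" src="...">` so the browser does not execute them, and the renewal interval is 365 days.

```javascript
// Added example: a consent gate. Assumed names (not from the article):
// cookie "cookie_consent", categories below, and the data-cookie-category attribute.

const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_VERSION = 1;          // bump when purposes or categories change: older consent no longer counts
const CONSENT_MAX_AGE_DAYS = 365;   // assumed renewal interval
const CATEGORIES = ['analytics', 'advertising', 'functional']; // "strictly necessary" never goes through the gate

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookieString(str) {
  const out = {};
  for (const part of str.split(';')) {
    const p = part.trim();
    const i = p.indexOf('=');
    if (i === -1) continue;
    out[p.slice(0, i)] = decodeURIComponent(p.slice(i + 1));
  }
  return out;
}

// Read the stored consent. Returns null when it is absent, malformed or from an
// older version; in each case the banner must be shown again.
function readConsent(cookieString) {
  const raw = parseCookieString(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    if (c.version !== CONSENT_VERSION || typeof c.categories !== 'object' || c.categories === null) return null;
    return c;
  } catch (e) {
    return null;
  }
}

// Build the cookie string that records a choice. Every category defaults to false,
// so nothing is "pre-ticked"; the timestamp is kept as evidence of when consent was given.
function buildConsentCookie(choices, nowMs = Date.now()) {
  const categories = {};
  for (const cat of CATEGORIES) categories[cat] = choices[cat] === true;
  const record = { version: CONSENT_VERSION, categories, ts: new Date(nowMs).toISOString() };
  const maxAge = CONSENT_MAX_AGE_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Categories whose scripts may run under the given consent record (none without consent).
function allowedCategories(consent) {
  if (!consent) return [];
  return CATEGORIES.filter((cat) => consent.categories[cat] === true);
}

// Withdrawal is just an all-false record. Scripts already running keep their state
// until the page is reloaded, so reload after withdrawal to be safe.
function withdrawConsent() {
  return buildConsentCookie({});
}

// Turn the inert <script type="text/plain" data-cookie-category="..."> tags of the
// allowed categories into real script tags, which makes the browser execute them.
function activateScripts(doc, consent) {
  const allowed = new Set(allowedCategories(consent));
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-cookie-category]')) {
    if (!allowed.has(el.dataset.cookieCategory)) continue;
    const s = doc.createElement('script');
    if (el.src) s.src = el.src; else s.textContent = el.textContent;
    el.replaceWith(s);
    activated++;
  }
  return activated;
}

// Browser wiring; skipped when the file runs outside a browser (e.g. under Node).
if (typeof document !== 'undefined') {
  const existing = readConsent(document.cookie);
  if (existing) {
    activateScripts(document, existing);
  }
  // Otherwise show the banner; when the user submits their choices:
  //   document.cookie = buildConsentCookie(choices);
  //   activateScripts(document, readConsent(document.cookie));
}
```

Two design points are worth noting. The version field means that when you add a purpose or a category, every earlier consent becomes invalid and the banner reappears, which is what the regulations expect. And because the gated scripts are never executed before activation, a third-party tag cannot set its cookies before the user has agreed; a banner that merely overlays a page whose tags have already fired does not meet the requirement.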
Describe details about the cookie installation purpose.
Indicate and explain the type of cookies installed.
Be presented in all the languages the website offers.
Indicate all third parties that can set cookies.
Include links to the third parties' policies.
Have visible opt-out controls.
Provide information on how users can withdraw consent.
The General Data Protection Regulation (GDPR) has applied since 25 May 2018.
GDPR is the most significant change to EU data protection law in more than 20 years; the framework it replaced, the Data Protection Directive, dates from 1995.
GDPR sets strict rules on how personal data must be handled and backs them with heavy fines, up to €20 million or 4% of global annual turnover, whichever is higher, for organisations that fail to comply.
The primary purpose of GDPR is to keep the EU legislation up to date with the digital age while protecting personal privacy and enabling users to have control over their own personal data.
The GDPR sets out strict requirements on data handling procedures, transparency, documentation, and user consent.
It applies to organisations established in the EU and, because of its extra-territorial scope, to organisations anywhere that offer goods or services to people in the EU or monitor their behaviour, for example through tracking cookies. It is residence in the EU, not citizenship, that counts.
Since GDPR took effect, a simple "accept cookies" popup that offers no real choice is no longer considered compliant.
Let’s look at a cookie consent popup that is compliant with GDPR;
And, have a look at a non-compliant cookie consent popup;
Here, the user has no real choice, and there is no direct information about which cookies are set on the browser, where they come from, and which purposes they serve.
Personal data under GDPR is any information relating to an identified or identifiable person: names, photos, email addresses and bank details, but also online identifiers such as IP addresses and cookie IDs.
If you use cookies that can identify a person, directly or in combination with other data, you must either remove them or bring your cookie consent process into line with GDPR.
In other words, all cookies that process personal data are subject to the regulation, including;
Cookies for analytics,
Cookies for advertising,
Cookies for functional services like survey and chat tools.
You must also keep a record of the processing you do with the data from your website's cookies. Under GDPR's record-keeping requirement (Article 30), that record must include;
Name of your company,
Contact details of your business,
The purposes of the processing and the categories of data subjects and personal data for each cookie,
Categories of organisations receiving the data,
The time limits for erasing the data,
Description of the security measures applied to the processing.
Employing a data protection officer is not always obligatory. It depends on the type and amount of data collection.
You need a data protection officer if you;
Process personal data for behavioural advertising, for example by targeting audiences on search engines based on users' online behaviour.
Process personal health data for genetics or hospitals.
On the other hand, you don’t need a data protection officer, if you;
Send an advert to your customers once a year to promote your local business.
Are an individual general practitioner keeping your own patients' health records.
The ePrivacy Directive (Directive 2002/58/EC) sets the EU rules for privacy in electronic communications, including the use of cookies.
It overlaps with GDPR but adds specific requirements for electronic communications and for storing or reading information on a user's device. It is also known as "the Cookie Law."
The Directive dates from 2002; its 2009 amendment (Directive 2009/136/EC) introduced the requirement to obtain consent before setting non-essential cookies, which is why cookie consent popups began appearing on so many websites. A replacement ePrivacy Regulation was proposed in 2017 but has not been adopted, so the Directive, as transposed into each member state's law, is still what applies.
Both of these EU laws, the Cookie Law and GDPR, have a significant impact on the use of cookie consent banners to warn users about marketing and tracking.
Under the Directive, all websites must inform users that they set cookies on the visitors' browsers and, for non-essential cookies, obtain consent before doing so.
The law also states that users must be given the possibility to refuse or withdraw their consent.
If a user withdraws consent, the data you collected while consent was valid does not retroactively become unlawful, but you must stop setting and reading the non-essential cookies and cannot gather further data on future visits. Keeping the already collected data needs a lawful basis of its own; without one it should be deleted.
Furthermore, under the Cookie Law you are not expected to operate the third parties' consent mechanisms for them, but you remain responsible for the third-party cookies your site embeds: in its Fashion ID judgment (2019) the EU Court of Justice held that a site operator embedding a third party's tracking component is jointly responsible for the data collection it triggers.
In practice you must block the third party's script until consent is given, leave links to the relevant third-party policies, and indicate their categories and purposes.
The law mandates that consent must be freely given to be valid. Pre-ticked boxes, "cookie walls" that block access until the user accepts, and banners with no way to refuse are not freely given consent, and these patterns are exactly what regulators look for.
Some types of cookies are exempt from the consent requirement, such as;
Technical cookies like session cookies, load-balancing cookies, and preference cookies the user chose (language, display settings).
First-party statistical cookies, in some member states, when the data is not shared with third parties.
Anonymised third-party analytics cookies, in some member states (Italy's regulator, for instance, exempts Google Analytics when IP addresses are anonymised and the data is not combined with other tracking); other regulators, such as the French CNIL, only exempt audience measurement under strict conditions. Google Tag Manager itself sets no tracking cookies; it is a script loader, and what matters is the tags it loads.
The Cookie Law does not require records of user consent to be kept in files. However, it indicates that you should be able to prove that you acquire users’ consent prior to installing cookies.
The cookie law requires informing users before storing cookies on their device or tracking them.
Consent to cookies must be given by an explicit affirmative action, such as clicking an "accept" button or ticking a box. Merely scrolling, continuing to browse, or closing the banner does not count as consent.
You must provide detailed information about how the cookie data will be utilized over time.
The law does not require records of consent to be kept but still indicates that you have to prove that users’ permission is obtained.
You need to provide an option for obtaining informed consent and a means for withdrawal of consent.
You have to state the category and purpose of third-party cookies with a link to their cookie policies, but listing every cookie individually is not required.
A cookie consent banner is a cookie warning that appears on a user’s first website visit and asks for consent to collect data about the user.
The banner declares the cookies and gives the user a choice of consent prior to gathering data.
The purpose of cookie consent banners, therefore, is to alert website users about the cookies and attempt to get consent for setting cookies.
Cookie consent banners have been required since the 2009 amendment of the EU ePrivacy Directive of 2002 introduced the consent requirement.
Additionally, the EU Court of Justice ruled in the Planet49 case (2019) that pre-ticked checkboxes do not constitute valid consent, so your banner cannot have any cookie category pre-selected except the strictly necessary ones.
The California Consumer Privacy Act (CCPA) can be thought of as a narrower, California-only counterpart of GDPR. It protects California residents against the collection and sale of their data without their knowledge.
The CCPA took effect on January 1, 2020, with enforcement by the Attorney General beginning on July 1, 2020.
While the federal government does not play a vital role in online privacy laws, the States are taking a strict approach to the subject.
California enacted the legislation in 2018, it has been binding since the beginning of 2020, and it gives rise to cookie requirements.
The Act requires companies to give notice to California residents about their cookie data collection practices.
CCPA gives consumers the right to direct a business not to sell their personal information to third parties. Once a consumer has opted out, the business must stop selling it to comply with the law.
Companies that are non-compliant with the CCPA face civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation.
The law requires businesses over a specific user base and revenue threshold to disclose;
What personal data they collect,
The purpose they intend to use this data for,
The third parties the cookie data will be shared with,
The purposes for which it is shared.
According to CCPA, all businesses it covers that serve Californians must provide a clear link on their website titled "Do Not Sell My Personal Information." Moreover, the link must not require consumers to create an account to opt out.
If a customer chooses to opt-out from the distribution of their data to third parties, that business is not allowed to charge different prices for its services, deny giving customer support or provide a different level of quality for services.
Customers have the right to access and obtain a copy of their personal information, which has been gathered by the business in the past 12 months.
Website users also have the right to request deletion of their personal data. In this case, the company that gathered the data must delete it, except where an exception applies, for example data needed to complete the transaction the consumer requested, to detect security incidents, or to meet a legal obligation.
Furthermore, businesses cannot sell the personal information of consumers under the age of 16 without opt-in consent: the minor's own consent for ages 13 to 15, and a parent's or guardian's authorisation for children under 13.
In the CCPA, a business is defined as companies, partnerships, legal entities, and associations that are operated for the financial benefits of stakeholders.
To be bound by the CCPA, a company has to meet at least one of the attributes below;
Generate an annual gross revenue exceeding $25 million.
Derive 50% or more of its annual revenue from selling consumers' personal information.
Buy, receive, sell, or share the personal information of 50,000 or more California consumers, households, or devices a year.
If you do not meet one of the requirements above, the CCPA does not apply to your business. However, if you share common branding with a company meeting one of the above thresholds, your business is subject to CCPA compliance.
The CCPA defines personal information as: "Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Personal information may include;
Biometric data like fingerprints, DNA, and voice recordings.
Data regarding personal characteristics, religion, and sexual preferences.
Geolocation data, and internet activity such as browsing and search history.
Identifiers such as IP addresses, account names, cookie IDs, and pixel tags.
Under the CCPA, your privacy policy must also include;
A description of consumer rights and how to exercise them,
A list of the categories of personal information that your website collects, sells and discloses.
The list of personal information categories must be updated at least every 12 months.
You can think of the GDPR as prevention, whereas the CCPA signifies transparency.
According to the GDPR, the personal data of a website visitor cannot be collected until the user gives their consent to do so, whereas the CCPA does not require prior consent to handling personal information but grants the user the right to request disclosure and deletion.
In other words, the main difference between GDPR and CCPA is the opt-out opportunity and prior consent necessity.
GDPR's obligations cover a broader area. Even though GDPR seems to affect only websites in Europe, it has an extra-territorial scope, since any website may offer services to visitors in the EU. The CCPA, on the other hand, binds only businesses that meet its size thresholds and handle the personal information of California residents.
EU data protection authorities have investigatory powers over non-compliant websites, whereas CCPA enforcement is left to the California Attorney General, apart from a limited private right of action for consumers affected by data breaches.
GDPR is a broader privacy law that forms a data protection framework under the EU, in comparison to CCPA, which is a smaller and more sectoral law.
The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the ePrivacy Directive affect how you obtain and store cookie consent from your visitors.
To comply with these requirements, you must have a thorough and compliant setup for managing consent for cookie usage on your website. You may start by identifying what cookies are on your website, then evaluate their compliance levels.
We like sharing our knowledge with our visitors! You are very welcome to use infographics on your website for presenting an excellent visual about how to make your website compliant with cookie laws!
Believe me, paying heavy penalties is more sorrowful than losing some visitors who do not care about their own privacy.
In fact, lots of well-known companies continuously show a cookie consent popup notification to their users. Let’s look at some companies which insistently ask for cookie consent;
2. JetBrains
JetBrains chose to show a plain text-only prompt and included balanced options to opt in to or out of cookies.
3. Nielsen Norman Group
Nielsen Norman Group has grouped all of its cookies in one popup. The popup states that necessary cookies cannot be opted out of, while the other groups of cookies can be disabled with a few taps.
4. MailChimp
MailChimp has tabbed cookies as groups and enables its visitors to opt out of any group of cookies they want, except the strictly necessary ones.
5. Daily Mesh
Daily Mesh provides an option to customize privacy settings to accept or reject some type of cookies. Also, there are “Accept All” and “Reject All” options to ease visitors’ cookie choice selection process.
6. Indie Web Camp
Indie Web Camp chooses to display cookie settings in a dashboard and explains all of its patterns of cookie usage, which increases the transparency of its data collection process.
7. Fandom
Fandom presents a cookie consent popup to visitors when they first enter the website. The popup explains which types of cookies are in use and for what purposes.
8. Jamie Oliver
Jamie Oliver sets all options off by default to be on the safe side and lets visitors adjust the cookie settings as they please, including turning them on.
9. Iamsterdam
Iamsterdam allows its website visitors to alter cookie settings, and explains all the types of cookies, what they are used for and how they process information.
10. Osano
Osano has used a tabbed cookie popup to let website users adjust their level of cookie consent however they want.
It is easy to get lost or confused when trying to keep track of the many privacy-related rules. In this case, please feel free to communicate with us via live chat, and our data protection officer will gladly help you.
I hope this guide on cookie laws and on making your website's cookie usage compliant with them will save you from facing massive fines.
If your website visitors are located in countries outside the European Union, it is still a safe choice to have a simple cookie consent popup on your website, using Popupsmart's free tool.
Lastly, remember that Popupsmart has ready-to-use, professionally designed cookie popups and cookie banners built to comply with the cookie laws. What's more, you don't need any coding or design expertise to build one of our popups.
Don't forget to consider UX while making an announcement or displaying cookie consent popups. Here's how; How to announce something effectively on your website without making a UX mistake?