Understand Cookie Policy Requirements Under CCPA, GDPR & Other Laws

Cookie Policy: What Is It & A Template to Follow

Creating a personalized browsing experience for users has long been the pillar behind most user retention and growth strategies. Cookies have played an instrumental role in that process by giving businesses access to user browsing and conversion data. Creating a personalized browsing experience for users has long been the pillar behind most user retention and growth strategies. Cookies have played an instrumental role in that process by giving businesses access to user browsing and conversion data.

However, with heightened scrutiny of data collection via cookies, and data subject rights, a comprehensive cookie policy is now essential for any business.

What is a Cookie Policy?

Cookies play an essential role in building a better browsing experience for users. Through various types of cookies, a website can collect critical information about the browsing behavior of its visitors. This information can be used to show more relevant content, products, and ads, enhancing the user's experience.

That's the positive side of cookies. However, since cookies rely on access to user data to provide businesses with these insights, there have always been questions about the ethical usage of cookies, particularly the transparency on the use of cookies by businesses.

A cookie policy is any business's best tool to communicate what kind of cookies it uses, the information it collects, how they enhance the user browsing experience, and most importantly, how users can opt-out of having these cookies installed on their devices.

A cookie policy is often considered a part of any business's overall privacy policy. However, to ensure clarity, it is recommended that businesses create a separate page on their site dedicated to their cookie policy.

Cookie Policy Example & Template

A standard cookie policy should explain what cookies a website uses and why they're only collecting data that would contribute towards enhancing the users' browsing experience. However, since each business has a different policy towards the use of cookies, it is recommended that a business make adjustments accordingly to reflect the difference in their cookie-related practices.

Here's a standard cookie policy template that any business or website can adopt:

Cookie Policy For Securiti

Assuming we are keeping cookie policy and privacy policy together, a section on cookies must include the following information:

1. Definition and generic function of cookies,
2. Information on strictly necessary cookies, their purposes, and that they will always be activated,
3. Data controller’s name and identity,
4. Data processors’ names and identities,
5. Full list of recipients or categories of recipients who will obtain personal data through the processing of cookies,
6. Cookie categories with all of the below information for each cookie category:
   • Name and domain,
   • Cookie processing purposes, features of cookies corresponding to legitimate purposes,
   • The user’s ability to withdraw and change consent,
   • Expiration date,
   • Retention period for data collected with the cookies,
   • Service name,
   • Service privacy policy (URL),
   • The place of origin of cookies (source script),
   • The parties engaged in the processing and transfer of cookies (first, second, third, and fourth parties).
7. Information on any potential risks associated with allowing third party cookies including the compilation of long-term records of individuals’ browsing histories and the use of such records to send targeted advertising,
8. Information on users’ rights to access, correct, delete and restrict the processing of personal information in connection with personally identifiable cookies,
9. Information on users’ ability to lodge a complaint with a supervisory authority against data controllers and processors,
10. Information on the use of cookies for automated decision-making and profiling, where applicable. When profiling involves decision-making automated with legal effects for the user or significantly affect users similarly, it will be necessary to inform the user on the logic used as well as the significance and expected consequences,
11. Information on any potential risks in relation to cross-border cookie transfer including any risks arising in the absence of an adequacy decision and/or inadequate data protection standards in the foreign country.

Cookie Policy Under Data Protection Laws Globally

While it was in the interest of businesses to be clear about their cookie collection practices, it started becoming a legal requirement once data privacy laws mandated them as such.

The European Union's General Data Protection Regulation (GDPR) remains arguably the most thorough piece of legislation that deals with the question of how websites can use cookies. The GDPR's regulations for websites using cookies is as follows:

• Obtain users' consent before you use any cookies except strictly necessary cookies.
• Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
• Document and store consent received from users.
• Allow users to access your service even if they refuse to allow the use of certain cookies
• Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

Naturally, it wasn't long until other data protection laws were passed globally with varying degrees of requirements and mandates for cookies. The California Privacy Rights Act (CPRA) is another such legislation that took inspiration from the GDPR regarding the cookie policy. As far as the cookie consent is concerned, the GDPR is unequivocal in stating that the user must expressly agree to having cookies stored. Moreover, it clarifies that the following actions do not constitute as consent:

• General actions undertaken by the consumer, such as agreeing to broad terms of use that describe personal information processing alongside unrelated information;
• "Hovering over, muting, pausing, or closing a given piece of content"; or
• Using so-called "dark patterns" to manipulate or mislead consumers into providing consent (defined as "a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice").

Nearly all other major data protection laws such as the LGPD have a similar stance towards giving users a reasonably informed agreement regarding cookies. Businesses must have valid reasons for requesting user consent to enable cookies, with separate consent required for functions other than the most basic services. Businesses cannot use "consent walls" to deny users access to the site or their primary services.

How Securiti Can Help

Cookies have long proven an effective tool for businesses to learn how best to serve their users. However, privacy issues related to the data these cookies collect and global data protection laws require businesses to rethink their approach towards their cookie policy.

Securiti is a market leader in data compliance and data governance. Its artificial intelligence and machine learning-based tools can help enterprises of all sizes address their data privacy-related compliance issues, such as cookie consent management. Similarly, its privacy policies & notice management tool allow businesses to maintain a dynamic policy on their site that is regularly updated to ensure compliance with all major data protection laws.

With the sheer amount of data involved, automation is the most cost-effective solution and the most effective one.

Request a demo today and see how Securiti can help your business.