Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

Understand Cookie Policy Requirements Under CCPA, GDPR & Other Laws

Download: Consent Report Q2 2024
Published January 13, 2022
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

Listen to the content

This post is also available in: Brazilian Portuguese

Creating a personalized browsing experience for users has long been the pillar behind most user retention and growth strategies. Cookies have played an instrumental role in that process by giving businesses access to user browsing and conversion data. Creating a personalized browsing experience for users has long been the pillar behind most user retention and growth strategies. Cookies have played an instrumental role in that process by giving businesses access to user browsing and conversion data.

However, with heightened scrutiny of data collection via cookies, and data subject rights, a comprehensive cookie policy is now essential for any business.

Cookies play an essential role in building a better browsing experience for users. Through various types of cookies, a website can collect critical information about the browsing behavior of its visitors. This information can be used to show more relevant content, products, and ads, enhancing the user's experience.

That's the positive side of cookies. However, since cookies rely on access to user data to provide businesses with these insights, there have always been questions about the ethical usage of cookies, particularly the transparency on the use of cookies by businesses.

A cookie policy is any business's best tool to communicate what kind of cookies it uses, the information it collects, how they enhance the user browsing experience, and most importantly, how users can opt-out of having these cookies installed on their devices.

A cookie policy is often considered a part of any business's overall privacy policy. However, to ensure clarity, it is recommended that businesses create a separate page on their site dedicated to their cookie policy.

Cookie Policy Example & Template

A standard cookie policy should explain what cookies a website uses and why they're only collecting data that would contribute towards enhancing the users' browsing experience. However, since each business has a different policy towards the use of cookies, it is recommended that a business make adjustments accordingly to reflect the difference in their cookie-related practices.

Here's a standard cookie policy template that any business or website can adopt:

Assuming we are keeping cookie policy and privacy policy together, a section on cookies must include the following information:

  1. Definition and generic function of cookies,
  2. Information on strictly necessary cookies, their purposes, and that they will always be activated,
  3. Data controller’s name and identity,
  4. Data processors’ names and identities,
  5. Full list of recipients or categories of recipients who will obtain personal data through the processing of cookies,
  6. Cookie categories with all of the below information for each cookie category:
    • Name and domain,
    • Cookie processing purposes, features of cookies corresponding to legitimate purposes,
    • The user’s ability to withdraw and change consent,
    • Expiration date,
    • Retention period for data collected with the cookies,
    • Service name,
    • Service privacy policy (URL),
    • The place of origin of cookies (source script),
    • The parties engaged in the processing and transfer of cookies (first, second, third, and fourth parties).
  7. Information on any potential risks associated with allowing third party cookies including the compilation of long-term records of individuals’ browsing histories and the use of such records to send targeted advertising,
  8. Information on users’ rights to access, correct, delete and restrict the processing of personal information in connection with personally identifiable cookies,
  9. Information on users’ ability to lodge a complaint with a supervisory authority against data controllers and processors,
  10. Information on the use of cookies for automated decision-making and profiling, where applicable. When profiling involves decision-making automated with legal effects for the user or significantly affect users similarly, it will be necessary to inform the user on the logic used as well as the significance and expected consequences,
  11. Information on any potential risks in relation to cross-border cookie transfer including any risks arising in the absence of an adequacy decision and/or inadequate data protection standards in the foreign country.

Cookie Policy Under Data Protection Laws Globally

While it was in the interest of businesses to be clear about their cookie collection practices, it started becoming a legal requirement once data privacy laws mandated them as such.

The European Union's General Data Protection Regulation (GDPR) remains arguably the most thorough piece of legislation that deals with the question of how websites can use cookies. The GDPR's regulations for websites using cookies is as follows:

  • Obtain users' consent before you use any cookies except strictly necessary cookies.
  • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
  • Document and store consent received from users.
  • Allow users to access your service even if they refuse to allow the use of certain cookies
  • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

Naturally, it wasn't long until other data protection laws were passed globally with varying degrees of requirements and mandates for cookies. The California Privacy Rights Act (CPRA) is another such legislation that took inspiration from the GDPR regarding the cookie policy. As far as the cookie consent is concerned, the GDPR is unequivocal in stating that the user must expressly agree to having cookies stored. Moreover, it clarifies that the following actions do not constitute as consent:

  • General actions undertaken by the consumer, such as agreeing to broad terms of use that describe personal information processing alongside unrelated information;
  • "Hovering over, muting, pausing, or closing a given piece of content"; or
  • Using so-called "dark patterns" to manipulate or mislead consumers into providing consent (defined as "a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice").

Nearly all other major data protection laws such as the LGPD have a similar stance towards giving users a reasonably informed agreement regarding cookies. Businesses must have valid reasons for requesting user consent to enable cookies, with separate consent required for functions other than the most basic services. Businesses cannot use "consent walls" to deny users access to the site or their primary services.

How Securiti Can Help

Cookies have long proven an effective tool for businesses to learn how best to serve their users. However, privacy issues related to the data these cookies collect and global data protection laws require businesses to rethink their approach towards their cookie policy.

Securiti is a market leader in data compliance and data governance. Its artificial intelligence and machine learning-based tools can help enterprises of all sizes address their data privacy-related compliance issues, such as cookie consent management. Similarly, its privacy policies & notice management tool allow businesses to maintain a dynamic policy on their site that is regularly updated to ensure compliance with all major data protection laws.

With the sheer amount of data involved, automation is the most cost-effective solution and the most effective one.

Request a demo today and see how Securiti can help your business.

Schedule Your
Personal Demo

Learn how you can leverage Securiti’s Data Command Center to address data security, privacy, governance, and compliance.

See a demo
Schedule your demo today
Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You

Take a
Product Tour

See how easy it is to manage privacy compliance with robotic automation.

Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
Inside Echoleak View More
Inside Echoleak
How Indirect Prompt Injections Exploit the AI Layer and How to Secure Your Data What is Echoleak? Echoleak (CVE-2025-32711) is a vulnerability discovered in...
What is AI Security Posture Management (AI-SPM)? View More
What is AI Security Posture Management (AI-SPM)?
AI SPM stands for AI Security Posture Management. It represents a comprehensive approach to ensure the security and integrity of AI systems throughout the...
View More
Data Security & GDPR Compliance: What You Need to Know
Learn the importance of data security in ensuring GDPR compliance. Implement robust data security measures to prevent non-compliance with the GDPR.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
Mastering Cookie Consent: Global Compliance & Customer Trust View More
Mastering Cookie Consent: Global Compliance & Customer Trust
Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.
Understanding Data Regulations in Australia’s Telecom Sector View More
Understanding Data Regulations in Australia’s Telecom Sector
Gain insights into the key data regulations in Australia’s telecommunication sector. Learn how Securiti helps ensure swift compliance.
Top 3 Key Predictions on GenAI's Transformational Impact in 2025 View More
Top 3 Key Predictions on GenAI’s Transformational Impact in 2025
Discover how a leading Chief Data Officer (CDO) breaks down top predictions for GenAI’s transformative impact on operations and innovation in 2025.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New