Cookies are small pieces of data that a website asks the browser to store on the user’s device and to send back with later requests to that site. They are designed to hold data tied to a particular user or website, and to enable certain functions on the site; session cookies are discarded when the browser closes, while persistent cookies remain until their expiry date. For more information check our article on the subject matter.
There are different types of cookies with different purposes. Some are strictly necessary for the running of the website, and without them it would not function. Then there are analytics and marketing cookies, which are more invasive: they are designed to track user behaviour and collect data about it.
Granular consent, in contrast to general (all-or-nothing) consent, is where the user sets their own preferences as to which cookies they consent to, for example disabling analytics and tracking cookies while leaving the essential cookies running.
Cookie consent is governed at the EU level by the ePrivacy Directive (2002/58/EC), which each member state has implemented in its own form. In the UK it was implemented by the Privacy and Electronic Communications Regulations 2003 (PECR). Regulation 6 requires that the user is given clear and comprehensive information about the purposes of storing or accessing information on their device, and (since the 2011 amendment, which replaced the earlier “opportunity to refuse” wording) that the user has given consent.
Alongside PECR, the GDPR’s requirements for consent must be taken into account. Art. 4(11) defines consent as freely given, specific, informed and unambiguous, and Art. 7 sets out the conditions: the controller must be able to demonstrate that consent was given, a request for consent must be clearly distinguishable from other matters such as acceptance of the terms and conditions of service, and consent must be as easy to withdraw as it was to give.
In the USA, data protection and privacy law is not cohesive. One law to focus on is the California Consumer Privacy Act (CCPA), passed in 2018 and in force since 1 January 2020. The CCPA requires businesses to give users the ability to opt out of the sale of their personal information, together with disclosure of the categories of information collected and the purposes for which they are used. The opt-out must be offered at the first opportunity through a clear and conspicuous “Do Not Sell My Personal Information” link on the homepage, under §1798.135 of the California Civil Code as added by the CCPA. The CCPA does not deal with cookies explicitly (although its definition of personal information includes unique identifiers such as cookie IDs), leaving the consent requirements for cookies uncertain.
Privacy in the US is regulated at the federal level mainly by the Federal Trade Commission (FTC), which enforces online privacy and security through its power to act against unfair or deceptive practices, including misleading privacy statements. The rules enforced by the FTC are, however, an extremely light touch in relation to cookies and tracking. Following the passing of the CCPA there have been quite a few developments at state level, with various states passing or considering data protection and privacy laws.
In Nevada, Senate Bill 220 (2019) introduced new rules on privacy on the Internet. Under Section 2 of the Act, operators of websites that collect consumers’ data must provide consumers with a way to opt out of the sale of that data. In contrast to the CCPA, however, they are not required to place an opt-out link on the homepage at the first opportunity.
Another US state to have passed legislation on online privacy is Maine, whose Act to Protect the Privacy of Online Customer Information (2019) applies to broadband internet access providers rather than to websites in general. Under Section 3 of that Act, a provider needs the customer’s opt-in consent before using, disclosing or selling the customer’s personal information, and may not refuse service to, or penalise, a customer who does not give consent.
Like the Californian Act, these positions are not clear as to how they apply to cookies. Best practice for the US is therefore to provide upfront information about how cookies are used and the ability to opt out of cookies at that first opportunity.
Privacy online in Australia is governed by the Privacy Act 1988, which established the Australian Privacy Principles (APPs). The APPs require disclosure of the purposes for which personal information is collected and, for certain uses, the consent of the individual. These are general requirements for the handling of personal information; the Office of the Australian Information Commissioner (OAIC) gives slightly different guidance for cookies, indicating that the Act applies only where the cookies collect personal information.
The duration of the validity of consent is not clearly set out in law, and regulators hold differing positions on how long cookies may last. CNIL’s guidance is that analytics cookies may not exceed 13 months and that information collected through such trackers may be kept for a maximum of 25 months; other cookies are not subject to these limits. The ICO’s guidance is that the lifetime of a cookie must be proportionate to its purpose.
The more general rule is that consent remains valid until it is withdrawn, or until a significant change of purpose invalidates the original consent. On this basis the validity of consent over a prolonged period is uncertain; with our tools, however, you can have consent reviewed over a period of your choice.
Much like the duration of consent, how often the cookie policy must be updated is not entirely clear; it depends on how the information about cookies is set out in the policy. If you only provide a general list of the cookie categories in use and do not actively scan for cookies, the policy needs updating only when a new type of cookie is introduced that does not fall into any of the listed categories, so that the information remains adequate for the transparency requirements.
If, however, the policy contains a table listing each individual cookie, it must be updated every time a new cookie is added, which requires regular scans of the website.
For the storage, collection and processing of data by apps on mobile devices, there is a degree of uncertainty as to whether the same disclosure and consent rules apply. The ICO’s guidance is that they do, since PECR covers any storing of, or access to, information on a user’s device: an app must provide all details of the data it collects and give the user options to control their level of privacy.
This can cause confusion about what constitutes standard practice, let alone best practice. To ensure compliance in as many jurisdictions as possible, the highest bar should be the one adhered to. Best practice is as follows: when a user arrives on the website, they are greeted with a pop-over explaining that cookies are used for various purposes, with a link to the in-depth policy. This is followed by three options: accept, reject or edit preferences. When editing preferences, all non-essential boxes should be unticked, since opt-in is the standard; non-essential cookies must not be set, and tracking scripts must not run, until the user has actively consented. This might seem complicated, but implementing best practice has never been easier with the cookie consent tools provided by Seers.
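The opt-in flow described above, as an added example that is not part of the original page and not Seers’ own tooling: a small JavaScript consent manager that keeps everything except essential cookies unticked by default, records the user’s choice together with a policy version and timestamp, refuses to load analytics or marketing tags until valid consent exists, treats a change of policy version as invalidating earlier consent, and expires the consent after a review period. The six-month review period, the policy version number, the cookie_consent cookie name and the tag hostnames are assumptions chosen for illustration.

```javascript
// Added example: an opt-in cookie consent state machine for the banner flow
// above (accept / reject / edit preferences, nothing pre-ticked). This is not
// Seers' code. It has no DOM dependency so it runs in Node or the browser.

const CATEGORIES = ['essential', 'analytics', 'marketing'];
const POLICY_VERSION = 3;        // assumption: bump whenever purposes change
const REVIEW_PERIOD_DAYS = 180;  // assumption: re-ask after six months
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Opt-in default: everything off except strictly necessary cookies.
function defaultPreferences() {
  return { essential: true, analytics: false, marketing: false };
}

// Build a consent record from the boxes the user ticked. Only a literal
// `true` counts as a tick; 'essential' can never be switched off.
function buildConsent(choices, now = Date.now()) {
  const prefs = defaultPreferences();
  for (const cat of CATEGORIES) {
    if (cat !== 'essential') prefs[cat] = choices[cat] === true;
  }
  return { version: POLICY_VERSION, grantedAt: now, prefs };
}

const acceptAll = (now) => buildConsent({ analytics: true, marketing: true }, now);
const rejectAll = (now) => buildConsent({}, now);
const savePreferences = (choices, now) => buildConsent(choices, now);

// A record is valid only if it was given under the current policy version
// (a change of purpose invalidates earlier consent) and is not older than
// the review period.
function isConsentValid(record, now = Date.now()) {
  if (!record || typeof record !== 'object' || !record.prefs) return false;
  if (record.version !== POLICY_VERSION) return false;
  if (typeof record.grantedAt !== 'number') return false;
  const age = now - record.grantedAt;
  return age >= 0 && age <= REVIEW_PERIOD_DAYS * MS_PER_DAY;
}

// Gate for anything that sets a cookie: fail closed on unknown categories
// and on missing, stale or outdated consent.
function mayLoad(category, record, now = Date.now()) {
  if (category === 'essential') return true;
  if (!CATEGORIES.includes(category)) return false;
  if (!isConsentValid(record, now)) return false;
  return record.prefs[category] === true;
}

// Constructed registry of third-party tags and the category that justifies
// each (hostnames are placeholders, not real services).
const TAGS = [
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

// Which tags may be injected for this visitor. In the browser the caller
// creates <script> elements only for these; tags hard-coded in the HTML
// would fire before consent and defeat the whole scheme.
function tagsToLoad(record, now = Date.now()) {
  return TAGS.filter((t) => mayLoad(t.category, record, now)).map((t) => t.src);
}

// The consent record itself lives in a first-party cookie (strictly
// necessary, so it needs no consent). Max-Age is capped at the review
// period so the browser drops it when the consent is due for renewal.
function toCookieHeader(record, now = Date.now()) {
  const value = encodeURIComponent(JSON.stringify(record));
  const expiresAt = record.grantedAt + REVIEW_PERIOD_DAYS * MS_PER_DAY;
  const maxAge = Math.max(0, Math.floor((expiresAt - now) / 1000));
  return `cookie_consent=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Parse the record back out of a Cookie header; anything malformed is
// treated as "no consent".
function fromCookieHeader(header) {
  const m = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(header || '');
  if (!m) return null;
  try {
    return JSON.parse(decodeURIComponent(m[1]));
  } catch (e) {
    return null;
  }
}

// Demo with constructed timestamps.
const demoNow = Date.UTC(2021, 0, 1);
console.log(tagsToLoad(fromCookieHeader(''), demoNow));              // [] on first visit
const demoRecord = savePreferences({ analytics: true }, demoNow);
console.log(tagsToLoad(demoRecord, demoNow));                        // analytics tag only
console.log(tagsToLoad(demoRecord, demoNow + 200 * MS_PER_DAY));     // [] after the review period
```

The only state the page needs to persist is the record written by toCookieHeader; everything else is derived from it on each request, so there is no way for a stale or hand-edited cookie to unlock a category the user never ticked. Note that the gate has to run before any tag is injected: a tracking script already present in the page markup will set its cookies regardless of what the banner shows.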