This document provides an overview of cookie consent and compliance with cookie laws around the world. It discusses what cookie consent is, the different types of cookies and technologies that collect data, how to implement cookie consent on a website, dos and don'ts of cookie banners, penalties for non-compliance, and how a consent management platform can help businesses easily achieve compliance.
Since the early days of the internet, cookies have helped
marketers and advertisers profit from online users'
personal data. But this is a competitive edge that only
a handful of companies can still enjoy.
With so much on your business's plate, be mindful of
how you start attending to your company's data
governance system and building a relationship with
your customers. Both can be achieved through one
thing: cookie consent.
Everything about cookie consent
Asking your customers to either accept or reject
the usage of cookies on their devices when they visit
your website, through a cookie banner or cookie policy,
is referred to as cookie consent.
Different ways to obtain cookie consent:
• Browsers can prompt users to accept or reject
cookies when they visit your website for the first
time.
• Website operators can notify customers of the use
of cookies and also link to the privacy policy page
for further information.
• Some websites can redirect to a different page
where the user can choose specific types of
cookies they want to allow.
A-Z Guide to Cookie Consent and Cookie Laws Around the World
Cookies: A Marketer’s Lifeline
Cookies provide valuable insights that help businesses build tailored content,
products and services that people would love to buy. This enhances the
user experience and, in turn, users' trust in the brand.
'Session' and 'Persistent' cookies
When cookies expire as soon as the user exits their browser (at the end of the
browser session), they are called 'session cookies.'
When cookies are stored for more extended periods, they are 'persistent
cookies.'
Types of data that cookies can collect:
Cookies: The good, the bad, the ugly
The Good
• Online activity and habits
• Hobbies and interests
The Bad
• Sharing data without consent
• Irrelevant adverts
The Ugly
• Exposing sensitive personal data
• Online platform addiction through
in-depth behavior profiling.
'First-party' and 'Third-party' cookies
First-party cookies are deployed on the users' devices
directly by the website, i.e., the URL displayed in the
browser's address bar.
Third-party cookies are deployed by domains other than the
website the user visits.
Similar technologies
'Similar technology' means another way of collecting digital
data with the same functionality as a cookie. This may include
specific characteristics to identify devices so that visits to a
website can be analyzed.
These similar technologies include:
• Fingerprinting techniques
• HTML5 Local storage
• Local shared objects
• Scripts
• Tracking pixels
Some examples of device fingerprinting:
• CSS information
• JavaScript information
• HTTP header information
• Data exposed by specific network
protocols
• Data derived by device configuration
• Installed plugins within the browser
• Installed fonts
• Clock information
• TCP stack variation
• Use of any APIs
Not all cookies require consent. Essential cookies, which are mandatory for
smooth and effective website operation, do not.
Nonessential cookies require consent. They are:
• Performance Cookies
• Analytical Cookies
• Advertising Cookies
• Social Media Cookies
• Unclassified Cookies
Data from these nonessential cookies are later used for behavioral
profiling and targeted advertising.
Top 10 Cookie Consent Must-Haves
1. Inform your users of cookies
2. Collect consent by cookie purpose
3. Allow users to reject cookies
4. Collect active consent (no scrolling/swiping for consent)
5. Respect your users’ privacy choices
6. Pre-ticked boxes must be set to opt-out
7. Nudging for consent is not allowed
8. Make it easy to withdraw or change consent
9. Collect consent before using cookies
10. Store all user consents for 5 years
What type of cookie needs consent?
1. Display a cookie banner on a user's first visit
2. Inform users of the cookies and their purposes.
3. Collect users' active consent
4. Provide users with 'accept' and 'reject' cookie buttons.
5. Give users the option to opt-in to specific cookie categories.
6. Provide detailed information – the name of the cookie provider,
description, and cookie duration
7. Give users a user-friendly option to withdraw consent.
8. Do not use cookie walls that prevent access to the website unless the
user accepts cookies.
9. Do not use pre-ticked boxes
10. Block third-party cookies until the user consents
11. Record cookie consents for proof of compliance
12. Do not set cookies if the user is scrolling or continuing to use a website.
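The checklist above, sketched as a consent gate in JavaScript. This is an added example, not code from the original document or from any CMP vendor; the category keys, the "banner_button" source label and the sample tag names are assumptions made for illustration.

```javascript
// Added example: consent gate for nonessential cookie categories (names are illustrative).
const NONESSENTIAL = ["performance", "analytical", "advertising", "social_media", "unclassified"];
// "Store all user consents for 5 years", approximated here as 5 x 365 days.
const RETENTION_MS = 5 * 365 * 24 * 60 * 60 * 1000;

function createConsentManager(now = () => Date.now()) {
  // No pre-ticked boxes: every nonessential category starts as not consented.
  const state = Object.fromEntries(NONESSENTIAL.map((c) => [c, false]));
  const log = []; // append-only proof-of-consent records

  function record(action, choices) {
    const ts = now();
    log.push({ action, choices: { ...choices }, timestamp: ts, retainUntil: ts + RETENTION_MS });
  }

  return {
    // Only an explicit banner action counts; scrolling or continued browsing does not.
    submit(source, choices) {
      if (source !== "banner_button") return false;
      for (const c of NONESSENTIAL) state[c] = choices[c] === true;
      record("consent", state);
      return true;
    },
    // Withdrawing consent takes one call and is itself recorded.
    withdrawAll() {
      for (const c of NONESSENTIAL) state[c] = false;
      record("withdraw", state);
    },
    // Essential cookies need no consent; every other category needs an opt-in.
    // Unknown categories are treated as not consented.
    mayLoad(category) {
      return category === "essential" || state[category] === true;
    },
    // Filter a page's tag list so that unconsented tags are never injected.
    allowedTags(tags) {
      return tags.filter((t) => this.mayLoad(t.category)).map((t) => t.name);
    },
    history: () => log.slice(),
  };
}

// Constructed sample tags (hypothetical vendors).
const SAMPLE_TAGS = [
  { name: "session-cookie", category: "essential" },
  { name: "analytics.example", category: "analytical" },
  { name: "ads.example", category: "advertising" },
];
```

On a real page, the result of allowedTags would decide which script elements are created at all, so third-party cookies cannot be set before the opt-in.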
Cookie wall vs. paywall, what's the difference?
A cookie wall is a mechanism wherein a user has no option other than to
accept the processing of cookies to get access to the website.
With a paywall, advertisers monetize content by letting the user access it
only through a paid subscription or by subscribing with an email address.
Austrian and French DPAs have already concurred that the paywall system
is valid as long as the subscription to the site gives away the content at a
modest and fair cost so that users' free choice is not constrained.
Checklist to comply with EU cookie law
Cookie and data ethics
Data Ethics experts Pernille Tranberg and Gry Hasselbalch discuss how
companies can look at the economic advantage of privacy driven by the
competitive edge.
"Being eco-friendly has become an investor demand, a legal
requirement, a thriving market, and a clear competitive
advantage. Data ethics will develop similarly – just much
faster."
– (Tranberg Data Ethics, 2016, p.9)
Cookie Banner
A "cookie banner" is a pop-up or a splash page that the website owner places on
their website/mobile app to obtain consent for cookie usage from the user
visiting the website/mobile app.
Types of cookie banners
Notice Only banner:
This banner simply informs the user of the cookie usage by the website.
Notice + Opt-out consent:
This cookie banner informs the website visitor of the cookies being
deployed and provides a mechanism for disabling cookie usage.
Notice + Opt-In Consent:
This cookie banner informs the user of the usage of cookies by the
website and also asks them to either accept or reject the use of
cookies before they are deployed.
Non-compliance with Cookie Law? Good Luck!
Google and Amazon were slapped with a total penalty of $148 Million by French
Regulator CNIL for placing advertising cookies without users' consent.
The Spanish DPA fined Vueling Airlines and Twitter $33,000 for not allowing
users to reject cookies or manage their preferences.
Fines
GDPR: up to 20 million EUR or up to 4% of the annual turnover,
whichever is greater
CCPA: up to $2,500 per violation and $7,500 per violation
that is intentional or involves children (as per CPRA).
VCDPA: Fines for non-compliance with Virginia's VCDPA can
go up to $7,500 per violation.
LGPD: Up to 50 million Real or 4% of the annual turnover,
whichever is higher.
PIPEDA: up to CAD 100,000 per infringement.
Reputational damage
Per the Deloitte survey, 87% of top executives report
reputational damage as more detrimental than other
strategic risks that a company faces.
Penalties
For example, according to Finbold's "Bank Fines 2020"
reports, the top three US banks, namely Goldman Sachs,
Wells Fargo, and JP Morgan Chase, have paid a total of $7.5
Billion in fines in 2020. Keeping lawsuits separate, the
settlement itself can cost you millions of dollars.
Fines & Reputational Damage
Audits
Audits are time-consuming and take lots of effort.
Being non-compliant with Data Privacy Laws might
demand extra audits to uncover the real reason for
non-compliance.
Legal actions and imprisonment
In rare scenarios, compliance officers have
personally faced regulatory and government
enforcement actions. Especially after the financial
crash of 2007-2008, regulators and government
agencies have been tough and have thoroughly
scrutinized compliance officers' roles and
responsibilities.
Company shutdown
Being non-compliant with data privacy regulations
is considered illegal, and governing authorities
might take any relevant action on your business.
Companies, by government order, might be shut
down or completely dissolved in case of serious
non-compliance issues.
Dos
• Provide an option to accept or reject
nonessential cookies
• Convey to the user the purpose of using
a cookie, the types of cookies used,
and how their data will be processed.
• Give people in-depth information
about cookies by linking to your
cookie policy page
• Inform users about third-party
vendors/cookie providers
• Specify the duration of the cookie
(cookie's expiry date)
• Inform the user of any sharing/selling
of personal data
Don'ts
• Placing your cookie banner at the
corner of the screen or behind other
page elements makes visibility
harder.
• Using ambiguous language and legalese in your
cookie banner.
• Assuming and deploying
nonessential cookies without the
consent of the user.
• Not being up to date with the latest
changes in cookie regulations.
• Having pre-ticked boxes in the
cookie banner for nonessential
cookies
Dos and Don'ts of Cookie Consent
Implementing cookie consent on your website
There are various methods to implement cookie consent, such as:
• One of the most popular methods is to use JavaScript libraries and HTML templates.
• Another way of implementing cookie consent is through plugins.
• But your best and least hectic option would be to work with a Consent
Management Platform (CMP) like Adzapier's.
Cookie compliance with Adzapier: Your best decision ever
Integrating Adzapier's CMP with your business would make you compliant in
minutes, even with the strictest data privacy laws.
Integrating smoothly with your website/mobile app, Adzapier's CMP needs
minimal manual intervention to set up, which doesn't mess up your website's
core vitals.
Three components of Adzapier's CMP are particularly important, and
few other compliance platforms on the market have them.
Session recording:
This is how Adzapier records the consent of each user who has agreed
to the use of cookies. It helps you prove your compliance to the
regulatory authority if unforeseen legal issues arise.
Automated cookie blocking:
With GDPR making it extremely clear that nonessential cookies can't be
deployed without the user's explicit consent, Adzapier's Auto-cookie
blocking feature helps block nonessential cookies at the user's end until
they give their consent.
Global compliance:
Adzapier is updated with the latest changes and amendments to data
privacy compliance so that you don't have to be. We comply with laws ranging
from the strictest, like GDPR and CPRA, to other major laws like VCDPA, LGPD,
and many more.
Try Adzapier free for 14 days and see your
business take off.