That’s the Way the Cookie Crumbles
Do you know what cookies your company’s website is using? If not, you likely do not know whether your company’s website is honoring users’ data protection choices involving the use of cookies. You should know and care so your company is not unwittingly violating data protection laws.
California’s CCPA/CPRA,[1] as well as many other U.S. states’ data protection laws enacted in the past few years, require website owners – your business – to inform visitors to your website about the cookies your website uses. Some recent U.S. data protection laws require affirmative consent for targeted advertising and affirmative consent for sharing of “sensitive” personal data. Both targeted advertising and the sharing of sensitive personal data involve the use of cookies. You must know what types of cookies your website uses and what those cookies do with the personal data collected through your website to comply with data protection laws.
More onerous than U.S. data protection laws is GDPR.[2] If your users are residents of the EU, or your business operates in the EU, your business must obtain affirmative consent for tracking or advertising-related cookies (or not use them at all).
While these basic rules may seem straightforward, you should not assume that all is well simply because your business has implemented a cookie banner.
What are Cookies?
Cookies are small files of data that are sent to and from a user’s browser to identify the user. Related to cookies are “tags,” which convey information from a website to a search engine. When a user visits a website, the user’s browser sends a piece of data to the web server hosting the website. Every time that user accesses a new website, a cookie is created and placed in a temporary folder on the user’s device. Cookies try to match the user’s preferences to what the user may want to read, see, or purchase.[3]
What are Third-Party Cookies?
Third-party cookies are files that are created and placed on a user’s browser by different websites from the one the user is visiting. They can be placed on a user’s browser by ads, social media plug-ins, or advertising networks that a website may use. Third-party cookies can track users across websites, gathering data about their browsing habits, preferences, and interests. This information may be used for cross-site tracking, retargeting and targeted advertising.[4]
Crumbling Cookie Compliance
Studies have shown that many websites fail to implement and honor users’ data protection choices. This is not only a failure to honor users’ data privacy choices; it may also expose the company that owns the website to FTC claims of unfair and deceptive trade acts and practices.[5]
The Office of the New York State Attorney General (OAG) analyzed third-party tags and privacy controls on a variety of websites. It found that many high-traffic websites had privacy controls that did not work as described. For example, certain marketing or advertising tags would remain active even after users tried to disable them using the websites’ privacy controls. Thus, users continued to be tracked, even after opting out of tracking.[6]
The OAG explained that this problem can be caused by not properly categorizing the types of cookies that a website uses. Most websites implement privacy controls using a type of software known as a consent-management tool. This tool allows categories of cookies to be turned on and off. However, this functionality only works when tags are properly categorized in the consent-management tool. If a tag is miscategorized, or not categorized at all, it will not respond to the tool’s controls. This often means the tag remains active, regardless of a website user’s privacy rights choices.[7]
Another cause of websites failing to honor users’ data privacy choices is that the website cookies have not been configured to work with the website’s privacy controls. Instead, the tags were hardcoded into the website. Because the tags were hardcoded, the consent-management tool was unable to control them, and they would continue to operate every time certain webpages loaded.[8]
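Both failure modes described above (a tag the consent-management tool has no category for, and a tag that keeps firing after opt-out because it is hardcoded or not wired to the tool) can be checked by comparing the requests a page makes after a visitor opts out against the tool's category map. The JavaScript below is an added example, not code from the OAG guidance or from this article; the hostnames, category names, and the `auditTags` function are constructed for illustration.

```javascript
// Category map as configured in the consent-management tool (constructed sample).
const cmpCategories = new Map([
  ["cdn.example", "necessary"],
  ["analytics.example", "analytics"],
  ["ads.example", "advertising"],
]);

// Visitor's choices: analytics allowed, advertising declined (constructed sample).
const consent = { analytics: true, advertising: false };

// Requests captured while loading pages after the choices were saved (constructed).
const observedRequests = [
  "https://www.shop.example/checkout",
  "https://cdn.example/app.js",
  "https://px.ads.example/pixel?id=1",
  "https://social-widget.example/track.js",
  "https://analytics.example/collect",
  "https://px.ads.example/pixel?id=2",
];

// True when host is the domain itself or one of its subdomains.
const within = (host, domain) => host === domain || host.endsWith("." + domain);

function auditTags(siteDomain, categories, choices, requests) {
  const findings = [];
  const seen = new Set();
  for (const raw of requests) {
    const host = new URL(raw).hostname;
    if (within(host, siteDomain) || seen.has(host)) continue; // first party or duplicate
    seen.add(host);
    const entry = [...categories].find(([domain]) => within(host, domain));
    if (!entry) {
      // The consent tool cannot switch off a tag it has no category for.
      findings.push({ host, category: null, issue: "uncategorized" });
    } else if (entry[1] !== "necessary" && choices[entry[1]] !== true) {
      // Category was declined yet the tag still loaded: hardcoded or not wired in.
      findings.push({ host, category: entry[1], issue: "fired-after-opt-out" });
    }
  }
  return findings;
}

console.log(auditTags("shop.example", cmpCategories, consent, observedRequests));
```

In practice the request list would come from a browser's network log or a HAR export taken after the opt-out choice is saved, and each finding is a tag to raise with the marketing team or website developer.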
Thus, your company should find out from its marketing team or website developer what cookies your website uses, what personal data is processed for advertising purposes or shared with third parties, and whether your website’s privacy controls actually work to honor consumers’ data privacy selections. This is not a significant undertaking, and the benefits of avoiding a data protection investigation or consumer class action are enormous.
_______
[1] California Consumer Privacy Act, as amended and supplemented by California Privacy Rights Act, Cal. Civ. Code § 1798.100, et seq.
[2] General Data Protection Regulation, Regulation (EU) 2016/679.
[3] https://www.microsoft.com/en-us/edge/learning-center/what-are-cookies/, visited 8.27.2024.
[4] https://clearcode.cc/blog/difference-between-first-party-third-party-cookies/, visited 8.27.2024.
[5] See Section 5(a) of the Federal Trade Commission Act (FTC Act) (15 USC §45), which prohibits “unfair or deceptive acts or practices in or affecting commerce.”
[6] https://ag.ny.gov/resources/organizations/business-guidance/website-privacy-controls, visited 8.27.2024.
[7] Id.
[8] Id.